|
just in case you've not yet proceeded with any of your
actions: a trust is not a requirement to migrate your users and do the profile
updates on the clients or in fact to migrate objects from one domain to
another. You can work just fine with passthrough-authentication instead
(i.e. using an admin user + password from one domain, that is the same as an
admin user + password in the other domain). You are however limited in what you
can migrate => e.g. you won't be able to migrate the user passwords and you
won't be able to use SIDhistory. Both should be
uncritical if you only have to migrate 40 users...
ADMT basically performs the steps that Susan described in
the "User Profile Registry" part. There is however one little step missing in
that list of steps, which is to grant the new user account full control over the
old profile path directory on the respective client - this is also being taken
care of automatically by ADMT.
Your benefit: you can also migrate groups and group
memberships (or merge the users into existing groups in the target domain), if
this is required in your case. Don't know any details of your environment,
so maybe you don't want to take over the groups and memberships of the users you
are migrating accross...
/Guido
Thanks to
everyone for the input. Definitely helpful. Looks like the lack of a domain
trust is going to prevent most methods. We’ll have to resort to a manual process
along the lines of Susan’s steps unless they can be convinced to just come over
fresh.
And yes, the
kool-aid is plentiful. ;-)
Many
thanks
Jerry
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Al
Mulnick
Sent: Friday, June 02,
2006 9:10 AM
To:
ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Profile migration
to new domain
Silly, just go back to the OEM version. It's
already paid for, supported, etc.
If not, let me know and I'll forward my shipping address
off-line. <G>
As for the Dell support, I've found that using their
support web controls often helps. Unless there was a mod on the machine,
it's likely that they have the driver out there. You *could* always go to
the nic manufacturer and get a driver there as well.
I don't think that Mr HP has that issue though.
I'm pretty sure he has a large pool with which to get licenses and likely has a
support contract that he can utilize for assistance getting tools, drivers,
advice, developer interaction, kool-aid, etc. Just a guess though. :)
On 6/1/06, Susan Bradley, CPA aka Ebitz - SBS Rocks
[MVP] <[EMAIL PROTECTED]>
wrote:
Well I nuked and paved a formerly Dell OEM now a retail
OS.. and now
can't get the NIC on the motherboard to find nic
drivers....anyone for a
black decorative doorstop until I find the driver it
wants or throw a
intel card in there?
Small firms we
a. don't
have the proper license to nuke/pave/reimage
b. may not have the proper media
to restore (you get the lovely OEM view
of 'restoration media')
c. We're
already running the kitchen sink service as it is and now you
want us to RIS
on that box as well? Geeze guys....(it can do it but we
recommend
you turn it on when you need it and turn it off otherwise
Exchange isn't a
real happy camper sharing mem space)
Al Mulnick wrote:
> Sorry
ma'am. I should have completed my sentence and said,
"..unless
> Susan can post the step by step directions."
>
>
Silly me for not proof reading first.
>
> I'd still opt for nuke and
pave in that environment. Allows you to
> have a known state, and last I
checked that's kind of important to the
> type of customer he has.
>
> Now he has more options.
>
> USMT would have been a
thought except that there is no trust and no
> reason to move the sid that
I can think of. Same reason that moveuser
> wouldn't really
matter to me. I'd prefer the control of creating the
> users
as new users. In effect, they are new users (secprin's)
anyway
> - treat 'em that way.
>
> Susan offers a way to get
the settings and magical icons though.
> That's a nice touch an option if
so taken.
>
>
> On 6/1/06, *Susan Bradley, CPA aka Ebitz -
SBS Rocks [MVP]*
> <[EMAIL PROTECTED] <mailto:[EMAIL PROTECTED] >>
wrote:
>
> Rip out a
profile? Nuke and pave?
>
> Bite
your tongue sir... we want that icon to be exactly
right
> THERE on
>
the desktop.
>
> file/transfer wiz in XP
(but don't get docs..just do settings)
>
>
> Download details: Windows
Server 2003 Resource Kit Tools:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en
>
<
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en>
>
>
Moveuser.exe
> How to migrate user
accounts:
> http://www.microsoft.com/technet/windowsvista/library/6730111b-b111-4a64-8f00-af87a63fd157.mspx
>
Moveuser - Move between domains:
> http://www.ss64.com/nt/moveuser.html
> <http://www.ss64.com/nt/moveuser.html>
>
>
>
*The Old Fashioned Way*
>
> Call it a lesson
learned late on a Saturday night. This method was
> used
> in late
January during the heat of a conversion battle by yours
truly!
> For this procedure, I assume that you are
using a Windows XP
> Professional
workstation.
>
> 1. While the XP
Pro workstation is still attached to the legacy
SBS
> 2000
network, copy the network profile down to the local
hard
> disk. So
assuming you are logged on to said SBS 2000 network,
> proceed to
the next step.
>
> 2. Click
Start>Control Panel>System>Advanced>User
Profiles>Settings.
>
> 3.
Highlight the network profile for the user. For example, NormH.
>
> 4. Select Copy To and
direct the profile to copy to the local
hard
> disk.
For example, C:\Temp. Click
OK>OK.
>
> 5. From
the Control Panel, launch Administrative Tools>Computer
> Management.
>
>
6. Select System Tools>Local Users and
Groups.
>
> 7. Select
Users.
>
> 8. Right-click in the
right-pane and select New User to add a user
> named
"Foo."
>
> 9. Double-click the
user object and select the Profile tab to
view
> the
properties for Foo.
>
> 10. In the Profile
path field, point to the exact profile you copied
> to C:\Temp
in Step 4. Click OK.
>
> 11. Close all open
applications, shut down the Windows XP Pro
machine,
> and
move it physically to the new SBS 2003 network. Reboot
and
> relaunch
the SBS Network Configuration Wizard.
>
>
12. Back on the screen to Assign users to this computer and
migrate
> their
profiles, in the lower section, under the user name (for
> example,
NormH), click Current User Settings and select
Foo.
> Complete
the steps for joining the workstation to the SBS
2003
> domain.
The profile WILL be migrated!
>
>
>
*User Profile Registry*
>
> This method came
in from M.J. Shoer ( [EMAIL PROTECTED]
>
<mailto:[EMAIL PROTECTED] >), who
attended
> the SMB Nation Summit in Boston in May.
He writes:
>
> This
method has worked for us without fail. We can retain
the
> complete profile
customizations for a PC that was logged into one
> domain and must now be
logged into a new
one.
>
> The method
works for both Win2K and WinXP. It has also worked
for
> upgrading SBS 2000 to
SBS 2003, where it is happening on the same
> server, meaning that you
have to reformat the SBS 2000 server
and
> load "freshie," as
you would say, with SBS 2003. Here's how it
>
works.
>
> Once the
SBS 2003 server is set up and the computers are set up on
> the server side, log
into the client PC and run the
>
connectcomputer
> URL. When
that step is completed, log in as the user.
Then
> immediately log off
and log on as the domain administrator.
>
> Be sure the
domain user account is in the local
administrator's
> group.
Then open Registry Editor and navigate
to
>
>
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList.
> You will see a listing
for each SID. Within each SID key, you
will
> see an entry for
ProfileImagePath with a path to the users
profile
> in the form of
%SystemDrive%\Documents and Settings\UserName.
>
> The trick is to
find the new key that was set up at logon to
> the
SBS
> 2003 server and edit
the path to refer back to the original
>
profile
> path. So, for
example, if you are migrating and changing domains,
> you want to have a path
like %SystemDrive%\Documents
and
> Settings\UserName.OldDomain.
You then have a new SID key with a
>
path
> like
%SystemDrive%\Documents and Settings\UserName.NewDomain. You
> can edit this key and
replace NewDomain with OldDomain to point
to
> the old
profile.
>
> In the
case of a server migration within the same domain,
you
> have
a
> path to the effect of
%SystemDrive%\Documents
and
> Settings\UserName.Domain
and %SystemDrive%\Documents
and
> Settings\UserName.Domain.000.
In this instance, you delete the
.000
> to point back to the
original profile.
>
>
> *The MCSE
Way*
>
> Then there are the grizzled MCSEs
amongst us who pointedly highlight
> using the
Active Directory Migration Tool (ADMT). Details
at
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/admtool.mspx
>
<http://www.microsoft.com/technet/prodtechnol/windows2000serv/downloads/admtool.mspx
>).
> Enough
said!
>
>
>
>
> Al Mulnick
wrote:
>
> > Suggestions? More like a
shot in the dark. :)
>
>
> > Have you seen the transfer your
settings wizard in XP? Have you
> > checked to
see what that can do for you? I suspect there
will
> be some
>
> scripting involved, because there will be no automated way
to
> > determine the source/target profiles
programatically. You could
> > migrate their
settings etc, but there's no sid/sidhistory to
>
> reference. Not much point in getting that information
either.
> There's
>
> also the permissions issues etc.
>
>
> > Was it me, I'd suggest taking this
opportunity to re-image the
> > workstations in
question. Cleaner, neater, more secure, and no
>
> lingering issues to deal with.
>
>
> > Al
>
>
> >
> >
On 6/1/06, *Condra, Jerry W Mr HP* <[EMAIL PROTECTED]
>
<mailto: [EMAIL PROTECTED]>
>
> <mailto: [EMAIL PROTECTED]
>
<mailto:
[EMAIL PROTECTED]>>>
wrote:
> >
>
> Hi all
>
> The environment I'm in has multiple domains and
I've been
> given a
task
> > to move about
40 users from one domain to another. There's
> no
trust
> > between the
source domain and mine and no plans to have one.
>
Too much
> > red tape.
My dilemma is trying to preserve the user's
>
desktop profiles
> >
when they come over to my domain. In the past there's been
a
> trust
>
> between any domain migrations I've performed which
provides
> a host
of
> > avenues but with
no trust I'm not sure of a way to do it other
>
> than some
>
> manual moves and permission/registry tweaks.
However, doing
>
that
> > for
40
> > users with a
manual process is not my idea of fun. Saving their
> > email
is
> > covered so it's
not an issue. Any ideas or methods would be
>
welcomed.
> >
>
> Many thanks
>
>
> > Jerry
> >
>
> List info : http://www.activedir.org/List.aspx
>
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> <http://www.activedir.org/ListFAQ.aspx>
>
> List archive: http://www.activedir.org/ml/threads.aspx
> > <http://www.activedir.org/ml/threads.aspx
>
<http://www.activedir.org/ml/threads.aspx
>>
>
>
>
>
>
> --
>
Letting your vendors set your risk analysis these
days?
> http://www.threatcode.com
>
The SBS product team wants to hear from you:
> http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
>
>
List info : http://www.activedir.org/List.aspx
>
List FAQ : http://www.activedir.org/ListFAQ.aspx
>
List archive: http://www.activedir.org/ml/threads.aspx
>
>
--
Letting
your vendors set your risk analysis these days?
http://www.threatcode.com
The SBS
product team wants to hear from you:
http://msmvps.com/blogs/bradley/archive/2006/05/18/95865.aspx
List
info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List
archive: http://www.activedir.org/ml/threads.aspx
|
