DOMAIN User --> LOCAL user profile - How?


shizniz

I have a serious question regarding a current setup I am attempting to
employ in the SOHO.

I currently have a Windows 2003 Server machine I've just gotten online
this weekend to serve as a domain.local DC. The issue I am running
into, is that the initial Windows XP Professional workstation I am
setting up already has LOCAL profiles on it in which much time and
pleasure has been taken into customizing each.

I've created the AD domain user account to coincide with the current
account on the Windows XP Professional machine. I want the DOMAIN
profile to sync to the LOCAL profile ' ..\name.name ', NOT to
create/use a profile of its own making such as ' ..\name.nameDOMAIN '.


Now mind you, 3 times I have already attempted the common registry edit
of changing the ' ProfileImagePath '. Unfortunately, each time when
re-attempting to log back into the machine under the DOMAIN user and
expecting to see the LOCAL profile, it creates a new profile altogether
under the auspices of ' ..\name.nameDOMAIN.001 ' or similar.

HOW do I get the DOMAIN user account to use the LOCAL user's
profile/directory ?!

I've become utterly frustrated trying to figure this one out. I'm sure
this is simple enough, but I've not found how to make it happen
successfully yet as the domain user account when it logs in seems to
overwrite that ' ProfileImagePath ' key with its own information since
it creates a new one and all.

Any help would be GREATLY appreciated.
 
Lanwench [MVP - Exchange]

shizniz said:
I have a serious question regarding a current setup I am attempting to
employ in the SOHO.

I currently have a Windows 2003 Server machine I've just gotten online
this weekend to serve as a domain.local DC. The issue I am running
into, is that the initial Windows XP Professional workstation I am
setting up already has LOCAL profiles on it in which much time and
pleasure has been taken into customizing each.

I've created the AD domain user account to coincide with the current
account on the Windows XP Professional machine. I want the DOMAIN
profile to sync to the LOCAL profile ' ..\name.name ', NOT to
create/use a profile of its own making such as ' ..\name.nameDOMAIN '.

Well, it's going to create a username.domain folder if there's an existing
username folder. You can't really get around that.

shizniz said:
Now mind you, 3 times I have already attempted the common registry edit
of changing the ' ProfileImagePath '. Unfortunately, each time when
re-attempting to log back into the machine under the DOMAIN user and
expecting to see the LOCAL profile, it creates a new profile altogether
under the auspices of ' ..\name.nameDOMAIN.001 ' or similar.

HOW do I get the DOMAIN user account to use the LOCAL user's
profile/directory ?!

I've become utterly frustrated trying to figure this one out. I'm sure
this is simple enough, but I've not found how to make it happen
successfully yet as the domain user account when it logs in seems to
overwrite that ' ProfileImagePath ' key with its own information since
it creates a new one and all.

Any help would be GREATLY appreciated.

Try this:

1. Log in once as the domain user.
2. Log out.
3. Log in as an admin.
4. Go to control panel | system, Advanced, click "Settings" in the User
Profiles section.
5. Select the local account, choose Copy To, and then browse to the domain
user's "Documents and Settings" folder (e.g., c:\documents and
settings\user.domain).
6. Log back in as the domain user and see if it 'took.'

There may be some things that require a little bit of tweaking (Outlook in
particular) but you may get lucky and not have to fuss with anything.
 
shizniz

Oddly enough, I tried this earlier this afternoon. I logged in under
Administrator (LOCAL to the box) and selected the LOCAL ' name.name '
account. I did a ' Copy To ' and selected the directory of the DOMAIN
account. It seems this was a task without any positive results. Once
again, when I finished this and logged out to re-login as the DOMAIN
user, it built an entirely new profile for the account locally.

So the frustration continues. I appreciate your suggestion though.
Anyone else have some insight into what has gone awry?
 
Guest

A profile (other than default) should never be loaded from a location other
than the one where it was created. The reason is that many third-party apps
create direct links to files within the profile, thus once it's been in-use
you cannot safely move it.

I think you can change the profile-location in the registry, but this still
leaves the issue that the account would then be incompatible with other
domain computers so maybe that's not wise.

Your best course of action here is to continue to log-on as the local user.
You can do this even if the computer is a domain-member, there is a
dropdown-box on the logon screen.

If you need to authenticate to the server as a domain-account, then you can
still do so under other credentials, and this won't lose your settings. The
only time this gets a little complex is when accessing non-server resources in
the domain.
 
AJR

Personally I had some difficulty following your post - however here goes -
and I may be repeating information of which you are already aware;

A main function of the DC is to authenticate a user's credentials to permit
local logon - in this situation the profile becomes a roaming profile which
provides the benefit of the user being able to log on a computer other than
the one they normally use.
The profile is stored on the DC - user logs on and DC sends profile to the
local computer - user logs off and profile at local level is compared
(synced) with copy on DC.
I am not positive but it seems you are trying to do the opposite.
 
Guest

AJR said:
A main function of the DC is to authenticate a user's credentials to permit
local logon - in this situation the profile becomes a roaming profile which
provides the benefit of the user being able to log on a computer other than
the one they normally use.


A common misconception is that making a user a domain-member will provide
roaming profiles, that is they will see their own settings/files at any
computer.

Not so. Domain logon allows a user to log-on at any computer in the domain
with the same credentials. But that's all. If Dave logs-on at ten computers,
then there will be ten 'Dave' profiles around the network, all different.

Roaming profiles have to be created manually, and in fact are nothing to do
with domain logon.

Just thought I should clarify this point.
 
Guest

I have not found an easy way to do what you want. You could always try the
Files and Settings transfer Wizard. I have never had much success with it,
but it might be worth a shot.

But here is what I would do, similar to what Lanwench recommended, but
different.

Do this process for each local profile you want to keep:
1a. Make a copy of the Default User folder.
1. After rebooting the machine, login as an admin
2. Go to Control Panel -> System and select the Advanced tab and click the
Settings button under User Profiles.
3. Select the profile that you would like to keep and select Copy To
4. Browse to the C:\Documents and Settings\Default User and click okay
5. Click okay to overwrite

After doing this, logoff admin and login using the profile you just copied
to the Default User. Yes, it will create a new profile folder for the
domain. However, all of the files and settings should be copied over to the
domain version of the profile.

Again, if you have multiple profiles you'd like "saved" for the Domain, do
those same steps for each. Just make sure each profile logs in before moving
 
Kerry Brown

There are a couple of ways to accomplish this. Easiest is the Files and
Settings Transfer wizard. Logon as the local user. Run FAST and save the
data to a folder. Logon as the Domain User. Run FAST and import the files
and settings. FAST doesn't copy some things, e.g. .PST files. That has to
be done manually. Next easiest is to copy the files. That has already been
gone over in other posts in the thread. This method can often be faster but
sometimes it doesn't work quite right and you have to spend some time
figuring out what happened and fix it. If the domain is an SBS domain or if
Exchange is involved then whichever method you use there will be tweaking.
If the profile is really complicated sometimes neither method will work and
I just copy My Documents, Desktop files and shortcuts, IE and/or Firefox
favourites, and then import the email from the old profile.
 
shizniz

I understand what you're referring to, but this is in fact
contradictory to what I am attempting to accomplish. Say I have
multiple XP clients available, prior to the 2K3 DC, people might have
used their LOCAL profile extensively to the point where creating
another globally authenticating profile across the forest would become
frustrating for them as they would have to migrate and re-customize
their global profile once again.

Roaming profiles aren't a solution here as the situation really doesn't
warrant their need, so if I can just point the domain user (which at
this point doesn't seem very likely) to the local account's
storage/working directory it'd facilitate their needs and cause the
least bit of non-translucent change in their lives. This is not
necessarily to say each machine they have a profile on currently across
the network has the same tools or settings. Some are design
workstations and others are print stations for OCE 9800 digital
plotters, so giving them the ability to login globally, being held to a
global SP/GP and still be able to use the convenience of their own
desktops in the manner they've become used to is primo.

I've attempted the FAST on a test machine... what a horrible tool, I
don't even know why MS tried.
 
Wayne Roop

Take a look at this. Right-click My Computer on the XP machine, go
Properties>Advanced>User Profiles:Settings. Highlight the profile you want
to copy, Copy To will be the new profile that must already exist in
Documents and Settings. Permitted To Use:Change should point to the "new"
user (corresponding to the new profile) under Users in the domain. This will
copy the old profile data with new SID to the new profile. The old profile
will still exist. I have used this to transfer profiles from one domain to
another. If Outlook PSTs are used the "new" user may have to be added to
the files' security properties.

Regards,
Wayne R.
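
Added example, not part of Wayne Roop's post or any other reply in this thread: Windows registers each profile under `ProfileList` by account SID rather than by username, so the same-named local and domain accounts discussed above are separate entries with separate `ProfileImagePath` values. The sketch parses `reg query` output and reports which SID owns which folder, plus any folder claimed by two SIDs after a manual `ProfileImagePath` edit. Assumptions: the sample output, all SIDs, the `name.name.DOMAIN` folder and the machine SID are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of the output of:
#   reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList" /s
# All SIDs and folder names are invented for illustration.
KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList"
SAMPLE = "\n".join([
    KEY + r"\S-1-5-18",
    r"    ProfileImagePath    REG_EXPAND_SZ    %systemroot%\system32\config\systemprofile",
    "",
    KEY + r"\S-1-5-21-1111111111-2222222222-3333333333-1004",
    r"    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\name.name",
    "",
    KEY + r"\S-1-5-21-4444444444-5555555555-6666666666-1105",
    r"    ProfileImagePath    REG_EXPAND_SZ    %SystemDrive%\Documents and Settings\name.name.DOMAIN",
])
MACHINE_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # assumed SID of this workstation

def parse_profile_list(text):
    """Return {sid: ProfileImagePath} from `reg query ... /s` output."""
    profiles, sid = {}, None
    for line in text.splitlines():
        key = re.match(r"^HKEY_LOCAL_MACHINE\\.*\\ProfileList\\(S-[\d-]+)\s*$", line, re.I)
        if key:
            sid = key.group(1)
            continue
        val = re.match(r"^\s+ProfileImagePath\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", line, re.I)
        if val and sid:
            profiles[sid] = val.group(1)
    return profiles

def classify(sid, machine_sid=MACHINE_SID):
    """'local' if issued by this machine, 'domain' for another S-1-5-21 authority, else 'builtin'."""
    if not sid.startswith("S-1-5-21-"):
        return "builtin"
    return "local" if sid.rsplit("-", 1)[0] == machine_sid else "domain"

def shared_folders(profiles):
    """Folders claimed by more than one SID (e.g. after a manual ProfileImagePath edit)."""
    owners = defaultdict(list)
    for sid, path in profiles.items():
        owners[path.lower()].append(sid)
    return {path: sids for path, sids in owners.items() if len(sids) > 1}

if __name__ == "__main__":
    for sid, path in parse_profile_list(SAMPLE).items():
        print(f"{classify(sid):8} {sid}  ->  {path}")
```
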
 
shizniz

I've tested with that as well. But the issue then becomes all their
'new' data that ends up getting stored on that profile copy will be
inaccessible should the DC go down - i.e. you're not supposed to be
able to login to a domain account if the DC is offline as the domain
account authenticates strictly against the DC/AD. So if in some case
there was a DC failure or maintenance event, their work would be
incapable of being accessed given that the authentication device is
offline. At that time they could of course revert back to their local
profile, but the data wouldn't be saved there.

I know this is an odd eventuality, but it is something I have to look
at, especially for the mobile users who have been issued laptops.

I think I'll have to build profiles per machine on the local side and
just find a way for them to access domain global items. I am however,
still convinced there is a trick I've not stumbled upon.
 
Guest

Maybe I'm confused but it seems your concern is that should the DC become
unavailable (or network is unavailable) they won't be able to login with
their domain account. That is incorrect. Windows will cache the domain
credentials for exactly that purpose. If it cannot contact a DC it will
revert to the local cache credentials and the domain profile would load
successfully (because it is stored locally). To me it seems there is no
problem.
 
Lanwench [MVP - Exchange]

shizniz said:
I've tested with that as well. But the issue then becomes all their
'new' data that ends up getting stored on that profile copy will be
inaccessible should the DC go down - i.e. you're not supposed to be
able to login to a domain account if the DC is offline as the domain
account authenticates strictly against the DC/AD.

No - by default, you can always log in using cached credentials. This is why
I never set up local accounts for domain users, even on laptops.

I also use roaming profiles, even if they don't roam, so if a workstation
needs to be replaced, I don't have to start over from scratch.

shizniz said:
So if in some case
there was a DC failure or maintenance event, their work would be
incapable of being accessed given that the authentication device is
offline. At that time they could of course revert back to their local
profile, but the data wouldn't be saved there.

I know this is an odd eventuality, but it is something I have to look
at, especially for the mobile users who have been issued laptops.

I think I'll have to build profiles per machine on the local side and
just find a way for them to access domain global items. I am however,
still convinced there is a trick I've not stumbled upon.

I think you should reconsider this. It's way more work.
 
