Kevin Levie
At work, I've got a problem that I've been stuck with for almost an
entire day, but I really can't figure out what's going on.
We used to have a Windows 2003 domain controller and a Windows 2000
fileserver running. As the Windows 2003 machine is going to have some
other task, the Windows 2000 machine has become domain controller.
Since the AD schema at the 2003 machine was in 2003 native mode, we
had to rebuild it at the 2000 machine and get all 40 workstations to
rejoin the new domain. Not a nice task, but not too big of a problem
either.
All these workstations contain one or more local user profiles (which
keep some settings, an Outlook PST file, and those sorts of things). I
can't copy the profiles using the 'Copy to' function in the System
dialog anymore, because I demoted the old domain controller since (I
know, quite stupid indeed).
I tried connecting these existing local user profiles with 'new'
domain users (who obviously have new SIDs):
* I tried copying the entire profile folder contents to the new
profile folder
* I tried copying the entire profile folder contents to the new
profile folder, except for the user part of the registry (ntuser.dat),
and copied the latter using regedt32 (after I read this article in
another Microsoft newsgroup -
http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&selm=Pf#ThC4iCHA.212@cpmsftngxa06)
* I tried logging on to a workstation as the domain users first, then
changing the profile path (ProfileImagePath) for the user SID in
question in HKLM\Software\MS\Windows NT\CurrentVersion\ProfileList
The first two options hardly work at all. The latter works fine... if
the user is a local administrator. If he's not, the user can still
log on, but can hardly do anything afterwards. Outlook won't run,
saying that mapi32.dll can't be found (though it works fine when
logged on as Administrator), Outlook Express completely lost its
identities while they're still in their folder, and various other
applications refuse to run.
Of course I checked all file permissions. I even tried giving users
all permissions and ownership for the old and the new local profile
directory using the subinacl tool from the resource kit. The Domain
Users group has been mapped to the local User group (as it should be),
and should therefore be able to read programs and dlls. So at the end
of the day I don't have the faintest idea how to solve this problem -
how can it be that someone with the same permissions at the new domain
as at the old one, suddenly can't do everything he used to be able to
anymore?
Our users are now working using an empty, new profile (logging on to
the domain and using network shares is still possible; apparently the
problem is really at the workstations), but I really want to restore
these local user profiles as quickly as possible. Is there something
I've missed? Or is there another way to link these local profiles to
users, even if the user that used to be the profile's owner doesn't
exist anymore?
Thanks a lot in advance for your help.
Yours sincerely,
Kevin Levie
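
A read-only check for the ProfileList approach described in the post above, as an added example that is not part of the original post: for each SID under ProfileList it reports the profile path, whether the SID still resolves to an account, and whether that SID appears on the profile folder's ACL and on the ACL of the user's loaded registry hive, which is stored inside ntuser.dat separately from the NTFS permissions on the folder. It assumes PowerShell 3 or later in an elevated session on the workstation; the function name Test-SidInAcl is hypothetical.

```powershell
# Added example: read-only audit of ProfileList entries. It changes nothing.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Test-SidInAcl {
    param($Acl, [string]$Sid)
    # Compare on raw SIDs so entries that no longer resolve to a name still match.
    $rules = $Acl.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object { $_.IdentityReference.Value -eq $Sid })
}

Get-ChildItem -Path $profileList | ForEach-Object {
    $sid = $_.PSChildName
    $raw = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    if (-not $raw) { return }                     # skip subkeys without a path
    $path = [Environment]::ExpandEnvironmentVariables($raw)

    # A SID issued by a domain that no longer exists cannot be translated.
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $account = '<unresolvable>' }

    # NTFS side: does the profile folder grant anything to this SID?
    $onFolder = $null
    if (Test-Path -LiteralPath $path) {
        try { $onFolder = Test-SidInAcl (Get-Acl -LiteralPath $path) $sid }
        catch { $onFolder = 'access denied' }
    }

    # Registry side: HKEY_USERS\<SID> exists only while that hive is loaded,
    # i.e. while the user is logged on. $null means "not loaded, not checked".
    $onHive = $null
    $hive = "Registry::HKEY_USERS\$sid"
    if (Test-Path -Path $hive) {
        try { $onHive = Test-SidInAcl (Get-Acl -Path $hive) $sid }
        catch { $onHive = 'access denied' }
    }

    [pscustomobject]@{
        SID            = $sid
        Account        = $account
        ProfilePath    = $path
        SidOnFolderAcl = $onFolder
        SidOnHiveAcl   = $onHive
    }
} | Format-Table -AutoSize
```

A row where SidOnFolderAcl is True but SidOnHiveAcl is False shows a user whose file permissions were updated while the keys inside the hive still grant access only to other SIDs.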