Windows Domain Migration -- after-thought edition

Revision as of 23:07, 17 February 2006 by Henryk

So one day you come back to work and find that your administrator has set up a completely new Windows domain and you have been assigned a completely new user account with a completely new SID. But you don't feel like setting up your user account on your Windows workstation from scratch, losing all your preferences, possibly some work, and a lot of time in the process. subinacl comes to the rescue!

You need to be at least a local administrator (domain administrator will probably work too), and you need the latest version of subinacl from Microsoft's web site. (I've been advised to only use the latest version, which currently seems to be 5.2.3790.1180.)

For the rest of this page I'll assume that your username is foo, your old domain is bar, your new domain is baz and your old SID is S-1-5-1-2-3-4-5. Before you start, you should use the backup utility provided with Windows to completely back up the registry and your old profile directory. Just in case.

  1. Associate the workstation with the new domain. (System Properties -> Computer Name -> Change...)
  2. Reboot
  3. Log on as baz/foo. Log out.
  4. Log on as local (or domain) administrator
  5. Find your old user's SID. Usually the easiest way to do this is to view the permissions of your old profile directory. Because the old domain controller is gone, Windows will be unable to resolve your old user's SID to a name, so it will conveniently stand out in the permissions list. Take permanent note of that SID (e.g. write it down somewhere).
  6. Replace the permissions on your files: subinacl /subdirectories "C:\*.*" /replace=S-1-5-1-2-3-4-5=baz/foo
    Repeat this for each drive letter besides C.
  7. Replace the registry permissions (first time): subinacl /subkeyreg "HKEY_LOCAL_MACHINE/*" /replace=S-1-5-1-2-3-4-5=baz/foo
    Repeat this for HKEY_USERS/* and maybe other parts of the registry that your old user might have had access to.
  8. Change the profile path for your new user to your old profile path in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\your new user's SID\ProfileImagePath. You'll find your old profile path in the key for your old user (the one that is named with your old user's SID). If you are not sure which SID belongs to your new user, simply go through all keys below HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ (there can't be that many) and look for the one that has your new user's profile path in ProfileImagePath. (Your new user's profile path will probably end in foo.baz.)
  9. Now you need to load the user specific part of the registry for your user and change the permissions there. The easiest way seems to be: Start -> Programs -> Accessories, (shift) right-click "Command Prompt" and choose "Run As ..." user baz\foo. Use regedit to verify that there is now a subkey below HKEY_USERS that is named for your new SID.
  10. Replace the registry permissions (second time): subinacl /subkeyreg "HKEY_USERS/*" /replace=S-1-5-1-2-3-4-5=baz/foo
  11. Log out

If you log in now as your new user baz/foo you should find your old environment with next to everything working as it was. Some things will not have been repaired by this procedure, most notably the local group memberships. If your old user was a member of certain special groups, you will need to manually put your new user into those groups.
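
A read-only check for steps 5 and 8 and for the end result, as an added example that is not part of the original page: it lists every ProfileList key with its ProfileImagePath and whether the SID still resolves, then reports files whose owner or ACL still names the old SID. It assumes PowerShell 3.0 or later in an elevated session; `$ScanRoot` is a hypothetical path and the default SID is the page's placeholder.

```powershell
# Added example; read-only. Assumes PowerShell 3.0+ in an elevated session.
param(
    [string]$OldSid   = 'S-1-5-1-2-3-4-5',            # the page's placeholder SID
    [string]$ScanRoot = 'C:\Documents and Settings'   # hypothetical folder to check
)
$sidType     = [System.Security.Principal.SecurityIdentifier]
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Steps 5 and 8: one row per profile key. A SID that no longer resolves to a
# name is a candidate for the old account; its ProfileImagePath is the old path.
Get-ChildItem -Path $profileList | ForEach-Object {
    $sid = $_.PSChildName
    try {
        $sidObj  = New-Object System.Security.Principal.SecurityIdentifier $sid
        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        $account = '<unresolved>'
    }
    [pscustomobject]@{
        Sid              = $sid
        Account          = $account
        ProfileImagePath = (Get-ItemProperty -Path $_.PSPath).ProfileImagePath
    }
} | Format-Table -AutoSize

# After steps 6 to 10: list items whose owner or access rules still carry the
# old SID. Rules are requested as raw SIDs so no name lookup is involved.
Get-ChildItem -LiteralPath $ScanRoot -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $path = $_.FullName
        try { $acl = Get-Acl -LiteralPath $path -ErrorAction Stop } catch { return }
        $owner = $acl.GetOwner($sidType).Value
        $aces  = @($acl.GetAccessRules($true, $true, $sidType) |
                   Where-Object { $_.IdentityReference.Value -eq $OldSid })
        if ($owner -eq $OldSid -or $aces.Count -gt 0) {
            [pscustomobject]@{
                Path       = $path
                OwnerIsOld = ($owner -eq $OldSid)
                OldSidAces = $aces.Count
            }
        }
    } | Format-Table -AutoSize
```

An empty second table means nothing readable under `$ScanRoot` still references the old SID; items that could not be read are skipped silently.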

--Henryk 00:07, 18 February 2006 (CET)