« Slipstreaming / Free tool for making ISOs of bootable CDs | Main | Power Settings via Group Policy »

May 16, 2005

Moving NT4 Profiles to Active Directory

I'm currently moving an office from their own NT4 domain to the Campus Active Directory and wanted to keep their account settings identical. I needed a straightforward way to migrate their old NT4 profile to ADS. I ended up using the moveuser.exe tool which is part of the Windows Server 2003 Resource Kit Tools.

On each machine, I made a local user called "tempuser". I then issued the command to associate the old NT4 profile with the new local user:

moveuser.exe nt4_domain\username tempuser

I then went through the proceedure to join the computer to the active directory. Once on the active directory, I did:

moveuser.exe tempuser ads\username

to asssociate the now local profile with the ADS account. I could then delete "tempuser", log on as the individual and the old profile was now properly associated with their active directory account.

Why couldn't I just "moveuser nt4_domain\username ads\username"? This is because the NT4 domain and campus AD are not trusted. The moveuser tool needs to be able to lookup the SSID for both accounts. Hence, the only way I could accomplish this was using an intermediary local account.

CAUTION: Often I'd have to reboot between adding the tempuser account and issuing the moveuser.exe command. Otherwise I'd get errors that it couldn't find the NT4 domain account, or occasionally an "Access Denied" error, presumably because some portion of the NT4 user's profile is still in use and inaccessable.

Sometimes "HKEY_LOCAL_MACHINE\Software\Classes" still has the old NT SSID in the permissions. When I'd log into AD as the user for the first time, I'd see if I could open it. If not, I'd change the permissions on Classes and find the old SSID in there... Delete it, and add the ADS\username into the permissions.

Apparently "HKEY_LOCAL_MACHINE\Software\Classes" is simply a link to the current user's own HKEY_CLASSES hive. If you go into regedit and look under "HKEY_USERS", you'll notice each user has a <SSID> entry and an <SSID>_Classes entry. I guess moveuser.exe sucks and doesn't check for the presence of <SSID>_Classes and change the permissions accordingly.

Posted by djc6 at May 16, 2005 10:08 PM

Trackback Pings

TrackBack URL for this entry:


This sounds like something that should be put in the Case Wiki...

Posted by: Gregory Szorc at June 16, 2005 02:07 PM

Hey Dave, now that the Case wiki system is live, I would love to see this information gradually migrate to the wiki. Then we can all contribute! =)

Posted by: Aaron Shaffer at June 16, 2005 03:05 PM