Translating Local User Profiles
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Local profiles contain the desktop state and user data for users in the source account domain. ADMT can migrate local profiles only for workstations running Windows NT 4.0, Windows 2000, and Microsoft® Windows® XP. Migrate local user profiles for a batch of users immediately after migrating the batch of users, and before the users log on to the target domain.
It is important to verify that user profile translation succeeded for each user before that user is allowed to log on. If the user profile translation fails for a user, that user must not log on to the target domain. Roll the user back manually, by disabling the user account in the target domain, and enabling the account in the source domain.
You can migrate roaming user profiles during the user account migration process. However, you still need to translate the local copy of the profile.
Note
- Migrate the local user profiles the night before you notify the users to log on by using their new accounts in the target domain. Migrating profiles the night before ensures that the new user profile reflects the most current user settings.
Before you migrate local user profiles, create a list of the workstations in the source domain. You can migrate local user profiles by running the ADMT console, by using the ADMT command-line option, or by using a script.
To migrate local user profiles by using the ADMT console
For each workstation in the source domain that is running Windows NT 4.0, verify that the ADMT account migration account was added as a member of the local Administrators group.
On the domain controller in the target domain on which you installed ADMT, log on by using the ADMT resource migration account.
Open the Active Directory Migration Tool, and then run the Security Translation Wizard.
Complete the Security Translation Wizard by using the information in Table 10.12.
Table 10.12 Using the Security Translation Wizard to Migrate Local User Profiles
| Wizard Page | Action |
|---|---|
Test or Make Changes |
Select Migrate Now? |
Security Translation Options |
Select Previously migrated objects. |
Domain Selection |
In the Source domain box, type or select the name of the domain that contains the user accounts. In the Target domain box, type or select the name of the target domain. |
Computer Selection |
Click Add and add computers from the domain that contains the computer accounts. (Depending on your existing domain structure, this might be a resource domain.) |
Translate Objects |
Select User Profiles. |
Security Translation Options |
Select Replace. |
After migrating local user profiles, you must verify that the migration process was successful. Complete the following steps to verify that the user profile migration was successful:
Review the status message for each computer for which you migrated the user profile.
For computers for which the status is not Success, review the message to identify the cause of the failure. For more details about the cause of the failure, click View Dispatch Log.
For each computer for which the agent completed successfully, select the computer name from the list, and click Agent Detail.
Click View Log and review the log for any errors that occurred during the local profile migration process.
For computers to which an agent failed to be dispatched, fix the cause of the problem, and then run the Retry Wizard to dispatch agents to those computers.
For any computers for which the agent failed to migrate the local profile, fix the cause of the problem, and then perform the local profile migration again on those computers.
You can use the following procedure to migrate local user profiles by using the ADMT command-line option
To migrate local user profiles by using the ADMT command-line option
On the domain controller in the target domain on which ADMT is installed, log on by using the ADMT account migration account.
At the command line, type:
ADMT SECURITY /N “computer_name1” “computer_name2” [parameters]You can append parameters to the command as follows:
ADMT SECURITY /N “computer_name1” “computer_name2” /SD:”source_domain” /TD:”target_domain” /TOT:ADD /TUP:YESAlternatively, you can include parameters in an option file that is specified on the command line as follows:
ADMT USER /N “user_name1” “user_name2” /O:“option_file.txt”
Table 10.13 lists the parameters required for migrating user accounts, along with the command-line parameter and option file equivalents.
Table 10.13 Parameters Required for Local User Profile Migrations
| Parameters | Command-Line Syntax | Option File Syntax |
|---|---|---|
Source domain |
|
|
Target domain |
|
|
Translate option |
/TOT:REPLACE |
TranslateOption=REPLACE |
Modify local user profile security |
/TUP:YES |
TranslateUserProfiles=YES |
Review the results that are displayed on the screen for any errors.
Review the dispatch log to determine whether agents were successfully dispatched to every computer.
Review the migration log for errors related to local profiles on workstations.
For computers to which the agent failed to be dispatched, fix the cause of the problem, and then run the Retry Wizard to dispatch agents to those computers.
For any computers for which the agent failed to migrate the local profile, fix the cause of the problem, and then perform the local profile migration again on those computers.
Note that it is important to verify the success of the local profile migration before users attempt to log on to the target domain.
If a user logs on to the target domain by using their new target account and their local profile did not migrate successfully, then you must do the following:
On the computer of the user, delete the following registry subkey, where SID is the SID of the user account in the target domain:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\SID
Remigrate the local user profile for that computer.
Caution
- The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first and see the "Registry Reference" on the Windows Server 2003 Deployment Kit companion CD or on the Microsoft Web site.
To migrate local user profiles by using a script
- Prepare a script that incorporates ADMT commands and options for migrating local profiles by using the sample script shown in Listing 10.7. To verify that the local user profile migration was successful, use the verification process listed in steps 3 through 7 of the command-line procedure.
Listing 10.7 Migrating Local Profiles
<Job id=" MigratingLocalProfilesNTSource" >
<Script language=" VBScript" src=" AdmtConstants.vbs" />
<Script language=" VBScript" >
Option Explicit
Dim objMigration
Dim objSecurityTranslation
'
'Create instance of ADMT migration objects.
'
Set objMigration = CreateObject(" ADMT.Migration" )
Set objSecurityTranslation = objMigration.CreateSecurityTranslation
'
'Specify general migration options.
'
objMigration.SourceDomain = " source domain"
objMigration.TargetDomain = " target domain"
objMigration.TargetOu = " Computers"
'
'Specify security translation specific options.
'
objSecurityTranslation.TranslationOption = admtTranslateReplace
objSecurityTranslation.TranslateUserProfiles = True
'
'Perform security translation on specified computer objects.
'
objSecurityTranslation.Translate admtData, _
Array(" computer name1" ," computer name2" )
Set objSecurityTranslation = Nothing
Set objMigration = Nothing
</Script>
</Job>
For a sample script to assist you in migrating local profiles, see "Migrating Local Profiles — Windows NT 4.0 Source" (DSSRENT_9.wsf) on the Windows Server 2003 Deployment Kit companion CD (or see "Migrating Local Profiles — Windows NT 4.0 Source" on the Web at https://www.microsoft.com/reskit).