Workstation Profile Name Change on a Domain

Posted on Mon May 05, 2014 6:30 am

Interesting question as I've run across varying results from Google searches, none of which seem to be my same scenario.

Have an office that has a high turnover rate. As a result they are constantly wanting a new user added to their domain and consequently the profile on the computer as well. So when ex-ployee "J" is gone, new employee "K" wants to log in with their own name. Considering that these people are usually doing the exact same work I usually just copy everything in the profile over to a newly created profile. This isn't particularly difficult, but little meta-data stuff is lost every time depending on the program they were using. Ideally I could just rename the login and re-associate the renamed profile with a different domain user. Is this sort of thing possible? This is such a simply stupid "issue" to have and I suggested just having the profile be the name of the position as I've done at other offices but they insist on it being set up for their name :roll: .
Welch

Posted on Mon May 05, 2014 9:32 am

Hmm, not something I've ever considered but I'll be watching this thread as I've never bothered looking up how you'd change the default profile (which all new user profiles are created from).

Changing the default might also work for your new users.
Chrispy_

Posted on Mon May 05, 2014 10:27 am

Huh. I think there's a few reasons you don't want to copy profile stuff from profile to profile, but I need a little more coffee to get it. I've not encountered an application that requires the same GUID or anything like that. Our solution is to create one login based on the job position and change the display name. It's a nice gesture for a new employee to have their own login, but we've found that having the display name correct is good enough. Not to mention creating new user profiles isn't a huge pain, but still a pain. If the user really wants to log in with their own name, hand them a Kleenex and violin.
drsauced

Posted on Mon May 05, 2014 10:57 am

Profwiz is designed for just such a situation.

https://www.forensit.com/downloads.html

Its original intent was taking people from a workgroup profile to a domain profile. It can be used to "rename" user profiles on an existing domain account. It's been a while since I've used it, so I can't give you specific instructions on how to do it. I think it will get the job done.

But because I feel compelled to say it's always best to make a new account and have a fresh profile. There can be things like viruses that embed themselves into a profile and you would just be spreading the disease to each new user if it was never a clean install. We do not live in a perfect world though, so sometimes spitting on the end of two sticks to glue them together is the best we can get.
LaChupacabra

Posted on Mon May 05, 2014 1:57 pm

Short answer...if they want a unique username for the new user, your easiest option is to rename the domain account. Doing this will leave the account SID the same, which is what the profile is tied to, so when the new user logs on with the renamed account they will log in to the old profile. It can be a bit confusing though as the profile path will contain the name of the original account the profile was created with.

If they want them to all have the same information on turnover, is there a reason they're not using a generic account and just forcing a password change when the new person starts?

If it's just a matter of getting the configuration settings for each application, why not find out those settings and have them set through either a script or GPO? If it's an ini file of some sort, you could have a script that would copy that at the first logon. If it's registry settings, that can be done through a GPO (or even just in a script).

I'm with drsauced...I don't particularly care for copying profile stuff from one profile to another...even if it's the same user to a new computer. You ALWAYS run into issues at some point. And whatever you do, DON'T rename the profile. There's more to it than just that. There would be registry edits and NTFS permission fixes involved...more than it's worth.
curtisb

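To see the SID-to-profile binding described in the post above on a workstation, this added example (not part of the thread) lists each entry under the ProfileList registry key, resolves its SID to the current account name, and flags profile folders that still carry an earlier name, as happens after a domain account rename. The Status labels are this example's own, and resolving domain SIDs assumes a domain controller is reachable.

```powershell
# Added example: audit which SID owns each local profile folder.
# Run in an elevated PowerShell session on the workstation.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileSidMap {
    Get-ChildItem -Path $profileList |
        # Keep user SIDs only: skips S-1-5-18/19/20 and leftover "<SID>.bak" keys.
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sidText = $_.PSChildName
            # ProfileImagePath is the folder Windows loads for this SID at logon.
            $path    = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath).ProfileImagePath
            $folder  = Split-Path -Path $path -Leaf

            try {
                $sid     = New-Object System.Security.Principal.SecurityIdentifier($sidText)
                $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                # Account deleted, or the domain could not be contacted.
                $account = $null
            }

            if (-not $account) {
                $status = 'SID does not resolve'
            } else {
                # Account comes back as DOMAIN\user; compare only the user part.
                $user = ($account -split '\\')[-1]
                # Windows may append a suffix (user.DOMAIN, user.000) on name collisions.
                if ($folder -ieq $user -or $folder -like "$user.*") {
                    $status = 'Folder matches account'
                } else {
                    $status = 'Folder keeps an earlier account name'
                }
            }

            [pscustomobject]@{
                SID         = $sidText
                Account     = $account
                ProfilePath = $path
                Status      = $status
            }
        }
}

Get-ProfileSidMap | Format-Table -AutoSize
```

Entries reported as not resolving are worth reviewing during offboarding, since the profile data stays on disk after the account is gone.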

Posted on Mon May 05, 2014 2:33 pm

LaChupacabra wrote: Profwiz is designed for just such a situation.

https://www.forensit.com/downloads.html

Its original intent was taking people from a workgroup profile to a domain profile. It can be used to "rename" user profiles on an existing domain account. It's been a while since I've used it, so I can't give you specific instructions on how to do it. I think it will get the job done.

But because I feel compelled to say it's always best to make a new account and have a fresh profile. There can be things like viruses that embed themselves into a profile and you would just be spreading the disease to each new user if it was never a clean install. We do not live in a perfect world though, so sometimes spitting on the end of two sticks to glue them together is the best we can get.

I can second this. Have used it many times to migrate workgroup profiles to domain, but I believe it should do what you want.

Or even if it won't solve all your problems, it could still save you some time joining the new user to the domain.
homerdog

Posted on Tue May 06, 2014 5:43 am

So, based on the recommendation that a clean profile is better than a copied/renamed profile - is there a safe/easy way to edit the defaults for a clean profile?
Chrispy_

Posted on Tue May 06, 2014 6:58 am

GPO. I have to run a gpupdate /force after initial login but that's your best bet.
Scrotos

Posted on Tue May 06, 2014 9:13 am

I concur. Since you're in a domain setting, a script in a GPO that runs at logon or using Group Policy Preferences in a GPO is the best answer. There are several ways you can target the GPO. I would link it at the top-level of the domain with a WMI Filter that looks for the particular application in question (so long as the application appears in Win32_Product*):

Select * from Win32_Product where (Name like "partial application name%")

The reason I use part of the application name is that sometimes the developer will include the version number. Using % at the end instead of putting in the version number will prevent having to update the filter every time you upgrade the application.


* To see if the application appears in Win32_Product, you can use Scriptomatic2.
curtisb

Posted on Tue May 06, 2014 9:18 am

Chrispy_ wrote: So, based on the recommendation that a clean profile is better than a copied/renamed profile - is there a safe/easy way to edit the defaults for a clean profile?

Depends on what settings you're talking about. Is it things like a custom background? Then that's a group policy object. Default printers? Can be done with a GPO. Custom in-application settings? Might have to dump a file somewhere in %appdata%. Can you be more specific with what you're trying to accomplish?
LaChupacabra

Posted on Tue May 06, 2014 4:27 pm

I do loads of stuff in GPO already. I'm talking about stupid niggly stuff like enabling file-extensions by default, making all folders show detail view by default, having browsers (IE is the worst) in a used state so they don't ask you a fricking questionnaire every time you launch them on a new machine.
Chrispy_

Posted on Wed May 07, 2014 9:26 pm

Those are all registry settings, but unfortunately most of them don't have a GPO setting associated with them. If you can figure them out you can set them in a Preference in a GPO. Here are a couple of settings that can be set in a Preference:

Code:
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideDrivesWithNoMedia"=dword:00000001
"HideFileExt"=dword:00000000
"NavPaneExpandToCurrentFolder"=dword:00000001
"NavPaneShowAllFolders"=dword:00000001
"ShowSuperHidden"=dword:00000001
"Start_ShowControlPanel"=dword:00000002


The ones that really irk me are the "Show all folders" and "Automatically expand to current folder" not being selected by default.

Another option is to create a generic user, log on and configure all of the options that you want set. Then log out (this is important, the file will be locked if you're still logged in as that user), and copy the NTUSER.DAT in the root of that user profile over the NTUSER.DAT in the Default profile located at %SystemDrive%\Users\Default\ on Windows 7/8/8.1. The Default profile is what gets copied to all new logons for a given machine.

If you know the registry settings you want to set, you can load the registry for the Default profile by opening the Registry Editor, selecting one of the top level keys (I usually use HKEY_USERS), then click on File and choose Load Hive. Now you can browse to the NTUSER.DAT for the Default profile and select it. It'll ask you to name it...the name you use doesn't matter. Make all of your edits and then File > Unload Hive (make sure you have the name you chose selected when you do this step). If you don't unload the hive, a user logging onto that machine for the first time will get an error about not being able to create a profile because the Default profile NTUSER.DAT will be locked.

So now you have some options. I would opt for figuring out the HKCU settings you want and put them in a GPO. You only have to configure that in one location. Going the NTUSER.DAT route means you have to make sure that your edited one is on every workstation (and/or in your base image if you create one).
curtisb

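The Load Hive / edit / Unload Hive procedure from the post above, scripted as an added example (not code from the thread): it mounts the Default profile's NTUSER.DAT, writes the Explorer values listed in that post, and always unloads the hive so first logons are not blocked by a locked file. The mount name and backup location are assumptions made for this example.

```powershell
# Added example: edit the Default profile hive and guarantee it is unloaded.
# Run elevated. Mount name and backup path are hypothetical choices.
$hiveFile  = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
$mountName = 'DefaultProfileEdit'
$backup    = Join-Path $env:SystemRoot 'Temp\Default-NTUSER.DAT.bak'
$advanced  = "HKU\$mountName\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Values taken from the .reg listing in the post above.
$settings = [ordered]@{
    Hidden                       = 1
    HideDrivesWithNoMedia        = 1
    HideFileExt                  = 0
    NavPaneExpandToCurrentFolder = 1
    NavPaneShowAllFolders        = 1
    ShowSuperHidden              = 1
    Start_ShowControlPanel       = 2
}

# Keep a copy outside the Default profile so it is not cloned into new profiles.
Copy-Item -LiteralPath $hiveFile -Destination $backup -Force

# reg.exe is used instead of the PowerShell registry provider, which can keep
# handles open on the mounted hive and make the unload fail.
& reg.exe load "HKU\$mountName" $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw 'reg load failed: the session is not elevated or the hive is in use.'
}

try {
    foreach ($name in $settings.Keys) {
        $value = $settings[$name]
        & reg.exe add $advanced /v $name /t REG_DWORD /d $value /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not set $name" }
    }
}
finally {
    # Runs even if an edit failed; a hive left loaded locks NTUSER.DAT and
    # breaks profile creation for the next first-time logon.
    & reg.exe unload "HKU\$mountName" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Hive HKU\$mountName is still loaded. Close Registry Editor and unload it manually."
    }
}
```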

Posted on Wed May 07, 2014 10:06 pm

I'll be giving some of these options a shot soon as I've got a profile that needs to be taken care of shortly. I'll report back on my findings.

By the way when I'm copying over from one profile to another I simply copy data, no settings. Their emails are hosted online via Citrix based apps. I manually change things to match certain settings needed such as Printers (still have issues with an XP and 7 mixed environment) so it's done manually. It's not difficult, just adds time to the process that is unnecessary.
Welch

Posted on Thu May 08, 2014 12:57 am

You can map all of your printers via GPO as well by either using the Printer Deployment feature or Group Policy Preferences. On the XP machines you'll just need to install the Group Policy Preferences client-side extension. The client-side extension is included starting with Windows 7.

I'll be honest and tell you that I don't actually do my printer and drive maps that way, though. I still use an old school KiXtart logon script to map printers and network drives based on group membership(s). My script does several other things as well, though. For instance, we use Forefront Endpoint Protection with SCCM 2007 R3 (moving to System Center Endpoint Protection on SCCM 2012 R2). The logon script does a check for definition age and forces an update if it's over 5 days. It also does a check to see when the last scan was and forces a scan if that's been over 7 days. I have logic included to see if the OS install date is recent so it doesn't kick off those forced options on a freshly installed OS. Just some examples of what it does...the script in its current form is just over 2500 lines.
curtisb

Posted on Sat May 10, 2014 2:17 am

curtisb wrote: You can map all of your printers via GPO as well by either using the Printer Deployment feature or Group Policy Preferences. On the XP machines you'll just need to install the Group Policy Preferences client-side extension. The client-side extension is included starting with Windows 7.

I'll be honest and tell you that I don't actually do my printer and drive maps that way, though. I still use an old school KiXtart logon script to map printers and network drives based on group membership(s). My script does several other things as well, though. For instance, we use Forefront Endpoint Protection with SCCM 2007 R3 (moving to System Center Endpoint Protection on SCCM 2012 R2). The logon script does a check for definition age and forces an update if it's over 5 days. It also does a check to see when the last scan was and forces a scan if that's been over 7 days. I have logic included to see if the OS install date is recent so it doesn't kick off those forced options on a freshly installed OS. Just some examples of what it does...the script in its current form is just over 2500 lines.


I too also map drives via a logon batch script. However the printers with a bat script, I could never get to work properly. If you know of a working batch script for printers similar to the mapped drives, I'd appreciate that as well :).

I have not yet had a chance to migrate that profile over to a new one. I was waiting a few days to confirm that no issues with the machine cropped back up. The user was complaining about it randomly restarting, yet looking at the logs for the workstation show it as though they asked the machine to turn off. I ran just about every test known to man, cleaned a bunch of stuff up and it still was being "Shut Down". After I mentioned that it would be impossible for the machine to just shut down automatically without notification (even windows updates) the machine has magically been flawless and no shut downs. Nothing in the logs about a piece of software asking the machine to shut down either. It leads me to believe the person was accidentally doing something to make the machine shut down without knowing about it (no keyboard hot keys either). Odd stuff. Should be able to try changing around the profile this week to see if I can successfully change ownership of a profile with the tools listed above.
Welch

Posted on Wed May 14, 2014 1:23 pm

I do all of my drive and printer maps in the KiXtart script. My initial script is a .cmd file, but it calls the KiXtart script. You can put the KIX32.EXE executable on your NETLOGON share, or copy it to each workstation. I created an installer to install it on each of our workstations and pushed that with SCCM, but I also have it on the NETLOGON share just in case. This is my logon.cmd:

Code:
@ECHO OFF
IF EXIST %SystemRoot%\KIX32.EXE GOTO local
GOTO netlogon

:local
ECHO Running from local drive...
REM %SystemRoot%\KIX32.EXE /f
%SystemRoot%\KIX32.EXE %0\..\logon.kix
GOTO done

:netlogon
ECHO Running from NETLOGON
REM %0\..\KIX32.EXE /f
%0\..\KIX32.EXE %0\..\logon.kix

:done



The Bad Thing™ about using a .bat file is that your drive maps are now persistent, unless you specified /PERSISTENT:NO on the NET USE command line. You can, however, have KiXtart remove those if you want.

Here is an example code snippet of mapping a drive with KiXtart based on membership of a domain group called "GroupName":

Code:
If InGroup("GroupName")
   Use X: "\\SERVER\Share"
EndIf


We have a departmental share where users are mapped directly to their departmental folder on the primary share (access to the subfolders is controlled through NTFS permissions). Instead of having a bunch of If InGroup statements you could use Select Case statements. This is a bit faster because it stops evaluating everything after the first true Case:

Code:
Select
   Case InGroup("GroupName_Sub1")
      Use X: "\\SERVER\Share\SubFolder1"
   Case InGroup("GroupName_Sub2")
      Use X: "\\SERVER\Share\SubFolder2"
EndSelect


For printer mapping, it supports a full set of commands for adding, deleting, and setting a default printer. You can add multiple printers without making any of them a default, though. We don't have any direct attached printers so we map everything from the logon script and set the default printer.

Code:
If InGroup("PrinterGroup1")
   AddPrinterConnection("\\SERVER\PrinterShare1")
   Sleep 0.50
   SetDefaultPrinter("\\SERVER\PrinterShare1")
EndIf

If InGroup("PrinterGroup2")
   AddPrinterConnection("\\SERVER\PrinterShare2")
EndIf


Now there's no error checking in any of that code. It could be added and display a message on whether the drive or printer map is successful or not. There's tons more that can be done...read/set/delete registry values, read WMI, read/write text files, shell to executables to run other commands not native to KiXtart, etc. If you REALLY want to get fancy you can even read from or write to a SQL database! Just keep in mind that by default the script runs in the user context of the person logging on so you're limited to what access levels they have.
curtisb