Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Workstation Profile Name Change on a Domain

Mon May 05, 2014 6:30 am

Interesting question as I've run across varying results from Google searches, none of which seem to be my same scenario.

Have an office that has a high turnover rate. As a result they are constantly wanting a new user added to their domain and consequently the profile on the computer as well. So when ex-ployee "J" is gone, new employee "K" wants to log in with their own name. Considering that these people are usually doing the exact same work I usually just copy everything in the profile over to a newly created profile. This isn't particularly difficult, but little meta-data stuff is lost every time depending on the program they were using. Ideally I could just rename the login and re-associate the re-named profile with a different domain user. Is this sort of thing possible? This is such a simply stupid "issue" to have and I suggested just having the profile be the name of the position as I've done at other offices but they insist on it being set up for their name :roll: .
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
Chrispy_
Maximum Gerbil
Posts: 4670
Joined: Fri Apr 09, 2004 3:49 pm
Location: Europe, most frequently London.

Re: Workstation Profile Name Change on a Domain

Mon May 05, 2014 9:32 am

Hmm, not something I've ever considered but I'll be watching this thread as I've never bothered looking up how you'd change the default profile (which all new user profiles are created from).

Changing the default might also work for your new users.
Congratulations, you've noticed that this year's signature is based on outdated internet memes; CLICK HERE NOW to experience this unforgettable phenomenon. This sentence is just filler and as irrelevant as my signature.
 
drsauced
Gerbil Jedi
Posts: 1543
Joined: Mon Apr 21, 2003 1:38 pm
Location: Here!

Re: Workstation Profile Name Change on a Domain

Mon May 05, 2014 10:27 am

Huh. I think there are a few reasons you don't want to copy profile stuff from profile to profile, but I need a little more coffee to get it. I've not encountered an application that requires the same GUID or anything like that. Our solution is to create one login based on the job position and change the display name. It's a nice gesture for a new employee to have their own login, but we've found that having the display name correct is good enough. Not to mention creating new user profiles isn't a huge pain, but still a pain. If the user really wants to log in with their own name, hand them a Kleenex and violin.
Calm seas never made a skilled mariner. But, sadly I'm an A's fan.
 
LaChupacabra
Gerbil First Class
Posts: 145
Joined: Tue Dec 30, 2008 10:59 pm

Re: Workstation Profile Name Change on a Domain

Mon May 05, 2014 10:57 am

Profwiz is designed for just such a situation.

https://www.forensit.com/downloads.html

Its original intent was taking people from a workgroup profile to a domain profile. It can be used to "rename" user profiles on an existing domain account. It's been a while since I've used it, so I can't give you specific instructions on how to do it. I think it will get the job done.

But because I feel compelled to say it: it's always best to make a new account and have a fresh profile. There can be things like viruses that embed themselves into a profile and you would just be spreading the disease to each new user if it was never a clean install. We do not live in a perfect world though, so sometimes spitting on the end of two sticks to glue them together is the best we can get.
 
curtisb
Gerbil XP
Posts: 452
Joined: Tue Mar 30, 2010 11:27 pm
Location: Oklahoma

Re: Workstation Profile Name Change on a Domain

Mon May 05, 2014 1:57 pm

Short answer...if they want a unique username for the new user, your easiest option is to rename the domain account. Doing this will leave the account SID the same, which is what the profile is tied to, so when the new user logs on with the renamed account they will log in to the old profile. It can be a bit confusing though as the profile path will contain the name of the original account the profile was created with.

If they want them to all have the same information on turnover, is there a reason they're not using a generic account and just forcing a password change when the new person starts?

If it's just a matter of getting the configuration settings for each application, why not find out those settings and have them set through either a script or GPO? If it's an ini file of some sort, you could have a script that would copy that at the first logon. If it's registry settings, that can be done through a GPO (or even just in a script).

I'm with drsauced...I don't particularly care for copying profile stuff from one profile to another...even if it's the same user to a new computer. You ALWAYS run into issues at some point. And whatever you do, DON'T rename the profile. There's more to it than just that. There would be registry edits and NTFS permission fixes involved...more than it's worth.
ASUS MAXIMUS VIII HERO | Intel Core i7-6700 | Zotac GTX 1080 8GB Mini | 2 x Corsair LPX 8GB | WD SN750 Black 500GB | 2 x Crucial MX200 500GB | 2 x WD RED Pro 4TB | Phanteks Eclipse | Seasonic X-850 | 2 x Samsung U28E590
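
Added example, not from any poster in this thread: curtisb's point that a profile is tied to the account SID rather than the username can be checked on a workstation by reading the ProfileList key and resolving each SID to its current account name. The function name Get-ProfileSidReport is hypothetical, and resolving domain SIDs assumes a reachable domain controller.

```powershell
# Added example: show which account each local profile belongs to *today*.
# After a domain account rename the SID is unchanged, so the profile folder
# keeps the old name while the SID resolves to the new one.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Get-ProfileSidReport {   # hypothetical helper name
    Get-ChildItem -Path $profileList |
        Where-Object { $_.PSChildName -like 'S-1-5-21-*' } |   # skip system/service SIDs
        ForEach-Object {
            $sid  = $_.PSChildName
            $path = (Get-ItemProperty -Path $_.PSPath -Name ProfileImagePath).ProfileImagePath

            # Resolve the SID to its current name. This fails for deleted
            # accounts, leftover "<SID>.bak" keys, or an unreachable domain.
            $account = $null
            try {
                $sidObject = New-Object System.Security.Principal.SecurityIdentifier($sid)
                $account   = $sidObject.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $null
            }

            $folder = Split-Path -Path $path -Leaf
            $user   = if ($account) { ($account -split '\\')[-1] } else { $null }

            $status = if (-not $account) {
                'SID does not resolve (deleted account or stale key)'
            } elseif ($folder -eq $user -or $folder -like "$user.*") {
                'OK'    # "user" or "user.DOMAIN" style folder
            } else {
                'Folder name differs from account name (renamed account?)'
            }

            [pscustomobject]@{
                SID         = $sid
                Account     = if ($account) { $account } else { '<unresolved>' }
                ProfilePath = $path
                Status      = $status
            }
        }
}

Get-ProfileSidReport | Format-Table -AutoSize -Wrap
```

Rows that do not resolve are profiles left behind by removed accounts; rows with a differing folder name are what a renamed account looks like on disk.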
 
homerdog
Gerbil First Class
Posts: 193
Joined: Wed Jul 09, 2008 9:34 am
Contact:

Re: Workstation Profile Name Change on a Domain

Mon May 05, 2014 2:33 pm

LaChupacabra wrote:
Profwiz is designed for just such a situation.

https://www.forensit.com/downloads.html

Its original intent was taking people from a workgroup profile to a domain profile. It can be used to "rename" user profiles on an existing domain account. It's been a while since I've used it, so I can't give you specific instructions on how to do it. I think it will get the job done.

But because I feel compelled to say it: it's always best to make a new account and have a fresh profile. There can be things like viruses that embed themselves into a profile and you would just be spreading the disease to each new user if it was never a clean install. We do not live in a perfect world though, so sometimes spitting on the end of two sticks to glue them together is the best we can get.

I can second this. Have used it many times to migrate workgroup profiles to domain, but I believe it should do what you want.

Or even if it won't solve all your problems, it could still save you some time joining the new user to the domain.
Antec 300Two + i7-3770K + Gigabyte Z77-D3H + 16GB 1866MHz + GTX970 + SeaSonic S12II 520W + 180GB Intel 330 + 240GB Intel 530
CM Elite 120 + i5-3550 + Gigabyte H77N-WIFI + 16GB 1600MHz + HD7950 + SilverStone ST45SF 450W + 250GB Crucial MX100
 
Chrispy_
Maximum Gerbil
Posts: 4670
Joined: Fri Apr 09, 2004 3:49 pm
Location: Europe, most frequently London.

Re: Workstation Profile Name Change on a Domain

Tue May 06, 2014 5:43 am

So, based on the recommendation that a clean profile is better than a copied/renamed profile - is there a safe/easy way to edit the defaults for a clean profile?
Congratulations, you've noticed that this year's signature is based on outdated internet memes; CLICK HERE NOW to experience this unforgettable phenomenon. This sentence is just filler and as irrelevant as my signature.
 
Scrotos
Graphmaster Gerbil
Posts: 1109
Joined: Tue Oct 02, 2007 12:57 pm
Location: Denver, CO.

Re: Workstation Profile Name Change on a Domain

Tue May 06, 2014 6:58 am

GPO. I have to run a gpupdate /force after initial login but that's your best bet.
 
curtisb
Gerbil XP
Posts: 452
Joined: Tue Mar 30, 2010 11:27 pm
Location: Oklahoma

Re: Workstation Profile Name Change on a Domain

Tue May 06, 2014 9:13 am

I concur. Since you're in a domain setting, a script in a GPO that runs at logon or using Group Policy Preferences in a GPO is the best answer. There are several ways you can target the GPO. I would link it at the top-level of the domain with a WMI Filter that looks for the particular application in question (so long as the application appears in Win32_Product*):

Select * from Win32_Product where (Name like "partial application name%")

The reason I use part of the application name is that sometimes the developer will include the version number. Using % at the end instead of putting in the version number will prevent you from having to update the filter every time you upgrade the application.


* To see if the application appears in Win32_Product, you can use Scriptomatic2.
ASUS MAXIMUS VIII HERO | Intel Core i7-6700 | Zotac GTX 1080 8GB Mini | 2 x Corsair LPX 8GB | WD SN750 Black 500GB | 2 x Crucial MX200 500GB | 2 x WD RED Pro 4TB | Phanteks Eclipse | Seasonic X-850 | 2 x Samsung U28E590
 
LaChupacabra
Gerbil First Class
Posts: 145
Joined: Tue Dec 30, 2008 10:59 pm

Re: Workstation Profile Name Change on a Domain

Tue May 06, 2014 9:18 am

Chrispy_ wrote:
So, based on the recommendation that a clean profile is better than a copied/renamed profile - is there a safe/easy way to edit the defaults for a clean profile?


Depends on what settings you're talking about. Is it things like a custom background? Then that's a group policy object. Default printers? Can be done with a GPO. Custom in-application settings? Might have to dump a file somewhere in %appdata%. Can you be more specific with what you're trying to accomplish?
 
Chrispy_
Maximum Gerbil
Posts: 4670
Joined: Fri Apr 09, 2004 3:49 pm
Location: Europe, most frequently London.

Re: Workstation Profile Name Change on a Domain

Tue May 06, 2014 4:27 pm

I do loads of stuff in GPO already. I'm talking about stupid niggly stuff like enabling file-extensions by default, making all folders show detail view by default, having browsers (IE is the worst) in a used state so they don't ask you a fricking questionnaire every time you launch them on a new machine.
Congratulations, you've noticed that this year's signature is based on outdated internet memes; CLICK HERE NOW to experience this unforgettable phenomenon. This sentence is just filler and as irrelevant as my signature.
 
curtisb
Gerbil XP
Posts: 452
Joined: Tue Mar 30, 2010 11:27 pm
Location: Oklahoma

Re: Workstation Profile Name Change on a Domain

Wed May 07, 2014 9:26 pm

Those are all registry settings, but unfortunately most of them don't have a GPO setting associated with them. If you can figure them out you can set them in a Preference in a GPO. Here are a couple of settings that can be set in a Preference:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"HideDrivesWithNoMedia"=dword:00000001
"HideFileExt"=dword:00000000
"NavPaneExpandToCurrentFolder"=dword:00000001
"NavPaneShowAllFolders"=dword:00000001
"ShowSuperHidden"=dword:00000001
"Start_ShowControlPanel"=dword:00000002


The ones that really irk me are the "Show all folders" and "Automatically expand to current folder" not being selected by default.

Another option is to create a generic user, log on and configure all of the options that you want set. Then log out (this is important, the file will be locked if you're still logged in as that user), and copy the NTUSER.DAT in the root of that user profile over the NTUSER.DAT in the Default profile located at %SystemDrive%\Users\Default\ on Windows 7/8/8.1. The Default profile is what gets copied to all new logons for a given machine.

If you know the registry settings you want to set, you can load the registry for the Default profile by opening the Registry Editor, selecting one of the top level keys (I usually use HKEY_USERS), then click on File and choose Load Hive. Now you can browse to the NTUSER.DAT for the Default profile and select it. It'll ask you to name it...the name you use doesn't matter. Make all of your edits and then File > Unload Hive (make sure you have the name you chose selected when you do this step). If you don't unload the hive, a user logging onto that machine for the first time will get an error about not being able to create a profile because the Default profile NTUSER.DAT will be locked.

So now you have some options. I would opt for figuring out the HKCU settings you want and put them in a GPO. You only have to configure that in one location. Going the NTUSER.DAT route means you have to make sure that your edited one is on every workstation (and/or in your base image if you create one).
ASUS MAXIMUS VIII HERO | Intel Core i7-6700 | Zotac GTX 1080 8GB Mini | 2 x Corsair LPX 8GB | WD SN750 Black 500GB | 2 x Crucial MX200 500GB | 2 x WD RED Pro 4TB | Phanteks Eclipse | Seasonic X-850 | 2 x Samsung U28E590
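
Added example, not curtisb's own script: the Load Hive procedure from the post above, scripted so the Default profile's NTUSER.DAT is always unloaded even when an edit fails, which avoids the locked-hive profile error the post warns about. The mount name DefaultUserTemplate and the .bak backup copy are assumptions; the values written are the ones listed in the post, and the session must be elevated.

```powershell
# Added example: edit the Default profile hive and always unload it afterwards.
# Assumptions: elevated session; 'DefaultUserTemplate' is an arbitrary mount name.
$hiveFile  = Join-Path $env:SystemDrive 'Users\Default\NTUSER.DAT'
$mountName = 'DefaultUserTemplate'
$mountKey  = "HKU\$mountName"
$subKey    = "$mountKey\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# DWORD values taken from the registry export in the post above.
$settings = [ordered]@{
    Hidden                       = 1
    HideDrivesWithNoMedia        = 1
    HideFileExt                  = 0
    NavPaneExpandToCurrentFolder = 1
    NavPaneShowAllFolders        = 1
    ShowSuperHidden              = 1
    Start_ShowControlPanel       = 2
}

# Loading a hive requires administrative rights.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated PowerShell session.'
}

# Do not mount over an existing key of the same name.
if (Test-Path "Registry::HKEY_USERS\$mountName") {
    throw "HKEY_USERS\$mountName already exists; unload it or pick another name."
}

# Keep a copy so a bad edit can be rolled back (NTUSER.DAT is hidden, hence -Force).
Copy-Item -LiteralPath $hiveFile -Destination "$hiveFile.bak" -Force

& reg.exe load $mountKey $hiveFile | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed (exit code $LASTEXITCODE); is the hive already in use?"
}

try {
    foreach ($entry in $settings.GetEnumerator()) {
        & reg.exe add $subKey /v $entry.Key /t REG_DWORD /d $entry.Value /f | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Failed to set $($entry.Key)" }
    }
}
finally {
    # Runs on success and on failure: a hive left loaded keeps NTUSER.DAT
    # locked, and first-time logons on this machine cannot create a profile.
    & reg.exe unload $mountKey | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Hive is still loaded at $mountKey. Close any tool browsing it, then run: reg unload $mountKey"
    }
}
```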
 
Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Re: Workstation Profile Name Change on a Domain

Wed May 07, 2014 10:06 pm

I'll be giving some of these options a shot soon as I've got a profile that needs to be taken care of shortly. I'll report back on my findings.

By the way when I'm copying over from one profile to another I simply copy data, no settings. Their emails are hosted online via Citrix based apps. I manually change things to match certain settings needed such as Printers (still have issues with an XP and 7 mixed environment) so it's done manually. It's not difficult, just adds time to the process that is unnecessary.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
curtisb
Gerbil XP
Posts: 452
Joined: Tue Mar 30, 2010 11:27 pm
Location: Oklahoma

Re: Workstation Profile Name Change on a Domain

Thu May 08, 2014 12:57 am

You can map all of your printers via GPO as well by either using the Printer Deployment feature or Group Policy Preferences. On the XP machines you'll just need to install the Group Policy Preferences client-side extension. The client-side extension is included starting with Windows 7.

I'll be honest and tell you that I don't actually do my printer and drive maps that way, though. I still use an old school KiXtart logon script to map printers and network drives based on group membership(s). My script does several other things as well, though. For instance, we use Forefront Endpoint Protection with SCCM 2007 R3 (moving to System Center Endpoint Protection on SCCM 2012 R2). The logon script does a check for definition age and forces an update if it's over 5 days. It also does a check to see when the last scan was and forces a scan if that's been over 7 days. I have logic included to see if the OS install date is recent so it doesn't kick off those forced options on a freshly installed OS. Just some examples of what it does...the script in its current form is just over 2500 lines.
ASUS MAXIMUS VIII HERO | Intel Core i7-6700 | Zotac GTX 1080 8GB Mini | 2 x Corsair LPX 8GB | WD SN750 Black 500GB | 2 x Crucial MX200 500GB | 2 x WD RED Pro 4TB | Phanteks Eclipse | Seasonic X-850 | 2 x Samsung U28E590
 
Welch
Grand Gerbil Poohbah
Topic Author
Posts: 3582
Joined: Thu Nov 04, 2004 5:45 pm
Location: Alaska
Contact:

Re: Workstation Profile Name Change on a Domain

Sat May 10, 2014 2:17 am

curtisb wrote:
You can map all of your printers via GPO as well by either using the Printer Deployment feature or Group Policy Preferences. On the XP machines you'll just need to install the Group Policy Preferences client-side extension. The client-side extension is included starting with Windows 7.

I'll be honest and tell you that I don't actually do my printer and drive maps that way, though. I still use an old school KiXtart logon script to map printers and network drives based on group membership(s). My script does several other things as well, though. For instance, we use Forefront Endpoint Protection with SCCM 2007 R3 (moving to System Center Endpoint Protection on SCCM 2012 R2). The logon script does a check for definition age and forces an update if it's over 5 days. It also does a check to see when the last scan was and forces a scan if that's been over 7 days. I have logic included to see if the OS install date is recent so it doesn't kick off those forced options on a freshly installed OS. Just some examples of what it does...the script in its current form is just over 2500 lines.


I too also map drives via a logon batch script. However the printers with a bat script, I could never get to work properly. If you know of a working batch script for printers similar to the mapped drives, I'd appreciate that as well :).

I have not yet had a chance to migrate that profile over to a new one. I was waiting a few days to confirm that no issues with the machine cropped back up. The user was complaining about it randomly restarting, yet looking at the logs for the workstation shows it as though they asked the machine to turn off. I ran just about every test known to man, cleaned a bunch of stuff up and it still was being "Shut Down". After I mentioned that it would be impossible for the machine to just shut down automatically without notification (even Windows updates) the machine has magically been flawless and no shut downs. Nothing in the logs about a piece of software asking the machine to shut down either. It leads me to believe the person was accidentally doing something to make the machine shut down without knowing about it (no keyboard hot keys either). Odd stuff. Should be able to try changing around the profile this week to see if I can successfully change ownership of a profile with the tools listed above.
"I think there is a world market for maybe five computers."
Thomas Watson, chairman of IBM, 1943

1600x | Strix B350-F | CM 240 Lite | 16GB 3200 | RX 580 8GB | 970 EVO | Corsair 400R | Seasonic X 850 | Corsair M95 / K90 | Sennheiser PC37x
 
curtisb
Gerbil XP
Posts: 452
Joined: Tue Mar 30, 2010 11:27 pm
Location: Oklahoma

Re: Workstation Profile Name Change on a Domain

Wed May 14, 2014 1:23 pm

I do all of my drive and printer maps in the KiXtart script. My initial script is a .cmd file, but it calls the KiXtart script. You can put the KIX32.EXE executable on your NETLOGON share, or copy it to each workstation. I created an installer to install it on each of our workstations and pushed that with SCCM, but I also have it on the NETLOGON share just in case. This is my logon.cmd:

@ECHO OFF
IF EXIST %SystemRoot%\KIX32.EXE GOTO local
GOTO netlogon

:local
ECHO Running from local drive...
REM %SystemRoot%\KIX32.EXE /f
%SystemRoot%\KIX32.EXE %0\..\logon.kix
GOTO done

:netlogon
ECHO Running from NETLOGON
REM %0\..\KIX32.EXE /f
%0\..\KIX32.EXE %0\..\logon.kix

:done



The Bad Thing™ about using a .bat file is that your drive maps are now persistent, unless you specified /PERSISTENT:NO on the NET USE command line. You can, however, have KiXtart remove those if you want.

Here is an example code snippet of mapping a drive with KiXtart based on membership of a domain group called "GroupName":

If InGroup("GroupName")
   Use X: "\\SERVER\Share"
EndIf


We have a departmental share where users are mapped directly to their departmental folder on the primary share (access to the subfolders is controlled through NTFS permissions). Instead of having a bunch of If InGroup statements you could use Select Case statements. This is a bit faster because it stops evaluating everything after the first true Case:

Select
   Case InGroup("GroupName_Sub1")
      Use X: "\\SERVER\Share\SubFolder1"
   Case InGroup("GroupName_Sub2")
      Use X: "\\SERVER\Share\SubFolder2"
EndSelect


For printer mapping, it supports a full set of commands for adding, deleting, and setting a default printer. You can add multiple printers without making any of them a default, though. We don't have any direct attached printers so we map everything from the logon script and set the default printer.

If InGroup("PrinterGroup1")
   AddPrinterConnection("\\SERVER\PrinterShare1")
   Sleep 0.50
   SetDefaultPrinter("\\SERVER\PrinterShare1")
EndIf

If InGroup("PrinterGroup2")
   AddPrinterConnection("\\SERVER\PrinterShare2")
EndIf


Now there's no error checking in any of that code. It could be added and display a message on whether the drive or printer map is successful or not. There's tons more that can be done...read/set/delete registry values, read WMI, read/write text files, shell to executables to run other commands not native to KiXtart, etc. If you REALLY want to get fancy you can even read from or write to a SQL database! Just keep in mind that by default the script runs in the user context of the person logging on so you're limited to what access levels they have.
ASUS MAXIMUS VIII HERO | Intel Core i7-6700 | Zotac GTX 1080 8GB Mini | 2 x Corsair LPX 8GB | WD SN750 Black 500GB | 2 x Crucial MX200 500GB | 2 x WD RED Pro 4TB | Phanteks Eclipse | Seasonic X-850 | 2 x Samsung U28E590
