ForensiT Homepage
Forum Home Forum Home > ForensiT Support > Move Computer
  Active Topics Active Topics
  FAQ FAQ  Forum Search   Calendar   Register Register  Login Login

Move "dead" profile: Ownership and access rights

 Post Reply Post Reply
Author
Message
  Topic Search Topic Search  Topic Options Topic Options
ZipwiZ View Drop Down
Newbie
Newbie


Joined: 26 May 2008
Location: Germany
Online Status: Offline
Posts: 4
  Quote ZipwiZ Quote  Post ReplyReply Direct Link To This Post Topic: Move "dead" profile: Ownership and access rights
    Posted: 26 May 2008 at 4:15am
Hi,
 
I want to continue to use a profile located on the HD of my old (defunct) laptop by moving the data and settings to a new machine and "make them seen by the OS as if they were originally there". My new laptop is technically different, but I set up XP Home on both (old: SP2, new: SP3) and all applications I want to continue to use are installed now properly, using the same version and HD location where possible.  There is just one admin profile, no "user" profiles on the machine set up now. So I should be prepared.
 
As I read, for this situation you recommend Profile Wizard: Copy the complete profile folder to the new machine into the right location (!), start ProfWiz, select the copied profile folder from the "unassigned accounts" list part and assign a local account -- and then go on.
 
Before I will start I have 4 questions:
 
(1) Language of OS: Both machines are bought and set up in Germany, so the actual profiles folder is "C:\Dokumente und Einstellungen" instead of "C:\Documents and Settings", but Windows has a generic handle for this. Which will ProfWiz expect and use? The generic one I hope?
 
(2) File transfer: Should the profile folder copy process be done "via FAT32" to drop ownership and access right information before, or is it even better to directly copy the profile folder using Explorer from the source NTFS volume?
 
(3) Ownership of files: The files inside the "dead" profile folder are currently owned by the old account. Will the ownership of all contained files automatically be changed to the new assigned account by ProfWiz?
 
(4) Access rights: As another news article and a FAQ in the manual says, the access right scheme of files & folders is generally not changed. Thus generic access rights (like "SYSTEM" or "Administrators group" or "Owner") will probably still work, but access rights explicitly granted to selected users or groups on the old system will be kept as they are and thus be useless. Is there something else to know about access rights?
--Z
Back to Top
ZipwiZ View Drop Down
Newbie
Newbie


Joined: 26 May 2008
Location: Germany
Online Status: Offline
Posts: 4
  Quote ZipwiZ Quote  Post ReplyReply Direct Link To This Post Posted: 26 May 2008 at 8:28am
OK, I was tooooo curious and just checked it out.
 
First: Yes, it works. :-) My Settings are saved, at least as far as I have checked them out so far: Outlook2000 POP3 state & opened folders, SonyEricsson PC Suit Sync state with Outlook, files of course. Picasa still stands out (the folders, collections, items worked on etc.)
 
 
but... there are some special things.
 
 
Security:
 
After copying the profile folder using Explorer from the NTFS source drive (was an XP Home system volume) to my new machine, all copied files are owned by the user executing the copying Explorer process, but the ("unknown") former owner was still present in the ACL.
 
After assigning the profile (of 3GB and thousands of files) was complete, the executing account owns all files of the profile (still), the assigned account has "full access",
BUT "Everyone" ("Jeder" in German) HAS READ/EXECUTE ACCESS TO ALL FILES!
 
-> 2 things to do: Transfer ownership for the files *inside the profile folder* to the assigned account & do not (may be by option) grant read/execute access to Everyone.
 
Currently I am still using the newly assigned profile as "Administrator" user, not as "Restricted" (which is the only choice on XP Home). So I do not know if this will change anything. But I will switch down the account to "Restricted" soon again.
 
I will also try to "gain ownership on all files in the profile" which should be possible with "full access", and then remove "read"execute access to Everyone" since that is not that private.
 
 
Files and applications:
 
I am mainly concerned about user/pw settings and caches, like "which mails are already fetched via POP3" and so on. Cache state looks good, as I said before, but user/pw state is somewhat weird:
 
For Outlook2000, the first start presented the E-Mail Configuration dialogue, and I was quite shocked, but OL2K recognized the present settings again and everything was fine. But the e-mail account setup was weird: The profiles and accounts were present, but I was asked for the passwords again. A look into the config dialog boxes told me that everything was fine, but OL2K did not use the PW really, although the login was present and a password was shown as ***** with "keep password" option set.
 
For Skype I maybe have installed a newer version then was installed on the old laptop. The username was remebered, but not the PW, and thus I had to change it, because I did not find the old one anywhere.
 
That all seems as if PW data is not really reusable when it was encrypted by the application before. It would be interesting to hear about other user experiences on this topic.
 
 
Last: Desktop setup:
 
That is not really important, but besides task bar config and wallpaper config it does not work properly anyway: The Icons are just messed up.
 
 
*****
 
BUT FINALLY that all seems NOTHING to me compared with rebuilding all settings manually, deleting >4000 double mails from my client again, cleaning up double calendar entries on my telephone etc. etc.
 
THUS:
 
Yes, good work!!
 
Just go ahead and improve the security settings, as far as possible. And add something about this to the documentation, since it may be of real concern.
--Z
Back to Top
ZipwiZ View Drop Down
Newbie
Newbie


Joined: 26 May 2008
Location: Germany
Online Status: Offline
Posts: 4
  Quote ZipwiZ Quote  Post ReplyReply Direct Link To This Post Posted: 26 May 2008 at 8:29am
Huh, before I forget: ProfWiz looks into the "generic" profiles folder, thus for me it was OK to use "C:\Dokumente und Einstellungen". :-)
--Z
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Online Status: Offline
Posts: 1296
  Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 27 May 2008 at 5:57am

Hi,

Thank you very much for your feedback. It is much appreciated.

We are aware of the issue with permissions on the profile folder. (I think it is has been mentioned elsewhere on this forum.) This is something that we will address in the next release.
 
The issue with Outlook (and other) passwords and encrypted files comes back to the way Windows stores the passwords. The passwords are encrypted using the user's credentials. The only way we could get around this would be to prompt for the credentials during backup, encrypt the passwords using some method of our own, and then decrypt them again during the restore of the profile. Not impossible, but definitely clunky...
 
 
Back to Top
ZipwiZ View Drop Down
Newbie
Newbie


Joined: 26 May 2008
Location: Germany
Online Status: Offline
Posts: 4
  Quote ZipwiZ Quote  Post ReplyReply Direct Link To This Post Posted: 27 May 2008 at 7:16am
I just should add 2 things:
 
(1) The desktop arrangement was better then complained about babove: The icons known to the old profile folder where arranged nearly as they were before, the other ones just have changed on the new machine.
 
(2) Usually as an Administrator you can see the "My Documents" folder of every user, not just your own and the "All Users" one. This is not true for the "My Documents" folder of the assigned profile folder. Vice versa it seems to be similar: Currently the new account using the migrated profile folder is member of "Administrators" group, but the "My Documents" folder of the "real" admin account does not show up in "My Computer" ("Arbeitsplatz"). May be this is an explicit registry setting which is usually set up automatically.
 
Hint: My process was to create an account (but do not log in!), copy the profile folder and then assign it to be used by the new & clean account. This way Windows could not know in advance the "My Documents" folder of the new account since there was none before assigning the profile folder to the account.
--Z
Back to Top
 Post Reply Post Reply

Forum Jump Forum Permissions View Drop Down



This page was generated in 0.031 seconds.