ForensiT Homepage
Forum Home Forum Home > ForensiT Support > Domain Migration
  New Posts New Posts RSS Feed - Multiple Issues Profwiz Corporate
  FAQ FAQ  Forum Search   Events   Register Register  Login Login

Multiple Issues Profwiz Corporate

 Post Reply Post Reply Page  12>
Author
Message
yarno View Drop Down
Newbie
Newbie


Joined: 08 Jul 2013
Status: Offline
Points: 8
Post Options Post Options   Thanks (0) Thanks(0)   Quote yarno Quote  Post ReplyReply Direct Link To This Post Topic: Multiple Issues Profwiz Corporate
    Posted: 31 Jan 2014 at 1:54pm
Hi,

Today I tested the software with a domain 'A' and a domain 'B'.
Unfortunatly I ran into some serious problems.

Problem 1:
The user accounts in domain A have local profiles. In domain B we want users to have a roaming profile. So in theory, Profwiz should migrate the profiles, and after the reboot and a logon/logoff from a migrated user the profile should be copied to the roaming path as configured in the new domain on the user. This does not happen! (Windows XP and Windows 7.)I tried many things, but nothing works. What works is change in User Profiles the type from Local to Roaming. But this is not an option with 150 computers. What can we do about it? Is there a registry trick we can do in the new domain?

Problem 2: (REALLY SERIOUS)
When a Windows 7 machine is migrated to the new domain, the group domain admins is not member of the local group Administrators. Also many security things fail. When logging on with the local administrator account, and add domain admins to the administrators group, and logon with a non administrative user, it's not possible to run programs with the UAC. Programs fail to start with a no acces message. This is really odd cause the domain administrator is member of the domain admins but Windows ignores this.

My config (Passwords are not secret, it's for testing:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ForensiTUserProfileWizard xmlns="http://www.ForensiT.com/schemas">
<Parameters>
    <!-- ForensiT User Profile Wizard run options -->
    <!-- Note: options set here are overridden by parameters passed on the command line -->
    <Domain>B</Domain>
    <AdsPath>OU=B,DC=b,DC=com</AdsPath>
    <ForceJoin>False</ForceJoin>
    <NoJoin>False</NoJoin>
    <NoDefault>False</NoDefault>
    <Delete>False</Delete>
    <Disable>False</Disable>

    <!-- Credentials -->
    <DomainAdmin>B\Administrator</DomainAdmin>
    <DomainPwd>54747BF0CDA401671455CF0A4AEBC7F90392F6D3EE06B10B</DomainPwd>
    <LocalAdmin>a\administrator</LocalAdmin>
    <LocalPwd>42AC6ED26B58BE8D8A725A9A024E26421F76F800B451BDD2</LocalPwd>
    <SetsIDHistory>False</SetsIDHistory>
    <OldDomainAdmin></OldDomainAdmin>
    <OldDomainPwd></OldDomainPwd>
    <Key>2j-TZ%7riE</Key>

    <!-- Corporate Edition Settings -->
    <Silent>False</Silent>
    <NoMigrate>False</NoMigrate>
    <NoReboot>False</NoReboot>
    <RemoveAdmins>False</RemoveAdmins>
    <MachineLookupFile></MachineLookupFile>
    <Log>C:\Migrate.Log</Log>

    <!-- Script Settings -->
    <RunAs></RunAs>
    <Hash></Hash>
    <RunScriptPerUser>False</RunScriptPerUser>

    <!-- Settings for migrating all profiles -->
    <All>True</All>
    <OldDomain>A</OldDomain>
    <UserLookupFile>C:\Users\Administrator\Desktop\user.csv</UserLookupFile>
    <Exclude>ASPNET,Administrator</Exclude>

    <!-- Advanced Settings -->
    <Persist>False</Persist>
    <NoGUI>True</NoGUI>
    <SkipOnExistingProfile>False</SkipOnExistingProfile>
    <SkipOnDisabledAccount>False</SkipOnDisabledAccount>
    <FailOnMachineNameNotFound>False</FailOnMachineNameNotFound>
    <ShareProfile>False</ShareProfile>
    <RenameProfileFolder>True</RenameProfileFolder>
    <ProtocolPriority></ProtocolPriority>
    <DC></DC>
    <CopyProfile>False</CopyProfile>
    <DeepScan>1</DeepScan>

    <!-- Outlook Settings -->
    <MigrateExchServer>False</MigrateExchServer>
    <MigrateExchCachedMode>True</MigrateExchCachedMode>
    <MigrateExchModify>True</MigrateExchModify>
    <MigrateExchPromptForProfile>False</MigrateExchPromptForProfile>

    <!-- VPN Settings -->
    <VPN>False</VPN>
    <DefaultUserPwd></DefaultUserPwd>
</Parameters>

<!-- Script Settings - do not edit -->
<ScriptLocation>C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\Migrate.vbs</ScriptLocation>

<!-- Licensing Information -->
<licensing>REMOVED</licensing>
</ForensiTUserProfileWizard>

I create a single file after the config is build.

Migrate log:

ForensiT User Profile Wizard v3.7.1190
Licensed to REMOVED
Copyright (c) 2002-2013 ForensiT Ltd
www.ForensiT.com
Done.
Creating migration service... Done.
Starting migration service... Done.
Migrating user account "test1"
User not found in lookup file.
Finding Domain Controller for domain B... Done.
Using Domain Controller: \\server02.b.com.
Binding to Active Directory... Done.
Getting FQDN for user "test1"... Done.
Getting Domain SID... Done.
SID is S-1-5-21-3748469404-428546989-2830596787-1103
Checking for roaming profile...Fails.
Cannot check roaming profile.
Forcing local profile.
Setting Registry ACLs... Done.
Set Registry ACLs in 0.50 seconds.
Setting Profile ACL... Done.
Set Profile ACL in 0.631 seconds.
Creating Profile registry keys... Done.
Renaming Profile Folder... Done.
Adding domain account to local groups... Done.
Migrating user account "test2"
User not found in lookup file.
Finding Domain Controller for domain B... Done.
Using Domain Controller: \\server02.b.com.
Binding to Active Directory... Done.
Getting FQDN for user "test2"... Done.
Getting Domain SID... Done.
SID is S-1-5-21-3748469404-428546989-2830596787-1104
Checking for roaming profile...Fails.
Cannot check roaming profile.
Forcing local profile.
Setting Registry ACLs... Done.
Set Registry ACLs in 0.50 seconds.
Setting Profile ACL... Done.
Set Profile ACL in 0.560 seconds.
Creating Profile registry keys... Done.
Renaming Profile Folder... Done.
Adding domain account to local groups... Done.
Migrating user account "test3"
User not found in lookup file.
Finding Domain Controller for domain B... Done.
Using Domain Controller: \\server02.b.com.
Binding to Active Directory... Done.
Getting FQDN for user "test3"... Done.
Getting Domain SID... Done.
SID is S-1-5-21-3748469404-428546989-2830596787-1105
Checking for roaming profile...Fails.
Cannot check roaming profile.
Forcing local profile.
Setting Registry ACLs... Done.
Set Registry ACLs in 0.60 seconds.
Setting Profile ACL... Done.
Set Profile ACL in 0.571 seconds.
Creating Profile registry keys... Done.
Renaming Profile Folder... Done.
Adding domain account to local groups... Done.
Migrating user account "test4"
Finding Domain Controller for domain B... Done.
Using Domain Controller: \\server02.b.com.
Binding to Active Directory... Done.
Getting FQDN for user "jantje"... Done.
Getting Domain SID... Done.
SID is S-1-5-21-3748469404-428546989-2830596787-1106
Checking for roaming profile...Fails.
Cannot check roaming profile.
Forcing local profile.
Setting Registry ACLs... Done.
Set Registry ACLs in 0.51 seconds.
Setting Profile ACL... Done.
Set Profile ACL in 0.420 seconds.
Creating Profile registry keys... Done.
Renaming Profile Folder... Done.
Rename on reboot.
Adding domain account to local groups... Done.
Setting jantje as default logon... Done.
Finding Domain Controller for domain B... Done.
Using Domain Controller: \\server02.b.com.
Binding to Active Directory... Done.
Joining to domain "B" ... Done.
Migration Complete!

Please help!!!
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 01 Feb 2014 at 5:01am
Hi,

If you look in the log you can see the issue with roaming profiles:

Checking for roaming profile...Fails.
Cannot check roaming profile.
Forcing local profile.

User Profile Wizard cannot determine whether a roaming profile already exists for the user, so it forces the use of a local profile instead. This is a safety measure: if a roaming profile already existed, it would overwrite the local profile leading to the loss of all local profile data.

You need to ensure that the <DomainAdmin> account you are using can both read the profilePath attribute on the user account object in AD, and check whether the profile specified actually exists on file server. Practically this means the account needs read access to the location where the profiles are stored.

With regards to the second problem, User Profile Wizard does not explicitly add the new Domain Admins group to the local Admins group. This is done automatically by the Windows API that the software calls to join the machine to the domain. If this is not happening, you should check whether some other factor is at work, for example a Group Policy that defines membership of the local admins group.



Edited by Support - 01 Feb 2014 at 5:06am
Back to Top
yarno View Drop Down
Newbie
Newbie


Joined: 08 Jul 2013
Status: Offline
Points: 8
Post Options Post Options   Thanks (0) Thanks(0)   Quote yarno Quote  Post ReplyReply Direct Link To This Post Posted: 02 Feb 2014 at 3:07am
Hi,

I think that the following problem occurs:
The old domain has no roaming profiles, so Profwiz creates a local profile. When the profile is created (local), the client ignores the setting for roaming profile in the new domain.
I don't think it's a acces problem to the profile (administrator should be able to acces everything right?)

Or do I something wrong in the wizard? Or do I need to config a setting manually?

I work with snapshots, so I set the VM back before migrating and migrated the VM manually, but still the domain admins group is not member of the local administrators. I guess something is wrong with the OS, I'm creating a new VM right now to test again. The Windows XP VM works great.

Can you tell me what to do about the roaming profiles?

Regards, Jarno
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 03 Feb 2014 at 4:41am
Profwiz does not create a local profile because the old domain does not have any roaming profiles. As I explained, Profwiz is not able to determine whether a roaming profile already exists for the new domain user account, so it defaults to a local profile in order to protect the local profile data.

You are right to say that a domain administrator account should be able to read the profilePath attribute on the user account object in AD, but there is no guarantee that it will have read access to the folder containing the profiles. It depends how the folder was set up.
Back to Top
yarno View Drop Down
Newbie
Newbie


Joined: 08 Jul 2013
Status: Offline
Points: 8
Post Options Post Options   Thanks (0) Thanks(0)   Quote yarno Quote  Post ReplyReply Direct Link To This Post Posted: 03 Feb 2014 at 12:01pm
Hi,

I solved the issue in Windows 7 that the domain admins is not member of the local administrators. What happened? I created a clone from the 2008R2 VM, and VirtualBox asks me if I want to use it for a new machine or want to keep the VM untouched. I choosed for new machine and assumed the VM would create a sysprep, what probably not happened. The SID's where from the 2 old DC's the same, what created the issue. Only the mac adress of the network card has changed. So I build up 2 new DC's from scratch what solved the issue.

So now I only have a issue with the roaming profiles.
I tried the following. In domain A no user has a roaming profile. In domain B 2 users have a roaming profile. I logged in with both the accounts with a roaming profile but the profile is not being saved as a roaming profile.
I created a new user in domain B. This user has no roaming profile. After login and logout, I gave the user a roaming profile path. What happened? The profile changed from local to roaming and the profile is being saved on the share.

Why is this not working with a migrated profile? Is there something different?
Back to Top
yarno View Drop Down
Newbie
Newbie


Joined: 08 Jul 2013
Status: Offline
Points: 8
Post Options Post Options   Thanks (0) Thanks(0)   Quote yarno Quote  Post ReplyReply Direct Link To This Post Posted: 07 Feb 2014 at 2:10pm
Hi,

I have figured it out. It has to do with the registry.
Windows has 3 options to decide what kind of profile it needs to deal with it.
Option 1 (Default): Let Windows decide if there is a local or roaming profile. This way there is no UserPreference key in the registry. Windows checks the ProfilePath to decide if the user has a local profile (ProfilePath empty) or has a roaming profile (ProfilePath configured in the AD).
Option 2: User has configured manually a local profile.
Userpreference has the value of 0. Windows does not check the ProfilePath.
Option 3: User has configured manually a roaming profile.
Userpreference has the value of 1. Windows checks the ProfilePath to load and save the profile.

For some reason Profwiz is changing the default option and checks the current domain if there is a local or roaming profile. If there is a local profile it is changing the registry for option 2, if there is a roaming profile it is changing the registry for option 3.

I do not understand why Profwiz is doing this? The only reason I can think of is precaution if someone has changed the setting manually to roaming but in the new domain there is no roaming profile. I think this can be solved in a different way?

The solution is to delete the UserPreference key in everyone's ProfileList. Or Profwiz changes there software so it it not creating the UserPreference keys and let Windows decide what to do.

Is this possible? Or do you have a script I can use in Profwiz to delete all the UserPreference keys what Profwiz has created? In Windows XP the key is in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList\**SID**\UserPreference , in Windows 7 HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ProfileList\**SID**\Preference\UserPreference

I like to hear from you soon.
Many thanks, Jarno

Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 08 Feb 2014 at 4:11am
You say you do not understand why Profwiz is changing the default option for the profile type, but we have already explained twice already. It is because it cannot determine whether a roaming profile already exists and so has to protect the local profile data from the possibility of being overwritten.
Back to Top
yarno View Drop Down
Newbie
Newbie


Joined: 08 Jul 2013
Status: Offline
Points: 8
Post Options Post Options   Thanks (0) Thanks(0)   Quote yarno Quote  Post ReplyReply Direct Link To This Post Posted: 08 Feb 2014 at 11:05am
So how can I fix this? The old domain has no roaming profiles. In the new domain I want to use roaming profiles. Tell me. What do I wrong? Is something wrong in the config?
Back to Top
Support View Drop Down
Moderator Group
Moderator Group


Joined: 09 Nov 2006
Location: United Kingdom
Status: Offline
Points: 1844
Post Options Post Options   Thanks (0) Thanks(0)   Quote Support Quote  Post ReplyReply Direct Link To This Post Posted: 10 Feb 2014 at 5:03am
You need to ensure that Profwiz can check whether the existing profile exists on the network share.

Check the Profile Path on the "Profiles" tab of the user account object in AD: it is probably going to be something like \\Server\Share\Username Go to a workstation and logon as the <DomainAdmin> account you have specified in Profwiz.config, go to Start\Run and type \\Server\Share - you should be able to see the contents of the share, but not have access to any roaming profiles.
Back to Top
yarno View Drop Down
Newbie
Newbie


Joined: 08 Jul 2013
Status: Offline
Points: 8
Post Options Post Options   Thanks (0) Thanks(0)   Quote yarno Quote  Post ReplyReply Direct Link To This Post Posted: 10 Feb 2014 at 8:56am
Hi,
So you mean the profiles do exist in the old domain?
Or do they need to exist in the new domain?
 
Because either way will not work. In the old domain no user has a roaming profile, and in the new domain the profile path is configured but is emtpy because Windows needs to save the profile for the first time after the migration.
 
How can I solve this?
 
 
Back to Top
 Post Reply Post Reply Page  12>
  Share Topic   

Forum Jump Forum Permissions View Drop Down

Forum Software by Web Wiz Forums® version 12.03
Copyright ©2001-2019 Web Wiz Ltd.

This page was generated in 0.188 seconds.