Sunday, January 29, 2012

Building an enterprise-ready replacement for MoveUser.exe and Win32_UserProfile.ChangeOwner

Moveuser.exe

Back in the early days of Windows XP, Microsoft released a tool for changing the owner of a user profile from one user to another. Moveuser.exe came in the Windows Resource Kit, and for the most part did an OK job.

The most common use was for taking profiles that belonged to local user accounts, and attaching them to domain user accounts. It could also be used for migrating profiles from one domain to another, although the Active Directory Migration Tool (ADMT) was more commonly used for this task.

The command line was simple enough:

moveuser.exe oldusername newusername

It took usernames in the format COMPUTER\username or DOMAIN\username. One of the other nice things about moveuser.exe is that it also copied a user's group membership on the local machine.

Moveuser wasn't without its problems:

  1. Error messages returned by the tool were generally unhelpful. A single Win32 error code can't tell you a lot about why a profile migration might have failed.
  2. Moveuser.exe was limited to using account names that the local PC could resolve. This was problematic when trying to move a user profile from one domain user to another, without having a trust relationship between the two domains.

However, support for moveuser.exe was dropped in Windows Vista, and replaced by a WMI method on the Win32_UserProfile class called 'ChangeOwner'.

Win32_UserProfile.ChangeOwner

ChangeOwner was a little trickier to use. Firstly, you have to delve into the world of WMI and scripting. While not too difficult, it requires knowledge of WMI and an appropriate scripting language such as VBScript.

Secondly, the method requires you to pass it the SIDs of the user accounts involved in the migration. You need to translate your account names into the corresponding SIDs in advance, which adds quite a bit more scripting complexity. The benefit of this approach, however, is that if you know the SIDs in advance, the local computer does not need to know about the source or destination username at all.

However, the ChangeOwner method dropped support for copying the user's local group membership, so once again we have to do more scripting to perform this function ourselves.
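As an added illustration of the extra scripting that ChangeOwner demands (my own example script, not code from Lithnet.MoveUser or ADWMT), the following resolves account names to SIDs (or accepts SIDs as-is), calls Win32_UserProfile.ChangeOwner, and then re-adds the local group membership the WMI method leaves behind. It assumes PowerShell 2.0 or later on Vista/7, run elevated with the source user logged off; decoding the return code as a Win32 error is an assumption and is only a best-effort hint.

```powershell
param([Parameter(Mandatory=$true)][string]$OldAccount,  # 'PC01\alice', 'CORP\alice' or a SID string
      [Parameter(Mandatory=$true)][string]$NewAccount)

function ConvertTo-Sid {
    # Pass a SID string through untouched; only account names need resolving by this machine.
    param([string]$Account)
    if ($Account -match '^S-1-\d+(-\d+)+$') { return $Account }
    $parts = $Account -split '\\', 2
    if ($parts.Count -ne 2) { throw "'$Account' must be DOMAIN\user, COMPUTER\user or a SID" }
    $nt = New-Object System.Security.Principal.NTAccount($parts[0], $parts[1])
    return $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

function Copy-LocalGroupMembership {
    # ChangeOwner does not touch local groups: add $NewSid to every local group that lists $OldSid.
    param([string]$OldSid, [string]$NewSid)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    foreach ($group in ($computer.Children | Where-Object { $_.SchemaClassName -eq 'Group' })) {
        $members = @($group.Invoke('Members'))
        $memberSids = foreach ($m in $members) {
            $raw = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
            (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
        }
        if ($memberSids -contains $OldSid -and $memberSids -notcontains $NewSid) {
            $group.Add("WinNT://$NewSid")   # the WinNT provider binds by SID, so no name lookup is needed
            Write-Host "Added $NewSid to local group $($group.Name)"
        }
    }
}

$oldSid = ConvertTo-Sid $OldAccount
$newSid = ConvertTo-Sid $NewAccount
$userProfile = Get-WmiObject -Class Win32_UserProfile -Filter "SID='$oldSid'"
if ($userProfile -eq $null) { throw "No local profile for $OldAccount ($oldSid)" }
if ($userProfile.Loaded) { throw "Profile $($userProfile.LocalPath) is in use; log the user off first" }
# Flags = 0: refuse to overwrite a profile that already belongs to the new owner.
$result = $userProfile.ChangeOwner($newSid, 0)
if ($result.ReturnValue -ne 0) {
    # Best-effort decoding (assumption: the code is a Win32 error) so the log line is readable.
    $hint = (New-Object System.ComponentModel.Win32Exception([int]$result.ReturnValue)).Message
    throw "ChangeOwner($newSid) failed with code $($result.ReturnValue): $hint"
}
Copy-LocalGroupMembership -OldSid $oldSid -NewSid $newSid
Write-Host "Moved $($userProfile.LocalPath) from $oldSid to $newSid"
```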

Then, as mentioned previously, Microsoft has the ADMT tool, which can be used to perform profile migrations between domains. However, there is no support for migrating workgroup-based computers and local accounts.

So the situation we are left with is three completely different tools, each with its own capabilities and caveats, to use across different operating system generations.

ADWMT was born

At the organisation I work for, we just moved 16,000 users from a Novell-based workgroup to an Active Directory domain. I needed a solution that I could reliably push out to all supported operating systems, join all workgroup-based computers to the AD, as well as consolidate 9 other AD domains into a new central domain. None of these tools were going to cut it! We had to come up with our own solution.

After several months of solid development and testing, we had a tool that would reliably migrate the whole fleet of workstations, without user interaction, and provide us with detailed management reporting. The Active Directory Workstation Migration Tool (ADWMT) was born. It was capable of:

  1. Joining workstations to the domain
  2. Automatically mapping local user accounts to user accounts in the domain
  3. Automatically mapping user accounts in one domain to user accounts in another domain
  4. Migrating local user profiles to domain accounts
  5. Migrating profiles from one domain to accounts in another domain
  6. Keeping local group membership intact
  7. Working without any user interaction
  8. Providing detailed reporting
  9. Running on Windows XP, Vista and 7
  10. Performing migrations over a wired or wireless network
  11. Auto-repairing network configuration issues (especially where the lanmanserver or lanmanworkstation service is not installed)
  12. Running custom scripts at any stage throughout the migration
  13. Being able to be run by a user without admin rights, and auto-elevate using a predefined list of admin accounts

If you are interested in using the ADWMT tool for use in your organisation, send me an email to discuss licensing options.

Lithnet.MoveUser

I decided to extract the profile migration engine from ADWMT, and make it available for anyone to use. It is designed as a replacement for moveuser.exe and ChangeOwner, combining the benefits of both tools, with some additional enhancements.

  1. A single command line tool, that takes either usernames (as moveuser.exe does), or SIDs (as ChangeOwner does)
  2. Runs on XP, Vista, and Windows 7
  3. Provides detailed logging and reporting

The tool requires .NET framework 3.5 to be installed. See this post for full details including a download link.
