Wednesday, April 08, 2015

What’s new in User Profile Wizard 3.9 - Migrating from domain to local accounts.

Here at ForensiT we have been helping customers migrate their computers to new Windows domains for more than ten years (ten years!). In the early days many customers were migrating from Novell NDS to Active Directory; nowadays it is usually from one Windows domain to another, or perhaps from a workgroup to a domain. However, in the last eighteen months or so, we have had more and more enquiries about migrating from a domain back to a workgroup.

The reason, of course, is Office 365. As Office 365 and other cloud-based services increase in popularity, more people are finding they no longer need to run their own domain, and want to migrate their computers back to a workgroup. This isn’t just happening for companies with just a few employees, either. We had an email recently from someone looking to take more than 150 workstations off their domain.

You have always been able to migrate domain account profiles to local accounts using User Profile Wizard, but it is fair to say that this has not been a core feature of its functionality; User Profile Wizard has not, up to now, been able to unjoin a computer from a domain, for example. That changes with version 3.9.

With version 3.9 you can automatically migrate a workstation from a domain to a workgroup, migrating the user profiles from domain to local user accounts at the same time. If you have the Corporate or Professional Edition you can specify the new workgroup name. If you have the Corporate Edition you can automate the migration of all the user profiles on a machine, just like you can from one domain to another: for example, by using a lookup file to map the user account names. For more information please see the updated User Guide.

There is one other change that we hope you may not even notice. The order of the pages when using the GUI has changed: you now select the user profile first, and then enter the user account to which the profile will be assigned. This small alteration opens up a whole new path of development for us, which you should see quite soon with the release of User Profile Wizard 3.10.

Wednesday, March 07, 2012

What's new in User Profile Wizard 3.6?

Maintaining SID History
One of the big advantages of using User Profile Wizard over other migration tools, including ADMT, is that User Profile Wizard does not need access to the old domain. There may be a number of reasons why the old domain is not available: your company may have taken over a division of another company, and you do not have access to their domain; the old domain may have crashed; there may not even be an old domain, and you need to migrate machines from Novell or from a workgroup. More subtly, even if the old domain is accessible you may not have domain administrator permissions. In fact, this goes for the target domain too: User Profile Wizard can migrate a workstation to a specific OU without you needing to have admin permissions to the whole domain.

The reason other migration tools need access to the old domain is that they work by setting the SID history attribute on the new domain user account. As a domain administrator you cannot just set the SID history for a user yourself. Instead, you have to introduce two domain controllers to one another, then they go off and do something secret in private, and a new sIDHistory attribute on a user account object in AD is born. For the union to be blessed in this way you need to supply domain administrator credentials for both domains.

Nevertheless, if you do happen to have administrator permissions to both the old (source) domain and the new (target) domain, maintaining the user's SID history across their user accounts is a powerful mechanism for ensuring that the user will not lose access to resources when they logon with their new domain account. User Profile Wizard 3.6 gives you that option. Let me just emphasize that again: this is an option. You do not have to migrate workstations in this way: User Profile Wizard can still migrate machines and user profiles if you have no access to the old domain, or if you only have access to a particular OU in the new domain. Have I made that clear enough? I only ask because someone, sometime is going to ask. Let's move on...

Changing Outlook Exchange Settings
This falls under the "top requests from customers" category. Not everyone uses Outlook and Exchange, not everyone changes Exchange servers when they migrate to a new domain. (In fact, in a large organization that is a pretty scary proposition.) However, if you do need to update a user's Outlook settings for a new Exchange server, 3.6 can do it.

User Profile Wizard is not meant to be a fully-fledged Outlook configuration utility. Rather, we have tried to include some basic functionality that you may find useful. User Profile Wizard gets the user's new Exchange server name and mailbox name directly from their user account object in AD. There is no option to override this behaviour. By default the existing Outlook profile is modified; this ensures that any personal Outlook data file (.pst) settings are preserved. So, for example, if you have created a mail archive, this will still be available after Outlook has been reconfigured. Cached Exchange Mode is also enabled by default. You can change these things by changing the values under “Outlook Settings” in Profwiz.config. Please see the User Guide for more details.

Version 3.6 gives you the option to call an additional script after each user profile is migrated - not just at the end of the migration when the machine has been joined to the new domain. What is cool about this is that User Profile Wizard will call your script passing two parameters: the new user account name and the new user account SID. You can then use these parameters to do additional configuration. In the User Guide we describe a script that adds the new domain user account to the local Administrators group.
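A per-profile script of the kind described above, as an added example; it is not the script from the User Guide or ForensiT code. It assumes the two values arrive as positional arguments (account name first, SID second), that the SID can be resolved when the script runs, and that the LocalAccounts cmdlets of Windows PowerShell 5.1 are available.

```powershell
# Added example, not the User Guide script.
# Assumption: Profwiz passes the account name and SID as positional arguments.
param(
    [Parameter(Mandatory, Position = 0)] [string] $AccountName,
    [Parameter(Mandatory, Position = 1)] [string] $AccountSid
)
$ErrorActionPreference = 'Stop'

# Parse the SID; a malformed string throws here and nothing is changed.
$sid = New-Object System.Security.Principal.SecurityIdentifier($AccountSid)

# Resolve the SID and confirm it belongs to the account name that was passed,
# so a bad mapping never ends up granting rights to the wrong account.
$resolved = $sid.Translate([System.Security.Principal.NTAccount]).Value
$expected = ($AccountName -split '\\')[-1]
if (($resolved -split '\\')[-1] -ne $expected) {
    throw "SID $AccountSid resolves to '$resolved', not '$AccountName'; no change made."
}

# S-1-5-32-544 is the well-known SID of the built-in Administrators group;
# using it avoids depending on the localized group name.
try {
    Add-LocalGroupMember -SID 'S-1-5-32-544' -Member $sid.Value
    Write-Output "Added $resolved ($($sid.Value)) to local Administrators."
}
catch {
    # Re-running the migration script should not fail on an existing membership.
    if ($_.FullyQualifiedErrorId -like 'MemberExists*') {
        Write-Output "$resolved is already a member of local Administrators."
    }
    else { throw }
}
```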

User Profile Wizard 3.6 will be released shortly.

Saturday, March 03, 2012

1,000,000 Licenses Sold

This is a personal opinion, but I don’t believe in looking back. Of course, Santayana was completely right when he wrote "Those who cannot remember the past are condemned to repeat it", but that is no justification for nostalgia. We should always be looking forward to the future, we should always be trying to grow our ideas, grow what we do; grow ourselves. Nevertheless, sometimes you just have to take notice of a milestone along the way. We have now sold one million User Profile Wizard licenses. To sell a million of anything is an achievement - it means you must be providing something your customers find valuable. I am proud of what we have done at ForensiT.

We passed the one million mark a day after Microsoft released Windows 8 Consumer Preview. (User Profile Wizard works fine with Windows 8, by the way: migrating your personal Metro “Home screen” settings along with the rest of your profile.) User Profile Wizard 3.6 will be released in a few weeks with two major new features and some solid enhancements to existing functionality… Here’s to the future.

Wednesday, May 11, 2011

What's new in User Profile Wizard 3.5?

A lot is the answer! Here are the headlines.

Migrating over a VPN
The ability to migrate a computer to a new domain over a VPN has probably been our number one request from customers in recent years. If you have ever tried it, you will know that the problem is not so much with the migration itself, but what happens afterwards.

Most VPN connections are made by the user when they are logged on to Windows using software such as Cisco’s VPN client. When a machine is migrated to a new domain it needs to reboot: however, as soon as it reboots the VPN connection is lost. The problem is that after the machine reboots the user cannot logon again – there is no VPN connection to authenticate to the domain and Windows cannot cache the user's logon credentials (so they can logon offline) until the user does authenticate.

User Profile Wizard 3.5 fixes this by caching the user's credentials at the time of the migration. You can either have User Profile Wizard prompt the user for their password during the migration, or set a default password for all users. To enable credential caching you just set the 'vpn' value to 'True' in Profwiz.config. For more details - on this and the other features discussed here - please see the version 3.5 User Guide.

Security Permissions
There are two areas where User Profile Wizard 3.5 changes the way that we handle security permissions. The first is in the way the application is launched on Windows 7. As I described what seems a long time ago, Microsoft's implementation of User Account Control (UAC) prompts the logged-on user for permission to run a program even when that program has been started explicitly with Administrator credentials. Only if the program is started with the local Administrator account (which is disabled by default) or the domain Administrator account does the application run without the UAC "elevation" prompt.

In previous versions of User Profile Wizard we took the decision to force you to use one of the Administrator accounts or run your migration in a different way. In retrospect this was the wrong way to go. People running a migration with administrator credentials that worked fine on XP couldn't understand why they got "Access denied" when running on Windows 7. As a result, if you run User Profile Wizard 3.5 with Administrator credentials (but not the Administrator credentials) you will see the UAC prompt in the normal way.

Cue customers asking how to run User Profile Wizard without the prompt :-) The answer being, of course, to use one of the methods previously discussed.

The second change to the way User Profile Wizard handles security permissions is in relation to the user profile itself. By default User Profile Wizard sets security for the new user account at the top of the profile structure (C:\Users\Username on Windows 7, or C:\Documents and Settings\Username on XP) and leaves it to Windows to cascade the security changes through the profile folder structure via inheritance. With version 3.5 you now have another option.

Version 3.5 introduces the 'DeepScan' Profwiz.config value. If the DeepScan value is set to 1, User Profile Wizard will check every folder in the profile structure to see whether the security settings are inherited and, if not, set security on individual folders where inheritance is broken.

In deciding which level to choose, keep in mind that, by default, security on profile folders is inherited and that in most environments setting DeepScan to level 1 will have minimal practical effect. Checking the security on every folder also takes more time, of course. You should test in your own environment to decide which level is best for you.

There is another consequence of setting the DeepScan value to 1. A small number of customers have questioned why User Profile Wizard does not remove the old user account SID (Security IDentifier) from the ACLs (Access Control Lists) of files and folders in the user profile. The simple reason is that removing the old user permissions is principally cosmetic. If you are migrating from an existing domain, the original account loses access when the machine is joined to the new domain; if you are migrating from a local account, the account can be disabled or removed. Leaving the old permissions in place does not cause any security or functionality problems with the profile.

Setting DeepScan to 1, and checking the security on every folder in the profile, allows User Profile Wizard to remove ACL entries for the user’s old user account. This has the effect of cleaning up the permissions on the profile.
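To decide whether DeepScan is worth the extra time in your environment, you can look at what it would find. The following read-only audit is an added example, not ForensiT code or part of User Profile Wizard: it lists the folders in a profile where inheritance is broken or where the old account's SID still has an explicit ACL entry. The parameter names are hypothetical and the values are supplied by you.

```powershell
# Added example (not ForensiT code): read-only audit of a profile's folder ACLs.
# $ProfilePath and $OldSid are hypothetical parameter names; nothing is modified.
param(
    [Parameter(Mandatory)] [string] $ProfilePath,  # e.g. C:\Users\Username
    [Parameter(Mandatory)] [string] $OldSid        # SID of the pre-migration account
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$old     = New-Object System.Security.Principal.SecurityIdentifier($OldSid)  # throws if malformed

# Profile root plus every real subfolder. -Force includes hidden folders such as
# AppData; !ReparsePoint skips the compatibility junctions inside the profile.
$folders = @(Get-Item -LiteralPath $ProfilePath -Force) +
           @(Get-ChildItem -LiteralPath $ProfilePath -Recurse -Force `
                 -Attributes Directory+!ReparsePoint -ErrorAction SilentlyContinue)

$findings = foreach ($folder in $folders) {
    try   { $acl = Get-Acl -LiteralPath $folder.FullName -ErrorAction Stop }
    catch { continue }   # unreadable folder: skip it rather than abort the audit

    # Explicit (non-inherited) entries only, with identities returned as raw SIDs
    # so that an account which no longer resolves to a name is still matched.
    $explicitOld = @($acl.GetAccessRules($true, $false, $sidType) |
                     Where-Object { $_.IdentityReference.Value -eq $old.Value })

    # AreAccessRulesProtected is true when the folder does not inherit from its parent.
    if ($acl.AreAccessRulesProtected -or $explicitOld.Count -gt 0) {
        [pscustomobject]@{
            Folder             = $folder.FullName
            InheritanceBroken  = $acl.AreAccessRulesProtected
            OldSidExplicitAces = $explicitOld.Count
        }
    }
}

# The profile root is expected to appear with explicit entries, because that is
# where security is set; any other row is a folder that inheritance does not reach.
$findings | Sort-Object Folder | Format-Table -AutoSize
```

Run it from an elevated prompt so that the ACLs of every folder can be read.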

Copy Profiles
There is a mantra at ForensiT which we incant (almost) daily: User Profile Wizard does not move, copy or delete any data. Instead it configures the profile in place so that it can be used by the user’s new domain account. This makes the process both very fast and very safe... However, some folks just want to see a copy of the original profile for the new user account. The new 'CopyProfile' setting in Profwiz.config allows you to do just that.

We still believe that you should think carefully before setting the CopyProfile value to ‘True’. There is usually no need at all to create a copy of the original profile and by creating a copy you will make the migration process much slower.

However, there are circumstances where you may need to create copy profiles. For example, on shared workstations which are not already joined to a domain, users may all logon with one account. If you want to move the machine into Active Directory, you can create a copy of the profile for each user account so that each user can logon with their own username, but still retain their familiar desktop.

And more...
There are of course a number of smaller usability and functionality enhancements. These are based mainly on the feedback that we have had from our customers who, between them, have migrated hundreds of thousands of workstations using User Profile Wizard. Thank you to you all!

If you are a customer with maintenance and support, you can download User Profile Wizard 3.5 using the link you received when you purchased the software.

Friday, September 10, 2010

Changing the Default Profile on Windows 7

It has become increasingly obvious to us in recent months that people are downloading and installing our User Profile Manager software just in order to use the “Set As Default Profile” feature on Windows 7. Presumably they are then uninstalling the software again afterwards…

The problem is that Windows 7 has greyed out the “Copy To…” feature in the “User Profiles” dialog box that admins have used for years to set up a default profile for users logging onto a Windows workstation.

Why Microsoft have done this is not altogether clear. Responses on the Microsoft’s support forums say things like “There were many issues with it in the prior OSes, even though those issues were not always apparent…” (Mmm… the old invisible problem problem) and that this is “due to the User Account Control (UAC) and other security settings of the user account…” - which doesn’t really ring true either. I suspect that the problem is more to do with the profile folder structure and its reliance on junction points which cannot simply be copied over. But whether this is the case or not, why didn’t Microsoft just fix it? The most likely answer to that is that they just didn’t think it was important enough to spend any time on – which betrays a certain disconnect between Microsoft and those tasked with installing Windows on company machines around the globe.

However, installing User Profile Manager just to set the default profile is like going to a movie just to eat the popcorn. So what we’ve done is to take the "set default profile" code out of User Profile Manager and put it in a small command line utility – DefProf – that you can download for free.

How does it work?
DefProf does not simply delete the old “Default” profile folder and copy over a profile that you specify. Instead it keeps the existing Default profile in place and empties it; this preserves the folder structure with all junction points and folder security settings. DefProf then copies over the files and settings from another profile that you specify. Additionally, DefProf loads the registry for the specified profile and cleans it up so that any user specific settings (that we know about) are removed.

It is worth emphasizing here that DefProf uses the existing folder structure. This means that if you have already messed up the Default user profile folder, DefProf won't fix it.

Using DefProf
Using DefProf is very easy. Firstly you set up a profile the way you want, just like you always do. Say you create a ‘Setup’ account to do this, and Windows creates a C:\Users\Setup profile folder when you log on. When you’re done making the profile look the way you want, you open a Command Prompt as an Administrator and just type the folder name:

c:\>Defprof setup

That’s it!

We’ve done our testing, and DefProf seems to be working fine on Windows 7, 32 and 64-bit, and in a variety of languages. However, if you think we have missed anything please post a comment on the Forum and we'll do our best to fix it.

You can download DefProf here.


Tuesday, October 21, 2008

User Profile Wizard 3.0 RC1

We're nearly there... The User Profile Wizard 3.0 "Release Candidate" is now available for download here. We regard RC1 as extremely stable, and we do not foresee any major changes to the code between now and when the product is fully released. There have, for example, been no changes to the core profile migration code since BETA 2.

So what's changed? We have been doing a lot of testing in what might be called "sub prime" environments ;-) Not that we would ever suggest our customers would have such things! So, slow machines on slow connections; client machines that are under load - particularly on boot up. When we were only concerned with "pull" migrations this was not a problem: the client workstation could run the migration at its own pace. Doing a "push" migration, however, involves the "console" machine having to wait for the target workstation to respond to its requests. We've beefed up the code in RC1 to make this communication process more robust.

There have also been some minor enhancements to the functionality User Profile Wizard 3.0 provides. One of the things we get asked about a lot is removing users' Administrator rights when their workstations are migrated to a new domain. This is now really easy: you just need to set the new “RemoveAdmins” attribute in the profwiz.config file to "True".

The other new attribute in the profwiz.config file is "Exclude". This is just a comma-separated list of user accounts that you don't want to be migrated to the new domain. By default the profwiz.config file lists


but you can list any accounts that you want.

Last but definitely not least, the "Deployment Kit" has been completely rewritten for version 3.0. You can now use the Deployment Kit to create or edit a profwiz.config file, meaning you don't have to edit the profwiz.config by hand. What's more the migration scripts that the Deployment Kit now generates are much cleaner because the majority of settings are held in the config file.

So what's left to do? Mainly it's documentation. We still don't have a User Guide for version 3.0. Once that is completed we should be ready for the final release.

Tuesday, August 26, 2008

Vista Annoyances

I came across this article somewhat optimistically entitled "Vista Annoyances Resolved". It's worth reading because the author, Koroush Ghazi, does try to address some of the - er - quirks of the Vista experience.

The first "annoyance" he tackles is that of constantly changing folder views. This really struck a chord with me: why is it that when I open a folder full of C++ source and header files, Vista has suddenly decided to list them as music - complete with "Artist", "Genre" and "Rating" columns?

Ghazi goes on to discuss eight more annoyances, including User Account Control (for which I don't think there is a resolution), Bad Driver Support (which I don't think is the issue some would have us believe), and constant hard drive activity. The last is quite interesting. Ghazi highlights SuperFetch - the Vista "feature" that loads as much of your RAM as possible with stuff that you might need, so that it doesn't need to be fetched from your hard drive when you do need it. SuperFetch kicks in shortly after Vista boots, which unfortunately is also when you are trying to start Outlook, or whatever, and do some work. My solution to this is a simple one: never turn off your laptop. My Dell D630 now only ever sleeps.

There are problems Ghazi doesn't mention, however. As Paul Thurrott writes, "How about the weird folder/file deletion bugs where you somehow can't get the proper privileges to delete something even though you've navigated through all the required UAC prompts?" This is something I came across early on, and which has never been fixed. Still, at least people are classifying these issues now - the rest is up to Microsoft.