Wednesday, May 11, 2011

What's new in User Profile Wizard 3.5?

A lot is the answer! Here are the headlines.

Migrating over a VPN
The ability to migrate a computer to a new domain over a VPN has probably been our number one request from customers in recent years. If you have ever tried it, you will know that the problem is not so much with the migration itself, but what happens afterwards.

Most VPN connections are made by the user when they are logged on to Windows using software such as Cisco’s VPN client. When a machine is migrated to a new domain it needs to reboot: however, as soon as it reboots the VPN connection is lost. The problem is that after the machine reboots the user cannot log on again – there is no VPN connection to authenticate to the domain, and Windows cannot cache the user's logon credentials (so they can log on offline) until the user does authenticate.

User Profile Wizard 3.5 fixes this by caching the user's credentials at the time of the migration. You can either have User Profile Wizard prompt the user for their password during the migration, or set a default password for all users. To enable credential caching you just set the 'vpn' value to 'True' in Profwiz.config. For more details - on this and the other features discussed here - please see the version 3.5 User Guide.

Security Permissions
There are two areas where User Profile Wizard 3.5 changes the way that we handle security permissions. The first is in the way the application is launched on Windows 7. As I described what seems a long time ago, Microsoft's implementation of User Account Control (UAC) prompts the logged-on user for permission to run a program even when that program has been started explicitly with Administrator credentials. Only if the program is started with the local Administrator account (which is disabled by default) or the domain Administrator account does the application run without the UAC "elevation" prompt.

In previous versions of User Profile Wizard we took the decision to force you to use one of the Administrator accounts or run your migration in a different way. In retrospect this was the wrong way to go. People running a migration with administrator credentials that worked fine on XP couldn't understand why they got "Access denied" when running on Windows 7. As a result, if you run User Profile Wizard 3.5 with administrator credentials (but not the Administrator account itself) you will see the UAC prompt in the normal way.

Cue customers asking how to run User Profile Wizard without the prompt :-) The answer being, of course, to use one of the methods previously discussed.

The second change to the way User Profile Wizard handles security permissions is in relation to the user profile itself. By default User Profile Wizard sets security for the new user account at the top of the profile structure (C:\Users\Username on Windows 7, or C:\Documents and Settings\Username on XP) and leaves it to Windows to cascade the security changes through the profile folder structure via inheritance. With version 3.5 you now have another option.

Version 3.5 introduces the 'DeepScan' Profwiz.config value. If the DeepScan value is set to 1, User Profile Wizard will check every folder in the profile structure to see whether the security settings are inherited and, if not, set security on individual folders where inheritance is broken.

In deciding which level to choose, keep in mind that, by default, security on profile folders is inherited and that in most environments setting DeepScan to level 1 will have minimal practical effect. Checking the security on every folder also takes more time, of course. You should test in your own environment to decide which level is best for you.

There is another consequence of setting the DeepScan value to 1. A small number of customers have questioned why User Profile Wizard does not remove the old user account SID (Security Identifier) from the ACLs (Access Control Lists) of files and folders in the user profile. The simple reason is that removing the old user permissions is principally cosmetic. If you are migrating from an existing domain, the original account loses access when the machine is joined to the new domain; if you are migrating from a local account, the account can be disabled or removed. Leaving the old permissions in place does not cause any security or functionality problems with the profile.

Setting DeepScan to 1, and checking the security on every folder in the profile, allows User Profile Wizard to remove ACL entries for the user’s old user account. This has the effect of cleaning up the permissions on the profile.
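To make the two things a DeepScan pass looks at concrete, here is an added PowerShell audit script. It is not ForensiT's code and does not show how User Profile Wizard itself is implemented; it simply walks a profile folder tree, reports every folder where ACL inheritance has been disabled, and reports every explicit ACE that still names the old account's SID. Nothing is changed unless you pass -Fix. The $ProfileRoot and $OldSid defaults are placeholders you must replace; the script assumes PowerShell 2.0 or later (so it works on Windows 7 as shipped) and an elevated session, since the profile owner's folders are not readable otherwise.

```powershell
# Added example, not part of User Profile Wizard. Audits (and optionally repairs)
# broken ACL inheritance and stale ACEs for an old account SID in a user profile.
param(
    [string] $ProfileRoot = 'C:\Users\Username',   # placeholder: the migrated profile folder
    [string] $OldSid      = 'S-1-5-21-0-0-0-1001', # placeholder: SID of the pre-migration account
    [switch] $Fix                                  # without -Fix the script only reports
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$null    = New-Object $sidType ($OldSid)           # throws early if $OldSid is not a valid SID string

function Report([string] $Folder, [string] $Finding, [string] $Action) {
    New-Object PSObject -Property @{ Folder = $Folder; Finding = $Finding; Action = $Action }
}

# Walk every folder under the profile. Windows 7 profiles contain junctions such as
# "Application Data" that exist only for legacy paths and carry deny ACEs; skip
# reparse points so the walk neither follows them nor stops on their permissions.
Get-ChildItem -LiteralPath $ProfileRoot -Recurse -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.PSIsContainer -and -not ($_.Attributes -band [IO.FileAttributes]::ReparsePoint) } |
    ForEach-Object {
        $dir = $_.FullName
        try { $acl = Get-Acl -LiteralPath $dir -ErrorAction Stop }
        catch { Report $dir 'Unreadable ACL' $_.Exception.Message; return }
        $changed = $false

        # Finding 1: inheritance switched off on this folder. Passing $false as the
        # first argument to SetAccessRuleProtection turns inheritance back on.
        if ($acl.AreAccessRulesProtected) {
            $action = 'report only'
            if ($Fix) { $acl.SetAccessRuleProtection($false, $true); $changed = $true; $action = 'inheritance re-enabled' }
            Report $dir 'Inheritance disabled' $action
        }

        # Finding 2: explicit (non-inherited) ACEs granted to the old SID. Asking for
        # the rules as SIDs avoids name lookups for an account that may no longer resolve.
        $stale = $acl.GetAccessRules($true, $false, $sidType) |
            Where-Object { $_.IdentityReference.Value -eq $OldSid }
        foreach ($rule in $stale) {
            $action = 'report only'
            if ($Fix) { [void] $acl.RemoveAccessRule($rule); $changed = $true; $action = 'ACE removed' }
            Report $dir "Stale ACE: $($rule.FileSystemRights) ($($rule.AccessControlType))" $action
        }

        # Write the modified descriptor back only if something was actually changed.
        if ($changed) {
            try { Set-Acl -LiteralPath $dir -AclObject $acl -ErrorAction Stop }
            catch { Report $dir 'Set-Acl failed' $_.Exception.Message }
        }
    }
```

Run it once without -Fix and pipe the output to Format-Table or Export-Csv to see how many folders in a typical profile actually have inheritance disabled; as the text above says, in most environments the answer is very few, which is a good way to judge whether DeepScan is worth the extra time for you. The old-SID findings are the "cosmetic" entries the text describes: the account behind them can no longer authenticate, so removing them tidies the ACL rather than closing an exposure.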

Copy Profiles
There is a mantra at ForensiT which we incant (almost) daily: User Profile Wizard does not move, copy or delete any data. Instead it configures the profile in place so that it can be used by the user’s new domain account. This makes the process both very fast and very safe... However, some folks just want to see a copy of the original profile for the new user account. The new 'CopyProfile' setting in Profwiz.config allows you to do just that.

We still believe that you should think carefully before setting the CopyProfile value to ‘True’. There is usually no need at all to create a copy of the original profile and by creating a copy you will make the migration process much slower.

However, there are circumstances where you may need to create copy profiles. For example, on shared workstations which are not already joined to a domain, users may all log on with one account. If you want to move the machine into Active Directory, you can create a copy of the profile for each user account so that each user can log on with their own username, but still retain their familiar desktop.

And more...
There are of course a number of smaller usability and functionality enhancements. These are based mainly on the feedback that we have had from our customers who, between them, have migrated hundreds of thousands of workstations using User Profile Wizard. Thank you to you all!

If you are a customer with maintenance and support, you can download User Profile Wizard 3.5 using the link you received when you purchased the software.