Changing windows Profile ownership

I’ve learned a lot about how windows profiles and the registry work today. In the interests of unlearning it quicker, I am going to write it down so I no longer need to know it.

First: The windows registry is a terrible thing. It is a full ACL’d filesystem, except with retarded files. Further, it supports mounting loopback files, but only at one level below the predefined roots. And, yet, despite that, it is one of the most unix-like and useful parts of windows. *Facepalm*

So, you’ve got a user profile, and you’re, say, migrating your entire corporation from a primitive LDAP solution to a primitive AD solution. You want those user profiles to transfer over to the new domain. All the user profiles are stored as local profiles.

There’s three things of import: Change the permissions of the directory, change the permissions of the registry, and deal with all the little nitpicks that come up.

The directory is simple: Just log in as admin, remove the permissions from the old domain user, and add full access as the new. Should be set to propagate by default, and things will just work out.

The registry permissions are a little more complex. First, they can’t be edited while either the new or old user is logged in. Second, we’ll need to detach the registry hive: I recommend just rebooting, first, because windows has a tendency to not allow you to detach that hive.

The first thing you need to do is find the new user’s profile in the windows Profiles List, and point that at the old location, while deleting the old profile list entry for that profile. You can find the profile list in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Under there should be a list of SID’s; You can lookup the SID and do it that way, or just find the ones that are pointing to the old and new profiles. First, copy the profile location of the old user SID, and then (for safety) export that key and it’s subkeys, then delete it. Now, paste the profile location of the old profile into the new SID’s

Then, you need to mount the old user’s hive, and alter the permissions. Open up regedit, and then select HKEY_USERS. You’ll then want to go to File -> Load Hive. Browse to the user directory, then select the user’s NTUSER.DAT file. This is their personal registry hive. Open that, and name it what you will; it’s irrelavent for now (though naming it with the users SID can avert problems if you forget to unmount it).

Change the permissions on the root of the user hive, as well as in HKEY_CURRENT_USER\Software\Policies (The only exception I’ve found); They’ll have previous ACL’s for the old SID for full access and read-only, respectively.