Convert Profile

Joe Workman edited this page Jul 16, 2024 · 16 revisions

Account Migration

As of the 2.0.0 release of the ADMU, the tool will migrate profiles without the option to copy data using the User State Migration Tool. In prior versions of the tool this behavior was set behind the ConvertProfile parameter. Migrating profiles through the ADMU without the User State Migration Tool offers several notable advantages:

  • Migrated accounts are redirected to the previous domain profile.
  • AppData and profile data should remain intact.
  • Previous user Universal Windows Platform (UWP) apps are re-registered to the migrated account.
  • Copying data from one user directory to another is no longer required.
  • The convert process does NOT require a healthy secure channel on a system. A system can be disconnected from a domain controller past 30 days and user profiles can still be converted.

At a high level, account migration will copy the selected domain user's registry into a net new account. The selected domain user's profile including preferences, AppData and general personalizations are made available to the newly created local account after migration.

Migration Overview

Using the executable GUI version of the tool, users can be migrated by selecting a user and clicking "Migrate Profile".

At a minimum, a user needs to be selected and a "Local Account Username" and "Local Account Password" need to be specified to run the application.

Optionally, the "Force Reboot", "Leave Domain", "Install JC Agent", "Autobind JC User" and/or "Bind As Admin" parameters can be set.

Users on systems with a 'broken secure channel' can still be migrated. A system in this state could also display a SID instead of a username. Given this scenario, the 'local path' of a user can be used to identify the profile intended to be converted.

Notes

Requirements

An account eligible for conversion must not be loaded. In other words, the account cannot be logged in or have its user hives loaded in HKEY_USERS. The first step of the conversion process makes a backup of the user's registry hives. If this step does not complete, the conversion process exits without making changes. If the account to migrate is loaded, the NTUSER.DAT and UsrClass.dat files cannot be copied and the ADMU will throw an error message.

The following files are checked before conversion:

  • "C:\Users\userToConvert\NTUSER.DAT"
  • "C:\Users\userToConvert\AppData\Local\Microsoft\Windows\UsrClass.dat"

They are saved to:

  • "C:\Users\userToConvert\NTUSER.DAT.BAK"
  • "C:\Users\userToConvert\AppData\Local\Microsoft\Windows\UsrClass.dat.bak"

Just before overwriting the registry files NTUSER.DAT and UsrClass.dat, a final backup of the original files is made. Those files are saved to:

  • "C:\Users\userToConvert\NTUSER_original_yyyy-mm-dd-HHMMSS.BAK"
  • "C:\Users\userToConvert\AppData\Local\Microsoft\Windows\UsrClass_original_yyyy-mm-dd-HHMMSS.bak"

Where yyyy-mm-dd-HHMMSS is the year, month, day, hours, minutes, seconds in which the backup file was made.
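
The requirements above can be checked before a migration is attempted. The following is an added example, not part of the ADMU, and the function name is hypothetical; it locates the profile by its local path, reports whether its hives are loaded in HKEY_USERS, and confirms both hive files exist. Run it from an elevated session so other users' profile folders are readable.

```powershell
# Added example, not ADMU code: read-only pre-flight check for one profile.
function Test-ProfileReadyForConversion {
    param([Parameter(Mandatory)][string]$LocalPath)

    # Win32_UserProfile lists LocalPath, SID and Loaded for every profile, so the
    # profile can be found by path even when its SID no longer resolves to a name.
    $userProfile = Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { $_.LocalPath -eq $LocalPath } |
        Select-Object -First 1
    if (-not $userProfile) { throw "No profile is registered for '$LocalPath'." }
    $sid = $userProfile.SID

    # A loaded account appears as HKEY_USERS\<SID> and HKEY_USERS\<SID>_Classes.
    $loadedHives = @("Registry::HKEY_USERS\$sid", "Registry::HKEY_USERS\${sid}_Classes") |
        Where-Object { Test-Path -LiteralPath $_ }

    # The two hive files the page lists as checked before conversion.
    # [System.IO.File]::Exists is used because hive files are normally hidden.
    $missingFiles = @(
        (Join-Path $LocalPath 'NTUSER.DAT'),
        (Join-Path $LocalPath 'AppData\Local\Microsoft\Windows\UsrClass.dat')
    ) | Where-Object { -not [System.IO.File]::Exists($_) }

    [pscustomobject]@{
        LocalPath    = $LocalPath
        SID          = $sid
        LoadedHives  = @($loadedHives)
        MissingFiles = @($missingFiles)
        Ready        = (-not $userProfile.Loaded) -and (-not $loadedHives) -and (-not $missingFiles)
    }
}

# 'C:\Users\userToConvert' is the placeholder path used on this page.
Test-ProfileReadyForConversion -LocalPath 'C:\Users\userToConvert'
```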

Reverting Migration

Converted or failed account migrations can be reverted by following the account reversion directions.

Changes to Registry

The process of converting a user account requires several changes to the registry. After running the tool the following keys will be created:

  • HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\ADMU-AppxPackage
  • HKU:\theSIDOfTheNewLocalUser\SOFTWARE\JCADMU

The HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\ADMU-AppxPackage key is used to update the Universal Windows Platform (UWP) applications on the first login post-migration.

The HKU:\theSIDOfTheNewLocalUser\SOFTWARE\JCADMU key will contain the migrated user's previous home directory path and SID.

Universal Windows Platform (UWP) App requirements

To migrate the previous domain user's UWP apps to the new local user, we create the following registry key: HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\ADMU-AppxPackage

This key contains a link to the uwp_jcadmu.exe. This exe is the uwp_jcadmu.ps1 file wrapped as an exe and stored in your C:\Windows directory. During account conversion, the ADMU records the UWP apps registered to the selected user being migrated. After migration, the uwp_jcadmu.exe application restores these Windows applications for the newly migrated account.

On first login, Windows checks whether this installed component key exists in the user hive. If it doesn't, Windows calls the uwp_jcadmu.exe and sets the version to "1,0,00,0" or whichever version is set under the HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\ADMU-AppxPackage key.

The uwp_jcadmu.exe will only execute if the current user hive contains the HKCU:\SOFTWARE\JCADMU\ key. This key is only set on new accounts created through conversion with the ADMU. Those converted accounts will take a bit longer to boot when they first log in, as Windows registers UWP apps from the previous domain account to the local account.

All other accounts on the system will run the uwp_jcadmu.exe but immediately exit since those accounts will not have the HKCU:\SOFTWARE\JCADMU\ key in their registry hive. This key on the converted user account will contain links to the previous domain profile path location and SID.
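
Because the Active Setup entry runs an executable at first login for every account on the system, it is worth confirming after migration that the key references only the expected file. The following is an added example, not part of the ADMU, and the function name is hypothetical; it assumes the standard Active Setup value names StubPath and Version, and reads the values under the JCADMU key without assuming their names.

```powershell
# Added example, not ADMU code: read-only audit of the keys listed on this page.
function Get-AdmuRegistryFootprint {
    $key = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\ADMU-AppxPackage'
    # The page states the executable is stored in the Windows directory.
    $exe = Join-Path $env:windir 'uwp_jcadmu.exe'

    $activeSetup = $null
    if (Test-Path -LiteralPath $key) {
        # StubPath / Version are the standard Active Setup values (assumption).
        $props     = Get-ItemProperty -LiteralPath $key
        $exeExists = [System.IO.File]::Exists($exe)
        $activeSetup = [pscustomobject]@{
            StubPath      = $props.StubPath
            Version       = $props.Version
            ReferencesExe = ($props.StubPath -like '*uwp_jcadmu.exe*')
            ExeExists     = $exeExists
            # Record signature status and hash so later changes to the file stand out.
            Signature     = if ($exeExists) { (Get-AuthenticodeSignature -LiteralPath $exe).Status }
            Sha256        = if ($exeExists) { (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash }
        }
    }

    # Loaded user hives that carry the JCADMU marker key, i.e. converted accounts.
    $converted = Get-ChildItem -LiteralPath 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $marker = "Registry::HKEY_USERS\$($_.PSChildName)\SOFTWARE\JCADMU"
            if (Test-Path -LiteralPath $marker) {
                [pscustomobject]@{
                    SID    = $_.PSChildName
                    Values = Get-ItemProperty -LiteralPath $marker
                }
            }
        }

    [pscustomobject]@{ ActiveSetup = $activeSetup; ConvertedHives = @($converted) }
}

Get-AdmuRegistryFootprint | Format-List
```

Only hives that are currently loaded are inspected, so a converted account that is logged out will not appear under ConvertedHives.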
