
Convert Profile

Joe Workman edited this page Apr 24, 2023 · 12 revisions

Account Migration

As of the 2.0.0 release of the ADMU, the tool migrates profiles without the option to copy data using the User State Migration Tool. In prior versions of the tool, this behavior was set behind the ConvertProfile parameter. Migrating profiles through the ADMU without the User State Migration Tool offers several notable advantages:

  • Migrated accounts are simply redirected to the previous domain profile
  • AppData and profile data should remain intact
  • The previous user's Universal Windows Platform (UWP) apps are re-registered to the migrated account
  • Storage space is no longer a concern since the domain user's data is not copied to a new profile
  • The convert process does NOT require a healthy secure channel on a system. A system can be disconnected from a domain controller past 30 days and user profiles can still be converted.

At a high level, account migration will copy the selected domain user's registry into a net new account. The selected domain user's profile including preferences, AppData and general personalizations are made available to the newly created local account after migration.

Migration Overview


Select a domain profile and enter the new local account username in the text box. The temporary local account password will be used until the new account is bound to JumpCloud via the console. Alternatively, the AutoBind JC User parameter can be selected to automatically bind the local user to JumpCloud; the account must exist in JumpCloud before migration.

Users on systems with a 'broken secure channel' can be converted using the ADMU "Convert Profile" feature by identifying the user's SID. The System account could also show as a SID if it can't be resolved by the local cache on the system; in that case you can still see the 'local path' to identify the profile you are converting.

Notes

Requirements

An account eligible for conversion must not be loaded. In other words, the account cannot be logged in, and its user hives cannot be loaded in HKEY_USERS. The first step of the conversion process makes a backup of the user's registry hives. If this step does not complete, the conversion process exits without making changes. If the account to migrate is loaded, the NTUSER.DAT and UsrClass.dat files cannot be copied and the ADMU will exit.

The following files are checked before conversion:

  • "C:\Users\userToConvert\NTUSER.DAT"
  • "C:\Users\userToConvert\AppData\Local\Microsoft\Windows\UsrClass.dat"

They are saved to:

  • "C:\Users\userToConvert\NTUSER.DAT.BAK"
  • "C:\Users\userToConvert\AppData\Local\Microsoft\Windows\UsrClass.dat.bak"

Just before overwriting the registry files NTUSER.DAT and UsrClass.dat, a final backup of the original files is made. Those files are saved to:

  • "C:\Users\userToConvert\NTUSER_original_yyyy-mm-dd-HHMMSS.BAK"
  • "C:\Users\userToConvert\AppData\Local\Microsoft\Windows\UsrClass_original_yyyy-mm-dd-HHMMSS.bak"

Where yyyy-mm-dd-HHMMSS is the year, month, day, hours, minutes, seconds in which the backup file was made.
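
The requirements above can be checked before a conversion is attempted. The following is an added example, not part of the ADMU: it resolves the profile folder from a SID, tests whether the user's hives are mounted under HKEY_USERS, and tests whether either hive file is held open by another process. The SID shown is a constructed placeholder, and the ProfileList lookup is an assumption about how to locate the profile, not the ADMU's own logic.

```powershell
# Added example, not ADMU code. Run from an elevated PowerShell session.
# The SID is a constructed placeholder; pass the SID of the profile to convert.
param([string]$Sid = 'S-1-5-21-1111111111-2222222222-3333333333-1001')

# Resolve the profile directory from the SID, which also works when the
# account name cannot be resolved (the broken secure channel case above).
$profileKey = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$Sid"
if (-not (Test-Path -Path $profileKey)) { throw "No ProfileList entry for $Sid" }
$profilePath = (Get-ItemProperty -Path $profileKey).ProfileImagePath

# A logged-in or otherwise loaded account has its hives mounted in HKEY_USERS.
$loaded = (Test-Path -Path "Registry::HKEY_USERS\$Sid") -or
          (Test-Path -Path "Registry::HKEY_USERS\${Sid}_Classes")

$hiveFiles = @(
    Join-Path $profilePath 'NTUSER.DAT'
    Join-Path $profilePath 'AppData\Local\Microsoft\Windows\UsrClass.dat'
)

$files = foreach ($file in $hiveFiles) {
    $exists = Test-Path -LiteralPath $file
    $locked = $false
    if ($exists) {
        try {
            # FileShare.None fails with a sharing violation if the hive is in use.
            $stream = [System.IO.File]::Open($file, [System.IO.FileMode]::Open,
                [System.IO.FileAccess]::Read, [System.IO.FileShare]::None)
            $stream.Dispose()
        } catch [System.IO.IOException] {
            $locked = $true
        }
    }
    [pscustomobject]@{ File = $file; Exists = $exists; Locked = $locked }
}

$files | Format-Table -AutoSize
$blocked = @($files | Where-Object { -not $_.Exists -or $_.Locked })
[pscustomobject]@{
    Sid            = $Sid
    ProfilePath    = $profilePath
    HiveLoaded     = $loaded
    ReadyToConvert = (-not $loaded) -and ($blocked.Count -eq 0)
} | Format-List
```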

Default Applications

Default applications, such as browser preferences, will be reset after conversion. There may exist a method to pass user default application preferences to the migrated account, but more work is required before rolling that into an ADMU release.

Reverting Migration

Converted or failed account migrations can be reverted by following the account reversion directions.

Changes to Registry

The process of converting a user account requires several changes to the registry. After running the tool you can expect the following keys to be created:

  • HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\ADMU-AppxPackage
  • HKU:\theSIDOfTheNewLocalUser\SOFTWARE\JCADMU

The HKU:\theSIDOfTheNewLocalUser\SOFTWARE\JCADMU key will contain the migrated user's previous home directory path and SID.

Universal Windows Platform (UWP) App requirements

To migrate the previous domain user's UWP apps to the new local user, we create the following registry key: HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\ADMU-AppxPackage

This key contains a hard link to the uwp_jcadmu.exe. This exe is nothing more than the uwp_jcadmu.ps1 file wrapped as an exe and stored in your C:\Windows directory. During account conversion, the tool takes stock of the UWP apps registered to the selected user for conversion. There should be about 100 or so of these UWP apps registered to any one account.

On first login, Windows checks whether this installed component key exists in the user hive. If it doesn't, Windows calls the uwp_jcadmu.exe and sets the version to "1,0,00,0" or whichever version is set under the HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\ADMU-AppxPackage key.

The uwp_jcadmu.exe will only execute if the current user hive contains the HKCU:\SOFTWARE\JCADMU\ key. This key is only set on new accounts converted with the ADMU. Those converted accounts will take a bit longer to boot when they first log in, as Windows registers UWP apps from the previous domain account to the local account.

All other accounts on the system will run the uwp_jcadmu.exe but immediately exit since those accounts will not have the HKCU:\SOFTWARE\JCADMU\ key in their registry hive. This key on the converted user account will contain links to the previous domain profile path location and SID.
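
Because the Active Setup command runs at logon for every account on the system, it is worth confirming after migration that the entry points at the expected binary and recording that binary's hash and signature state. The following is an added example, not part of the ADMU: StubPath and Version are the standard Active Setup value names, the location of the exe directly under the Windows directory is taken from the description above, and the value names inside the JCADMU key are not assumed.

```powershell
# Added example, not ADMU code. Run from an elevated PowerShell session.
$activeSetup = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\ADMU-AppxPackage'
# Assumption: the exe sits directly in the Windows directory, as described above.
$expectedExe = Join-Path $env:windir 'uwp_jcadmu.exe'

if (Test-Path -Path $activeSetup) {
    $entry     = Get-ItemProperty -Path $activeSetup
    $exeExists = Test-Path -LiteralPath $expectedExe
    # StubPath (the command) and Version are the standard Active Setup value names.
    $stubPath  = [string]$entry.StubPath
    [pscustomobject]@{
        StubPath       = $stubPath
        Version        = $entry.Version
        StubTargetsExe = $stubPath.IndexOf($expectedExe, [StringComparison]::OrdinalIgnoreCase) -ge 0
        ExeExists      = $exeExists
        Sha256         = if ($exeExists) { (Get-FileHash -LiteralPath $expectedExe -Algorithm SHA256).Hash }
        Signature      = if ($exeExists) { (Get-AuthenticodeSignature -FilePath $expectedExe).Status }
    } | Format-List
} else {
    Write-Output "Active Setup key not present: $activeSetup"
}

# Per-user marker keys. Only hives that are currently loaded appear under
# HKEY_USERS, so a converted account that is logged off is not listed here.
Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
    Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
    ForEach-Object {
        $sid = $_.PSChildName
        $key = Get-Item -Path "Registry::HKEY_USERS\$sid\SOFTWARE\JCADMU" -ErrorAction SilentlyContinue
        if ($key) {
            # Value names are not documented on this page, so list whatever is there.
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{ Sid = $sid; Name = $name; Value = $key.GetValue($name) }
            }
        }
    }
```

A StubPath that does not reference the expected exe, or a hash that differs between machines running the same ADMU release, is worth investigating before users log in.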
