Renaming Users’ Profiles

I was recently engaged by a customer of mine who had to rename all its logins (sAMAccountName) due to a company acquisition.

First of all, the thing to keep in mind is that, from an operating system point of view, renaming the sAMAccountName attribute has no impact on users’ ability to log on to their assigned computers while keeping their usual profiles. The problem lies in the home folder name (the one you see if/when you open a command prompt, for example) and is essentially aesthetic.

To address this issue, Microsoft has published an article that deals with the rename process:

http://support.microsoft.com/kb/2454362

What the article does not say is that the user’s registry hive contains a lot of links to the absolute home folder path, for example (but not limited to) the desktop background, the one that fortunately let me discover this at the very first logon.

Searching the registry hive, I discovered that a lot of applications refer to absolute paths. One of the most critical for users is Outlook with its PSTs. So, following the article, a lot of applications may have problems once the rename procedure is done.

To address the situation, I saw only two ways. The first was to mount the user’s registry hive – ntuser.dat – and search every value in every key to replace the old path with the new one: not my favorite choice due to the complexity and the time required to perform the operation programmatically.

I then started exploring the second option: creating a symbolic link.

The problem was that I had never created such a link with PowerShell, and I discovered that it’s not really immediate since there is no built-in cmdlet to do this, but fortunately I found this blog:

Creating a Symbolic Link using PowerShell

Integrating the new type in my original script, I was finally able to:

  1. rename the local profile folder
  2. update the imagepath registry value with the new file system path
  3. create a symbolic link with the name of the original path pointing to the new one.

(yes, in this order)

Done! Applications were following the Junction without complaining!

The additional step was adding some automation code so that the script can find out on its own the new sAMAccountName to rename the home folder after.

In the ProfileList registry key (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList), there is a sub-key for every user that ever logged on to the machine. The key is named after the user’s SID. So that the script can be launched as, for example, a computer startup script via GPO, I wrote it to search Active Directory for the sAMAccountName corresponding to each user’s SID, if present (some users that logged on to the client may have been deleted from AD over time). If the sAMAccountName differs from the home folder name, then the three-step procedure described above is triggered.

N.B. Users’ clients usually do not have the Active Directory PowerShell module, so I had to query AD without using the AD cmdlets (sigh):

Function QuerySID ($UserSID){
    #retrieve the domain
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $root = $domain.GetDirectoryEntry()
    $search = [System.DirectoryServices.DirectorySearcher]$root
    #search for user objects filtering based on the given SID (string form, e.g. S-1-5-21-...)
    $search.Filter = "(&(objectClass=user)(objectSid=$UserSID))"
    $Temp = $search.FindAll() | ForEach-Object { $_.GetDirectoryEntry() }
    #retrieve the sAMAccountName, the renamed attribute ($null when the SID is no longer in AD).
    $SamAccountName = $Temp.sAMAccountName
    #return the attribute to be assigned to the variable in the main portion of the script.
    $SamAccountName
}
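
The ProfileList scan and the three-step procedure described above, put together as an added example (not the author's script). It assumes PowerShell 3.0 or later, that QuerySID from this post is already defined, and it uses `mklink /J` in place of the custom type from the linked blog; `Rename-StaleProfile` and `-Resolver` are hypothetical names.

```powershell
# Added example. Rename-StaleProfile and -Resolver are hypothetical names;
# QuerySID is the function from the post and must already be defined.
function Rename-StaleProfile {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([scriptblock]$Resolver = { param($s) QuerySID $s })

    $listKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($key in Get-ChildItem -Path $listKey) {
        $sid = $key.PSChildName
        # Account SIDs only: skips SYSTEM, service profiles and *.bak keys.
        if ($sid -notmatch '^S-1-5-21-[\d-]+$') { continue }
        # A loaded hive means the user is logged on and the folder is in use.
        if (Test-Path -Path "Registry::HKEY_USERS\$sid") { continue }

        $oldPath = (Get-ItemProperty -Path $key.PSPath).ProfileImagePath
        # Empty for local accounts and for users deleted from AD.
        $newName = [string](& $Resolver $sid)
        if (-not $oldPath -or -not $newName) { continue }
        if ((Split-Path -Path $oldPath -Leaf) -ieq $newName) { continue }

        $parent  = Split-Path -Path $oldPath -Parent
        $newPath = Join-Path -Path $parent -ChildPath $newName
        if (-not (Test-Path -LiteralPath $oldPath) -or (Test-Path -LiteralPath $newPath)) {
            Write-Warning "Skipping ${sid}: '$oldPath' missing or '$newPath' exists"
            continue
        }
        if ($PSCmdlet.ShouldProcess($oldPath, "rename to $newPath and link back")) {
            # 1. rename the local profile folder
            Rename-Item -LiteralPath $oldPath -NewName $newName -ErrorAction Stop
            # 2. store the new file system path in the profile's registry key
            Set-ItemProperty -Path $key.PSPath -Name ProfileImagePath -Value $newPath
            # 3. junction named after the old path, pointing to the new one
            cmd.exe /c mklink /J "$oldPath" "$newPath" | Out-Null
            if ($LASTEXITCODE -ne 0) { Write-Warning "mklink failed for $oldPath" }
        }
    }
}

# Dry run: lists what would change without touching disk or registry.
Rename-StaleProfile -WhatIf
```

Run it from an elevated session or as a computer startup script, since it writes under HKLM and the profiles directory. Drop `-WhatIf` only after the dry run lists the expected folders.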


One thought on “Renaming Users’ Profiles”

  1. We also need to rename a number of user accounts. Can you make your script available to help us with this?
    Thanks,
    Jan
