Copy Local Users?

Posted on 2003-10-22
Last Modified: 2010-04-14
I have a w2k server running IIS, using it as an ftp server, with many local users.  

I want to build a backup machine.  I can backup and restore the data files (on a different partition from the OS) to a new machine, but how do I move the users over to the new machine, so that the file permissions are still valid for the same set of local users?

Question by:gateguard

Expert Comment

ID: 9601389
Set up the server as a Backup Domain Controller. As far as the users are concerned, Open Active Directory and then right-click the domain that's there now and click Operations Masters. It may be different as I am using Windows 2003 server and point the PBC to your Backup PC. That should make a duplicate for your users. Enjoy!
LVL 51

Expert Comment

ID: 9601432
Join the new computer to the domain.  All accounts in AD will replicate to the new DC.

Either leave it up and idle or shut it down.

If you decide to shut it down, then at least once a week you should start it to allow AD to replicate all changes to this DC.

LVL 51

Expert Comment

ID: 9601436
Ooops...should have added to join the server to the Domain by running DCPROMO.EXE


Author Comment

ID: 9601691
This is not a domain server and the users accessing the FTP site all have LOCAL user accounts, on the standalone server.  The server is part of the domain, but it's not domain users that are accessing the FTP folders, but outside users coming in with FTP connections and gaining access to files based on local-user-account logons to this stand-alone server.  

I want the new server (the back-up server) to have the same set of local users (including GUIDs).

Here's the setup:

Server A, a standalone server in Domain D, has two hard drives: C & E.

C is the operating system, with w2k server & IIS.

E contains all the folders in the ftproot.

Now I have a new server B, that I want to use as a backup (only bringing it online if A fails).  B has identical hardware to A.

I can easily backup and restore the ftproot folders on the second hard drive, maintaining all the file permissions... but how do I get the LOCAL USER database from A -> B, so that people FTPing into the new server still have the same set of permissions they had on the old server?
Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.


Author Comment

ID: 9601699
Corollary questions:

1.  Where is the user account database stored on w2k server (not active directory)?

2.  Can I backup the system state on Server A and restore it on Server B and get the same set of local users on B as I have on A?
LVL 11

Accepted Solution

adonis1976 earned 250 total points
ID: 9602026
the best way to do this would be to create an image of your server A and then deploy it on server B. You can use symantec's ghost software for this, or any another software if you wish. Ghost, Altiris Deployment solution and I guess you can use SMS from microsoft to do this. I have used Ghost and it is pretty good. Altiris is extremely good but very expensive. But they do have a 30 day fully functional trial though.

here are the links:
for ghost:

for altiris:

Your corollary questions:
1. I'm not sure if I understood the question properly here, But you can see the users in the control panel --> user profiles

2. If the system hardware is exactly same, then you should be able to do it.
LVL 41

Assisted Solution

graye earned 250 total points
ID: 9604111
Whoa... slow down.

If you want to copy a local group from one standalone PC to another, then the Group Copy tool in the Win2k Resource Kit will do the trick. However, as you probably have already figured out...  A local account named "Bob" on Server1 doesn't have any relationship to a local account named "Bob" on Server2 (regardless of how the Account was created or copied).  So copying local groups only really makes sense if those local groups contain Domain User accounts... not local accounts.

Local Accounts are always stored in the registry (whether AD or stand-alone)

Backing up the system state from one PC to another is tricky... first of all, you can't have both up and running at the same time (because the domain controller won't allow two PCs with the same name... and will further freak out when it discovers that the SIDs are the same).  Another issue, is that the hardware will have to be pretty-darn similar to each other for the "transplant" to work.

We routinely "clone" PC with Norton Ghost (probably do 2-3 a day!).  We use the free utility called NewSID (from to change the SIDs so that we don't have any duplicates.  We *never* clone a server, since their hardware requirements are almost always unique.

I'd recommend that you just do a normal install onto a new server, copy over your files, create duplicate accounts/passwords, and spend a few minutes with XACLS replacing the old account SIDs with the new account SIDs.  Yeah, it's slow and painful, but it will produce something that you can run side-by-side.

Another (very reasonable suggestion) would be to redo your account management strategy.  There is a reason that Microsoft wanted you to put Accounts into Global Groups, but Global Groups into Local Groups, and then assign permissions via the Local Group.

Author Comment

ID: 9606773

Very wise advice, in everything you say.  And I'm going to lobby to make the changes that you suggest, especially change the way groups are organized.  And I might end up taking your suggestion on  using XACLS... but I'm going to try the system state first.  Here's why:

The online IIS server is going down for special hardware maintenance and I just need a duplicate up and running.  I'll be careful not to have two machines with the same SID online at the same time.  As for Norton, I might use Norton but the problem is, to do the first ghost I have to take the online server offline and I'd like to be able to perform this switchover with as close to zero downtime as I can get.

But anyway, your suggestions are very thorough and complete and I thank you for them.


Thanks to you too.  As weird as it might seem, I want to see if this system state backup-restore trick really works!

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Describes a method of obtaining an object variable to an already running instance of Microsoft Access so that it can be controlled via automation.
In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now