Solved

Robocopy correct syntax for copying user profiles

Posted on 2010-08-23
21
9,855 Views
1 Endorsement
Last Modified: 2012-06-27
I am trying to 'Robocopy' user profiles from our 'old' Domain Controller, to the new one (old = SBS 2003, new = Server 2008 X64).  When I use Robocopy, it fails on the NTUSER.DAT file, saying access is denied.

What syntax would I need to complete this operation.  I am trying to copy all of the user files from d:\data\home to p:\Profiles

P: is a network drive, I need to copy *.* from the home directory to the P: drive.
1
Comment
Question by:-Juddy-
  • 8
  • 6
  • 3
  • +3
21 Comments
 
LVL 17

Expert Comment

by:sgsm81
ID: 33499525
0
 
LVL 83

Expert Comment

by:oBdA
ID: 33499545
You can NOT migrate user profiles into another domain like this. The user's registry contains security settings as well, and these will NOT be migrated to the new domain simply by copying over the user's registry file (ntuser.dat).
If you want the profiles to work without issues in the new domain, you'll need to resort to something like Microsoft' USMT or MoveUser.exe, or a third-party tool like ForensIT's User Profile Wizard.

Windows User State Migration Tool (USMT) Version 3.0.1
http://www.microsoft.com/downloads/details.aspx?familyid=799ab28c-691b-4b36-b7ad-6c604be4c595&displaylang=en

Windows Server 2003 Resource Kit Tools
http://www.microsoft.com/downloads/details.aspx?FamilyID=9D467A69-57FF-4AE7-96EE-B18C4790CFFD&displaylang=en

User Profile Wizard 3.0
http://www.forensit.com/domain-migration.html
0
 
LVL 6

Expert Comment

by:CorpComp
ID: 33499548
I imagine permissions are not an issue because you are moving the files to a new domain.

If so, try this:
robocopy d:\data\home p:\Profiles /E /W:5 /R:1

/E - recurse through subdirectories
/W:5 wait 5 seconds on retry
/R:1 retry 1 time

This will copy all files including subdirectories.  When it hits a file that it cannot copy (NTUSER.DAT) it will pause for 5 seconds, try one more time (I do this to make sure the copy is not hampered by a temporary network problem) then move on to the next file.

Good luck.
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 33499558
I didn't make myself clear, apologies......the new server will become the new DC and the old one will be retired.  DO I need to complete this operation AFTER the new server becomes the primary?
0
 
LVL 3

Expert Comment

by:kevdines
ID: 33499739
Looks like you've got the command correct, but as oBdA points out, this isn't necessarily going to work for you in the end. I'm guessing that these are Roaming Profiles, if they're on a DC? (if they're local profiles that you use to log onto the SBS machine for Admin, you probably won't need to migrate these at all). The other assumption is that you are just moving the location of these Roaming Profiles within a domain (if you're trying to move them into another domain, take a look at oBdA's suggestions for tools as this way won't work).

Assuming that they *are* Roaming Profiles and that you're just moving the location of them, the NTUser.dat file gets locked when a user logs onto the network and the lock doesn't always get released. If you can do this out-of-hours, simply rebooting the server will close all of the open handles and the robocopy commands you already have will work, provided no users log on again in the meantime. If downtime is going to be an issue, you can force the handles to be closed with a third-party app like Unlocker (http://ccollomb.free.fr/unlocker/), but I wouldn't recommend doing it this way.

Lastly, you'll need to update the location that the user's accounts look for their Roaming Profile when they log on (either in the AD User object, or in a/the GPO that overrides this).

I'd recommend doing all this *before* you move DCs and retire SBS, as you can get this working in advance, which means one less thing to panic about when you remove SBS later :)

HTH,

Kev
0
 
LVL 2

Accepted Solution

by:
zsaurabh earned 84 total points
ID: 33499757
Robocopy "Source" "Destination" /MIR

it will Mirror the same data in the target or else

Robocopy.exe "source" "Dest" /copy:DOTS /z /s /e /R:5 /W:10 /LOG:c:\copy.log /TEE
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 33499865
Thanks, I'll have a go at migrating these roaming profiles over this evening.
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 33503550
I had a look forensit.com, but the pricing is a little O.T.T.  We only have about 10 users with roaming profiles, all the laptop users had it switched to local only.  With that in mind, I may just switch the 10 to local then when I have the new Domain Controller setup, change the path on AD to point to the new location then switch them back on again.  Any draw backs to doing it this way you can see?  
0
 
LVL 83

Expert Comment

by:oBdA
ID: 33503639
It would help tremendously if you would let us know whether you're doing a migration into another domain, or a domain upgrade (with the W2k8 machine being a DC in the SBS domain).
0
 
LVL 3

Expert Comment

by:kevdines
ID: 33503668
From your first post, it sounds like you're just installing another DC into your SBS domain (not migrating from one domain to another). If that's the case, then copying the profiles will work fine without any 3rd party tools. Provided that the user can access their Roaming Profile over the network at logon via a network share, neither the user's PC nor the DC will care where the share is located.

Tell me if I've misunderstood, but if this is the case it should be fairly straight forward :)

Cheers,

Kev
0
What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

 
LVL 3

Author Comment

by:-Juddy-
ID: 33503819
No Kev, I will be REPLACING the SBS server with a new Windows 2008 Domain Controller.  Our domain will then be 2008 based and I'm going to beat the SBS server to death with a shovel.
0
 
LVL 83

Expert Comment

by:oBdA
ID: 33503859
-Juddy-,
again: "replacing" doesn't mean anything. Are you UPGRADING your domain (is the W2k8 currently a DC in the SBS domain?) or are you MIGRATING into a NEW domain created from scratch on the W2k8 machine?
Oh, and btw., the Personal Edition of the ForensIT tool is free; it lacks the scripting capabilities, but they're not really required for 10 accounts.

kevdines,
please read my comment at http:#33499545 again: registry permissions will NOT be magically changed if the registry file is copied using any file copy tool; that's why the "Copy Profile" mini-wizard in the local profile settings and tools like MoveUser.exe exist.
Start regedit, go to HKCU, right-click any key and open the permissions. You *will* find your account in there, and this account's SID *will* *remain* if ntuser.dat is copied into the profile folder of another domain's user account, where it will be an *unknown* account.
This will only work if all users are local administrators on their machines, but even then it's certainly not good practice.
The profile can/should be copied only if the location is moved to another server in the *same* domain, which is why I'm asking whether this is a migration or an upgrade.
0
 
LVL 2

Expert Comment

by:zsaurabh
ID: 33503919
What about the points for this question?
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 33503923
Our domain is my-company.com, the Win 2K8 server is currently a member server, I'm going to promote the 2K8 server to be the new DC and keep the my-company.com domain, but it will now be run from the new 2K8 server.  The SBS server will then be demoted and binned.
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 33503999
zsaurabh, what do you mean?
0
 
LVL 83

Assisted Solution

by:oBdA
oBdA earned 83 total points
ID: 33504082
In this case, you can just copy the profile folders over, since the users don't change.
All users should be logged out for this.
If any handles are still open, you can force them in compmgmt.msc under System\Shared Folders.
You might have to take ownership of the profile folders before you're able to copy over the profiles (works for W2k3 as well), and you should make the users owners of the new profile folders as well:
How to take ownership of a file or a folder in Windows XP
http://support.microsoft.com/kb/308421

And just in case you haven't seen these yet:
Prepare a Windows 2000 or Windows Server 2003 Forest Schema for a Domain Controller That Runs Windows Server 2008 or Windows Server 2008 R2
http://technet.microsoft.com/en-us/library/cc753437(WS.10).aspx

Upgrading Active Directory Domains to Windows Server 2008 and Windows Server 2008 R2 AD DS Domains
http://technet.microsoft.com/en-us/library/cc731188(WS.10).aspx
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 33504111
So when I try to copy the profile and I get errors like access is denied to NTUSER.DAT this is becuase the user is logged in, yes?
0
 
LVL 83

Expert Comment

by:oBdA
ID: 33504187
No, a roaming profile is copied to the client machine on user logon, and only copied back when the user logs off. In between, you usually can do anything you want with the server copy (but these changes will be undone when the user logs off and replicates his local copy back to the server).
Access denied can either happen because there is still a handle left open from the copy (shouldn't be) or because you really don't have access. Check the security settings of the files and folders in question.
0
 
LVL 3

Author Comment

by:-Juddy-
ID: 33504552
For the sake of argument, just indulge me!! If I were to change the ten accounts to local profiles, change the path of the profile folders in AD then switch the profiles back to roaming...would this work?
0
 
LVL 83

Expert Comment

by:oBdA
ID: 33504644
I'd try that with a test account first ... I've seen too many strange things happening with roaming profiles to rely on anything.
Copying the profile folders during a server migration usually worked for me (permissions assumed).
0
 
LVL 3

Assisted Solution

by:kevdines
kevdines earned 83 total points
ID: 33506349
Sorry - was watching the football.

I'm pretty sure that the open handles on the NTUser.Dat files aren't locks held by the users, and they won't show up in compmgmt.msc | System | Shared Folders. I must admit I don't know why these locks aren't always released automatically at logoff, but it's no biggie.

On the plus side, a quick reboot will solve it and you can just copy the roaming profile folders over to the new location. Then share the folder, set the appropriate permissions (NTFS and share permissions), and point the users' roaming profiles to the new locations (either in their AD user object properties or in your GPO, depending on how you do it in your domain).

Apologies to oBdA for any confusion - I thought I'd been clearer in my earlier posts that my instructions were only for moving the location of the roaming profiles within a domain. Need to work on my clarity :)
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

If you are a user of the discontinued Microsoft Office Accounting 2008 (MSOA) and have to move to a new computer running Windows 8, you will be unhappy to discover that it won't install.  In particular, Microsoft SQL Server 2005 Express Edition (SSE…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

746 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now