Ask the Directory Services Team

I ran into a few problems trying to use this script.  First, the variable strDomainDN was not defined in your DIM statements. Second, the quote marks on line 41 - strDomainDN=”dc=contoso,dc=com” are the wrong type and generate an error.  And third, on line 117 you have the "_" to indicate that the command is continued on the next line, but there is no carraige return so the script errors out again there.  Once I changed those three items and edited the appropiate variables for the user I was wanting to move, the script ran - and I saw the info for all the users scroll through the command window - However, the user's profile wasn't moved.  When I logged in using the AD account, it created a new profile rather than using the one I tried to move.  What I put in for variable looks mostly like this:

strComputer ="."

strSourceAcct="fred"

strSourceAcctDomain="Test-MigVista01"

strTargetAcct="wilsonf"

strTargetAcctDomain="UNIVERSITY"

strDomainDN="dc=university,dc=edu"

The script runs without errors but the profile doesn't seem to move.  But when I log the computer in using 'wilsonf@university.edu' it generates a new profile.

Am I missing something?

==Ron.

That fixed it.  Migrated the profile perfectly, just like the old moveuser.exe did with XP.

Thank you very much.  I really needed a script like this right now - and from what I found on the 'net, lot's of other people are looking for it, as well.

==Ron.

By adding the ability to accept command line arguments, and a few lines of code to process them, I made the script function nearly identically to the previous exe version - and I don't have to edit the script every time I run it. ( you still have to edit one master variable - strDomainDN="dc=Contoso,dc=com"

and make it whatever your domain is - but that would probably be a one-time edit for most admins.)  So now, I can launch the command prompt (as admin, of course) and simply type:

 Moveuser user1 DOMAIN\user1

just as before. (this way runs with wscript instead of cscript but it still works.)

Here is what I added:

'/========================

DIM strDomAcctLength, strCompName, strSlashPos

DIM strDomainAcct, strLocalAcct, strLocalAcctLength

If WScript.Arguments.Count = 2 Then

strLocalAcct = WScript.Arguments.Item(0)

strDomainAcct = WScript.Arguments.Item(1)

 Else

  Wscript.Echo "Usage 1: Moveuser.vbs LocalUsername Domain\Username" _

  & VBNewLine & "or..." _

  & VBNewLine & "Usage 2: Moveuser.vbs Domain\Username Domain\Username"

  Wscript.Quit

End If

'Process arg 1'

If InStr (strLocalAcct, "\") = 0 Then

 Set strCompName = WScript.CreateObject("WScript.Network")

 strSourceAcctDomain = strCompName.ComputerName

 strSourceAcct = strLocalAcct

 Else

   strLocalAcctLength = Len(strLocalAcct)

   strSlashPos = InStr (strLocalAcct, "\")

   strSourceAcctDomain = Left(strLocalAcct,strSlashPos - 1)

   strSourceAcct = Right(strLocalAcct,strLocalAcctLength - strSlashPos)

End If

 'Process arg 2'

 strDomAcctLength = Len(strDomainAcct)

 strSlashPos = InStr (strDomainAcct, "\")

 strTargetAcctDomain = Left(strDomainAcct,strSlashPos - 1)

 strTargetAcct = Right(strDomainAcct,strDomAcctLength - strSlashPos)

'/=== the lines below resume from the original ===

strComputer ="."

strDomainDN="dc=Contoso,dc=com"

strTargetAcctSID=""

I ran across another problem...  When I try to run the script to change an account from a Domain to a local user (instead of the other way around...), I get the following error:

(116, 13) SWbemObjectEx: The parameter is incorrect.

What I have for the variables is similar to before, but in reverse:

strComputer ="."

strSourceAcct="wilsonf"

strSourceAcctDomain="UNIVERSITY"

strTargetAcct="fred"

strTargetAcctDomain="Test-MigVista20"

strDomainDN="dc=university,dc=edu"

It's almost as if the "ObjProfile.ChangeOwner" doesn't work in this direction.

Any ideas?

Where Rob spells out the description for each of the variables above, it "sounds" like it should work.  Not sure if it worked with the old Moveuser.exe or not.  Perhaps I'll test that out...

Just tested the Moveuser.exe under XP and was able to successfully revert a user from the domain back to being a local user.

Hey Ron,

So the problem here is not functionality of the WMI Provider.  The issue here is the script.  

So the issue with the script is that it is hard coded to look at active directory for the Target account.

If you read the comments around the objProfile.ChangeOwner method in the script it requires a string representation of the users SID i.e. "S-1-5-21....." then it needs a flag setting.

=============================

      ' ChangeOwner method requires to String SID of Target Account and a Flag setting

       ' Flag 1 = Change ownership of the source profile to target account even if the target account  already has a profile on the system.

       ' Flag 2 = Delete the target account Profile and change ownership of the source user account profile to the target account.

==============================

The script shown above assumes that the target account is a domain based account, since that is what most customers reqire.  That is why the script does an LDAP query for the user in question and gets a HEX representation of the users SID.  It then converts the HEX SID to a Text SID.

So here is the rub, the script would have to be modified to look at the local SAM acocunt database and search it for the users SID to make it work.  Otherwise if you know off the top of you head the users SID you can use that as the first parameter in the method.

Now you could connect to the WINNT provider to find the users local account or the WMI provider of Win32_UserAccount

http://msdn.microsoft.com/en-us/library/aa394507.aspx

I hope that this helps.

Rob Greene

Thanks for the info.  I understand now why it doesn't work in the reverse direction.  Now I need to decide if I want to go through the work of adding that functionality for something that really will rarely (if ever) be used.

Hey Ron,

I totally understand that.  However, if you do choose to do this we would be glad to have the code added to the comments sectoin  ;)

I might tackle this later...  I've been editing the script to make it closer to the old MoveUser.exe because we are going to begin a 'mass migration' next week, converting ~600 remaining users from Novell to AD.  I wanted my instructions for the team to be as close to identical for both XP and Vista as I could get them.  I've made so many changes now that simply posting a code-snip wouldn't work very well.  I'm telling our team to get the file from:

http://tacklebox.cns.ohiou.edu/Moveuser/

If you want to check out the changes in the file, let me know what you think... (and if you see any problems that I've missed.)

Converting profiles back really isn't an issue right now - but in a University environment we get piles of requests that make all of us say "Why would they want to do that?" - But we aren't generally able to say 'no' unless it's trully imposible (and sometimes not even then...) So while I would like to have the 'ability' to move them back, I don't have the time to write and test that before we begin. And I doubt I'll have the need right away.

So,... here we go........

Hey Ron,

So I took a look at you site listed above.  Top notch, I really like how you took the concept of the script and totally made it into something that you as well as other customers can use.  

I have to give you the extra kodos of adding all the documentation around how to use the script on the website.  

Thank you for taking interest in our blogging efforts and giving back to the community with the additions to the script.

Auch das Active Directory Team betreibt ein Blog , dass ich interessant zu lesen finde. Gestolpert darüber

We’ve been at this for over a year (since August 2007), with more than 100 posts (127 to be exact), so

I know it has been a while, and this thread is likely dead - but I recently tested my current version of the script on a Windows 7 beta installation and after a couple of minor tweaks to the error checking bits, it now works with Windows 7 just fine. (Though I still haven't gone back to try to fit in the 'move back to a local account' option...)

Oh,... and our mass migration of the Novell users went beautifully.

For what it's worth, I ran into some trouble with the VBScript replacement and ended up using the following PowerShell script instead.  As Rob Greene suggested, I pulled the SIDs from Win32_UserAccount.  

[code]

$original_user = get-wmiobject -class "Win32_UserAccount" -namespace "root\cimv2" -filter "Name='user1' AND LocalAccount=True"

$new_user = get-wmiobject -class "Win32_UserAccount" -namespace "root\cimv2" -filter "Name='user1' AND Domain='CONTOSO'"

$profile = get-wmiobject -class "Win32_UserProfile" -namespace "root\cimv2" -filter "SID='$($original_user.SID)'"

$profile.ChangeOwner($new_user.SID, [uint32]0)

[/code]

Which could be even shorter:

[code]

$original_user = get-wmiobject "Win32_UserAccount WHERE Name='user1' AND LocalAccount=True"

$new_user = get-wmiobject "Win32_UserAccount WHERE Name='user1' AND Domain='CONTOSO'"

$profile = get-wmiobject "Win32_UserProfile WHERE SID='$($original_user.SID)'"

$profile.ChangeOwner($new_user.SID, 0)

[/code]

Hey perennialmind,

Thats great coding.

I am sorry to hear that you had issues with the VBScript.

Rob Greene

thank's a lot, i will try your script Rob, but if it's doesn't works with my park, this powerShell Scritp works ? (I just change in row 2 "Domain='Tralala'"

[code]

$original_user = get-wmiobject "Win32_UserAccount WHERE Name='user1' AND Domain='Tralala'"

$new_user = get-wmiobject "Win32_UserAccount WHERE Name='user1' AND Domain='CONTOSO'"

$profile = get-wmiobject "Win32_UserProfile WHERE SID='$($original_user.SID)'"

$profile.ChangeOwner($new_user.SID, 0)

[/code]

And i have a another question for both script (vbs and PowerShell), when do I run the script ? when I'm the admin of the first domain (source) or the final domain (target), after created a user profil in the new domain ?

by default, your script doesn't delete the source account I guess ?

Rob, Do you marry me ?

I have no further question.

the shrimp's stell