Don't think this is possible - but need doc's to prove it!

JdotQ · May 2007

Hello fellow TechExam members

So, as the title of the thread suggests, I don't think this scenario is possible - but I can't find any documentation to directly support it. The scenario is a little convoluted, so I'll try to explain the best I can.

Fast Facts
- Windows 2000 AD network
- Windows XP SP2 clients
- No roaming profiles or folder redirection used

Story
So, there is a main home site (HQ) where most employees are stationed. There are often times when several users have to go to remote sites across the U.S. for certain job functions -- the assignments are seemingly random for the users.

At these remote sites there will be a group of several laptops shipped out from HQ with our firm image -- but none of the users at the remote site have logged into these machines before. So, when the laptops arrive, and the users attempt to log in, they get a message stating 'The domain cannot be found....' (because they do not have the user profile on the machines).

Through all my tests, I have not discovered a way to copy a users profile from one machine to another, emulating that they have already logged into the 'new' machine. Yes, I can copy all the user data without a problem - but it still does not allow for a new users to log into a 'clean' machine.

The current workaround is to setup a PPTP VPN connection on the laptop, and checkbox the "log in over dial up connection..." checkbox below the drop-down for "Log On To:" -- This allows the user to connect to the VPN, then pull the user profile and user credentials across the VPN and allows them to log on when disconnected from the domain.

Another work around is to have the user log into the machine before it leaves HQ to the remote site, so when it gets to the remote site (off the domain) their profile is already present and they are able to log in. Obviously, this becomes very redundant when we have hundreds of staff at several remote sites and machines are getting recycled and re-imaged constantly.

Question
Is there any way to copy a user's login profile from a machine which they have already logged into, to a new 'clean' machine which they have never touched, to allow them to log in when off the domain?

It is my understanding that this cannot be copied, as there is some sort of random key that is stored somewhere (similar to a GUID) that cannot be copied (not stored in registry nor on filesystem -- at least that I could find)

----

Has anyone encountered this type of scenario before? I do not believe it is possible to copy the user profile to allow log in when off the domain on a clean system, but some of the 'higher ups' don't like to my word, and need to see some proof

Glad they had me testing if they need to see it on paper

garv221 · May 2007

I have got a few beers in me and I'm sure I can answer this question in the morning but have you thought about copying their current domain profile to the local profile on the computer? Also, the "all users" profile would work for this.

ajs1976 · May 2007

I believe you can use scripts to configure most of the profile. This is the kind of scenario where I install a Citrix Presentation Server at the main site and the remote users just connect to it.

sprkymrk · May 2007

The problem is in the authentication. When you log on, you cache not only your profile, but your credentials as well. It involves a response from the DC on login using Kerberos v5 (assuming W2K and higher) before the hash of the users password (or smart card PIN or whatever) is cached (in other words, not the actual password, but a hash of it) on the client machine.

When a user first logs in, he is granted an access token which contains a lot of information such as the user SID, SIDs for security groups to which the user belongs, the source that caused the access token to be created, statistics about the access token that are used internally by the operating system, etc. This information is stored encrypted/hashed in a protected area of the OS itself and not necessarily in the user profile.

JdotQ · May 2007

ajs1976 wrote:

I believe you can use scripts to configure most of the profile. This is the kind of scenario where I install a Citrix Presentation Server at the main site and the remote users just connect to it.

Good suggestion on the Citrix. We are actually in the process of setting one up, but not quite ready for production yet; so we were just looking into other methods

sprkymrk wrote:

The problem is in the authentication. When you log on, you cache not only your profile, but your credentials as well. It involves a response from the DC on login using Kerberos v5 (assuming W2K and higher) before the hash of the users password (or smart card PIN or whatever) is cached (in other words, not the actual password, but a hash of it) on the client machine.

When a user first logs in, he is granted an access token which contains a lot of information such as the user SID, SIDs for security groups to which the user belongs, the source that caused the access token to be created, statistics about the access token that are used internally by the operating system, etc. This information is stored encrypted/hashed in a protected area of the OS itself and not necessarily in the user profile.

Thanks for the info, sprkymrk! I thought it was something along these lines. And I assume that all the hashed information would be different on each machine (ex. User1 logging into Machine1 would be different than User1 logging into Machine2)?

And there is no way to capture this hashed info (and possibly redistribute it to other machines)?

Is there any Microsoft documents that state this info? -- not that I don't believe you, but I'm interested to read more on this topic

Thanks again for all the replies!

sprkymrk · May 2007

JdotQ wrote:

[And I assume that all the hashed information would be different on each machine (ex. User1 logging into Machine1 would be different than User1 logging into Machine2)?

And there is no way to capture this hashed info (and possibly redistribute it to other machines)?

Is there any Microsoft documents that state this info? -- not that I don't believe you, but I'm interested to read more on this topic

I spent about 20 minutes on google and didn't find anything specific. Good question though.

I personally think that what your management wants to do, if it is indeed possible, is going to be more difficult than just having a user log in to a laptop prior to leaving for the remote site. Why don't they issue a laptop direct to the user before he leaves rather than send it to the remote location seperately I wonder?

mrhaun03 · May 2007

What if you were to reset the user's password and login as them to create their profile. Just make the password something user specific. Something like a combination of their initials and employee number.

JdotQ · May 2007

sprkymrk wrote:

I spent about 20 minutes on google and didn't find anything specific. Good question though.

I personally think that what your management wants to do, if it is indeed possible, is going to be more difficult than just having a user log in to a laptop prior to leaving for the remote site. Why don't they issue a laptop direct to the user before he leaves rather than send it to the remote location seperately I wonder?

Thanks for looking around -- it seems to be an elusive topic

I agree that it would be more work/more difficult to capture a user's info (if even possible) than to just have the user log in prior to the shipment leaving.

But then again, it's management, they're paid the big bucks to make the good decisions, right?

RussS · May 2007

Basically, without roaming profiles I think you will fiod this can not be done. As a standard business model for this kind of scenario I would recommend using Terminal Services - the best portability I can think of.

Don't think this is possible - but need doc's to prove it!

Comments