Revert ADMU Migration
It is possible to revert an account migration manually. In some cases, ADMU migration can fail if interrupted by antivirus software or through other means. If that's the case, after logging into what should be the migrated account, Windows may display a message stating that it "Can't sign into your account".
If Windows is unable to access the "NTUSER.DAT" file assigned to the account security identifier (SID), a temporary profile will be created. Files or changes saved to this account are removed upon logout.
To revert a migration (failed or successful), two files must be renamed and one registry key updated. During ADMU migration, backups of the original account's user hive files are created:
- C:\Users\UserToMigrate\NTUSER_original_2023-04-19-120351.DAT
- C:\Users\UserToMigrate\AppData\Local\Microsoft\Windows\UsrClass_original_2023-04-19-120351.dat
This backup step precedes the migration steps: if the backup of the original AD user's registry hive isn't made, the ADMU migration will exit before modifying files or the registry. Together, these two files represent the registry hive for the original AD user.
The two backup files must be renamed to their original file names to allow the original AD user to log in:
- Rename C:\Users\UserToMigrate\NTUSER.DAT -> C:\Users\UserToMigrate\NTUSER_migrated.DAT
- Rename C:\Users\UserToMigrate\NTUSER_original_2023-04-19-120351.DAT -> C:\Users\UserToMigrate\NTUSER.DAT
- Rename C:\Users\UserToMigrate\AppData\Local\Microsoft\Windows\UsrClass.dat -> C:\Users\UserToMigrate\AppData\Local\Microsoft\Windows\UsrClass_migrated.dat
- Rename C:\Users\UserToMigrate\AppData\Local\Microsoft\Windows\UsrClass_original_2023-04-19-120351.dat -> C:\Users\UserToMigrate\AppData\Local\Microsoft\Windows\UsrClass.dat
In these locations, only the backup file should be renamed to NTUSER.DAT and UsrClass.dat, which Windows will reference when the user logs on.
Open Registry Editor as an administrator.
Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
Identify the SID of the AD user who was migrated. In this screenshot, that user's SID is underlined and their ProfileImagePath is circled.
Change their ProfileImagePath to the original location of the user profile. In this screenshot, the ProfileImagePath is updated to C:\Users\ChetAtikns. This was the user's home profile path before ADMU migration.
Lastly, update the new local user SID to point to a null location so that the ProfileImagePaths are not in conflict. In this screenshot, the user SID with .bak denotes the user profile that was signed in as a temporary profile; its ProfileImagePath was updated to C:\Users\null to ensure it's not in conflict with the AD user.
If the system was unbound from AD, bind the system back to AD to allow the AD user to log in.
At this point, you should be able to log in as the AD user using the AD credentials set prior to ADMU migration.
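
The manual steps above, collected into one PowerShell script as an added example (not part of ADMU or the original page). The parameter names and their default values are placeholders, the script assumes the profile folder itself was not moved, and the loaded-hive check is an added precaution because Windows keeps NTUSER.DAT locked while its user is signed in.

```powershell
#Requires -RunAsAdministrator
# Added example, not ADMU code. Every default below is a placeholder; replace before use.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ProfilePath  = 'C:\Users\UserToMigrate',
    [string]$BackupStamp  = '2023-04-19-120351',   # timestamp taken from the backup file names
    [string]$AdUserSid    = '<AD-USER-SID>',       # ProfileList key of the original AD user
    [string]$LocalUserKey = '<LOCAL-USER-SID>'     # ProfileList key of the new local user (may end in .bak)
)
$ErrorActionPreference = 'Stop'                    # a failed rename must stop the registry edits
$classDir    = Join-Path $ProfilePath 'AppData\Local\Microsoft\Windows'
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

# Per hive: live file name, name to park the migrated hive under, backup to restore.
$hives = @(
    @{ Dir = $ProfilePath; Live = 'NTUSER.DAT';   Parked = 'NTUSER_migrated.DAT';   Backup = "NTUSER_original_$BackupStamp.DAT" },
    @{ Dir = $classDir;    Live = 'UsrClass.dat'; Parked = 'UsrClass_migrated.dat'; Backup = "UsrClass_original_$BackupStamp.dat" }
)

# Pre-flight: verify everything before changing anything, so the revert is all-or-nothing.
foreach ($h in $hives) {
    $backup = Join-Path $h.Dir $h.Backup
    if (-not (Test-Path -LiteralPath $backup)) { throw "Backup hive not found: $backup" }
    $parked = Join-Path $h.Dir $h.Parked
    if (Test-Path -LiteralPath $parked) { throw "Already present (revert run before?): $parked" }
}
foreach ($key in $AdUserSid, $LocalUserKey) {
    if (-not (Test-Path -LiteralPath (Join-Path $profileList $key))) { throw "No ProfileList key: $key" }
}
# A hive that is loaded under HKEY_USERS is locked and cannot be renamed.
foreach ($sid in $AdUserSid, ($LocalUserKey -replace '\.bak$')) {
    if (Test-Path -LiteralPath "Registry::HKEY_USERS\$sid") { throw "Hive for $sid is loaded; sign that user out first." }
}

# Park the migrated hive (if one exists), then restore the backup under the live name.
foreach ($h in $hives) {
    $live = Join-Path $h.Dir $h.Live
    if (Test-Path -LiteralPath $live) { Rename-Item -LiteralPath $live -NewName $h.Parked -Force }
    Rename-Item -LiteralPath (Join-Path $h.Dir $h.Backup) -NewName $h.Live -Force
}

# Point the AD user back at the profile and move the local user's entry out of the way.
Set-ItemProperty -LiteralPath (Join-Path $profileList $AdUserSid) -Name ProfileImagePath -Value $ProfilePath -Type ExpandString
Set-ItemProperty -LiteralPath (Join-Path $profileList $LocalUserKey) -Name ProfileImagePath -Value 'C:\Users\null' -Type ExpandString
```

Run it with -WhatIf first to list the renames and registry writes without performing them.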