| Author |
Message |
Rich Roller
Guest
|
 Posted:
Tue Oct 18, 2005 8:51 am Post subject:
Moveuser.exe "error 5 - access denied" |
|
|
In my test environment I was able to use MOVEUSER.EXE to migrate user local
profiles from an old NT domain to a new AD (WS2003) domain.
But in the production environment I am getting the error: "Move Failed.
Error 5 Access Denied."
The syntax I've been using is typically "moveuser old-domain\user
new-domain\user /k /y"
I've tried it so many ways. I've tried it with just "/y" or with no
switches at all. I've tried it logged in as new-domain/admin, as
old-domain/admin, as XPcomputername/admin.
I've got two-way trusts between the domains. I've got Domain Admins of AD
as a member of Admins of NT, and visa versa.
What would likely be causing this "access denied" error. Permissions?
Something else??
Thanks.
-Rich |
|
| Back to top |
|
 |
Vincent Xu [MSFT]
Guest
|
| Posted:
Tue Oct 18, 2005 8:51 am Post subject:
RE: Moveuser.exe "error 5 - access denied" |
|
|
Hi Rich,
Based on my experience, the possibility that the "access denied" was caused
by registry permissions. Especially the permissions on
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\(Problem User
SID)
To verify this, I suggest you use Regmon to monitor the registry key during
the command runs. You may download it from
http://www.sysinternals.com/Utilities/Regmon.html
Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
--------------------
| Quote: | Reply-To: "Rich Roller" <rich@*REMOVE-THIS*r2c.com
From: "Rich Roller" <rich@*REMOVE-THIS*r2c.com
Subject: Moveuser.exe "error 5 - access denied"
Date: Tue, 18 Oct 2005 02:08:39 -0400
Lines: 25
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
X-RFC2646: Format=Flowed; Original
Message-ID: <#G9Qjp60FHA.3000@TK2MSFTNGP12.phx.gbl
Newsgroups: microsoft.public.windows.server.migration
NNTP-Posting-Host: ool-4356307b.dyn.optonline.net 67.86.48.123
Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP1 |
2.phx.gbl
| Quote: | Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:12357
X-Tomcat-NG: microsoft.public.windows.server.migration
In my test environment I was able to use MOVEUSER.EXE to migrate user
local
profiles from an old NT domain to a new AD (WS2003) domain.
But in the production environment I am getting the error: "Move Failed.
Error 5 Access Denied."
The syntax I've been using is typically "moveuser old-domain\user
new-domain\user /k /y"
I've tried it so many ways. I've tried it with just "/y" or with no
switches at all. I've tried it logged in as new-domain/admin, as
old-domain/admin, as XPcomputername/admin.
I've got two-way trusts between the domains. I've got Domain Admins of AD
as a member of Admins of NT, and visa versa.
What would likely be causing this "access denied" error. Permissions?
Something else??
Thanks.
-Rich
|
|
|
| Back to top |
|
|
Olaf Engelke [MVP Windows
Guest
|
| Posted:
Tue Oct 18, 2005 12:50 pm Post subject:
Re: Moveuser.exe "error 5 - access denied" |
|
|
Hi Rich,
Rich Roller wrote:
| Quote: | In my test environment I was able to use MOVEUSER.EXE to migrate user
local profiles from an old NT domain to a new AD (WS2003) domain.
But in the production environment I am getting the error: "Move
Failed. Error 5 Access Denied."
The syntax I've been using is typically "moveuser old-domain\user
new-domain\user /k /y"
I've tried it so many ways. I've tried it with just "/y" or with no
switches at all. I've tried it logged in as new-domain/admin, as
old-domain/admin, as XPcomputername/admin.
I've got two-way trusts between the domains. I've got Domain Admins
of AD as a member of Admins of NT, and visa versa.
What would likely be causing this "access denied" error. Permissions?
Something else??
did you already move the computer to the new domain? |
I have seen this behaviour often, if the user was logged in and logged out,
but the Administrator did not reboot before trying to run the command. If
this is the case, boot the PC and log in instantly as domain admin of the
domain, to which the computer currently belongs (so that you have the local
Administrator permissions).
Ensure, that nothing is kept open from the users profile (like an Autostart
application) and that the Administrator you have logged in has control to
the profile folder.
Best greetings from Germany
Olaf. |
|
| Back to top |
|
|
Rich Roller
Guest
|
| Posted:
Tue Oct 18, 2005 12:50 pm Post subject:
Re: Moveuser.exe "error 5 - access denied" |
|
|
Hmm... interesting. I will try that. Thanks for your
ime/comments! -Rich
"Olaf Engelke [MVP Windows Server]" <oenews01@mvps.org> wrote in message
news:eFVEHz80FHA.1028@TK2MSFTNGP12.phx.gbl...
| Quote: | Hi Rich,
Rich Roller wrote:
In my test environment I was able to use MOVEUSER.EXE to migrate user
local profiles from an old NT domain to a new AD (WS2003) domain.
But in the production environment I am getting the error: "Move
Failed. Error 5 Access Denied."
The syntax I've been using is typically "moveuser old-domain\user
new-domain\user /k /y"
I've tried it so many ways. I've tried it with just "/y" or with no
switches at all. I've tried it logged in as new-domain/admin, as
old-domain/admin, as XPcomputername/admin.
I've got two-way trusts between the domains. I've got Domain Admins
of AD as a member of Admins of NT, and visa versa.
What would likely be causing this "access denied" error. Permissions?
Something else??
did you already move the computer to the new domain?
I have seen this behaviour often, if the user was logged in and logged
out, but the Administrator did not reboot before trying to run the
command. If this is the case, boot the PC and log in instantly as domain
admin of the domain, to which the computer currently belongs (so that you
have the local Administrator permissions).
Ensure, that nothing is kept open from the users profile (like an
Autostart application) and that the Administrator you have logged in has
control to the profile folder.
Best greetings from Germany
Olaf. |
|
|
| Back to top |
|
|
Rich Roller
Guest
|
| Posted:
Tue Oct 18, 2005 12:50 pm Post subject:
Re: Moveuser.exe "error 5 - access denied" |
|
|
Thanks. In your experience, is there some specific permissions that may
need to be added?
It might be easier/faster to just try/add those permissions than to
get/run/analyze regmon.
-Rich
"Vincent Xu [MSFT]" <v-xuwen@online.microsoft.com> wrote in message
news:vRM0AD80FHA.1144@TK2MSFTNGXA01.phx.gbl...
| Quote: | Hi Rich,
Based on my experience, the possibility that the "access denied" was
caused
by registry permissions. Especially the permissions on
HKLM\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\(Problem
User
SID)
To verify this, I suggest you use Regmon to monitor the registry key
during
the command runs. You may download it from
http://www.sysinternals.com/Utilities/Regmon.html
Best regards,
Vincent Xu
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security
--------------------
Reply-To: "Rich Roller" <rich@*REMOVE-THIS*r2c.com
From: "Rich Roller" <rich@*REMOVE-THIS*r2c.com
Subject: Moveuser.exe "error 5 - access denied"
Date: Tue, 18 Oct 2005 02:08:39 -0400
Lines: 25
X-Priority: 3
X-MSMail-Priority: Normal
X-Newsreader: Microsoft Outlook Express 6.00.2900.2527
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2527
X-RFC2646: Format=Flowed; Original
Message-ID: <#G9Qjp60FHA.3000@TK2MSFTNGP12.phx.gbl
Newsgroups: microsoft.public.windows.server.migration
NNTP-Posting-Host: ool-4356307b.dyn.optonline.net 67.86.48.123
Path:
TK2MSFTNGXA01.phx.gbl!TK2MSFTNGXA03.phx.gbl!TK2MSFTNGP08.phx.gbl!TK2MSFTNGP1
2.phx.gbl
Xref: TK2MSFTNGXA01.phx.gbl
microsoft.public.windows.server.migration:12357
X-Tomcat-NG: microsoft.public.windows.server.migration
In my test environment I was able to use MOVEUSER.EXE to migrate user
local
profiles from an old NT domain to a new AD (WS2003) domain.
But in the production environment I am getting the error: "Move Failed.
Error 5 Access Denied."
The syntax I've been using is typically "moveuser old-domain\user
new-domain\user /k /y"
I've tried it so many ways. I've tried it with just "/y" or with no
switches at all. I've tried it logged in as new-domain/admin, as
old-domain/admin, as XPcomputername/admin.
I've got two-way trusts between the domains. I've got Domain Admins of
AD
as a member of Admins of NT, and visa versa.
What would likely be causing this "access denied" error. Permissions?
Something else??
Thanks.
-Rich
|
|
|
| Back to top |
|
|
Rich Roller
Guest
|
| Posted:
Wed Oct 19, 2005 12:50 am Post subject:
Re: Moveuser.exe "error 5 - access denied" |
|
|
Thanks again Olaf. You were absolutely correct! I rebooted and moveuser
ran without error.
EXCEPT that I then encountered one more "access denied" problem. Perhaps
you have an idea about this also?
After I did the moveuser and logged in as new-domain\user, when I went to
open a file that was in My Docs I got "access denied". Have you ever had
this problem.
FYI, one other thing I did after move user was to rename the profile folder
from user.old-domain to user.new-domain, and then edited the registry to
change the ProfileImagePath value to match the new folder name. I assume
that's safe and not related, but I wanted to mention it just in case.
I was planning on relying on MOVEUSER for my production user migrations I
need to do ASAP. But I'm holding off because if they get "access denied" on
their My Docs it will be a disaster, unless I can fix it somehow.
-Rich
"Olaf Engelke [MVP Windows Server]" <oenews01@mvps.org> wrote in message
news:eFVEHz80FHA.1028@TK2MSFTNGP12.phx.gbl...
| Quote: | Hi Rich,
Rich Roller wrote:
In my test environment I was able to use MOVEUSER.EXE to migrate user
local profiles from an old NT domain to a new AD (WS2003) domain.
But in the production environment I am getting the error: "Move
Failed. Error 5 Access Denied."
The syntax I've been using is typically "moveuser old-domain\user
new-domain\user /k /y"
I've tried it so many ways. I've tried it with just "/y" or with no
switches at all. I've tried it logged in as new-domain/admin, as
old-domain/admin, as XPcomputername/admin.
I've got two-way trusts between the domains. I've got Domain Admins
of AD as a member of Admins of NT, and visa versa.
What would likely be causing this "access denied" error. Permissions?
Something else??
did you already move the computer to the new domain?
I have seen this behaviour often, if the user was logged in and logged
out, but the Administrator did not reboot before trying to run the
command. If this is the case, boot the PC and log in instantly as domain
admin of the domain, to which the computer currently belongs (so that you
have the local Administrator permissions).
Ensure, that nothing is kept open from the users profile (like an
Autostart application) and that the Administrator you have logged in has
control to the profile folder.
Best greetings from Germany
Olaf. |
|
|
| Back to top |
|
|
Olaf Engelke [MVP Windows
Guest
|
| Posted:
Wed Oct 19, 2005 8:51 pm Post subject:
Re: Moveuser.exe "error 5 - access denied" |
|
|
Hi Rich,
Rich Roller wrote:
| Quote: | I just had a thought... could it be that I needed to reboot after
running moveuser??
Unfortunately I have left the customer-site and cannot test that
theory right now. But do you know if the user's "access denied"
problem when opening a MyDocs file, might be cured by doing a reboot?
Is it similar my having to do a reboot right before I ran run
moveuser to cure another "access denied" error?
not really sure. We had redirected My Documents to the home drive, where we |
adjusted the NTFS permissions with xcacls.vbs, so that was never a point for
me. Also I never did rename the profile, so I cant tell about the experience
here (oldstyle named profiles will die with the time anyway).
But you easily could check the NTFS permissions of the My Documents folder
(and files) and adjust them if necessary. And My Documents is in the default
location in the local profile folder or also redirected in it's properties?
In this case moveuser will almost surely not take care.
Best greetings from Germany
Olaf |
|
| Back to top |
|
|
Rich Roller
Guest
|
| Posted:
Wed Oct 19, 2005 8:51 pm Post subject:
Re: Moveuser.exe "error 5 - access denied" |
|
|
I just had a thought... could it be that I needed to reboot after running
moveuser??
Unfortunately I have left the customer-site and cannot test that theory
right now. But do you know if the user's "access denied" problem when
opening a MyDocs file, might be cured by doing a reboot? Is it similar my
having to do a reboot right before I ran run moveuser to cure another
"access denied" error?
-Rich
"Rich Roller" <rich@*REMOVE-THIS*r2c.com> wrote in message
news:O6$mKQE1FHA.2792@tk2msftngp13.phx.gbl...
| Quote: | Thanks again Olaf. You were absolutely correct! I rebooted and moveuser
ran without error.
EXCEPT that I then encountered one more "access denied" problem. Perhaps
you have an idea about this also?
After I did the moveuser and logged in as new-domain\user, when I went to
open a file that was in My Docs I got "access denied". Have you ever had
this problem.
FYI, one other thing I did after move user was to rename the profile
folder from user.old-domain to user.new-domain, and then edited the
registry to change the ProfileImagePath value to match the new folder
name. I assume that's safe and not related, but I wanted to mention it
just in case.
I was planning on relying on MOVEUSER for my production user migrations I
need to do ASAP. But I'm holding off because if they get "access denied"
on their My Docs it will be a disaster, unless I can fix it somehow.
-Rich
"Olaf Engelke [MVP Windows Server]" <oenews01@mvps.org> wrote in message
news:eFVEHz80FHA.1028@TK2MSFTNGP12.phx.gbl...
Hi Rich,
Rich Roller wrote:
In my test environment I was able to use MOVEUSER.EXE to migrate user
local profiles from an old NT domain to a new AD (WS2003) domain.
But in the production environment I am getting the error: "Move
Failed. Error 5 Access Denied."
The syntax I've been using is typically "moveuser old-domain\user
new-domain\user /k /y"
I've tried it so many ways. I've tried it with just "/y" or with no
switches at all. I've tried it logged in as new-domain/admin, as
old-domain/admin, as XPcomputername/admin.
I've got two-way trusts between the domains. I've got Domain Admins
of AD as a member of Admins of NT, and visa versa.
What would likely be causing this "access denied" error. Permissions?
Something else??
did you already move the computer to the new domain?
I have seen this behaviour often, if the user was logged in and logged
out, but the Administrator did not reboot before trying to run the
command. If this is the case, boot the PC and log in instantly as domain
admin of the domain, to which the computer currently belongs (so that you
have the local Administrator permissions).
Ensure, that nothing is kept open from the users profile (like an
Autostart application) and that the Administrator you have logged in has
control to the profile folder.
Best greetings from Germany
Olaf.
|
|
|
| Back to top |
|
|
Rich Roller
Guest
|
| Posted:
Sat Oct 22, 2005 12:50 am Post subject:
Re: Moveuser.exe "error 5 - access denied" |
|
|
Just thought I'd post back with my results:
Yes a reboot AFTER running moveuser is apparently very helpful. I had no
more MyDocs "access denied" problems when I booted up the machine and went
back into the previously problematic profile.
So, the rule of thumb for MOVEUSER seems to be REBOOT BEFORE AND AFTER
running it.
Another thing I found out that might be interesting about renaming profile
folders. Although it does work for many applications, for any which keep
hard-coded paths to their data or settings files it can be a problem. For
example, OUTLOOK... after the rename, its link to PST was broken. It was a
simple fix but who knows what other software might have problems, which I
might be less familiar with.
So, for that reason alone I would say that renaming profile folders is
probably not worth the risk of applications being possibly broken. I guess
we just have to live with the old profile folder names, even if they are out
of date and misleading. Hopefully no-one would ever be so stupid as to
delete an active profile folder just because it has the old domain, e.g.
user.olddomain.
-Rich
"Olaf Engelke [MVP Windows Server]" <oenews01@mvps.org> wrote in message
news:e9Up0KO1FHA.2008@TK2MSFTNGP10.phx.gbl...
| Quote: | Hi Rich,
Rich Roller wrote:
I just had a thought... could it be that I needed to reboot after
running moveuser??
Unfortunately I have left the customer-site and cannot test that
theory right now. But do you know if the user's "access denied"
problem when opening a MyDocs file, might be cured by doing a reboot?
Is it similar my having to do a reboot right before I ran run
moveuser to cure another "access denied" error?
not really sure. We had redirected My Documents to the home drive, where
we adjusted the NTFS permissions with xcacls.vbs, so that was never a
point for me. Also I never did rename the profile, so I cant tell about
the experience here (oldstyle named profiles will die with the time
anyway).
But you easily could check the NTFS permissions of the My Documents folder
(and files) and adjust them if necessary. And My Documents is in the
default location in the local profile folder or also redirected in it's
properties? In this case moveuser will almost surely not take care.
Best greetings from Germany
Olaf |
|
|
| Back to top |
|
|
|
|
|
|
FAQ
Memberlist
Register
Profile
Log in to check your private messages
Log in