One of the projects I’m working on is actually laughable, because the situation should never have happened in the first place; but I can’t take responsibility for that, since I inherited it. I have 3000 users in Active Directory whose usernames include a space. That’s right: John Doe’s username is actually domain\john doe. If you ever write scripts or do anything related to accounts, you will immediately realize that user accounts with spaces are a nightmare to maintain, mostly because the industry standard is to create user accounts without spaces.
So, that is my challenge. My project involves taking every user account in Active Directory and changing john doe into jdoe. It sounds simple at first glance, but when there are tons of John Does and James Does, the username algorithm gets a bit complex, not to mention notifying the users of the change and tracking the changes in a database. I won’t get into that piece in this article; I’ll save it for another post.
The main purpose of this post, though, is to share the result of my research into renaming a user account fully, all the way from Active Directory to the profile folder name on the user’s workstation.
The challenge with profile names and AD accounts is that many scripts running on users’ workstations call the %USERNAME% or %HOMEPATH% environment variable. Scripting in general refers to %USERNAME%, which no longer matches the user’s actual profile path after an account name change.
Renaming an account in Active Directory changes only the name; it does not change the SID of the account.
Let’s look at a quick example:
If we rename the username john doe in Active Directory to jdoe, the profile folder on the workstation is still c:\documents and settings\john doe. When the user logs in with the new username, the profile c:\documents and settings\john doe will in fact load, and the user will not notice a difference, but there is now a discrepancy between the username and the user’s home path.
If we just rename the folder from c:\documents and settings\john doe to c:\documents and settings\jdoe, you would think the problem is resolved. In reality it isn’t: the profile is tied to the account’s SID, and the registry entry for that SID (its ProfileImagePath) still points to the old folder, which no longer exists. Windows then creates a new profile for the user and names it jdoe.domain, and none of the user’s data or settings exist in it, because Windows believes the original profile with the data has been deleted.
So, what’s the fix for this? It’s actually very simple: in addition to renaming the profile folder, one registry value needs to be changed. The key is knowing the SID that corresponds to the user. The getsid.exe utility from the Windows 2003 Support Tools will get that information.
Once the SID is found, open the registry and navigate to:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID>\ProfileImagePath
Note that the folder must be renamed while the user is not logged in to it; otherwise the following error will pop up:
Documents and Settings is a Windows system folder and is required for Windows to run properly. It cannot be moved or renamed
The value of ProfileImagePath needs to be changed to the new username after the actual folder name has been changed. Once this is done, log off the session and log back on; all the names are now in sync and things are back to normal.
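As an added example (not from the original post), the procedure above can be scripted so that every check happens before anything is changed. The PowerShell below is mine and assumes Windows Vista or later (for the Win32_UserProfile class, used to detect a loaded profile) with PowerShell 3 or newer, run elevated on the workstation; it resolves the SID through .NET’s NTAccount translation instead of getsid.exe. The registry key is the one named above; the parameter names and the sample domain CONTOSO are hypothetical.

```powershell
<#
  Added example, not from the original post: rename one user's local profile
  folder and repoint ProfileList\<SID>\ProfileImagePath at it.
  Assumptions (mine): Windows Vista+ (Win32_UserProfile), PowerShell 3+, elevated.
  Usage:  .\Rename-LocalProfile.ps1 -Domain CONTOSO -OldName 'john doe' -NewName jdoe -WhatIf
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [Parameter(Mandatory)] [string]$Domain,    # hypothetical, e.g. CONTOSO
    [Parameter(Mandatory)] [string]$OldName,   # old sAMAccountName, e.g. 'john doe'
    [Parameter(Mandatory)] [string]$NewName    # new sAMAccountName, e.g. 'jdoe'
)

# 1. Resolve the account to its SID. The SID survives the AD rename, so try the
#    new name first (the rename has usually happened already), then the old one.
$sid = $null
foreach ($candidate in @($NewName, $OldName)) {
    try {
        $account = [System.Security.Principal.NTAccount]"$Domain\$candidate"
        $sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value
        break
    } catch {
        continue   # this name does not resolve; try the next candidate
    }
}
if (-not $sid) { throw "Neither $Domain\$NewName nor $Domain\$OldName resolves to a SID." }

# 2. Find this SID's ProfileList entry; ProfileImagePath is the folder Windows loads.
$key = "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
if (-not (Test-Path $key)) { throw "No local profile registered for SID $sid on this machine." }
$oldPathRaw = (Get-ItemProperty -Path $key -Name ProfileImagePath).ProfileImagePath
$oldPath    = [Environment]::ExpandEnvironmentVariables($oldPathRaw)  # REG_EXPAND_SZ may use %SystemDrive%
$newPath    = Join-Path (Split-Path $oldPath -Parent) $NewName

# 3. Sanity checks before touching anything.
if ((Split-Path $oldPath -Leaf) -ne $OldName) {
    # Typical when the folder was renamed first: Windows has already created
    # 'jdoe.DOMAIN' and repointed ProfileImagePath at it. That needs manual
    # reconciliation (move the data back), not this script.
    throw "ProfileImagePath is '$oldPath', not a '$OldName' folder. Inspect before continuing."
}
if (-not (Test-Path -LiteralPath $oldPath)) { throw "Profile folder $oldPath is missing." }
if (Test-Path -LiteralPath $newPath)        { throw "$newPath already exists; refusing to overwrite." }

# The folder cannot be renamed while the profile is in use (the 'system folder'
# error quoted in the post), so refuse if the profile is currently loaded.
$prof = Get-CimInstance Win32_UserProfile -Filter "SID = '$sid'"
if ($prof -and $prof.Loaded) { throw "Profile for $sid is loaded; log the user off first." }

# 4. Rename the folder, then repoint the registry value, in that order. If the
#    registry write fails, undo the folder rename so the machine stays consistent.
Rename-Item -LiteralPath $oldPath -NewName $NewName
try {
    Set-ItemProperty -Path $key -Name ProfileImagePath -Value $newPath -Type ExpandString
} catch {
    if (Test-Path -LiteralPath $newPath) {
        Rename-Item -LiteralPath $newPath -NewName (Split-Path $oldPath -Leaf)
    }
    throw
}

# 5. Report what will load at the next logon.
[pscustomobject]@{
    SID              = $sid
    ProfileImagePath = (Get-ItemProperty -Path $key -Name ProfileImagePath).ProfileImagePath
    FolderExists     = Test-Path -LiteralPath $newPath
}
```

Run it once with -WhatIf to see the folder rename and registry write it would perform; both cmdlets honour the switch. The order of operations is the one the post describes (folder first, then ProfileImagePath), and the leaf-name check catches the case where Windows has already substituted a jdoe.domain profile, which the script deliberately does not try to repair.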
For additional details on this issue, or some variants of it, you can check out Microsoft’s kb314843.