How to recover a ‘disassociated’ Windows NT user account’s files and settings into a new profile when the SAM ID is no longer valid on the machine or domain

System Requirements:

  • Windows Vista
  • Windows Server 2008, R2
  • Windows 7

The Problem:

Take this hypothetical situation: Windows 7 fails to boot and you don’t want to lose your user data, so you install Windows 7 onto a clean partition. However, your old user profile is associated with the random SAM ID from the old installation, and the new Windows installation cannot mount the profile. You can copy your data files back over, but you really don’t want to configure the start menu settings for the 1,000,000th time.

Or how about this: your only domain controller failed, leaving disassociated roaming profiles on a roaming profile share, and you want to recover as much of the user settings and data as possible for use on the newly built AD forest. (That actually happened to Matt, hence I daydreamed this up.)

More Information:

NT user accounts are associated with a Security Account Manager (SAM) ID. The SAM ID is the way Windows’s SAM, or the Active Directory domain user services, identifies a user. In effect, the SAM ID is a super key that identifies a user account on a Windows system, acting as a GUID for that profile.

The user name itself is irrelevant and plays no part in identifying the user account, apart from being used to perform a reverse lookup to get to the SAM ID, on which Windows bases its logon activities and security token generation in AD.

When you reinstall Windows, the new installation has no awareness of any of the accounts, so if you copy the profiles back into the Windows users directory you will be unable to re-associate that profile with the local SAM database.

The Fix

The simplest way of restoring user data and crucially environment settings (such as desktop wallpaper, window settings and the like) is to follow this process:

  1. Create a new user account for the user you want to migrate onto the new domain/installation
  2. Set the account’s roaming profile settings (if dealing with a roaming profile)
  3. Logon to the machine with Administrator rights
  4. Load Regedit
  5. Click on HKEY_USERS
  6. From the File menu, select Load Hive…
  7. Browse to the NTUser.dat from the previous install/roaming profile for the profile that you are trying to recover and click OK e.g.
    d:\rescued_users\Matt\NTUser.dat
  8. When prompted for a name just enter temp and click OK
  9. Expand and click on:
    HKEY_USERS\temp
  10. From File select export and save the export file as:
    c:\temp.reg
  11. From File, select Unload Hive…
  12. Exit Regedit
  13. Open c:\temp.reg
  14. From the Edit menu select Replace…
  15. In Find What: enter:
    HKEY_USERS\temp
    In Replace With: enter:
    HKEY_CURRENT_USER
    Press Replace All
  16. Save the reg file and exit Notepad
  17. Log off of Administrator
  18. Log on as the new user
  19. Double click on c:\temp.reg and import the reg file into the new (completely default) user account. If you are using a system with UAC you will need to import the reg file using an administrator’s account.
  20. Immediately log off
  21. Log back in as Administrator
  22. Go to the recovered profile folder e.g.
    d:\rescued_users\matt\
  23. Select all files in the folder apart from NTUser.dat, NTUser.ini and NTUser.dat.log and copy them
  24. Paste the data into the new user profile e.g.
    c:\users\matt
  25. The data and the profile settings have now been recovered. Logging back in as the recovered user will restore much of the user profile and all of their data.

Note: It may be necessary to reset folder permissions and ownership on all of the files pasted into the folder to match that of the new user account.
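
The administrator-side steps above (5 to 16 and 22 to 24, plus the permissions note) can also be scripted from an elevated PowerShell prompt. This is an added example, not part of the original article: it uses the article's example paths, assumes the new account is called matt, and rewrites only registry key header lines instead of replacing every occurrence of the string.

```powershell
# Added example. Paths are the article's examples; $NewUser is an assumption
# (use DOMAIN\user for a domain account).
$OldProfile = 'd:\rescued_users\Matt'
$NewProfile = 'c:\users\matt'
$NewUser    = 'matt'
$RegFile    = 'c:\temp.reg'

function Export-RescuedHive {
    # Steps 5-11: load the old hive as HKEY_USERS\temp, export it, unload it.
    reg.exe load 'HKU\temp' (Join-Path $OldProfile 'NTUser.dat')
    if ($LASTEXITCODE -ne 0) { throw 'reg load failed (is the prompt elevated?)' }
    try {
        reg.exe export 'HKU\temp' $RegFile /y
        if ($LASTEXITCODE -ne 0) { throw 'reg export failed' }
    } finally {
        # Always unload, so the rescued NTUser.dat is not left locked.
        reg.exe unload 'HKU\temp'
    }
}

function Convert-RegFileToCurrentUser {
    # Steps 13-16: retarget the export at HKEY_CURRENT_USER.
    # .reg exports are UTF-16; the pattern matches only key header lines
    # ("[HKEY_USERS\temp]" or "[HKEY_USERS\temp\..."), never value data.
    $lines = Get-Content -Path $RegFile -Encoding Unicode
    $lines -replace '^\[HKEY_USERS\\temp(?=[\\\]])', '[HKEY_CURRENT_USER' |
        Set-Content -Path $RegFile -Encoding Unicode
}

function Copy-RescuedData {
    # Steps 22-24: copy everything except the hive files. The wildcard also
    # covers the .LOG1/.LOG2 files that Vista and later create.
    # /XJ skips the profile's compatibility junctions; /COPY:DAT copies data,
    # attributes and timestamps but not the old ACLs.
    robocopy.exe $OldProfile $NewProfile /E /XJ /COPY:DAT /R:1 /W:1 `
        /XF NTUser.dat NTUser.ini 'NTUser.dat.log*'
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures ($LASTEXITCODE)" }

    # The note above: give the new account ownership and full control.
    icacls.exe $NewProfile /setowner $NewUser /T /C
    icacls.exe $NewProfile /grant "${NewUser}:(OI)(CI)F" /T /C
}

# Before step 17:  Export-RescuedHive; Convert-RegFileToCurrentUser
# After step 21:   Copy-RescuedData
```

Steps 17 to 20 (logging on as the new user and importing c:\temp.reg) are still done by hand between the two calls.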

Thanks to Matt Gillard of MGComputing for some testing of my theory.