Possible permission issues with domain to domain profile transfer
We're trying to move domain profiles on workstation computers to another domain. All users are running Win 7 64-bit Pro. So far, we can't get them to work without disabling UAC. Perhaps someone could offer a solution to get everyone's profile working with UAC enabled.

Here are the steps we took to migrate the existing profiles:

1. Disjoin the computer from the existing domain
2. Take ownership of the user's folder and all subfolders/files with <LocalComputer>\Administrators
3. Join the computer to the new domain
4. Restart workstation computer
5. Add Full Control permissions for new domain user to existing user's folder and all subfolders/files in \Users\<oldprofile> using inherited permissions
6. Add Full Control permissions to user's registry entries by mounting ntuser.dat to regedit and replacing all permissions on key/subkeys with Full Control for new domain profile for that user (using a Domain Admin account to do this)
7. Dismount the registry file to save changes
8. Rename old \Users\<profile> folder to \Users\<oldprofile>.old
9. Add new domain user to <LocalComputer>\Administrators using mmc
10. Log in with new domain user account to create \Users\<newprofile> folder
11. Restart computer
12. Delete \Users\<newprofile>
13. Rename \Users\<oldprofile>.old to \Users\<oldprofile> (and it's the same username as in new domain, so it's really \Users\<newprofile>)
14. Log in with new domain user

The problem comes when we log in with the new user account; the user profile does not load fully. Desktop background is missing, all Start Menu and Desktop items are missing, the Win 7 Aero interface is disabled and reverts to Classic, and clicking on standard links such as Computer and Control Panel results in an error message (which I cannot recall completely at the moment, but basically said you don't have permissions to access this resource). The LocalService account seems to be broken as well, as DHCP doesn't work at all, and trying to start services that run using that account results in Error 5: Access denied.
Here comes the weird part: Disabling UAC fixes everything. User profile loads properly, all Start Menu shortcuts are there, including Recent Items, and the LocalService account works, causing all services to start correctly. Currently, we've just switched UAC off on every computer, just to get them up and running for now, although this is not a configuration we feel comfortable running for too long.

Also: Logging in with any brand-new domain accounts (that create a new \Users\<userprofile> folder) causes everything to work properly as well, even with UAC enabled. On some of the workstations, we can leave UAC enabled, and everything works fine. We cannot find a common variable that causes the user profile issues.

I know I'm forgetting some of the steps that we've taken to try and get this to work (since we've tried many things), so please ask questions and I'll be able to say if we've tried that or not. Thank you in advance for any help you can provide in solving this issue!
May 24th, 2012 1:42am

Use the Active Directory Migration Tool: http://www.microsoft.com/en-us/download/details.aspx?id=8377
For migration details, look into the ADMT Guide. This topic is closer to the Active Directory in Server forum. If you have any problems with ADMT, refer to this forum: http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads
Regards, Milos
May 24th, 2012 1:52am

This has nothing to do with my question. The AD object was migrated successfully. I can log in with any user that was moved over to the new domain. I'm wondering why I can't migrate the profile that resides on the user's workstation.
May 24th, 2012 3:48am

Hi, See whether it is the following situation. http://social.technet.microsoft.com/Forums/is/smallbusinessserver/thread/ce5c1a4b-e36d-4f6b-8fbe-f17d2fd04b6c
Juke Chou TechNet Community Support
May 28th, 2012 6:08am

Is it possible that we need to take ownership of the user profile folder using the User account instead of the Administrators group? This is the only spot in our steps where the admin group is used instead of the domain user account. Also, even if the user is a member of Administrators and Administrators have Full Control on a folder, if the user account also has Full Control, won't they be able to use those user permissions to access the folder?
May 28th, 2012 3:27pm

Hi, Based on the split token used when UAC is enabled, you may try to remove all the groups on the user registry hive and profile folder, and only leave System and this user in that list with full control.
Juke Chou TechNet Community Support
May 28th, 2012 11:42pm
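
The check suggested in the last reply can be done read-only before changing any permissions. The script below is an added example, not part of the original thread: it lists the owner and every ACL entry on the profile folder and on the root key of the mounted ntuser.dat that is not SYSTEM or the user. The profile path, account name and hive mount name are placeholders (assumptions), and it must run from an elevated prompt while the user is logged off.

```powershell
# Added example: read-only audit of a migrated profile's ACLs.
# The three values below are placeholders (assumptions), not values from the thread.
$ProfilePath = 'C:\Users\jdoe'            # hypothetical migrated profile folder
$UserAccount = 'NEWDOMAIN\jdoe'           # hypothetical new-domain account
$HiveName    = 'MigratedProfile'          # temporary mount name under HKEY_USERS

# Principals the reply says should remain, each with Full Control.
$Expected = @('NT AUTHORITY\SYSTEM', $UserAccount)

function Get-AclFindings {
    param([string]$Path, [string[]]$Expected)
    $acl = Get-Acl -Path $Path
    $findings = @()
    # The migration steps set the owner to the local Administrators group.
    if ($Expected -notcontains $acl.Owner) {
        $findings += "${Path}: owner is '$($acl.Owner)'"
    }
    # Any entry for a group or account outside the expected list.
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($Expected -notcontains $who) {
            $findings += "${Path}: extra ACE for $who ($($ace.AccessControlType))"
        }
    }
    # Each expected principal needs an explicit Allow / Full Control entry.
    foreach ($name in $Expected) {
        $full = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $name -and
            $_.AccessControlType -eq 'Allow' -and
            "$($_.FileSystemRights)$($_.RegistryRights)" -match 'FullControl'
        }
        if (-not $full) { $findings += "${Path}: no Full Control ACE for $name" }
    }
    return $findings
}

# 1) Profile folder ACL.
Get-AclFindings -Path $ProfilePath -Expected $Expected

# 2) Hive ACL: mount ntuser.dat, inspect the root key only, then unmount.
reg.exe load "HKU\$HiveName" (Join-Path $ProfilePath 'ntuser.dat') | Out-Null
try {
    Get-AclFindings -Path "Registry::HKEY_USERS\$HiveName" -Expected $Expected
} finally {
    [gc]::Collect()                       # release key handles so unload succeeds
    reg.exe unload "HKU\$HiveName" | Out-Null
}
```

No output means the folder and the hive root already match the SYSTEM-plus-user layout; subfolders and subkeys with non-inherited permissions are not covered by this check.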

This topic is archived. No further replies will be accepted.
