Changing SIDs is unsupported. It is extremely likely that you will get
strange results when you do it since it has never been tested and was not
supposed to be done.
The reason you are running into the error is very likely because there are
portions of their registry hive that users themselves do not have full
It seems like a much better option would be to try to avoid the SID change
altogether. While there are tools that can let you do it, it is much better
to avoid it. Instead of doing that, see if you can't just migrate profiles
and documents. I have used Roaming Profiles for this. I just copy the user's
existing profile to some network share, give the user permissions to it, and
set the user account to use that profile.
It should never be necessary to replace domains when swapping DCs. Jeff's
swing method is neat, but really no different than what big IT has been doing
for years. What he did, which is genius, is figure out how to do it on SBS. I
did my first "swing" migration on non-SBS in 1996, from NT 3.51 to 4.0, long
before I had ever heard of the term "swing," at least in that context. If you
do that you won't have the SID problems. If you use roaming profiles and
redirected user folders, you can even wipe a client with virtually no effect
Your question may already be answered in Windows Vista Security:
"Carl Farrington" wrote:
> For a long time, many years, I have been manually migrating user's profiles
> if/when their SID changes, for example an unknowledgable person might setup
> the user as a local user and not join the computer to the domain, so I will
> join the computer to the domain and migrate the user's existing profile
> over, or when replacing a server where a new domain will be created and
> everybody in the organisation gets new SIDs (although I accept that Jeff's
> 'swing' migration seems to be a better way of doing this with SBS), or when
> moving a non-domain user from one computer to another.
> To do this migration I update ProfileImagePath in the registry and point it
> back at the original profile folder, I correct the NTFS permissions on that
> folder, and I manually load that user's NTUSER.DAT into the registry and
> give the new user full permissions including all child objects. I then
> unload the registry and either reboot or logoff/on, and all is well with the
> exception of the Protected Storage System (network and web/email passwords).
> I have not figured out the PSS thing yet, and instead I use a PSS viewer to
> dump all the passwords beforehand. I suspect PSS is encrypted against the
> user's SID or something like that.
> Anyway, this all works fine on NT/2000/XP apart from the above exception
> which I can and have lived with.
> It does *not* work on Vista though. The symptoms afterwards (from memory)
> Internet Explorer broken - Phishing filter doesn't work. Tools -> Internet
> Options doesn't work, although Internet control-panel works via the
> Windows Defender reports problems and doesn't start.
> Network Connections are reported to be broken/unavailable or something (I
> can't remember exactly).
> Various other oddities and instabilities.
> I found that when applying the registry permissions on the user's hive I was
> told that some keys could not be updated, and I have not been able to get
> around this. Perhaps this is the cause? I do not know which keys are
> inaccessible, but I should imagine as usual that the Protected Storage
> System Provider will only be accesible by SYSTEM, but this didn't matter in
> XP as a new key was created under there upon logging on with the new SID.
> My plan is to try running regedit as SYSTEM (via use of the task scheduler's
> /interactive switch) and see if this enables me to override all registry
> permissions, and then see if this makes any difference to the actual
> problem. Re-writing all registry permissions isn't a good plan so I'd really
> like to know exactly what is/was inaccessible.
> Does anybody know what's going on? Is it really simple? Am I simply missing
> some NTFS ACLs somewhere?
> This Vista thing is very odd. It's so cumbersome and awkward to administer.
> Folders that aren't really folders, folders that I can't copy to from the
> network (I have to copy to the desktop first), and more.. No real "Run As"
> option if UAC is turned off. Thankfully I send most of my customers to Dell
> now for their machines, and they still give the option to buy with XP. I
> would still appreciate some assistance with this profile prolem though since
> it's inevitable that I will be dealing with Vista more frequently as time
> goes on.
> Thanks for your time,