
Spellman Consulting

Information Systems Consulting
Tips and Tricks
 
Below are some tricks that may be helpful for you. 
 
  • Missing Windows Taskbar and Desktop icons
  • Moving a Windows local user profile to a domain user profile
  • Reconnecting an outdated domain controller 

 


Missing Windows Taskbar and Desktop icons

 
Only the desktop wallpaper was displayed.  This happened to one of my client's Windows XP computers after a failed uninstall of Norton Internet Security 2006 followed by a system restore.  Explorer.exe is the application that runs the taskbar, and it was not found in the process list in the Task Manager.  I could run applications from the Task Manager but it would not load explorer.exe or iexplore.exe.
 
I ran through the Microsoft recommendations including a Windows XP repair installation without success.

I did a search for explorer.exe and iexplore.exe and found them in \windows\system32\dllcache, apart from the original files found in \windows\system32 and \Program files\Internet Explorer. I was able to run them from the dllcache folder so I renamed the original explorer.exe and iexplore.exe files and copied the two files from dllcache to the system32 folder. This resolved the issue.

 


Moving a Windows local user profile to a domain user profile 
 
Note - this works reliably with Windows XP but is a gamble with Vista.  It may cause Vista to BSOD so I advise against using it with Vista.
 
When you remove a computer from a domain the user profiles are then no longer associated with any user accounts. You generally have to copy the old profiles into the newly created ones. 

This trick reassociates the old profile to the new one. You no longer need to copy the profile. It saved me from having to copy a profile with 60+ Gb of MPGs and photos. It is also useful if the profile is larger than the available disk space, which would prevent it from being copied.
 
I also used this trick to reassociate a domain profile to a local user account, and it works to move a profile from one domain to another.
 
    1. After successfully logging in as your new user, immediately log out and log back in as the local machine administrator.

    2. Go to Documents and Settings and you’ll see two profile folders with similar names. One will probably have .DOMAIN appended to the end. This is the new profile.

    3. Move the new profile folder to another location.  Remember where it is and what it’s called.

    4. Add the new user account to the local administrators group on the computer.

    5. Go Start\Run and type regedit then click OK.

    6. Choose Edit\Find from the menu and type the name of the folder you just moved. It’ll be somewhere like: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID number> and the key is called ProfileImagePath. The string will look like “%SystemDrive%\Documents and Settings\

    7. Change the value of this key to the path of your original profile folder.

    8. Then go into regedit, highlight HKEY_USERS, and go to File\Load Hive, then find the user's NTUSER.DAT (ensure you have hidden files visible), and load this file. The NTUSER.DAT file will be found in the new profile folder - the one you moved.  Regedit will prompt for a name. Type anything for the name as this is just the subkey that the user’s registry hive will appear under.

    9. Then right-click on that subkey and choose Permissions. You will see the old SID which can no longer be resolved to a user account name because it belongs to the old domain, to which the machine is no longer joined. Delete that SID, and add the user again from the new domain with full permissions. Then unload the hive from the file menu (otherwise the file will be locked/in use and you won’t be able to use it).

    10. Also remove the old SID and add the new user (same user, but new SID, so a new user as far as Windows is concerned) as the owner of, or with full permissions on, \documents and settings\username. Do all of this while logged in as a domain administrator of the new domain.

    11. Now reboot and log in as the user.  All the settings will be there as before.
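
A read-only check that can be run before step 6 and again after step 11 (an added example, not part of the original tip): it lists each ProfileList entry with the account its SID resolves to, the folder ProfileImagePath points at, and any entries in that folder's ACL that are still unresolved SIDs from the old domain. It assumes PowerShell 3.0 or later and an elevated session; the function name Resolve-SidName is hypothetical.

```powershell
# Read-only audit of profile-to-SID mappings. Nothing is modified.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

function Resolve-SidName {
    # Hypothetical helper: returns DOMAIN\user for a SID string, or $null.
    param([string]$Sid)
    try {
        $obj = New-Object System.Security.Principal.SecurityIdentifier($Sid)
        $obj.Translate([System.Security.Principal.NTAccount]).Value
    } catch {
        # Translate() throws when no account matches, e.g. a SID issued by a
        # domain the machine is no longer joined to (the case in step 9).
        $null
    }
}

$report = foreach ($key in Get-ChildItem -Path $profileList) {
    $sid = $key.PSChildName
    $raw = (Get-ItemProperty -LiteralPath $key.PSPath).ProfileImagePath
    if (-not $raw) { continue }          # subkey without a profile path

    # ProfileImagePath is usually stored with %SystemDrive% in it.
    $path   = [Environment]::ExpandEnvironmentVariables($raw)
    $exists = Test-Path -LiteralPath $path

    # ACL entries that Windows could not translate show up as raw SIDs.
    $staleAces = @()
    if ($exists) {
        $staleAces = @((Get-Acl -LiteralPath $path).Access |
            Where-Object { $_.IdentityReference.Value -match '^S-1-' } |
            ForEach-Object { $_.IdentityReference.Value } |
            Select-Object -Unique)
    }

    [pscustomobject]@{
        Sid          = $sid
        Account      = Resolve-SidName -Sid $sid   # empty = orphaned SID
        ProfilePath  = $path
        FolderExists = $exists
        StaleAclSids = $staleAces -join ', '
    }
}

$report | Format-List
```

An entry with an empty Account or a non-empty StaleAclSids still refers to the old domain; a ProfilePath whose folder does not exist points at a profile that has been moved or deleted.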


Reconnecting an outdated domain controller 

 

I've had great success in reconnecting Windows 2000 and 2003 domain controllers that have been offline past the forest tombstone lifetime by using the netdom.exe utility to reset the DC's machine account password. 

 

From Microsoft:

You cannot change the machine account password using the Active Directory Users and Computers snap-in, but you can reset the password using the Netdom.exe tool included in the Windows Support Tools.

The Netdom tool resets the account password on the computer locally (known as a "local secret") and writes this change to the computer's computer account object on a Windows domain controller that resides in the same domain. Simultaneously writing the new password to both places ensures that at least the two computers involved in the operation are synchronized, and starts Active Directory replication so that other domain controllers receive the change.

The following procedure describes how to use the netdom command to reset a machine account password. This procedure is most commonly used on domain controllers, but also applies to any Windows machine account.

Because you cannot use Netdom remotely, you must run the tool from the Windows-based computer whose password you want to change. In addition, you must have administrative permissions locally and on the computer account's object in Active Directory to run Netdom.

Using Netdom to Reset a Machine Account Password

    1. Install the Windows Support Tools from the Support\Tools folder on the Windows CD-ROM on the domain controller whose password you want to reset.

    2. If you are attempting to reset the password for a Windows domain controller, it is necessary to stop the Kerberos Key Distribution Center service and set its Startup type to Manual prior to continuing with step 3.

    Note: After you restart and verify that the password has been successfully reset, you can restart the Kerberos Key Distribution Center service and set its Startup type back to Automatic. Doing this forces the domain controller with the bad computer account password to contact another domain controller for a Kerberos ticket.

    3. At a command prompt, type the following command:

    netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:*

    where Replication_Partner_Server_Name is the fully qualified DNS or NetBIOS name of a domain controller in the same domain as the local computer, and domainname\administrator_id is the NetBIOS domain name and administrator ID respectively, in the Security Accounts Manager (SAM) account name credentials format.

    The "*" value to the /PasswordD: parameter specifies that the password should be typed using hidden characters when the command is submitted. For example, the local computer (which happens to be a domain controller) is Server1 and the peer Windows domain controller name is Server2. If you run Netdom on Server1 with the following parameters, the password is changed locally and is simultaneously written on Server2, and replication propagates the change to other domain controllers:

    netdom resetpwd /server:server2 /userd:mydomain\administrator /passwordd:*

    Restart the server whose password was changed (in this example, Server1).
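
The procedure above as a two-phase script, using the Server1/Server2 example names from the Microsoft text (an added example, not code from Microsoft or from this site). It assumes PowerShell is installed on the domain controller, that netdom.exe and dcdiag.exe from the Support Tools are on the path, and that it is run locally in an elevated session; the -Phase parameter is a construct of this example.

```powershell
# Run on the DC whose machine account password is being reset.
# -Phase Reset   : before the restart (steps 2 and 3)
# -Phase Restore : after the restart, once the reset has been verified
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Reset', 'Restore')]
    [string]$Phase,
    [string]$Partner = 'server2',                 # replication partner (page's example)
    [string]$AdminId = 'mydomain\administrator'   # SAM-format account (page's example)
)

if ($Phase -eq 'Reset') {
    # Step 2: stop the KDC and keep it from starting at boot, so that after
    # the restart this DC must obtain its Kerberos ticket from another DC.
    Stop-Service -Name kdc -Force
    Set-Service  -Name kdc -StartupType Manual

    # Step 3: reset the local secret and the computer account object on the
    # partner in one operation. '*' makes netdom prompt for the password.
    & netdom resetpwd "/server:$Partner" "/userd:$AdminId" '/passwordd:*'
    if ($LASTEXITCODE -ne 0) {
        throw "netdom resetpwd failed (exit code $LASTEXITCODE); KDC left stopped."
    }
    Write-Host 'Password reset. Restart this server, then run -Phase Restore.'
}
else {
    # Verify before re-enabling the KDC. With /q dcdiag prints only errors,
    # so any output means the selected test did not pass.
    $problems = & dcdiag /test:Replications /q
    if ($problems) {
        $problems | Write-Host
        throw 'Replication test reported errors; KDC left on Manual.'
    }

    Set-Service   -Name kdc -StartupType Automatic
    Start-Service -Name kdc
    Write-Host 'KDC restored to Automatic and started.'
}
```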

 

 

Also see Reconnecting a Domain Controller After a Long-Term Disconnection

 

Some great tools for troubleshooting Active Directory replication include replmon, netdiag, dcdiag and adcheck.