Adding to Eugene's comments about capture and restore when disconnected from the domain.
The situation identified by Eugene in the first paragraph can be mitigated by including only users from the desired domain. In GUI mode these can be selected visually. For command-line migration you can specify a domain filter in the migration template XML file.
I'd also like to clarify a comment made about security. The correct security is maintained where domain user restoration is forced.
To obtain domain information about a particular user, at present, we use a Windows API called LookupAccountSid. The reason we use this function is to ensure that accounts which have been deleted from the domain or local machine are not included in the capture. Although for domain accounts this information must be obtained from the domain, Windows does cache this information locally. The call to LookupAccountSid will initially cause the local SID cache to be checked. If the entry required is not present, the call goes out to the domain.
If you have entries for all domain users in the local SID cache - no problem.
Various workarounds are possible to populate the Windows SID cache with the required users prior to disconnection from the domain and prior to the capture process.
Eugene identifies two:
a) Log on as the user you wish to migrate and perform the capture in that context
b) Log on/log off as each user you wish to migrate (this populates the SID cache), then log on as an administrator and perform the capture
There are also a couple more:
c) Start the wizard and advance to the Users page (this populates the Windows SID cache), then disconnect from the domain, and perform the capture.
d) For command-line capture, create a minimal template in order to cause virtually nothing to be captured, then execute (this populates the SID cache), then disconnect from the domain and perform the capture.
I'd also guess it is possible to create a script to populate the cache independently without these workarounds. I've yet to try that.
As an aside, I've read opinion that suggests the Windows SID cache life is about 5 minutes. Experimentation indicates this is longer. Other opinion indicates the cache has a maximum number of entries. I'd guess this to be fairly high, but it is something to bear in mind.
Back to the problem at hand. From your previous post I'd guess that granting your contractors access to the domain as administrator isn't actually a problem in your environment. Is there any barrier to utilizing a portable mini-hub to connect both source and target machines to the network at the same time?
Another possible method is to capture the user data to an encrypted package stored on the network, then plug in the new machine and restore the data from there.
Thanks for your input on this one. We really appreciate it.
Regards
Xan
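
The following is an added example, not part of Xan's post and not the migration product's own code: a PowerShell check to run while the machine is still joined to the network, which resolves every profile SID and reports any that no longer map to an account. It assumes that .NET's `SecurityIdentifier.Translate()` goes through the same Windows lookup path and local SID cache that the post describes for LookupAccountSid; the `-DomainFilter` parameter and the sample domain name are hypothetical.

```powershell
# Added example: resolve every profile SID on this machine while the domain is
# still reachable, and report any that do not resolve.
# Assumption: SecurityIdentifier.Translate() uses the same lookup path (and
# local SID cache) as LookupAccountSid; the post does not confirm this.
param(
    # Hypothetical parameter: NetBIOS domain to keep, e.g. 'CONTOSO' (constructed value).
    [string]$DomainFilter = ''
)

$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'

$results = foreach ($key in Get-ChildItem -Path $profileList) {
    $sidString = $key.PSChildName
    # Only user accounts (S-1-5-21-...); skip service and well-known SIDs.
    if ($sidString -notlike 'S-1-5-21-*') { continue }

    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidString)
    try {
        $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        $status  = 'Resolved'
    }
    catch {
        # Deleted account, or a domain account that is neither cached nor reachable.
        $account = $null
        $status  = "Unresolved ($($_.Exception.GetType().Name))"
    }

    [pscustomobject]@{
        Sid         = $sidString
        Account     = $account
        Status      = $status
        ProfilePath = $key.GetValue('ProfileImagePath')
    }
}

# Optional: keep only accounts from one domain, plus anything that failed to resolve.
if ($DomainFilter) {
    $results = $results | Where-Object {
        $_.Status -like 'Unresolved*' -or $_.Account -like "$DomainFilter\*"
    }
}

$results | Sort-Object Status, Account | Format-Table -AutoSize
```

Profiles listed as unresolved while the domain is reachable correspond to the deleted accounts the post says are excluded from the capture; running the same check after disconnecting shows which domain accounts still resolve locally.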