Active Directory Migration

How to Migrate DPAPI-Protected Data During Windows Profile Migration

CopyRight2 now includes a Migrate DPAPI option for Computer Migration and Profile Migration jobs. This feature helps preserve access to DPAPI-protected data by decrypting the user's DPAPI master keys with the source-domain password and re-encrypting them for the target user account after migration.

When organizations migrate computers or user profiles to a new Windows domain, many visible settings and files can be moved successfully while some user-protected data remains tied to the original account. A common reason is Windows Data Protection API, or DPAPI, which applications use to protect sensitive user data with keys associated with the user's Windows profile and credentials.

Why DPAPI Matters During Migration

DPAPI is used by Windows and many applications to protect user-specific secrets and encrypted data. During a domain or profile migration, that protected data may still depend on keys created under the source user account.

If those keys are not migrated correctly, users may find that some saved credentials or protected items are no longer available after the migration, even when their profile and files were moved.

The Migrate DPAPI option is designed to address this migration gap for data protected through Windows DPAPI, including:

  • Browser-stored passwords for Chrome, Edge, and Internet Explorer
  • Saved Remote Desktop Protocol credentials
  • User certificates and their certificate private keys
  • Data encrypted by third-party applications through DPAPI

How the Migrate DPAPI Option Works

Administrators can enable Migrate DPAPI as part of a CopyRight2 Computer Migration or Profile Migration job.

When the option is enabled, CopyRight2 installs an additional program on the client computer. The program runs when the user first logs on with the migrated profile in the target environment.

At first logon, the user is prompted to enter the password they used in the source domain, because the existing DPAPI master keys can only be decrypted with that password. CopyRight2 uses it to decrypt the user's DPAPI master keys and re-encrypt them for the target user account. If CopyRight2 password migration was also used, this may be the same password the user already uses after migration.

What Users Experience

From the end user's perspective, the process happens after migration at first logon with the migrated profile. The user sees a prompt asking for the password from the source domain.

After the correct source-domain password is provided, the DPAPI master keys are decrypted and re-encrypted for the target account. If the password is incorrect or unavailable, those keys cannot be migrated by this prompt, and affected DPAPI-protected data may remain inaccessible.

When completed successfully, this helps preserve access to DPAPI-protected items that applications rely on, such as saved browser passwords, saved RDP credentials, user certificate private keys, and other DPAPI-protected application data.

For administrators, this creates a clearer migration workflow: enable the option in the migration job, prepare users for the first-logon password prompt, and help reduce the likelihood that DPAPI-protected data becomes inaccessible after the move.

Migration Planning Notes for Administrators

The new option is most relevant for migrations where users rely on saved credentials, certificates, browser password stores, or applications that protect local user data through DPAPI.

Before enabling it broadly, administrators should include it in migration planning and user communications so users know which password is required at first logon. This is especially important when the source-domain password differs from the user's target-domain password.
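As an added example that is not part of CopyRight2 or this post, the following PowerShell round-trip check lets an administrator confirm in a pilot that DPAPI-protected data actually survived the move: run it with -Seed as the user before migration, then with -Verify at first logon after the Migrate DPAPI prompt has been answered. The blob path and marker text are assumptions, and the script assumes the roaming AppData folder is carried across by the profile migration.

```powershell
# Added example (not CopyRight2 code): round-trip check for DPAPI data across a profile migration.
# -Seed   : run as the user BEFORE migration; protects a marker string with the user's DPAPI keys.
# -Verify : run at first logon AFTER migration; tries to read it back with the migrated keys.
param(
    [switch]$Seed,
    [switch]$Verify,
    [string]$BlobPath = (Join-Path $env:APPDATA 'dpapi-migration-check.bin')  # assumed location
)
Add-Type -AssemblyName System.Security   # ProtectedData lives here on Windows PowerShell 5.1

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
$marker = 'dpapi-migration-check'         # constructed plaintext; any recognisable text will do
$sid    = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

function Show-MasterKeys {
    # User DPAPI master keys are stored in the profile, in a folder named after the account SID.
    # After a migration the SID changes, which is why the keys must be re-encrypted for the new account.
    $dir = Join-Path $env:APPDATA "Microsoft\Protect\$sid"
    Write-Host "Current SID       : $sid"
    Write-Host "Master key folder : $dir"
    if (Test-Path $dir) {
        Get-ChildItem -Path $dir -Force -File | ForEach-Object { Write-Host "  $($_.Name)" }
    }
}

if ($Seed) {
    $plain = [System.Text.Encoding]::UTF8.GetBytes($marker)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $scope)
    [System.IO.File]::WriteAllBytes($BlobPath, $blob)
    Write-Host "Seeded DPAPI blob at $BlobPath"
    Show-MasterKeys
}
elseif ($Verify) {
    Show-MasterKeys
    try {
        $blob  = [System.IO.File]::ReadAllBytes($BlobPath)
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
        $text  = [System.Text.Encoding]::UTF8.GetString($plain)
        if ($text -eq $marker) { Write-Host 'OK: DPAPI data is readable; master keys were migrated.' }
        else { Write-Warning "Decrypted, but content differs: '$text'" }
    }
    catch [System.Security.Cryptography.CryptographicException] {
        # This is the failure users hit when keys were not migrated: the blob is present,
        # but no master key usable by the target account can unwrap it.
        Write-Warning "FAILED: $($_.Exception.Message) - DPAPI master keys were not migrated for this account."
        exit 1
    }
}
else { Write-Host 'Use -Seed before migration and -Verify after first logon.' }
```

A failed -Verify on a pilot account is the signal to revisit user communications about which password is expected at the first-logon prompt before rolling the option out broadly.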

A More Complete User Profile Migration

The Migrate DPAPI option strengthens CopyRight2's Computer Migration and Profile Migration workflows by addressing a specific but important part of the Windows user profile: DPAPI-protected data.

For organizations planning domain migrations, workstation refreshes, or profile moves, this helps reduce post-migration disruption around saved credentials, certificates, and application-protected data that users expect to keep working.