Deploy Roaming User Profiles.docx
《Deploy Roaming User Profiles.docx》由会员分享,可在线阅读,更多相关《Deploy Roaming User Profiles.docx(10页珍藏版)》请在冰豆网上搜索。
DeployRoamingUserProfiles
DeployRoamingUserProfiles
10outof17ratedthishelpful-Ratethistopic
Published:
September12,2012
Updated:
August7,2013
AppliesTo:
Windows8,Windows8.1Preview,WindowsServer2012,WindowsServer2012R2Preview
ThistopicdescribeshowtouseWindowsServertodeployRoamingUserProfilestoWindowsclientcomputers.
Inthisdocument
∙Prerequisites
∙Step1:
Createaroaminguserprofilessecuritygroup
∙Step2:
Createafileshareforroaminguserprofiles
∙Step3:
OptionallycreateaGPOforRoamingUserProfiles
∙Step4:
OptionallysetupRoamingUserProfilesonuseraccounts
∙Step5:
OptionallysetupRoamingUserProfilesoncomputers
∙Step6:
EnabletheRoamingUserProfilesGPO
∙Step7:
TestRoamingUserProfiles
∙AppendixA:
ChecklistfordeployingRoamingUserProfiles
Prerequisites
Hardwarerequirements
RoamingUserProfilesrequireanx64-basedorx86-basedcomputer;itisnotsupportedbyWindows®RT.
Softwarerequirements
RoamingUserProfileshasthefollowingsoftwarerequirements:
∙IfyouaredeployingRoamingUserProfileswithFolderRedirectioninanenvironmentwithexistinguserprofiles,deployFolderRedirectionbeforeRoamingUserProfilestominimizethesizeofroamingprofiles.Aftertheexistinguserfoldershavebeensuccessfullyredirected,youcandeployRoamingUserProfiles.
∙ToadministerRoamingUserProfiles,youmustbesignedinasamemberoftheDomainAdministratorssecuritygroup,theEnterpriseAdministratorssecuritygroup,ortheGroupPolicyCreatorOwnerssecuritygroup.
∙ClientcomputersmustrunWindows8.1Preview,Windows8,Windows 7,Windows Vista,Windows XP,WindowsServer2012R2Preview,WindowsServer2012,WindowsServer 2008 R2,WindowsServer 2008,orWindowsServer 2003.Windows XPandWindowsServer 2003donotsupportenablingRoamingUserProfilesonaper-computerbasis.
∙ClientcomputersmustbejoinedtotheActiveDirectoryDomainServices(AD DS)thatyouaremanaging.
∙AcomputermustbeavailablewithGroupPolicyManagementandActiveDirectoryAdministrationCenterinstalled.
∙Afileservermustbeavailabletohostroaminguserprofiles.
oIfthefileshareusesDFSNamespaces,theDFSfolders(links)musthaveasingletargettopreventusersfrommakingconflictingeditsondifferentservers.
oIfthefileshareusesDFSReplicationtoreplicatethecontentswithanotherserver,usersmustbeabletoaccessonlythesourceservertopreventusersfrommakingconflictingeditsondifferentservers.
Note
TousenewfeaturesinRoamingUserProfiles,thereareadditionalclientcomputerandActiveDirectoryschemarequirements.Formoreinformation,seeFolderRedirection,OfflineFiles,andRoamingUserProfilesoverview.
Step1:
Createaroaminguserprofilessecuritygroup
IfyourenvironmentisnotalreadysetupwithRoamingUserProfiles,thefirststepistocreateasecuritygroupthatcontainsallusersand/orcomputerstowhichyouwanttoapplyRoamingUserProfilespolicysettings.
∙Administratorsofgeneral-purposeroaminguserprofilesdeploymentstypicallycreateasecuritygroupforusers.
∙AdminsitratorsofRemoteDesktopServicesorvirtualizeddesktopdeploymentstypicallyuseasecuritygroupforusersandthesharedcomputers.
TocreateasecuritygroupforRoamingUserProfiles
1.OpenServerManageronaWindowsServer2012R2PrevieworWindowsServer2012computerwithActiveDirectoryAdministrationCenterinstalled.
2.OntheToolsmenu,clickActiveDirectoryAdministrationCenter.ActiveDirectoryAdministrationCenterappears.
3.Right-clicktheappropriatedomainorOU,clickNew,andthenclickGroup.
4.IntheCreateGroupwindow,intheGroupsection,specifythefollowingsettings:
oInGroupname,typethenameofthesecuritygroup,forexample:
RoamingUserProfilesUsersandComputers.
oInGroupscope,clickSecurity,andthenclickGlobal.
5.IntheMemberssection,clickAdd.TheSelectUsers,Contacts,Computers,ServiceAccountsorGroupsdialogboxappears.
6.Ifyouwanttoincludecomputeraccountsinthesecuritygroup,clickObjectTypes,selecttheComputerscheckboxandthenclickOK.
7.Typethenamesoftheusers,groups,and/orcomputerstowhichyouwanttodeployRoamingUserProfiles,clickOK,andthenclickOKagain.
Step2:
Createafileshareforroaminguserprofiles
Ifyoudonotalreadyhaveafileshareforroaminguserprofilesthatisseparatefromredirectedfolders(topreventinadvertantcachingoftheroamingprofilefolder),usethefollowingproceduretocreateafileshareonaserverrunningWindowsServer2012.
Note
SomefunctionalitymightdifferorbeunavailableifyoucreatethefileshareonaserverrunninganotherversionofWindowsServer.
TocreateafileshareonWindowsServer2012
1.IntheServerManagernavigationpane,clickFileandStorageServices,andthenclickSharestodisplaytheSharespage.
2.IntheSharestile,clickTasks,andthenclickNewShare.TheNewShareWizardappears.
3.OntheSelectProfilepage,clickSMBShare–Quick.IfyouhaveFileServerResourceManagerinstalledandareusingfoldermanagementproperties,insteadclickSMBShare-Advanced.
4.OntheShareLocationpage,selecttheserverandvolumeonwhichyouwanttocreatetheshare.
5.OntheShareNamepage,typeanamefortheshare(forexample,UserProfiles$)intheSharenamebox.
Tip
Whencreatingtheshare,hidethesharebyputtinga$afterthesharename.Thishidesthesharefromcasualbrowsers.
6.OntheOtherSettingspage,optionallyselecttheEnableaccess-basedenumerationandEncryptdataaccesscheckboxes.
7.OnthePermissionspage,clickCustomizepermissions….TheAdvancedSecuritySettingsdialogboxappears.
8.ClickDisableinheritance,andthenclickConvertinheritedpermissionsintoexplicitpermissiononthisobject.
9.SetthepermissionsasdescribedTable1andshowninFigure1,removingpermissionsforunlistedgroupsandaccounts,andaddingspecialpermissionstotheRoamingUserProfilesUsersandComputersgroupthatyoucreatedinStep1.
Figure1 Settingthepermissionsfortheroaminguserprofilesshare
10.IfyouchosetheSMBShare-Advancedprofile,ontheManagementPropertiespage,selecttheUserFilesFolderUsagevalue.
11.IfyouchosetheSMBShare-Advancedprofile,ontheQuotapage,optionallyselectaquotatoapplytousersoftheshare.
12.OntheConfirmationpage,clickCreate.
Table1Requiredpermissionsforthefilesharehostingroaminguserprofiles
UserAccount
Access
Appliesto
System
Fullcontrol
Thisfolder,subfoldersandfiles
Administrators
FullControl
Thisfolderonly
Creator/Owner
FullControl
Subfoldersandfilesonly
Securitygroupofusersneedingtoputdataonshare(RoamingUserProfilesUsersandComputers)
Listfolder/readdata1
Createfolders/appenddata1
Thisfolderonly
Othergroupsandaccounts
None(remove)
1Advancedpermissions
Step3:
OptionallycreateaGPOforRoamingUserProfiles
IfyoudonotalreadyhaveaGPOcreatedforRoamingUserProfilessettings,usethefollowingproceduretocreateanemptyGPOforusewithRoamingUserProfiles.ThisGPOallowsyoutoconfigureRoamingUserProfilessettings(suchasprimarycomputersupport,whichisdiscussedseparately),andcanalsobeusedtoenableRoamingUserProfilesoncomputers,asistypicallydonewhendeployinginvirtualizeddesktopenvironmentsorwithRemoteDesktopServices.
TocreateaGPOforRoamingUserProfiles
1.OpenServerManageronacomputerwithGroupPolicyManagementinstalled.
2.FromtheToolsmenuclickGroupPolicyManagement.GroupPolicyManagementappears.
3.Right-clickthedomainorOUinwhichyouwanttosetupRoamingUserProfilesandthenclickCreateaGPOinthisdomain,andLinkithere.
4.IntheNewGPOdialogbox,typeanamefortheGPO(forexample,RoamingUserProfileSettings),andthenclickOK.
5.Right-clickthenewlycreatedGPOandthencleartheLinkEnabledcheckbox.ThispreventstheGPOfrombeingapplieduntilyoufinishconfiguringit.
6.SelecttheGPO.IntheSecurityFilteringsectionoftheScopetab,selectAuthenticatedUsers,andthenclickRemove.
7.IntheSecurityFilteringsection,clickAdd.
8.IntheSelectUser,Computer,orGroupdialogbox,typethenameofthesecuritygroupyoucreatedinStep1(forexample,RoamingUserProfilesUsersandComputers),andthenclickOK.
Step4:
OptionallysetupRoamingUserProfilesonuseraccounts
IfyouaredeployingRoamingUserProfilestouseraccounts,usethefollowingproceduretospecifyroaminguserprofilesforuseraccountsinActiveDirectoryDomainServices.IfyouaredeployingRoamingUserProfilestocomputers,asistypicallydoneforRemoteDesktopServicesorvirtualizeddesktopdeployments,insteadusetheproceduredocumentedinStep5ofthistopic.
Note
IfyousetupRoamingUserProfilesonuseraccountsbyusingActiveDirectoryandoncomputersbyusingGroupPolicy,thecomputer-basedpolicysettingtakesprecendence.
TosetupRoamingUserProfilesonuseraccounts
1.InActiveDirectoryAdministrationCenter,navigatetotheUserscontainer(orOU)intheappropriatedomain.
2.Selectalluserstowhichyouwanttoassignaroaminguserprofile,right-clicktheusersandthenclickProperties.
3.IntheProfilesection,selecttheProfilepath:
checkboxandthenenterthepathtothefilesharewhereyouwanttostoretheuser’sroaminguserprofile,followedby%username%(whichisautomaticallyreplacedwiththeusernamethefirsttimetheusersignsin).Forexample:
\\\UserProfiles$\%username%
Tospecifyamandatory
升级会员 