Situatie
Mai intai de toate trebuie sa stiti ca roaming profile functioneaza pe windows x86 si x64 dar nu si pe RT.
- Daca vreti sa configurati Roaming User Profiles cu Folder Redirection intr-o infrastructura unde exista deja profile de utilizatori locale, mai intai configurati Folder Redirection inainte de Roaming User Profiles pentru a micsora marimea profilelor. Dupa ce utilizatorii existenti au fost redirectati cu success, puteti incepe sa configurati Roaming User Profiles.
- Pentru a administra Roaming User Profiles, trebuie sa te loghezi cu un cont membru al Domain Administrators, Enterprise Administrators sau Group Policy Creator Owners.
- Calculatoarele client trebuie sa aiba Windows 10, Windows 8.1, Windows 8, Windows 7, Windows Vista, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2, or Windows Server 2008.
- Calculatoarele client trebuie sa fie bagate in domeniu AD.
- Un computer va trebui sa aiba instalat Group Policy Management si Active Directory Administration Center.
- Un server de fisiere (file server) va trebui sa fie disponibil pentru profile.
- Daca file share-ul foloseste DFS Namespaces, folderele DFS (links) trebuie sa aiba un singur target pentru a impiedica un eventual conflict pe diferite servere.
- Daca se utilizeaza DFS Replication pentru a replica continutul altui server, utilizatori trebuie sa acceseze doar serverul sursa, pentru a impiedica eventualele conflicte de editare pe diferite servere.
- Daca file share-ul este in cluster, dezactiveaza continuous availability pe file share pentru a impiedica problemele de performantas.
Backup
1. Prepare the domain | |
– Join computers to the domain | |
– Enable the use of separate profile versions | |
– Create user accounts | |
– (Optional) Deploy Folder Redirection | |
2. Create a security group for Roaming User Profiles | |
– Group name: | |
– Members: | |
3. Create a file share for Roaming User Profiles | |
– File share name: | |
4. Create a GPO for Roaming User Profiles | |
– GPO name: | |
5. Configure Roaming User Profiles policy settings | |
6. Enable Roaming User Profiles: | |
– Enabled in AD DS on user accounts? | |
– Enabled in Group Policy on computer accounts? | |
7. (Optional) Specify a mandatory Start layout for Windows 10 PCs | |
8. (Optional) Enable primary computer support | |
– Designate primary computers for users
– Location of user and primary computer mappings: |
|
– (Optional) Enable primary computer support for Folder Redirection
– Computer-based or User-based? |
|
– (Optional) Enable primary computer support for Roaming User Profiles | |
9. Enable the Roaming User Profiles GPO | |
10. Test Roaming User Profiles |
Each profile has a profile version that corresponds roughly to the version of Windows on which the profile is used. For example, Windows 10, version 1703 and version 1607 both use the .V6 profile version. Microsoft creates a new profile version only when necessary to maintain compatibility, which is why not every version of Windows includes a new profile version.
The following table lists the location of Roaming User Profiles on various versions of Windows.
Operating system version | Roaming User Profile location |
---|---|
Windows XP and Windows Server 2003 | \<servername><fileshare><username> |
Windows Vista and Windows Server 2008 | \<servername><fileshare><username>.V2 |
Windows 7 and Windows Server 2008 R2 | \<servername><fileshare><username>.V2 |
Windows 8 and Windows Server 2012 | \<servername><fileshare><username>.V3 (after the software update and registry key are applied)
\<servername><fileshare><username>.V2 (before the software update and registry key are applied) |
Windows 8.1 and Windows Server 2012 R2 | \<servername><fileshare><username>.V4 (after the software update and registry key are applied)
\<servername><fileshare><username>.V2 (before the software update and registry key are applied) |
Windows 10 | \<servername><fileshare><username>.V5 |
Windows 10, version 1703 and version 1607 | \<servername><fileshare><username>.V6 |
Solutie
Pasi de urmat
Pas 1: Activati utilizarea separata a versiunilor de profile
Daca configurezi Roaming User Profiles pe calculatoare cu 8.1, Windows 8, Windows Server 2012 R2, sau Windows Server 2012, se recomanda cateva modificari ca mai jos:
Activati utilizarea de separare a profilelor pentru diferite versiuni de Windows
- Instalati update-uri pe toate calculatoarele care vor utiliza roaming, mandatory, super-mandatory sau domain default profiles:
- Pe calculatoare cu Windows 8.1, Windows 8, Windows Server 2012 R2, sau Windows Server 2012 pe care veti utiliza Roaming User Profiles, utilizati Registry Editor sau Group Policy pentru a create registry key DWORD Value si setati
1
.HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesProfSvcParametersUseProfilePathExtensionVersion 3. Restartati calculatoarele
Pas 2: Creati un grup de securitate Roaming User Profiles
- Open Server Manager on a computer with Active Directory Administration Center installed.
- On the Tools menu, click Active Directory Administration Center. Active Directory Administration Center appears.
- Right-click the appropriate domain or OU, click New, and then click Group.
- In the Create Group window, in the Group section, specify the following settings:
- In Group name, type the name of the security group, for example: Roaming User Profiles Users and Computers.
- In Group scope, click Security, and then click Global.
- In the Members section, click Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.
- If you want to include computer accounts in the security group, click Object Types, select the Computers check box and then click OK.
- Type the names of the users, groups, and/or computers to which you want to deploy Roaming User Profiles, click OK, and then click OK again.
Pas 3: Creati un file share pentru roaming user profiles
- In the Server Manager navigation pane, click File and Storage Services, and then click Shares to display the Shares page.
- In the Shares tile, click Tasks, and then click New Share. The New Share Wizard appears.
- On the Select Profile page, click SMB Share – Quick. If you have File Server Resource Manager installed and are using folder management properties, instead click SMB Share – Advanced.
- On the Share Location page, select the server and volume on which you want to create the share.
- On the Share Name page, type a name for the share (for example, User Profiles$) in the Share name box.
Tip When creating the share, hide the share by putting a $
after the share name. This hides the share from casual browsers. - On the Other Settings page, clear the Enable continuous availability checkbox, if present, and optionally select the Enable access-based enumeration and Encrypt data access checkboxes.
- On the Permissions page, click Customize permissions…. The Advanced Security Settings dialog box appears.
- Click Disable inheritance, and then click Convert inherited permissions into explicit permission on this object.
- Set the permissions as described Table 1 and shown in Figure 1, removing permissions for unlisted groups and accounts, and adding special permissions to the Roaming User Profiles Users and Computers group that you created in Step 1.
Figure 1 Setting the permissions for the roaming user profiles share
- If you chose the SMB Share – Advanced profile, on the Management Properties page, select the User Files Folder Usage value.
- If you chose the SMB Share – Advanced profile, on the Quota page, optionally select a quota to apply to users of the share.
- On the Confirmation page, click Create.
Table 1 Required permissions for the file share hosting roaming user profiles
User Account | Access | Applies to |
System | Full control | This folder, subfolders and files |
Administrators | Full Control | This folder only |
Creator/Owner | Full Control | Subfolders and files only |
Security group of users needing to put data on share (Roaming User Profiles Users and Computers) | List folder / read data1
Create folders / append data1 |
This folder only |
Other groups and accounts | None (remove) |
1 Advanced permissions
Pas 4: Optional creati un GPO pentru Roaming User Profiles
- Open Server Manager on a computer with Group Policy Management installed.
- From the Tools menu click Group Policy Management. Group Policy Management appears.
- Right-click the domain or OU in which you want to setup Roaming User Profiles and then click Create a GPO in this domain, and Link it here.
- In the New GPO dialog box, type a name for the GPO (for example, Roaming User Profile Settings), and then click OK.
- Right-click the newly created GPO and then clear the Link Enabled checkbox. This prevents the GPO from being applied until you finish configuring it.
- Select the GPO. In the Security Filtering section of the Scope tab, select Authenticated Users, and then click Remove to prevent the GPO from being applied to everyone.
- In the Security Filtering section, click Add.
- In the Select User, Computer, or Group dialog box, type the name of the security group you created in Step 1 (for example, Roaming User Profiles Users and Computers), and then click OK.
- Click the Delegation tab, click Add, type Authenticated Users, click OK, and then click OK again to accept the default Read permissions.
This step is necessary due to security changes made in MS16-072.
Pas 5: Optional configurati Roaming User Profiles pe conturile de utilizator
- In Active Directory Administration Center, navigate to the Users container (or OU) in the appropriate domain.
- Select all users to which you want to assign a roaming user profile, right-click the users and then click Properties.
- In the Profile section, select the Profile path: checkbox and then enter the path to the file share where you want to store the user’s roaming user profile, followed by
%username%
(which is automatically replaced with the user name the first time the user signs in). For example:\fs1.corp.contoso.comUser Profiles$%username%
To specify a mandatory roaming user profile, specify the path to the NTuser.man file that you created previously, for example,
fs1.corp.contoso.comUser Profiles$default
. For more information, see Create mandatory user profiles. - Click OK.
Pas 6: Optional configurati Roaming User Profiles pe calculatoare
- Open Server Manager on a computer with Group Policy Management installed.
- From the Tools menu click Group Policy Management. Group Policy Management appears.
- In Group Policy Management, right-click the GPO you created in Step 3 (for example, Roaming User Profiles Settings), and then click Edit.
- In the Group Policy Management Editor window, navigate to Computer Configuration, then Policies, then Administrative Templates, then System, and then User Profiles.
- Right-click Set roaming profile path for all users logging onto this computer and then click Edit.
- In the Properties dialog box, click Enabled
- In the Users logging onto this computer should use this roaming profile path box, enter the path to the file share where you want to store the user’s roaming user profile, followed by
%username%
(which is automatically replaced with the user name the first time the user signs in). For example:\fs1.corp.contoso.comUser Profiles$%username%
To specify a mandatory roaming user profile, which is a preconfigured profile to which users cannot make permanent changes (changes are reset when the user signs out), specify the path to the NTuser.man file that you created previously, for example,
\fs1.corp.contoso.comUser Profiles$default
. For more information, see Creating a Mandatory User Profile. - Click OK.
Pas 7: Optional configurati un Start layout pentru calculatoarele cu Windows 10
- Update your Windows 10 PCs to Windows 10 version 1607 (also known as the Anniversary Update) or newer, and install the March 14th, 2017 cumulative update (KB4013429) or newer.
- Create a full or partial Start menu layout XML file. To do so, see Customize and export Start layout.
If you specify a full Start layout, a user can’t customize any part of the Start menu. If you specify a partial Start layout, users can customize everything but the locked groups of tiles you specify. However, with a partial Start layout, user customizations to the Start menu won’t roam to other PCs. - Use Group Policy to apply the customized Start layout to the GPO you created for Roaming User Profiles. To do so, see Use Group Policy to apply a customized Start layout in a domain.
- Use Group Policy to set the following registry value on your Windows 10 PCs. To do so, see Configure a Registry Item.
Action Update Hive HKEY_LOCAL_MACHINE Key path SoftwareMicrosoftWindowsCurrentVersionExplorer Value name SpecialRoamingOverrideAllowed Value type REG_DWORD Value data 1 (or 0 to disable) Base Decimal - (Optional) Enable first-time logon optimizations to make signing in faster for users. To do so, see Apply policies to improve sign-in time.
- (Optional) Further decrease sign-in times by removing unneccesary apps from the Windows 10 base image you use to deploy client PCs. Windows Server 2016 doesn’t have any pre-provisioned apps, so you can skip this step on server images.
To remove apps, use the Remove-AppxProvisionedPackage cmdlet in Windows PowerShell to uninstall the following applications. If your PCs are already deployed you can script the removal of these apps using the Remove-AppxPackage.- Microsoft.windowscommunicationsapps_8wekyb3d8bbwe
- Microsoft.BingWeather_8wekyb3d8bbwe
- Microsoft.DesktopAppInstaller_8wekyb3d8bbwe
- Microsoft.Getstarted_8wekyb3d8bbwe
- Microsoft.Windows.Photos_8wekyb3d8bbwe
- Microsoft.WindowsCamera_8wekyb3d8bbwe
- Microsoft.WindowsFeedbackHub_8wekyb3d8bbwe
- Microsoft.WindowsStore_8wekyb3d8bbwe
- Microsoft.XboxApp_8wekyb3d8bbwe
- Microsoft.XboxIdentityProvider_8wekyb3d8bbwe
- Microsoft.ZuneMusic_8wekyb3d8bbwe
Pas 8: Activati Roaming User Profiles GPO
- Open Group Policy Management.
- Right-click the GPO that you created and then click Link Enabled. A checkbox appears next to the menu item.
Pas 9: Testati Roaming User Profiles
- Sign in to a primary computer (if you enabled primary computer support) with a user account for which you have enabled Roaming User Profiles enabled. If you enabled Roaming User Profiles on specific computers, sign in to one of these computers.
- If the user has previously signed in to the computer, open an elevated command prompt, and then type the following command to ensure that the latest Group Policy settings are applied to the client computer:
GpUpdate /Force
- To confirm that the user profile is roaming, open Control Panel, click System and Security, click System, click Advanced System Settings, click Settings in the User Profiles section and then look for Roaming in the Type column.
Leave A Comment?