Setting up roaming profiles and folder redirection in AD

In a domain environment, domain users can log on to any client computer in the domain. Because ordinary domain users have relatively low privileges, and in most cases have full control only over their own user profile, the great majority of a domain user's data is stored directly in the user profile. A user profile is actually a folder. By default it is located in the "Users" folder in the root of the C drive (the system disk): each domain user who logs on to the computer gets a folder there with the same name as the user name, such as "zhangsan". The user profile contains the "Desktop", "Documents", "Favorites" and other personal folders, so files a user places on the "Desktop" or in "Documents" are actually stored in the user profile.
By default the user profile is stored on the client computer, but first, this carries a certain security risk, and second, when a domain user logs on to another computer, the contents of the profile are not visible there. There are two ways to make user profiles follow domain users as they roam. One is to set a user attribute on the DC so that the user profile is stored centrally on a remote server; the other is to set a group policy on the DC so that the storage path of the user's profile folders is redirected to a remote server. Both methods achieve a similar effect, but what is the difference between them, and which is preferable in practice? This article walks through the configuration of both methods by example, then compares their characteristics.
The lab environment uses the domain "WorldSkills2017.china"; the DC's computer name is R_Server2. An OU named "test" has been created in the domain, containing two domain user accounts: "Joe Smith (zhangsan)" and "John Doe (lisi)". The DC and the clients run Windows Server 2012 R2.

First, configure the roaming profile

A roaming profile is configured through a domain user attribute. The following uses the domain user "Joe Smith" (zhangsan) as an example to show the configuration process.
① Create a shared folder
First, create a shared folder named profile on the DC and grant Everyone read and write permissions. (In a production environment, you should set up shared folders on a dedicated file server rather than on the DC.)
② Configure the user attribute
On the DC, open "Active Directory Users and Computers", open the properties of "Joe Smith", and on the "Profile" tab set "Profile path" to `\\DC\profile\%username%` (the `%username%` parameter in the path is automatically replaced with the user's logon name), as shown in Figure 1.
Figure 1: Setting the roaming profile
③ Test on the client
Log on to the domain from a client computer as Joe Smith. At this point the client computer goes to the shared directory on the server to download the zhangsan profile. There is no zhangsan profile on the server yet, so a local profile is created for Joe Smith on the local disk. After changing some settings, such as the desktop or favorites, log the user off. The local zhangsan profile on the client computer is then uploaded to the shared folder just created on the server. Open the shared folder profile on the DC and you will find a new folder named "zhangsan.V2"; because this is a backup of the local profile, "V2" is appended to the name.
Figure 2: The user profile uploaded to the server
Then log on from another computer as Joe Smith. All of his user profile is first downloaded from the shared folder on the file server, and the settings just made have roamed over with it.
④ Summary
A roaming profile is in effect a backup of the user profile kept in a shared folder on the server. When a domain user logs on at a client, the profile is downloaded from the server; when the user logs off, the modified profile is uploaded back to the shared folder on the server.

Second, configure folder redirection

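Folder redirection is configured in Group Policy. The following uses the "test" OU as an example to show the Group Policy configuration process.
① Create a shared folder
As before, first create a shared folder named "folder" on the DC and grant Everyone "Read/Write" permissions.
② Configure the Group Policy Object (GPO)
Open the "Group Policy Management" tool, create a new GPO named "Folder Redirection" under "Group Policy Objects", and edit it.
In the Group Policy editor, expand "User Configuration\Policies\Windows Settings\Folder Redirection", which lists the profile folders that can be redirected. The folders most commonly redirected are "Desktop" and "Documents". Below, the domain users' "Desktop" folder is changed to be stored centrally on the domain controller.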
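Right-click "Desktop" and select "Properties" to open the "Desktop Properties" dialog.
On the "Target" tab, under "Setting", select "Basic - Redirect everyone's folder to the same location"; under "Target folder location", select "Create a folder for each user under the root path"; and in "Root Path", enter the location where the redirected folders will be stored, that is, the UNC path of the shared folder set up on the DC, `\\DC\folder`, as shown in Figure 3. The system will then automatically create a dedicated folder in the shared folder for each user who logs on.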
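Figure 3: Redirecting "Desktop"
③ Link the GPO to the OU
After closing the Group Policy editor, drag the configured GPO "Folder Redirection" onto the "test" OU. The policy then takes effect for all domain users in the "test" OU.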
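④ Test on the client
Log on to a client computer as the user John Doe (lisi) and open the user's local profile folder. The "Desktop" folder is no longer there, because its location has been redirected to the server.
Open the folder share on the DC and you will see that a folder named "lisi" has been created automatically, containing a "Desktop" subfolder.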
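Note: if the group policy has not taken effect, run `gpupdate /force` on the client to force a Group Policy refresh.
Next, as John Doe (lisi), create a test file on the desktop of the client, then log the user off (you can see the file being synchronized during logoff). Then log on again as the same user on another client computer: the test file just created on the "Desktop" appears there as well.
⑤ Summary
Once a folder in the user profile has been redirected, the corresponding folder seen on the client is only a path pointing to the shared folder on the server, and the data is stored directly on the server. As a result, when a domain user logs on or off at a client, file data no longer needs to be uploaded to or downloaded from the server.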
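Both walkthroughs above grant Everyone read/write on the `profile` and `folder` shares, which works in a lab but leaves every user's data reachable by every other user. The PowerShell below is an added example, not part of the original article: it creates each share with a least-privilege NTFS layout and then audits the per-user folders. The `C:\Shares\...` paths, the function names and the use of Authenticated Users as the user group are assumptions.

```powershell
# Added example, not from the article. Assumed: C:\Shares\... paths and the use of
# Authenticated Users; "profile" and "folder" are the article's share names.
function New-UserDataShare {
    param([string]$Name, [string]$Path,
          [string]$Users = 'NT AUTHORITY\Authenticated Users')

    New-Item -Path $Path -ItemType Directory -Force | Out-Null
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting, drop inherited ACEs

    # Each row: identity, rights, inheritance flags, propagation flags
    $rules = @(
        # SYSTEM and Administrators: full control of the root and everything below
        @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit,ObjectInherit', 'None'),
        @('BUILTIN\Administrators', 'FullControl', 'ContainerInherit,ObjectInherit', 'None'),
        # Whoever creates a subfolder gets full control of it (subfolders and files only)
        @('CREATOR OWNER',          'FullControl', 'ContainerInherit,ObjectInherit', 'InheritOnly'),
        # Users may list the root and create their own folder in it, nothing more
        @($Users, 'ListDirectory,CreateDirectories,Traverse,ReadAttributes', 'None', 'None')
    )
    foreach ($r in $rules) {
        $ace = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                          -ArgumentList $r[0], $r[1], $r[2], $r[3], 'Allow'
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $Path -AclObject $acl

    # Share ACL is open to the group; the NTFS ACL above does the restricting.
    # Access-based enumeration hides folders a user cannot open.
    New-SmbShare -Name $Name -Path $Path -FullAccess $Users `
                 -FolderEnumerationMode AccessBased | Out-Null
}

# Audit: list per-user folders that a broad principal is allowed into.
function Get-BroadAce {
    param([string]$Path)
    $broad = 'Everyone|Authenticated Users|Domain Users|BUILTIN\\Users'
    foreach ($dir in Get-ChildItem -Path $Path -Directory) {
        (Get-Acl -Path $dir.FullName).Access |
            Where-Object { $_.AccessControlType -eq 'Allow' -and
                           $_.IdentityReference.Value -match $broad } |
            Select-Object @{n='Folder'; e={$dir.FullName}}, IdentityReference, FileSystemRights
    }
}

New-UserDataShare -Name 'profile' -Path 'C:\Shares\profile'
New-UserDataShare -Name 'folder'  -Path 'C:\Shares\folder'
Get-BroadAce -Path 'C:\Shares\profile'
Get-BroadAce -Path 'C:\Shares\folder'
```

Run it elevated on the file server; `Get-BroadAce` returning no rows means no per-user folder is open to a broad group.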

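Third, comparison of the two approaches

Comparing the two examples shows that a roaming profile keeps a backup of the profile on the server, whereas folder redirection stores the profile folders directly on the server. Which of the two is better?
Consider what happens if a domain user keeps a large amount of data in the profile: with roaming profiles, logon and logoff become very slow for that user, while folder redirection does not have this problem. In practice, therefore, folder redirection is the more workable option.
To summarize, folder redirection is useful mainly in two respects:
First, it allows the relevant files and folders to be backed up centrally. Because files scattered across individual hosts are all redirected to one server, the administrator only needs to back up the folders on that server to back up the data on every employee's computer, which protects the data.
Second, users are no longer restricted in where they can access their folders from. If the desktop, My Documents and similar data are stored locally, a user can access those files only by logging on to that machine. After the folders are redirected, an employee only needs to log on to the domain to access them.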

Reposted from: https://blog.51cto.com/yttitan/2061840

Origin www.cnblogs.com/pipci/p/11811534.html