Managing Profiles
As you saw in previous activities, user profiles can be managed in the User Profiles dialog box
(shown previously in Figure 5-14) with these three buttons:
Change Type: Click to change a profile from roaming to local. This setting applies only when
the user logs on to the computer where the profile has been changed. In other words, changing
the profile from roaming to local makes the profile local only on that computer. The user's
profile remains roaming on every other computer. If the profile had been roaming but is now
local on the computer, it can be changed back to roaming (unless the profile path has been
deleted from the user account's properties). Mandatory profiles can't be changed here.
Delete: Click to delete the profile from the local computer; if the profile is roaming, its cached
copy on the local computer is deleted. Roaming profile files on the server aren't deleted.
Copy To: Click to copy a profile, whether local, roaming, or mandatory, to a new location,
usually a network server. By default, only the user whose profile you copy has access
to the profile. However, you can use the Change button in the Copy To dialog box to
specify other users or groups allowed to use the profile. If multiple users will use the same
copy of the profile, you should configure the profile as mandatory. Specifying users who
can use the profile sets permissions for only those users to access the profile. You must still
set the path in the Profile tab of the user account's Properties dialog box.
You can also manage many aspects of user profiles by using group policies. For example,
certain computers can be configured to always use local profiles, and the profile's locally cached
copy can be deleted automatically when the user logs off the computer. More than 20 profile
settings can be configured with group policies. Many of them are covered in Chapter 7.
The Cost of Roaming Profiles
Roaming profiles are a convenient way to provide a consistent working environment for users.
However, they come with a cost. Profiles can grow to be very large when users store a lot of files
in different document folders. When a user logs on to a computer for the first time or if Windows
detects that the profile on the server is newer than the locally cached copy, the profile must be
copied from the server to the local computer. Similarly, if a user makes changes to his or her
profile, the profile must be copied to the server when the user logs off. Whether the profile is copied
to the workstation or the server (or both), profiles containing a lot of data can use considerable
network bandwidth and cause long delays during logon and logoff.
Folder redirection can reduce some problems caused by roaming profiles. This feature
redirects certain folders normally contained in the profile to a network server location. It
effectively takes the folders out of the profile, excluding them from the copying process that
takes place when a user logs on or off. For example, a network share called Redirected contains
a folder for each user, and under each user folder are the user's redirected folders. Folders
that can be redirected include Desktop, Start Menu, Documents, Pictures, Music, Videos,
Download, and Favorites. Other folders can be redirected, and Chapter 7 covers redirection
more thoroughly.
Managing Group Accounts
Active Directory group objects are the main security principal administrators use to grant rights
and permissions to users. Using groups to assign user rights and permissions is preferable to
using separate user accounts, mainly because groups are easier to manage. Users with similar
access requirements to resources can be made members of a group, and instead of creating ACEs
for each user in a network resource's DACL, you can make a single entry for the group.
Furthermore, if a user changes departments or positions in the company, you can remove the user
from one group and place the user in another group that meets his or her new access
requirements. With a single administrative action, you can completely alter a user's access to resources.
If permissions are assigned to a single user account, the administrator must find each resource
for which the user has an ACE, make the necessary changes, and then add the user account to
the DACL for each resource the new department or position requires.
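The search described above, finding each resource on which a user account has its own ACE, can be automated. The following is an added example, not part of the original text: it parses DACLs written in SDDL (the Windows string notation for security descriptors, which the text does not cover) and lists every ACE whose trustee is a user account instead of a group. The domain SID, account names, share paths, and the DIRECTORY lookup standing in for Active Directory are all constructed for illustration.

```python
import re

# Constructed sample data (not from the text): a made-up domain SID, a
# SID -> (name, object class) lookup standing in for Active Directory, and
# SDDL-format DACLs for three hypothetical shares.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
DIRECTORY = {
    DOM + "-1104": ("jsmith", "user"),
    DOM + "-1201": ("Sales-G", "group"),
    DOM + "-1202": ("Marketing-G", "group"),
}
DACLS = {
    r"\\srv1\Sales": "D:PAI(A;OICI;FA;;;BA)(A;OICI;0x1301bf;;;%s-1201)" % DOM,
    r"\\srv1\Forecasts": "O:BAG:DUD:(A;OICI;FA;;;BA)(A;OICI;0x1200a9;;;%s-1104)" % DOM,
    r"\\srv1\Campaigns": "D:(A;OICI;0x1301bf;;;%s-1202)(D;;0x1301bf;;;%s-1104)"
                         "S:(AU;FA;FA;;;WD)" % (DOM, DOM),
}
ACE_TYPES = {"A": "allow", "D": "deny"}  # basic access ACE types only


def parse_dacl(sddl):
    """Return [(ace_type, rights, trustee), ...] for the DACL of an SDDL string."""
    # The DACL is "D:", optional control flags, then one or more "(...)" ACEs.
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if dacl is None:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        fields = body.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(fields) >= 6 and fields[0] in ACE_TYPES:
            aces.append((ACE_TYPES[fields[0]], fields[2], fields[5]))
    return aces


def direct_user_aces(dacls, directory):
    """List ACEs whose trustee is a user account rather than a group."""
    findings = []
    for path, sddl in sorted(dacls.items()):
        for ace_type, rights, trustee in parse_dacl(sddl):
            # Trustees missing from the lookup (e.g. the BA alias) are built-ins.
            name, object_class = directory.get(trustee, (trustee, "builtin"))
            if object_class == "user":
                findings.append((path, name, ace_type, rights))
    return findings


if __name__ == "__main__":
    for path, name, ace_type, rights in direct_user_aces(DACLS, DIRECTORY):
        print("%s: %s ACE for user %s (rights %s)" % (path, ace_type, name, rights))
```

Each finding is a resource that would need a manual DACL edit if jsmith changed departments; the Sales share, which is granted through Sales-G, produces none.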
 