01-06-2007, 11:02
Moderator of the Operating Systems forum - the Microsoft Quarter.
Member since: 07.10.04
Posts: 13,777
...
First of all - when you reply to someone, click the "Reply" button on their post, so we'll know who you are answering.
Second, it looks like there is one more step to take: you need to "break" the local profile folder, so that the logon is performed only from the profile on the server.
Strange that nothing was written on Microsoft's site.
Quote:
MANDATORY PROFILES
You can allow an entire department to use the same roaming profile, as discussed in the previous section. As we saw, if a user accidentally makes a change to settings contained in the profile and logs off, the change is replicated to the server copy of the profile and all users have the change when they next log on. This process can introduce an amount of uncertainty into the management of user desktops and adds a level of complexity that you really don’t need. IT systems are already complex enough, and one of the benefits of user profiles is supposed to be to "bring some order to desktops and to reduce management cost." This statement can be true, but only after you have put many hours into the correct design and implementation process.
Enter the mandatory profile. A mandatory profile is a roaming profile that is set so that the user cannot save any changes to the settings contained in the profile—in essence, a read-only roaming profile. To change a roaming profile into a mandatory profile you simply rename the NTuser.dat file, which contains the registry hive portion of the profile, to NTuser.man. This makes the profile read-only from that point on. If a user is already logged on to the system and using the roaming profile when you make this change, the update of the roaming profile will fail at user logoff because the profile is now read-only but the system was not expecting this. If a user logs on to the system and the profile is already mandatory, then no attempt to update the profile is made at logoff time and so no error is generated.
Mandatory profiles can be taken one step further. Not only can you make them read-only so that changes are not saved, but you can also set up a user so that if the mandatory profile is not available, the user cannot log on to the domain. This would mean that if the server holding the profile was not available, then the user couldn’t access the system.
Normally, if a user attempts a domain logon and the profile named in the user account setup cannot be found, the system will attempt to log the user on by using the locally cached copy of the profile (whether it is a roaming profile or mandatory). If this is not successful, the local Default User profile is used. This procedure could present an ingenious user with a way to circumvent the control mechanisms that you have in place.
To avoid this possibility, you can opt to lock out the user if the profile is unavailable. To do this, you rename the profile folder so that it has an extension attached of .man. This would mean that a profile folder named \\IBSNT04\NetStore\UserProf1 would be renamed to \\IBSNT04\NetStore\UserProf1.man. You must also change the profile path for the user in User Manager for Domains so that the .man extension is included.
The net result of setting up a user in this manner is that if the profile is not available for any reason, a message appears on the workstation screen at logon time saying that "the operating system is not able to log you on because your roaming mandatory profile is not available. Please contact your network administrator." The login attempt then ends.
Taken from here:
http://www.windowsitlibrary.com/Content/509/05/3.html
_____________________________________
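The naming rules in the quoted text can be checked mechanically across a profile share. The following is an added example, not part of the post or of the quoted book: it classifies each profile folder by its hive name and folder extension and flags accounts whose configured profile path no longer matches the folder. The share layout, the user names and the folders other than UserProf1 are constructed sample data, and the user-to-path mapping stands in for what User Manager for Domains holds.

```python
import tempfile
from pathlib import Path


def classify(folder: Path) -> str:
    """Classify one profile folder by the naming rules in the quoted text."""
    files = {p.name.lower() for p in folder.iterdir() if p.is_file()}
    if "ntuser.man" not in files:
        return "roaming" if "ntuser.dat" in files else "no-hive"
    # NTuser.man = read-only hive; a .man folder extension additionally refuses
    # the logon when the profile cannot be reached.
    return "mandatory-required" if folder.name.lower().endswith(".man") else "mandatory"


def audit(share: Path, profile_paths: dict[str, str]) -> dict[str, list[str]]:
    """Return findings per user; profile_paths maps user -> configured folder name."""
    report = {}
    for user, configured in profile_paths.items():
        findings = []
        folder = share / configured
        if not folder.is_dir():
            findings.append(f"configured path {configured!r} not found on share")
            if (share / (configured + ".man")).is_dir():
                findings.append("folder was renamed to .man but the account path was not updated")
        else:
            kind = classify(folder)
            if kind != "mandatory-required":
                findings.append(f"profile is {kind}, not mandatory with logon refusal")
            files = {p.name.lower() for p in folder.iterdir()}
            if {"ntuser.dat", "ntuser.man"} <= files:
                findings.append("both NTuser.dat and NTuser.man present")
        report[user] = findings
    return report


def build_sample_share(root: Path) -> dict[str, str]:
    """Constructed sample data: three profile folders and their account paths."""
    layout = {"UserProf1.man": ["NTuser.man"], "UserProf2": ["NTuser.dat"],
              "UserProf3.man": ["NTuser.man"]}
    for folder, hives in layout.items():
        (root / folder).mkdir()
        for hive in hives:
            (root / folder / hive).write_bytes(b"")
    # alice is set up as the text describes; carol's account path lacks .man
    return {"alice": "UserProf1.man", "bob": "UserProf2", "carol": "UserProf3"}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for user, findings in audit(Path(tmp), build_sample_share(Path(tmp))).items():
            print(user, findings or "OK")
```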