Configure a Profile Store
Reference: http://msdn.microsoft.com/en-us/library/cc757013(v=ws.10).aspx
Granting profile share permissions
A common error in user profiles is permissions that are incorrectly set. To ensure that permissions are set correctly, use the following guidelines:
- When you create the shared folders for roaming user profiles, limit access to the folder to only users who need access.
- Because a roaming profile contains personal information, such as the user’s documents and EFS certificates, it is important to ensure that roaming user profiles are secure. Here are some ways you can enhance the security of roaming user profiles:
- Restrict the shared folder to only users who need access. Create a security group for users who have profiles on a particular shared folder, and then limit access to only those users.
- When you create the shared folder, hide the folder by putting a dollar sign ($) after the share name. This hides the folder from casual browsers and hides the folder in My Network Places.
- Unless you need special permissions on the profile folder, do not create profile folders in advance for the user. Instead, allow the system to create them.
- Assign users the minimum permissions that are required as described in Tables 7.7, 7.8, and 7.9. These tables list the required NTFS and share level server message block (SMB) permissions for roaming user profile shares and folders.
NTFS Permissions for Roaming Profile Parent Folder
User Account | Minimum Permissions Required |
---|---|
Creator Owner | Full Control, Subfolders and Files Only |
Administrator | None |
Security group of users needing to put data on share | List Folder/Read Data, Create Folders/Append Data - This Folder Only |
Everyone | No permissions |
Local System | Full Control, This Folder, Subfolders and Files |
Share level (SMB) Permissions for Roaming Profile Share
User Account | Default Permissions | Minimum Permissions Required |
---|---|---|
Everyone | Read only | No permissions |
Security group of users needing to put data on share | N/A | Full Control |
NTFS Permissions for Each User’s Roaming Profile Folder
User Account | Default Permissions | Minimum Permissions Required |
---|---|---|
%Username% | Full Control, Owner of Folder | Full Control, Owner of Folder |
Local System | Full Control | Full Control |
Administrators | No Permissions* | No Permissions |
Everyone | No Permissions | No Permissions |
* No permissions is the default unless the Add the Administrator security group to the roaming user profile share policy setting is set, in which case the Administrators group has full control.
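The parent-folder NTFS permissions and the share permissions from the tables above, applied with PowerShell. This is an added example, not part of the referenced Microsoft article; the path, share name and group name are assumed placeholders, and it assumes an elevated session on a file server with the SmbShare module (Windows Server 2012 or later). Per-user profile folders are left for the system to create.

```powershell
# Assumed values, not from the page: adjust to your environment.
$Path  = 'D:\Profiles'                   # hypothetical folder on the file server
$Share = 'Profiles$'                     # trailing $ hides the share from browsing
$Group = 'CONTOSO\RoamingProfileUsers'   # hypothetical security group of profile users

# Well-known SIDs, used instead of names so the script is locale independent.
$CreatorOwner = [System.Security.Principal.SecurityIdentifier]'S-1-3-0'
$LocalSystem  = [System.Security.Principal.SecurityIdentifier]'S-1-5-18'

# Helper (hypothetical name): builds one Allow ACE.
function New-Rule($Identity, $Rights, $Inherit, $Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $Inherit, $Propagate, 'Allow')
}

New-Item -Path $Path -ItemType Directory -Force | Out-Null

$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting, discard inherited ACEs
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

# Creator Owner: Full Control, subfolders and files only
$acl.AddAccessRule((New-Rule $CreatorOwner 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
# Local System: Full Control, this folder, subfolders and files
$acl.AddAccessRule((New-Rule $LocalSystem 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
# Profile users: List Folder/Read Data + Create Folders/Append Data, this folder only
$acl.AddAccessRule((New-Rule $Group 'ListDirectory,CreateDirectories' 'None' 'None'))
# Administrators and Everyone get no ACE at all, matching the table.
Set-Acl -Path $Path -AclObject $acl

# Share-level (SMB) permissions: Full Control for the group only.
New-SmbShare -Name $Share -Path $Path -FullAccess $Group | Out-Null

# Review the result against the tables.
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags
Get-SmbShareAccess -Name $Share
```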
Configure View Persona GPOs
View Persona is configured via GPO.
Create a GPO for persona management
Add the View PM template
GPOs control various aspects of Persona Management
Enable Persona Management and specify an interval to sync profile to server
Other persona settings for Roaming and synchronization
Persona settings for Folder redirection. Folders stored on offline location. Slow links will cause issues.
Reference: VMware-View-Persona-Management-Deployment-Guide
Notification for files from persona repository
Persona logging settings
To use View Persona Management with View desktops, you must create desktop pools with a View Persona Management agent installed on each desktop.
Prerequisites
- Verify that View Agent with the View Persona Management setup option is installed on the virtual machine that you use to create the desktop pool. See Install View Agent with the View Persona Management Option.
- If you intend to configure View Persona Management policies for this pool only, verify that you added the View Persona Management ADM Template file to the virtual machine and configured group policy settings in the Local Computer Policy configuration. See Add the Persona Management ADM Template to a Single System and Configure View Persona Management Policies.
Procedure
Note
After you deploy View Persona Management on your View desktops, if you remove the View Persona Management setup option on the desktops, or uninstall View Agent altogether, the local user profiles are removed from the desktops of users who are not currently logged in. For users who are currently logged in, the user profiles are downloaded from the remote profile repository during the uninstall process.