Synchronize user and group profiles in SharePoint Server 2013

Summary: Learn how to synchronize user and group profile information by using the SharePoint Server 2013 profile synchronization method.

Configuring profile synchronization (or profile sync) is a process that involves many steps. This article divides the process into shorter phases, both so that you can see progress and to reduce the number of steps through which you have to backtrack if you make an error. There are four phases to configuring profile synchronization. Depending on your situation, you might not have to perform all of the phases. This article also includes Phase 0, which contains instructions for configuring the prerequisites that are required before you can configure profile synchronization.

User profiles and groups are used by SharePoint Server 2013 through server-to-server authentication to access and request resources from one another on behalf of users. For more information about server-to-server authentication, see Server-to-server authentication and user profiles in SharePoint Server.

Important

This article applies to only SharePoint Server 2013.

Before you begin

Before you begin this operation, review the following information about prerequisites:

As you configure profile synchronization, you will need information to answer questions in the user interface. You will also need accounts that have the appropriate permissions and a SharePoint Server 2013 farm that is already partly configured. The subsections within this section explain the prerequisites that you must have before you configure profile synchronization.

Gather information

Before you perform the procedures in this article, you should complete the User profile properties and profile synchronization planning worksheets for SharePoint Server 2013. You will use the information that you record in the worksheets as you perform the procedures in this article.

  • Connection planning worksheet: Contains details about each profile synchronization connection that you will create. The article Plan profile synchronization for SharePoint Server 2013 contains instructions for filling out the worksheet.

  • User profile properties worksheet: Identifies user profile properties and how the properties are mapped to external data sources. The article Plan user profiles in SharePoint Server explains how to complete most of the worksheet, and the article Plan profile synchronization for SharePoint Server 2013 contains instructions on how to add the property mapping information.

  • Profile synchronization planning worksheet: Collects the information that you must have to create the User Profile service application and its prerequisites. If your farm already contains a User Profile service application, you can omit this worksheet.

You will have to know the name of the synchronization server. The synchronization server is the server on which the User Profile synchronization service will run. The Plan for the synchronization server section of Plan profile synchronization for SharePoint Server 2013 contains guidance on how to select the synchronization server.

Grant account permissions

To configure profile synchronization you will have to know the farm account and the farm account's password, and you will need a synchronization account for each directory service that you will synchronize with. The permissions that are required for each account are described in the Plan account permissions section of Plan profile synchronization for SharePoint Server 2013. If an account does not have the appropriate permissions, you might not know that the permissions are wrong until you have progressed part of the way through the configuration procedure.

Note

Incorrect permissions are the most common cause of errors in configuring profile synchronization.

Install prerequisites

To set up profile synchronization you will need SharePoint Server 2013 installed in a farm configuration.

You must have a full installation of SQL Server, not the Express edition. Profile synchronization will not work if you have installed SharePoint Server 2013 by following the instructions in Install SharePoint 2013 on a single server with a built-in database.

Phase 0: Configure the farm

During this phase, you configure the infrastructure for synchronizing profiles.

This phase involves the following tasks:

  1. Create a web application to host My Sites

  2. Create a managed path for My Site

  3. Create a My Site Host site collection

  4. Create a User Profile service application

  5. Enable NetBIOS domain names for user profile synchronization by using PowerShell

  6. Start the User Profile service

To perform the tasks in this phase, you must be a member of the Farm Administrators SharePoint group and a member of the Administrators group on the computer that is running SharePoint Server 2013.

Create a web application to host My Sites

In this procedure, you create the web application in which My Sites will reside. We recommend that My Sites be in a separate web application, although the web application may be in an application pool that is shared with other collaboration sites, or it may be in a separate application pool but in a shared IIS website. For more information about SharePoint Server 2013 sites, application pools, and IIS websites, see Architecture design for SharePoint 2013 IT pros. For more detailed instructions about how to create a web application, see Create a web application in SharePoint Server.

To create a web application

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. In Central Administration, in the Application Management section, click Manage web applications.

  3. On the ribbon, click New.

  4. On the Create New Web Application page, in the Authentication section, select the authentication mode that will be used for this web application.

  5. In the IIS Web Site section, you can configure the settings for your new web application by selecting one of the following two options (see the Profile Synchronization Planning worksheet):

    • Click Use an existing web site, and then select the website on which to install your new web application.

    • Click Create a new IIS web site, and then type the name of the website in the Name box.

      You may also provide the port number, host header, or path for the new IIS website.

  6. In the Security Configuration section, select an authentication provider, whether to allow anonymous access, and whether to use Secure Sockets Layer (SSL).

  7. In the Application Pool section, do one of the following:

    • If the My Site application pool (see the Profile Synchronization Planning worksheet) is an existing application pool, click Use existing application pool, and then select the My Site application pool from the drop-down menu.

    • If the My Site application pool (see the Profile Synchronization Planning worksheet) is a new application pool, click Create a new application pool, type the name of the My Site application pool, and either select the account that the application pool will run under (see the Profile Synchronization Planning worksheet) or create a new managed account for the application pool to run under.

  8. In the Database Name and Authentication section, select the database server, database name, and authentication method for your new web application.

  9. If you use database mirroring, in the Failover Server section, in the Failover Database Server box, type the name of a specific failover database server that you want to associate with a content database.

  10. In the Service Application Connections section, select the service application connections that will be available to the web application.

  11. In the Customer Experience Improvement Program section, click Yes or No.

  12. Click OK to create the new web application.

  13. When the Application Created page appears, click OK.

Enter the name of the web application in the My Site web application row of the Profile Synchronization Planning worksheet. You will need this information later.

Create a managed path for My Site

If you want the My Site host and users' My Sites to be at a URL that does not already have a managed path, use the procedure in Define managed paths in SharePoint Server to create the My Site managed path in the My Site web application that you previously created. In most cases, the existing managed paths will be sufficient.

Create a My Site Host site collection

In this procedure, you create the site collection that will host users' My Sites. For more detailed instructions about how to create a site collection, see Create a site collection in SharePoint Server.

To create a My Site Host site collection

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. On Central Administration, in the Application Management section, click Create site collections.

  3. On the Create Site Collection page, in the Web Application section, select the My Site web application (see the Profile Synchronization Planning worksheet).

  4. In the Title and Description section, type the title and description for the site collection.

  5. In the Web Site Address section, select the path of the URL for the My Site host. In most cases, you can use the root directory (/).

  6. In the Template Selection section, click the Enterprise tab, and then select My Site Host.

  7. In the Primary Site Collection Administrator section, type the user name (in the form <DOMAIN>\<user name>) for the user who will be the site collection administrator.

  8. In the Secondary Site Collection Administrator section, type the user name for the secondary administrator of the site collection.

  9. If you are using quotas to manage storage for site collections, in the Quota Template section, click a template in the Select a quota template list.

  10. Click OK.

The Top-Level Site Successfully Created page will appear when the My Site Host site collection is created. Enter this URL in the My Site Host site collection URL row of the Profile Synchronization Planning worksheet. Although you can click the link to browse to the root of the site collection, doing this results in an error because the user profile cannot be loaded. This behavior is to be expected; user profiles are not imported at this point.

Create a User Profile service application

In this procedure, you create the User Profile service application through which you will manage profile synchronization.

For more detailed instructions about how to create a User Profile service application, see Create a User Profile service application.

To create a User Profile Service application

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. On Central Administration, in the Application Management section, click Manage service applications.

  3. On the Manage Service Application page, on the ribbon, click New, and then click User Profile Service Application.

  4. In the Name section, type the User Profile service application name (see the Profile Synchronization Planning worksheet).

  5. In the Application Pool section, select the application pool that the User Profile service application will run in (if it exists), or create a new application pool. (See the Profile Synchronization Planning worksheet.)

  6. Accept the default settings for the profile database, the synchronization database, and the social tagging database (unless you want different names), and specify failover servers if you are using them.

  7. In the Profile Synchronization Instance section, select the synchronization server (see the Profile Synchronization Planning worksheet).

  8. In the My Site Host URL section, enter the My Site Host site collection URL that you created in the previous step (see the Profile Synchronization Planning worksheet).

  9. In the My Site Managed Path section, enter the part of the path which, when appended to the My Site host URL, will give the path of users' My Sites (see the Profile Synchronization Planning worksheet). For example, if the My Site host URL is http://server:12345/ and you want each user's My Site to be at http://server:12345/personal/, enter /personal for the My Site managed path. The managed path that you enter is created automatically. There does not already have to be a managed path with the name that you provide.

  10. In the Site Naming Format section, select a naming scheme.

  11. In the Default Proxy Group section, select whether you want the proxy of this User Profile Service to be a part of the default proxy group on this farm.

  12. Click Create.

  13. When the Create New User Profile Service Application page displays the message Profile Service Application successfully created, click OK.

To verify that the User Profile service application was created, refresh the Manage Service Applications page. You should see two entries whose value in the Name column is the name that you provided for the User Profile service application that you previously created. The first entry is the service application itself. The second entry is a connection (that is, a "proxy") to the service application.

Enable NetBIOS domain names for user profile synchronization by using PowerShell

If the NetBIOS name of any domain with which you are synchronizing differs from its fully-qualified domain name, you must enable NetBIOS domain names on the User Profile service application. If all NetBIOS names are the same as the domain names, you may skip this procedure.

To enable NetBIOS domain names for user profile synchronization by using PowerShell

  1. Verify that you have the following memberships:

    • securityadmin fixed server role on the SQL Server instance.

    • db_owner fixed database role on all databases that are to be updated.

    • Administrators group on the server on which you are running PowerShell cmdlets.

    • You must read about_Execution_Policies.

      An administrator can use the Add-SPShellAdmin cmdlet to grant permissions to use SharePoint Server 2016 cmdlets.

      Note

      If you do not have permissions, contact your Setup administrator or SQL Server administrator to request permissions. For additional information about PowerShell permissions, see Permissions and Add-SPShellAdmin.

  2. Paste the following code into a text editor, such as Notepad:

    # Find the User Profile service application by its display name.
    $ServiceApps = Get-SPServiceApplication
    $UserProfileServiceApp = $null
    foreach ($sa in $ServiceApps)
     {if ($sa.DisplayName -eq "<UPSAName>")
       {$UserProfileServiceApp = $sa}
     }
    # Stop here if no service application matched the name.
    if ($null -eq $UserProfileServiceApp)
     {throw "User Profile service application not found."}
    # Enable NetBIOS domain names and save the change.
    $UserProfileServiceApp.NetBIOSDomainNamesEnabled = 1
    $UserProfileServiceApp.Update()

  3. Replace <UPSAName> with the name of the User Profile service application.

  4. Save the file and add the .ps1 extension, such as EnableNetBIOS.ps1.

    Note

    You can use a different file name, but you must save the file as an ANSI-encoded text file whose extension is .ps1.

  5. Start the SharePoint 2016 Management Shell.

  6. Change to the directory where you saved the file.

  7. At the PowerShell command prompt, type the following command:

    & .\EnableNetBIOS.ps1

Note

We recommend that you use Microsoft PowerShell when performing command-line administrative tasks. The Stsadm command-line tool has been deprecated, but is included to support compatibility with previous product versions.

Start the User Profile service

In this procedure, you start the User Profile service.

To start the User Profile service

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. On Central Administration, in the System Settings section, click Manage services on server.

  3. On the Services on Server page, in the Server box, select the synchronization server (see the Profile Synchronization Planning worksheet).

  4. Find the row whose Service column value is User Profile Service. If the value in the Status column is Stopped, click Start in the Action column.

Phase 1: Start the User Profile synchronization service

During this phase, you start the User Profile synchronization service.

This phase involves the following tasks:

  1. Start the User Profile synchronization service

  2. Remove unnecessary permissions

  3. Reset IIS

To perform the tasks in this phase, you must be a member of the Farm Administrators SharePoint group and a member of the Administrators group on the computer that is running SharePoint Server 2013.

Start the User Profile synchronization service

In this procedure, you start the User Profile synchronization service. The User Profile synchronization service interacts with Microsoft Forefront Identity Manager (FIM) to synchronize information with external systems.

To start the User Profile synchronization service

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. On Central Administration, in the System Settings section, click Manage services on server.

  3. On the Services on Server page, in the Server box, select the synchronization server.

  4. Find the row whose Service column value is User Profile Synchronization Service. If the value in the Status column is Stopped, click Start in the Action column.

  5. On the User Profile Synchronization Service page, in the Select the User Profile Application section, select the User Profile service application.

  6. In the Service Account Name and Password section, the farm account is already selected. Enter the password for the farm account in the Password box, and enter it again in the Confirm Password box.

  7. Click OK.

The Services on Server page shows that the User Profile synchronization service has a status of Starting. When you start the User Profile synchronization service, SharePoint Server 2013 provisions FIM to participate in synchronization. This may take 10 minutes. To determine whether the User Profile synchronization service has started, refresh the Services on Server page.

If the User Profile synchronization service does not start, confirm that the farm account has the necessary permissions on the synchronization server. For more information about which permissions are required, see the Plan account permissions section of the article "Plan for profile synchronization."

Remove unnecessary permissions

After you start the User Profile synchronization service, the farm account is not required, for day-to-day operations, to be a member of the Administrators group on the computer that is running the synchronization service. To improve the security of your SharePoint Server 2013 installation, remove the farm account from the Administrators group on the computer that is running the synchronization service. However, when you perform a backup of the User Profile application, the synchronization service provisions the User Profile application again. During the course of provisioning the User Profile application, the farm account must stop and start the synchronization service. To do this, the farm account must be a member of the Administrators group on the computer that is running the synchronization service. So, before you perform a backup, add the farm account to the Administrators group on the computer that is running the synchronization service. After the backup has finished running, you can remove the farm account from the Administrators group.
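The add-before-backup, remove-after-backup cycle described above can be scripted so that the farm account never stays in the Administrators group if the backup fails. The following is an added example, not part of the original article or Microsoft's own code; the account name CONTOSO\sp_farm, the backup share, and the helper function names are assumptions, and the group name Administrators assumes an English-language Windows installation.

```powershell
# Added example. Run from an elevated SharePoint Management Shell on the
# server that runs the User Profile synchronization service.

# Convert DOMAIN\user to the WinNT ADSI path used for local group membership.
function ConvertTo-WinNTPath {
    param([Parameter(Mandatory = $true)][string]$Account)
    $parts = $Account -split '\\', 2
    if ($parts.Count -ne 2 -or -not $parts[0] -or -not $parts[1]) {
        throw "Account must be in the form DOMAIN\user: '$Account'"
    }
    "WinNT://$($parts[0])/$($parts[1])"
}

# Bind to the local Administrators group (name is localized on non-English systems).
function Get-LocalAdministratorsGroup {
    [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
}

# Return $true when the account is a direct member of local Administrators.
function Test-LocalAdministrator {
    param([Parameter(Mandatory = $true)][string]$Account)
    $target = ConvertTo-WinNTPath $Account
    $group  = Get-LocalAdministratorsGroup
    foreach ($member in @($group.Invoke('Members'))) {
        $path = $member.GetType().InvokeMember('ADsPath', 'GetProperty', $null, $member, $null)
        if ($path -ieq $target) { return $true }
    }
    return $false
}

# Add the account, run the operation, and always remove the account afterwards,
# so the farm account ends in the least-privileged state the article recommends.
function Invoke-WithTemporaryLocalAdmin {
    param(
        [Parameter(Mandatory = $true)][string]$Account,
        [Parameter(Mandatory = $true)][scriptblock]$Operation
    )
    $path  = ConvertTo-WinNTPath $Account
    $group = Get-LocalAdministratorsGroup
    try {
        if (-not (Test-LocalAdministrator $Account)) {
            $group.Add($path)
            Write-Verbose "Added $Account to Administrators on $env:COMPUTERNAME"
        }
        & $Operation
    }
    finally {
        # Runs on success and on failure of the operation.
        if (Test-LocalAdministrator $Account) {
            $group.Remove($path)
        }
        if (Test-LocalAdministrator $Account) {
            Write-Warning "$Account is still in Administrators on $env:COMPUTERNAME; remove it manually."
        }
    }
}

# Constructed usage: placeholders for the farm account, the backup folder,
# and the User Profile service application name (<UPSAName>).
$farmAccount = 'CONTOSO\sp_farm'
Invoke-WithTemporaryLocalAdmin -Account $farmAccount -Operation {
    Backup-SPFarm -Directory '\\backupserver\share\sp-backups' -BackupMethod Full -Item '<UPSAName>'
}

# Day-to-day audit: this should report False outside a backup window.
"{0} is local administrator: {1}" -f $farmAccount, (Test-LocalAdministrator $farmAccount)
```

The final audit line can be run on its own at any time to confirm that the farm account has not been left in the Administrators group.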

To grant the farm account the Remote Enable permission to Microsoft FIM 2010

  1. On the server that is running the synchronization service, click Start.

  2. Click Run, type wmimgmt.msc, and then click OK.

  3. Right-click WMI Control, and then click Properties.

  4. In the WMI Control Properties dialog box, click the Security tab.

  5. Expand the Root list, and then select the Microsoft FIM 2010 namespace MicrosoftIdentityIntegrationServer.

  6. Click the Security button.

  7. Add the farm account to the list of groups and users, and then in the Permissions for Authenticated Users box, select Allow for the Remote Enable permission.

  8. Click OK to dismiss the Security for ROOT\MicrosoftIdentityIntegrationServer dialog box, and then click OK to dismiss the WMI Control Properties dialog box.

Reset IIS

If the SharePoint Central Administration website and the User Profile synchronization service are running on the same server, you must reset IIS after the User Profile synchronization service starts. If they are running on different servers, you may skip this procedure.

To reset IIS

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. Start a Command Prompt with elevated privileges.

  3. In the User Account Control dialog box, click Yes.

  4. In the Administrator: Command Prompt window, type iisreset and then press ENTER.

  5. When the message Internet services successfully restarted is displayed, close the Administrator: Command Prompt window.

Note

After you reset IIS, pages of Central Administration will take several seconds to load.

Phase 2: Configure connections and import data from directory services

To import profiles, you must have at least one synchronization connection to a directory service. During this phase, you create a synchronization connection to each directory service that you want to import profiles from. You can synchronize after you create each connection, or you can synchronize one time, after you have created all of the connections. Synchronizing after each connection will take longer, but doing this makes it easier to troubleshoot any problems that you might encounter.

You must be a farm administrator or an administrator of the User Profile service application to perform these procedures. If you are not a farm administrator, start each procedure by using the Manage Profile Service page.

This phase involves the following tasks:

  1. Create a synchronization connection to a directory service

  2. Define exclusion filters for a synchronization connection

  3. Map user profile properties

  4. Start profile synchronization

Create a synchronization connection to a directory service

In this procedure, you create a connection to a directory service. The connection identifies the items to synchronize and contains the credentials that are used to interact with the directory service. The information that you enter comes from the Connection Planning worksheet.

To create a Profile synchronization connection to a directory service

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator or an administrator of the User Profile service application.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

    a. On Central Administration, in the Application Management section, click Manage service applications.

    b. On the Manage Service Applications page, select the User Profile service application.

  3. On Central Administration, on the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  4. On the Synchronizations Connections page, click Create New Connection.

  5. On the Add new synchronization connection page, type the synchronization connection name in the Connection Name box.

  6. From the Type list, select the type of directory service to which you want to connect.

  7. Fill in the Connection Settings section according to the directory service to which you are creating a connection.

    For Active Directory Domain Services (AD DS), follow these steps:

    a. In the Forest name box, type the name of the forest.

    b. Do one of the following:

       • If there is only one domain controller in the forest, click Auto discover domain controller.

       • If there are multiple domain controllers in the forest, click Specify a domain controller and type the domain controller name in the Domain controller name box.

    c. In the Authentication Provider Type box, select the type of authentication provider.

    d. If you select Forms Authentication or Trusted Claims Provider Authentication, select an authentication provider from the Authentication Provider Instance box.

       The Authentication Provider Instance box lists only the authentication providers that are currently used by a web application.

       Tip

       You may have to select Trusted Claims Provider Authentication and then select Forms authentication in the Authentication Provider Type box before the list of authentication providers is displayed.

    e. In the Account name box, type the synchronization account.

    f. In the Password box, type the password for the synchronization account.

    g. In the Confirm Password box, type the password for the synchronization account again.

    h. In the Port box, enter the connection port.

    i. If a Secure Sockets Layer (SSL) connection is required to connect to the directory service, select Use SSL-secured connection.

       Important

       If you use an SSL connection, you must export the certificate of the domain controller from the Active Directory server and import the certificate into the synchronization server.

    For Novell eDirectory, Sun Java System Directory Server, or IBM Tivoli Directory Server (ITDS), follow these steps:

    a. In the Directory Service Server Name box, type the name of the directory service server.

    b. In the Authentication Provider Type box, select the type of authentication provider.

    c. In the Authentication Provider Instance box, select the authentication provider.

       The Authentication Provider Instance box lists only the authentication providers that are currently used by a web application.

       Tip

       You may have to select Trusted Claims Provider Authentication and then select Forms authentication in the Authentication Provider Type box before the list of authentication providers is displayed.

    d. In the Account name box, type the synchronization account in LDAP format, for example, uid=username,ou=ouname,dc=yourcompany,dc=Com.

    e. In the Password box, type the password for the synchronization account.

    f. In the Confirm Password box, type the password for the synchronization account again.

    g. In the Port box, enter the connection port.

    h. Verify that the Use SSL-secured connection check box is not selected. SSL connections are not supported for these directory services.

    i. In the Username attribute box, type the name of the attribute in the directory service that serves as the unique identifier of each profile.

  8. In the Containers section, click Populate Containers, and then select the containers from the directory service that you want to synchronize.

  9. Click OK.

Define exclusion filters for a synchronization connection

In this procedure, you define filters for the connection to indicate which user profiles and which groups to exclude from synchronization. The information that you enter comes from the Connection Planning worksheet.

To define connection filters

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator or an administrator of the User Profile service application.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

    a. On Central Administration, in the Application Management section, click Manage service applications.

    b. On the Manage Service Applications page, select the User Profile service application.

  3. On Central Administration, on the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  4. On the Synchronization Connections page, right-click the connection for which you want to configure User Profile synchronization connection filters, and then click Edit Connection Filters.

  5. On the Edit connection filters page, in the Exclusion Filters for Users section, select the operator to use to join the clauses of the filter.

    • To specify that all of the clauses of the filter must be true, select All apply (AND).

    • To specify that at least one of the clauses of the filter must be true, select Any apply (OR).

  6. In the Attributes list, select the directory service attribute to compare.

  7. In the Operator list, select the comparison operator to use.

    Note

    The operators that are available depend on the data type of the attribute that you selected. For a list of which operators are available for each data type, see Connection filter data types and operators in SharePoint Server 2013.

  8. In the Filter box, type the value to which you want to compare the attribute.

  9. Click Add.

    The clause that you added is displayed in the Exclusion Filter for Users area.

  10. To add clauses to the filter, repeat steps 5 through 9.

  11. To filter which groups are synchronized, repeat steps 5 through 9, using the Exclusion Filters for Groups section of the page.

  12. When you have finished adding connection filters, click OK.
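The choice between All apply (AND) and Any apply (OR) in the Exclusion Filters for Users section changes which accounts are kept out of the profile store. The following added example (not part of the original article) evaluates two exclusion clauses against constructed directory entries under both joins; the operator names, the clause layout, the function names and the sample accounts are assumptions made for illustration.

```powershell
# Constructed sample directory entries (not real accounts).
# userAccountControl 512 = normal account, 514 = normal account with the "disabled" bit (2) set.
$entries = @(
    [pscustomobject]@{ sAMAccountName = 'alice';      userAccountControl = 512 }
    [pscustomobject]@{ sAMAccountName = 'svc-backup'; userAccountControl = 512 }
    [pscustomobject]@{ sAMAccountName = 'bob';        userAccountControl = 514 }
    [pscustomobject]@{ sAMAccountName = 'svc-old';    userAccountControl = 514 }
)

# Two exclusion clauses, written the way they are entered in the filter UI:
# attribute, comparison operator, value. Operator names here are illustrative.
$clauses = @(
    @{ Attribute = 'userAccountControl'; Operator = 'BitOnEquals'; Value = 2 }       # disabled accounts
    @{ Attribute = 'sAMAccountName';     Operator = 'StartsWith';  Value = 'svc-' }  # service accounts
)

function Test-Clause {
    # Returns $true when one clause matches one directory entry.
    param($Entry, [hashtable]$Clause)
    $actual = $Entry.($Clause.Attribute)
    switch ($Clause.Operator) {
        'Equals'      { return $actual -eq $Clause.Value }
        'StartsWith'  {
            return ([string]$actual).StartsWith([string]$Clause.Value,
                [System.StringComparison]::OrdinalIgnoreCase)
        }
        'BitOnEquals' { return (([int]$actual -band [int]$Clause.Value) -eq [int]$Clause.Value) }
        default       { throw "Unsupported operator: $($Clause.Operator)" }
    }
}

function Get-ExcludedEntry {
    # Returns the entries that the exclusion filter would keep out of synchronization.
    param(
        [object[]]$Entries,
        [hashtable[]]$Clauses,
        [ValidateSet('AND', 'OR')][string]$Join
    )
    foreach ($entry in $Entries) {
        $results = @(foreach ($clause in $Clauses) { Test-Clause -Entry $entry -Clause $clause })
        $excluded = if ($Join -eq 'AND') { $results -notcontains $false } else { $results -contains $true }
        if ($excluded) { $entry }
    }
}

# Compare the two joins and list what would still be imported in each case.
foreach ($join in 'AND', 'OR') {
    $excluded = @(Get-ExcludedEntry -Entries $entries -Clauses $clauses -Join $join)
    $imported = @($entries | Where-Object { $excluded.sAMAccountName -notcontains $_.sAMAccountName })
    "{0,-3} excludes: {1}" -f $join, ($excluded.sAMAccountName -join ', ')
    "{0,-3} imports : {1}" -f $join, ($imported.sAMAccountName -join ', ')
}
```

With the AND join, a disabled user account and an active service account are both still imported, because each matches only one of the two clauses.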

Map user profile properties

In this procedure, you determine how the properties of SharePoint Server 2013 user profiles map to the user information that is retrieved from the directory service. You should have identified how you will map user profile properties on the User profile properties data sheet in the User Profile Properties worksheet.

You will come back to this procedure in later phases to map user profile properties to information that is retrieved from business systems and to map how user profile properties in SharePoint Server 2013 can be used to write information back to the directory service. If you have not yet reached these phases, ignore the parts of the procedure that deal with business systems and exporting data.

To map user profile properties

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator or an administrator of the User Profile service application.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

    a. On Central Administration, in the Application Management section, click Manage service applications.

    b. On the Manage Service Applications page, select the User Profile service application.

  3. On Central Administration, on the Manage Profile Service page, in the People section, click Manage User Properties.

  4. On the Manage User Properties page, right-click the SharePoint Server 2013 property that you want to map to a directory service property, and then click Edit.

  5. To remove an existing mapping, in the Property Mapping for Synchronization section, select the mapping that you want to remove, and then click Remove.

  6. To add a new mapping, do the following:

    a. In the Add New Mapping section, in the Source Data Connection list, select the data connection that represents the external system to which you want to map the SharePoint Server 2013 property.

    b. In the Attribute list, select the name of the attribute in the external system to which you want to map the property.

       Tip

       You can only map a user profile property to an attribute of an external system if the data types are compatible. If an attribute that you want to map to a user profile is not listed when you try to create a new mapping, it might be due to a data type mismatch between the user profile property and the attribute. For more information about which data types are compatible, see User profile property data types in SharePoint Server 2013.

    c. In the Direction list, select the mapping direction.

       A direction of Import means that the value of the attribute in the external system will be imported into SharePoint Server 2013 and used to set the value of the SharePoint Server 2013 property. A direction of Export means that the value of the property in SharePoint Server 2013 will be exported to the external system and used to set the value of the attribute in the external system.

       Note

       You cannot edit a mapping. To change the direction of a mapping, you must first remove the mapping with the old direction, and then create a mapping in the new direction and add the mapping.

    d. Click Add.

  7. Click OK.

  8. Repeat steps 4 through 7 to map additional properties.

Start profile synchronization

Use this procedure to synchronize profile information between SharePoint Server 2013 and external systems such as directory services or business systems.

To start profile synchronization

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator or an administrator of the User Profile service application.

    • The user account that performs this procedure is a member of the Administrators group on the computer that is running SharePoint Server 2013.

  2. If you have already imported users or created My Sites, and you have enabled NetBIOS domain names, you must disable the My Site cleanup timer job before you start profile synchronization. For information about this timer job, see the Timer job reference for SharePoint Server 2016. For information about the PowerShell cmdlets that you use to enable and disable this timer job, see Timer jobs cmdlets (SharePoint Server 2010).

  3. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

    a. On Central Administration, in the Application Management section, click Manage service applications.

    b. On the Manage Service Applications page, select the User Profile service application.

  4. On Central Administration, on the Manage Profile Service page, in the Synchronization section, click Start Profile Synchronization.

  5. On the Start Profile Synchronization page, select Start Full Synchronization if this is the first time that you are synchronizing or if you have added or changed any synchronization connections or property mappings since the last time that you synchronized. Select Start Incremental Synchronization to synchronize only information that has changed since the last time that you synchronized.

  6. Click OK.

    The Manage Profile Service page is displayed.

  7. If you intend to enable the My Site cleanup timer job, complete these additional steps before you enable the job:

    a. Run profile synchronization again as described in this section.

    b. After the second profile synchronization has finished running, on Central Administration, in the Application Management section, click Manage service applications.

    c. Click the User Profile Service Application name, and then click Manage User Profiles.

    d. On the Manage Profile Service page, in the People section, click Manage User Profiles.

    e. Next to View, select Profiles Missing from Import.

    f. In the Find Profiles box, type the domain for the profiles, and then click Find.

    g. For each profile that is returned, check the originating directory service, such as Active Directory, for the status of that profile. If the status of any of the returned profiles in the directory is not disabled or is not deleted, do not enable the My Site cleanup timer job. Contact Microsoft support for more assistance. Otherwise, enable the My Site cleanup timer job. For information about the PowerShell cmdlets that you use to enable and disable this timer job, see Timer jobs cmdlets (SharePoint Server 2010).

A full synchronization can take a long time. If you refresh the Manage Profile Service page, the right side of the page displays the progress of the synchronization job. Be aware that profile synchronization consists of several stages, and the profiles will not be imported immediately. The Manage Profile Service page is not refreshed automatically as synchronization progresses.
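The check that closes the procedure above (do not enable the My Site cleanup timer job while any profile listed under Profiles Missing from Import is still active in the directory) can be scripted. This added example is not part of the original article: it applies that rule to a constructed list of accounts and a constructed stand-in for the directory, and the function names, the sample accounts and the display-name match used to find the timer job are assumptions.

```powershell
# Constructed sample: accounts copied from the "Profiles Missing from Import" view.
$missingFromImport = @('CONTOSO\alice', 'CONTOSO\bob', 'CONTOSO\carol')

# Constructed stand-in for the directory: $true = enabled, $false = disabled,
# no entry = deleted. Against a live AD DS forest, replace the body of
# Get-DirectoryStatus with a lookup such as Get-ADUser (ActiveDirectory module)
# and read the Enabled property of the returned object.
$sampleDirectory = @{ alice = $false; carol = $true }

function Get-DirectoryStatus {
    # Maps one account to 'Deleted', 'Disabled' or 'Enabled'.
    param([string]$Account, [hashtable]$Directory)
    $sam = ($Account -split '\\')[-1]    # strip the NetBIOS domain prefix
    if (-not $Directory.ContainsKey($sam)) { return 'Deleted' }
    if ($Directory[$sam]) { return 'Enabled' }
    return 'Disabled'
}

function Get-CleanupBlocker {
    # Returns the missing-from-import profiles that are still active in the
    # directory. Any result means the cleanup job must stay disabled.
    param([string[]]$Accounts, [hashtable]$Directory)
    foreach ($account in $Accounts) {
        $status = Get-DirectoryStatus -Account $account -Directory $Directory
        if ($status -eq 'Enabled') {
            [pscustomobject]@{ Account = $account; Status = $status }
        }
    }
}

$blockers = @(Get-CleanupBlocker -Accounts $missingFromImport -Directory $sampleDirectory)

if ($blockers.Count -gt 0) {
    # At least one profile is missing from import but still active: stop here.
    Write-Warning 'Do not enable the My Site cleanup timer job. Active accounts are missing from import:'
    $blockers | Format-Table -AutoSize
}
elseif (Get-Command Enable-SPTimerJob -ErrorAction SilentlyContinue) {
    # Assumption: the job is located by its display name. Confirm the match
    # with Get-SPTimerJob on your farm before relying on it.
    Get-SPTimerJob |
        Where-Object { $_.DisplayName -like '*My Site Cleanup*' } |
        Enable-SPTimerJob
}
else {
    Write-Output 'All missing profiles are disabled or deleted. Enable the job from the SharePoint Management Shell.'
}
```

With the constructed data, carol is still enabled in the directory, so the script stops at the warning and leaves the job disabled.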

Phase 3: Configure connections and import data from business systems

You can import data from a business system, such as a personnel system or a financial system, and use that data to add properties to existing user profiles. You should already have created an external content type that brings the information from the external system into SharePoint Server 2013. For more information about how to create an external content type to synchronize with a business system, see Plan profile synchronization for SharePoint Server 2013.

This phase is optional.

You must be a farm administrator, or an administrator of both the User Profile service application and the Business Data Connectivity service application, to perform these procedures. If you are not a farm administrator, start each procedure at the Manage Profile Service page.

This phase involves the following tasks:

  1. Give the User Profile service application permission to use the external content type

  2. Configure a Business Data Connectivity synchronization connection

  3. Add or edit user profile properties

  4. Import data

Give the User Profile service application permission to use the external content type

Use this procedure to give the farm account permission to execute operations on the external content type. For more information about how to set permissions on an external content type, see Set permissions on an external content type.

Note

Business Connectivity Services uses the permissions on the external content type and the permissions on the business system to determine authorization rules. You must make sure that the farm account also has permission to access the business system. For more information about authentication and permissions, see Overview of Business Connectivity Services security tasks in SharePoint Server.

To give the User Profile service application permission to use the external content type

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator or an administrator of the Business Data Connectivity service application.

    • The user account that performs this procedure has Set Permissions permission on the external content type with which you are synchronizing.

  2. If the user account that is performing this procedure is a farm administrator, complete this step. Otherwise, if the user account is not a farm administrator, go to the next step:

    • On the SharePoint Central Administration website, in the Application Management section, click Manage service applications.

  3. On Central Administration, on the Manage Service Applications page, select the Business Data Connectivity service application.

  4. Select the check box of the external content type that represents the information with which you want to synchronize.

  5. In the Permissions group, click Set Object Permissions.

  6. In the box, type the farm account, and then click Add.

  7. In the Permissions for <account> box, select Execute.

    Note

    If the farm account is the only account that is listed in the Permissions for <account> box, you must also give the farm account Set Permissions to the external content type. At least one user, group, or claim in the external content type's access control list must have the Set Permissions permission.

  8. Click OK.

  9. Verify that the "Propagate permissions to all methods of this external content type. Doing so will overwrite existing permissions." check box is selected.

  10. Repeat these steps to set permissions on additional external content types.

Configure a Business Data Connectivity synchronization connection

In this procedure, you create a connection for each external content type. The connection specifies how the business system data relates to the profile properties. The information that you enter comes from the Connection Planning worksheet.

To create a User Profile synchronization connection

  1. Verify that the user account that is performing this procedure has the following credentials:

    • The user account that performs this procedure is a farm administrator or administrator of both the User Profile service application and the Business Data Connectivity service application.

  2. If the user account that is performing this procedure is a farm administrator, complete these steps. Otherwise, if the user account is not a farm administrator, go to the next step:

    a. On Central Administration, in the Application Management section, click Manage service applications.

    b. On the Manage Service Applications page, select the User Profile service application.

  3. On Central Administration, on the Manage Profile Service page, in the Synchronization section, click Configure Synchronization Connections.

  4. On the Synchronizations Connections page, click Create New Connection.

  5. On the Add new synchronization connection page, type a name for the synchronization connection in the Connection Name box.

  6. From the Type list, select Business Data Connectivity.

  7. In the Business Data Connectivity Entity box, type the name of the external content type.

    Tip

    If you do not know the name of the external content type, click the Select External Content Type button to see all external content types. Select the external content type from the list, and then click OK.

  8. If each user profile maps to only one external content type instance, do the following:

    a. Click Connect User Profile Store to Business Data Connectivity Entity as a 1:1 mapping.

    b. In the Return items identified by this profile property list, select the user profile property that is used to match user profiles to external content type instances. The user profile property and the external content type identifier define the 1:1 relationship between the user profiles and the external content type, and are used to make sure that the imported properties are applied to the correct user profile.

       Tip

       The Return items identified by this profile property list returns all user profile properties that have a similar data type to the external content type identifier.

  9. If a user profile can map to multiple external content type instances, do the following:

    a. Click Connect User Profile Store to Business Data Connectivity Entity as a 1:many mapping.

    b. In the Filter items by list, select the filter that is used to find the set of external content type instances that apply to a user profile.

       Note

       The Filter items by list displays all filters that are defined in the external content type.

    c. In the Use this profile property as the filter value list, select the user profile property that is used to match user profiles to external content type instances.

  10. Click OK.

  11. Repeat steps 4 through 10 to add more connections.

Add or edit user profile properties

Before you can import the business system data, you must specify how the business system data maps to the user profile properties. The User profile properties data sheet in the User profile properties worksheet lists the business system properties that you want to import and how those properties map to the profile properties in the SharePoint Server 2013 profile store.

Follow the procedure in the Map user profile properties section to map additional user profile properties. If the data maps to an existing user profile property, edit the property and add a new mapping. If the data does not map to an existing user profile property, add a new custom property and then map the property.

Import data

To import data from the business system, you must perform a full synchronization. Follow the procedure in the Start profile synchronization section to start a full synchronization.

Phase 4: Configure connections and export data to directory services

In previous phases, you configured the profile synchronization connections that you must have. To write profile information back to a directory service, you map the profile properties to attributes in the directory service by using a mapping direction of Export. The next time that profile synchronization runs, properties will be imported and exported according to the mappings that you configured.

Note

Although you can import profile data from business systems by using the Business Connectivity Service, you cannot export profile data to business systems.

This phase is optional.

You must be a farm administrator or an administrator of the User Profile service application to perform these procedures. If you are not a farm administrator, start each procedure by using the Manage Profile Service page.

Do not create a new synchronization connection to export properties. To export properties to a directory service, use the same synchronization connection that you created to import properties from the directory service. You cannot use a synchronization connection only to export properties.

Follow the procedure to Map user profile properties again, this time selecting Export for the mapping direction. The properties that you map will be exported from SharePoint Server 2013 to the directory service whose connection you select.

Follow the procedure to Start profile synchronization again, this time selecting to do an incremental synchronization. The values of any SharePoint Server 2013 profile properties that were mapped to be exported to directory service attributes will be updated.

Note

For certain directory services, additional permissions may be required to write data back to the directory service. Review the information in the Plan account permissions section of the "Plan for profile synchronization" article, and make sure that the synchronization account has the necessary permissions.

Acknowledgements

The SharePoint Server 2013 Content Publishing team thanks Spencer Harbar, Enterprise Architect, for contributing to this article. His blog can be found at http://www.harbar.net.

See also

Concepts

Manage user profile synchronization in SharePoint Server

Schedule profile synchronization in SharePoint Server

Plan profile synchronization for SharePoint Server 2013