April 2003

Using GPOs to Configure Terminal Services

Windows 2003 brings better terminal server management

Since Microsoft first released Windows NT Server 4.0, Terminal Server Edition (WTS) in 1998, the company has greatly improved the client experience for people who use RDP to connect to terminal servers. In Windows Server 2003, the RDP client is almost as capable as the ICA client used to connect to Citrix MetaFrame servers, lacking support only for application publishing and Seamless Windows. If you're unfamiliar with MetaFrame, application publishing enables a connection to one application on a terminal server, and Seamless Windows lets end users maintain multiple connections to a terminal server that all connect to the same session and thus don't multiply resource usage.

However, Microsoft historically hasn't paid as much attention to improving server management in WTS and Windows 2000 Server Terminal Services. NT 4.0 predated WTS, so the core NT OS has no terminal server management capabilities—even user account management must be done on a WTS machine or by using the WTS-capable User Account Manager. Win2K includes support for Terminal Services in the core OS, but the server-management tools are suitable for managing only a small number of users or servers because you must configure Terminal Services settings separately for each account or machine. Because Terminal Services settings such as the profile path aren't exposed through Active Directory Service Interfaces (ADSI), you can't script server management beyond what's possible with the command-line tools. This restriction is tolerable if you plan to stay with the default settings or if you have only two or three user accounts or servers to configure. But configuring and managing more user settings and terminal servers consistently can get a bit complicated.

Windows 2003 has done a lot to make terminal servers—and user account settings that apply to Terminal Services—more manageable by exposing many settings through ADSI and Windows Management Instrumentation (WMI). You can use administrative scripts to manage these settings, or you can use Group Policy Objects (GPOs) that you can apply to organizational units (OUs). I introduce you to some GPOs for managing settings for users and computers and show you how to apply them to perform common tasks.

Locating Terminal Services Policies

When you open Group Policy Editor (GPE) on a Windows 2003 computer, you'll see a new folder—Administrative Templates\Windows Components\Terminal Services—under both the Computer Configuration and User Configuration folders. Figure 1, page 92, shows the settings available in the Computer Configuration\Administrative Templates\Windows Components\Terminal Services folder. A few of these settings are duplicated in the User Configuration\Administrative Templates\Windows Components\Terminal Services folder. The Computer Configuration settings are organized into several Terminal Services subfolders. Web Table 1 (http://www.winnetmag.com, InstantDoc ID 38284) lists the location of both the Computer Configuration and User Configuration Terminal Services settings.

To configure a setting, double-click it to open its Properties dialog box, then select Enable or Disable as appropriate. You might need to provide additional information for some settings; for example, to set user home directories for terminal sessions, you must provide the local or network path and—assuming that you're using a network location for home directories—the network drive letter to which you want to map the path. Although most settings apply to only Windows 2003 terminal servers or Windows XP Remote Desktop Connection, a few settings (e.g., the option to remove the Disconnect button from the Start menu) can apply to Win2K terminal servers. The version requirements are on each policy's Properties dialog box.

If you've ever edited the Terminal Services default user and terminal server settings, you know that an order of precedence exists for settings that you can configure for both servers and users. Typically, if a setting exists for both servers and users (as the default printer mapping settings do), the user setting takes precedence. You can use Terminal Services Configuration to override the user setting and give the server setting precedence. If you don't configure a GPO, whichever settings you've given precedence stay in control. However, when you configure a GPO, the GPO setting takes precedence over any settings you've edited through Terminal Services Configuration or through the user account properties, whether you enable or disable the GPO. If you've configured the same setting for both users and computers (possible with a few settings, such as those that manage remote control functionality), the computer settings take precedence over the user settings. (If you're linking GPOs to different containers in the domain, the policy-inheritance rules in place apply. If you're not accustomed to working with GPOs, see Getting Started With Win2K, "Group Policy," March 2000, http://www.winnetmag.com, InstantDoc ID 8144.)

Always be careful when you enable or disable policies because the wording of the GPOs can be confusing. For example, if you configure the setting for using smart cards with a terminal server and want to make sure smart cards are supported, you must disable the Do Not Allow Smart Card Redirection policy.

Applying GPOs to Terminal Servers

To apply GPOs to your terminal servers, you first must create a terminal servers OU and, if needed, a terminal server clients OU. Open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, and right-click the domain's icon in the left-hand pane. From the context menu, choose New, Organizational Unit. Name the new OU TerminalServers or something equally descriptive, and put all the application servers into it.

Terminal Services has no user-specific settings, so you might be able to get by with simply configuring policies for the terminal servers. However, you might choose not to configure all settings (such as those related to remote control of user sessions) at the computer level. You can apply per-user settings in several ways. One option is to create an OU for people allowed to log on to terminal servers. However, AD objects can be in only one OU, and putting people into a Terminal Services-specific OU might not be practical. Another option is to apply settings to the user OUs that you set up and use the loopback policy to make sure that the appropriate settings are applied when the users log on to terminal servers. To use loopback processing, you need to enable the Group Policy Loopback Policy Processing Mode on the Terminal Servers OU. This policy, found in Computer Configuration\Administrative Templates\System\Group Policy, controls how user policies are applied to special-purpose computers such as terminal servers. To make sure that the terminal server policies take precedence, go to the policy's Settings tab and choose Replace from the drop-down menu.
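
As an added illustration (not part of the original article), the following PowerShell reads the registry values written by the loopback policy described above and by the smart card redirection policy discussed earlier, and states what each value means on the server where it runs. It assumes PowerShell 3.0 or later is available on the terminal server; the function names are hypothetical.

```powershell
# Added example, not code from the article. Run locally on a terminal server.
# Assumption: PowerShell 3.0+ is installed; function names are illustrative.

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # An absent key or value means the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Get-LoopbackMeaning {
    param($Value)
    if ($null -eq $Value) { return 'Not configured: no loopback, user policy comes from the user OUs only' }
    if ($Value -eq 1) { return 'Merge: user OU policy applies first, then the user settings of the GPOs on the computer OU (which win conflicts)' }
    if ($Value -eq 2) { return 'Replace: only the user settings of the GPOs on the computer OU apply' }
    return "Unexpected value '$Value'; inspect the GPO"
}

function Get-SmartCardMeaning {
    param($Value)
    # The policy is worded as a negative, so the stored flag is inverted:
    # policy Enabled writes 0 (redirection off), policy Disabled writes 1.
    if ($null -eq $Value) { return 'Not configured: Terminal Services Configuration and account settings decide' }
    if ($Value -eq 0) { return 'Policy ENABLED: smart card redirection is blocked' }
    if ($Value -eq 1) { return 'Policy DISABLED: smart card redirection is allowed' }
    return "Unexpected value '$Value'; inspect the GPO"
}

function Get-TsPolicyReport {
    $system = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
    $ts     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $loop   = Get-PolicyValue -Path $system -Name 'UserPolicyMode'
    $card   = Get-PolicyValue -Path $ts -Name 'fEnableSmartCard'

    [pscustomobject]@{
        Policy  = 'Loopback processing mode'
        Raw     = $loop
        Meaning = Get-LoopbackMeaning $loop
    }
    [pscustomobject]@{
        Policy  = 'Do not allow smart card redirection'
        Raw     = $card
        Meaning = Get-SmartCardMeaning $card
    }
}

Get-TsPolicyReport | Format-List
```

A server in the TerminalServers OU that reports anything other than Replace for the loopback mode is not getting the behavior the article configures.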

 Windows IT Pro is a Division of Penton Media Inc.
 Copyright © 2009 Penton Media, Inc., All rights reserved.