Re: Help with configuration
- From: lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 3 Apr 2007 13:16:03 -0700
Okay, please forgive my ignorance...you have been very helpful. So, they log
onto the local domain account first, then logon again to the TS? How do they
do that? Is there a desktop shortcut or start menu icon to the session? Is
there a way to have ONE login and log just into the TS?
I noticed in the configuration of the TS OU, you can configure it to disable
the Control panel, network neighborhood, manage dialogue, search, internet
address, etc... If you configure these things in the lockdown OU this
disabling it locally or on the TS session? This is very confusing.
Thanks!
"Vera Noest [MVP]" wrote:
No, that's not how it works..
When users log on to their workstation, they use their local
workstation profile, which includes application settings for those
applications which are installed locally.
When they start a TS session and gain access to the TS, they use
their TS profile, which contains settings for the appliaction
installed on the TS.
You cannot mix profiles or change profiles on the fly, and you
cannot access applications installed locally from within a TS
session (the only exception would be a very simple application
which doesn't install any dll's and doesn't use the registry, but
those are getting very rare nowadays).
But while users have an active TS session, running a TS-
application, they can minimize the whole session and start a
locally installed application simultaneously.
The only problem would be if these 2 types of applications somehow
need to communicate with each other.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?bGF2YWdpcmw=?= <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 03 apr 2007 in
microsoft.public.windows.terminal_services:
So there's a local profile and a TS profile. When the user logs
in, are they both available? Can I somehow have the local one
hidden, (all except for the home directory) yet still have the
user access an application located locally? (ie: Most of the
apps will be run from the TS, but there are a few apps that we
have that won't run over TS. Can they still access those from
the local drive, while in a tS session?)
Thank you so much for your help.
"Vera Noest [MVP]" wrote:
About the TS:
yes, you must place it in a separate OU.
Then link your lockdown GPO to this OU.
Make sure that you configure "loopback processing" in this GPO.
About your user accounts and policies: you can leave them in
the "Redirection" security group, which redirects their "My
Documents" folder (when logged on to the clients) to a separate
file server.
You *must* ensure that the users have different profiles on the
clients and the TS, to avoid profile corruption. Since your
users have a local profile on the clients, you probably have
not specified a local profile path in their AD account
properties. If you want them to have a local profile on the TS
as well, you could also leave the TS profile path blank. Or you
can specify a roaming profile, pointing to a shared TS profile
folder on your file server. See:
246132 - User Profile and Home Directory Behavior with Terminal
Services
http://support.microsoft.com/?kbid=246132
Irrespective of whether you use local or roaming TS profiles,
you can use the GPO linked to your TS OU to redirect "My
Documents" on the TS to the same folder as you currently use
(that would also be most convenient for your users). You can
redirect other parts of the TS user profile (Desktop, Start
Menu) to other shared folders.
But don't mix the client profile folders with the TS profile
folders!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?bGF2YWdpcmw=?= <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 31 mar 2007 in
microsoft.public.windows.terminal_services:
I just read my previous post and realize I need to clarify.
Currently, in active directory, I have the students in a
"redirect" group which redirects the "MyDocuments" folder to
a W2003 server share. They have local profiles. If I change
them to TS users, can I leave them in the redirect group and
keep the MyDocuments folder the same, yet redirect the other
folders of the profile to the TS local drive? And, once I
enable the redirected folders, will it move the profile
folders from the local drive automatically to the TS share?
"lavagirl" wrote:
Wow...great articles! Very informative. I think I'm
getting this somewhat. Do you mind if I ask a few
questions?
For a school environment, where no one is logging in
remotely (offsite), and I want to keep the desktops clean
and "trouble-proof", would you recommend placing the
Terminal Server computer into the lockdown OU?
I am currently redirecting student home directory to a
Windows 2003 server (not TS). If I enable folder
redirection on the TS, can I still redirect to the same
location (on the other server)? If that's the case, can the
desktop, start menu and application folders redirect to the
local TS profile?
What happens if I do not specify a local TS profile, does
it create a
default one?
We tried roaming profiles in our current environment, and
they were a nightmare. I don't know if I want to use them
in the TS environment (but it's not really the same, right,
because they are not being copied over the network?)
thanks so much for your help...
"Vera Noest [MVP]" wrote:
You can lock down what users can do on your Terminal
Server and your desktops with Group Policies.
Here are some good starters, feel free to come back if you
have any specific questions.
Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/downloads/details.aspx?FamilyID=7f
272 fff- 9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en
Windows Server 2003 Terminal Server Security White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=40
2A0 CD1- 9E4D-4007-8EAF-C30623E71250&displaylang=en
278295 - How to lock down a Windows Server 2003 or Windows
2000 Terminal Server session
http://support.microsoft.com/?kbid=278295
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
=?Utf-8?B?bGF2YWdpcmw=?=
<lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 30 mar 2007
in microsoft.public.windows.terminal_services:
I am a TS newbie trying to install/configure Terminal
Services for a small school. I have the Windows 2003
server up and running, with TS enabled, but I'm kind of
at a loss for where to go from here. I have installed
RDP on the client computers, and have installed Office
2003 on the TS. I want the students to have no control
over their desktops or apps installed, redirected home
folder to another server, but still be able to have
individual app settings, favorites, etc... Is this
possible? Can someone direct me to a document or site
that helps someone to walk through the process? I can't
really find anything past setting up the server. Thanks
for any help...
- Follow-Ups:
- Re: Help with configuration
- From: Vera Noest [MVP]
- Re: Help with configuration
- References:
- Re: Help with configuration
- From: lavagirl
- Re: Help with configuration
- From: Vera Noest [MVP]
- Re: Help with configuration
- Prev by Date: Re: Help with licenses
- Next by Date: Re: Direct hardware access / redirected com ports
- Previous by thread: Re: Help with configuration
- Next by thread: Re: Help with configuration
- Index(es):
Relevant Pages
|
