Re: Help with configuration



Yes, they logon to the workstation first.
From there, they start the Terminal Server session with a small
program called "Remote Desktop" (this is also referred to as the
rdp client). You can find that on any XP workstation, under Start
Menu - Applications - Accessories - Communication (I think, I'm
translating from Swedish).
But you wrote in your first post that you had "installed RDP on the
client computers"? Assuming that you meant the rdp client, that's
the program you use to connect to the Terminal Server.

And no, you cannot logon directly to the TS without logging in to
the workstation first. There is 3rd party software (Citrix) which
you install on top of Terminal Services to enable you to use your
cached domain account credentials to automatically logon to the TS
once you have logged on to the workstation, but it's quite
expensive if this is the only feature you need.

When you create a GPO, you link it to an OU. The computer settings
in the GPO are applied to the objects in the OU.
So if you link your lock-down GPO to the OU which contains the
Terminal Server, it applies to the Terminal Server. If you link the
same GPO to the OU which contains your workstations, it applies to
your workstation.
Note that by default, the user settings are always taken from the
GPO (if any) which is linked to the OU which contains your user
accounts. That's why you have to use the "loopback processing"
options in your TS GPO.

Setting up a Terminal Server and locking it down properly with GPOs
is not a trivial task. I would advise you to *not* take it into
production before you have tested everything thoroughly, not only
with your own Administrator account, but also with a test user
account. It could be a wise decision to hire some external company
to assist you in setting this up properly.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?bGF2YWdpcmw=?= <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 03 apr 2007 in
microsoft.public.windows.terminal_services:

Okay, please forgive my ignorance...you have been very helpful.
So, they log onto the local domain account first, then logon
again to the TS? How do they do that? Is there a desktop
shortcut or start menu icon to the session? Is there a way to
have ONE login and log just into the TS? I noticed in the
configuration of the TS OU, you can configure it to disable the
Control panel, network neighborhood, manage dialogue, search,
internet address, etc... If you configure these things in the
lockdown OU, is this disabling it locally or on the TS session?
This is very confusing. Thanks!

"Vera Noest [MVP]" wrote:

No, that's not how it works.
When users log on to their workstation, they use their local
workstation profile, which includes application settings for
those applications which are installed locally.
When they start a TS session and gain access to the TS, they
use their TS profile, which contains settings for the
applications installed on the TS.
You cannot mix profiles or change profiles on the fly, and you
cannot access applications installed locally from within a TS
session (the only exception would be a very simple application
which doesn't install any dll's and doesn't use the registry,
but those are getting very rare nowadays).
But while users have an active TS session, running a TS-
application, they can minimize the whole session and start a
locally installed application simultaneously.

The only problem would be if these 2 types of applications
somehow need to communicate with each other.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?bGF2YWdpcmw=?= <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 03 apr 2007 in
microsoft.public.windows.terminal_services:

So there's a local profile and a TS profile. When the user
logs in, are they both available? Can I somehow have the
local one hidden, (all except for the home directory) yet
still have the user access an application located locally?
(ie: Most of the apps will be run from the TS, but there are
a few apps that we have that won't run over TS. Can they
still access those from the local drive, while in a TS
session?) Thank you so much for your help.


"Vera Noest [MVP]" wrote:

About the TS:
yes, you must place it in a separate OU.
Then link your lockdown GPO to this OU.
Make sure that you configure "loopback processing" in this
GPO.

About your user accounts and policies: you can leave them in
the "Redirection" security group, which redirects their "My
Documents" folder (when logged on to the clients) to a
separate file server.

You *must* ensure that the users have different profiles on
the clients and the TS, to avoid profile corruption. Since
your users have a local profile on the clients, you probably
have not specified a local profile path in their AD account
properties. If you want them to have a local profile on the
TS as well, you could also leave the TS profile path blank.
Or you can specify a roaming profile, pointing to a shared
TS profile folder on your file server. See:

246132 - User Profile and Home Directory Behavior with
Terminal Services
http://support.microsoft.com/?kbid=246132

Irrespective of whether you use local or roaming TS
profiles, you can use the GPO linked to your TS OU to
redirect "My Documents" on the TS to the same folder as you
currently use (that would also be most convenient for your
users). You can redirect other parts of the TS user profile
(Desktop, Start Menu) to other shared folders.

But don't mix the client profile folders with the TS profile
folders!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

lavagirl
<lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 31 mar 2007 in
microsoft.public.windows.terminal_services:

I just read my previous post and realize I need to
clarify. Currently, in active directory, I have the
students in a "redirect" group which redirects the
"MyDocuments" folder to a W2003 server share. They have
local profiles. If I change them to TS users, can I leave
them in the redirect group and keep the MyDocuments folder
the same, yet redirect the other folders of the profile to
the TS local drive? And, once I enable the redirected
folders, will it move the profile folders from the local
drive automatically to the TS share?

"lavagirl" wrote:

Wow...great articles! Very informative. I think I'm
getting this somewhat. Do you mind if I ask a few
questions?

For a school environment, where no one is logging in
remotely (offsite), and I want to keep the desktops clean
and "trouble-proof", would you recommend placing the
Terminal Server computer into the lockdown OU?

I am currently redirecting student home directory to a
Windows 2003 server (not TS). If I enable folder
redirection on the TS, can I still redirect to the same
location (on the other server)? If that's the case, can
the desktop, start menu and application folders redirect
to the local TS profile?
What happens if I do not specify a local TS profile,
does it create a default one?

We tried roaming profiles in our current environment, and
they were a nightmare. I don't know if I want to use
them in the TS environment (but it's not really the same,
right, because they are not being copied over the
network?)

thanks so much for your help...

"Vera Noest [MVP]" wrote:

You can lock down what users can do on your Terminal
Server and your desktops with Group Policies.

Here are some good starters, feel free to come back if
you have any specific questions.

Locking Down Windows Server 2003 Terminal Server
Sessions
http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en

Windows Server 2003 Terminal Server Security White
Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=402A0CD1-9E4D-4007-8EAF-C30623E71250&displaylang=en

278295 - How to lock down a Windows Server 2003 or
Windows 2000 Terminal Server session
http://support.microsoft.com/?kbid=278295
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

lavagirl
<lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 30 mar
2007 in microsoft.public.windows.terminal_services:

I am a TS newbie trying to install/configure Terminal
Services for a small school. I have the Windows 2003
server up and running, with TS enabled, but I'm kind
of at a loss for where to go from here. I have
installed RDP on the client computers, and have
installed Office 2003 on the TS. I want the students
to have no control over their desktops or apps
installed, redirected home folder to another server,
but still be able to have individual app settings,
favorites, etc... Is this possible? Can someone
direct me to a document or site that helps someone to
walk through the process? I can't really find
anything past setting up the server. Thanks
for any help...
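
Added example, not part of the original thread: a simplified Python model of the behaviour described in the top reply, where user settings normally come from the GPO linked to the user's OU and "loopback processing" in the TS GPO makes the Terminal Server's OU decide instead. It goes slightly beyond the thread by modelling both loopback modes (replace and merge); all OU, GPO and setting names are constructed for illustration.

```python
# Simplified model of how Group Policy picks user settings, with and without
# loopback processing. OU, GPO and setting names are constructed for illustration.

GPOS = [
    {"name": "Students-Redirect", "linked_ou": "OU=Students",
     "computer": {},
     "user": {"MyDocuments": r"\\fileserver\home", "ScreenSaverTimeout": 600}},
    {"name": "TS-Lockdown", "linked_ou": "OU=TerminalServers",
     "computer": {"Loopback": "replace"},   # loopback is a computer setting
     "user": {"NoControlPanel": 1, "NoNetworkNeighborhood": 1,
              "MyDocuments": r"\\fileserver\home", "ScreenSaverTimeout": 300}},
]

def settings_from(ou, side, gpos):
    """Combine one side ('computer' or 'user') of every GPO linked to an OU."""
    combined = {}
    for gpo in gpos:
        if gpo["linked_ou"] == ou:
            combined.update(gpo[side])
    return combined

def effective_user_settings(user_ou, computer_ou, gpos=GPOS):
    """User settings a user receives when logging on to a given computer."""
    from_user_ou = settings_from(user_ou, "user", gpos)
    mode = settings_from(computer_ou, "computer", gpos).get("Loopback")
    if mode is None:                 # default: only the user's own OU counts
        return from_user_ou
    from_computer_ou = settings_from(computer_ou, "user", gpos)
    if mode == "replace":            # user settings of the computer's OU only
        return from_computer_ou
    if mode == "merge":              # both; the computer's OU wins conflicts
        return {**from_user_ou, **from_computer_ou}
    raise ValueError(f"unknown loopback mode: {mode!r}")

if __name__ == "__main__":
    # Same student account, two different machines.
    print("workstation:    ",
          effective_user_settings("OU=Students", "OU=Workstations"))
    print("terminal server:",
          effective_user_settings("OU=Students", "OU=TerminalServers"))
```

In replace mode the student's own redirection GPO is ignored on the Terminal Server, which is why the TS GPO in this model repeats the "My Documents" redirection.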