Re: Help with configuration



Vera, you have been so helpful, I hope you don't mind me asking a few more
questions. I spent the day configuring the terminal server, and it actually
went pretty well! In Active Directory, I created an OU called "Terminal
Services" and then created a GPO for it, with all of the recommended lockdown
settings (based on the articles you mentioned). I moved the Terminal Server
object into the new OU. I created a testuser called "TSUSER" and made sure
he had "Allow login to Terminal Services" checked in his profile. I also
made him a member of the Remote Desktop Users group, and made sure that this
group had access to use the TS. I only have the Office apps installed on the
server, so I put the icons for Word, Excel and Powerpoint into the Desktop
Folder under "All Users" on the TS. Then, I logged into the TS as TSUSER,
and VOILA! There was my desktop with the 3 apps.

Here are the issues, though:

1. The student has 3 logons that he has to go through: 1) to login to the
domain/local workstation, 2) to give credentials for RDP, and then 3) to
logon to the TS! Is there any way to do all these in one step (ie: pass
userid/password through)? The students have enough trouble remembering their
regular account password.

2. I set the Computer Configuration restrictions AND the User Configuration
restrictions in the GPO, and enabled loopback processing, but when TSUSER
logs in, the User restrictions do not seem to be in effect (ie: Shutdown
still appears on the start menu). If I put TSUSER into the lockdown OU also,
those user restrictions take effect on the local machine (domain account).
(ie: if I minimize the remote desktop session, the SHUTDOWN does not appear
on the Start menu, but it still appears on the TS session). How do I apply
them to the TS logon session?

3. When I log onto the TS, do I need to log onto the local machine, or to the
domain? Do I need to create local accounts for all of my domain users?

4. It did not work to just put TSUSER into the Remote Desktop Users group.
I had to give the group EVERYONE user rights on the TS.

I think I'm almost there! Any help you can give on these items would be so
appreciated! Thank you...

"Vera Noest [MVP]" wrote:

OK, good luck, and feel free to post back here if you have more
questions!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___

lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 04 apr 2007 in
microsoft.public.windows.terminal_services:

Thank you so much for all the info. I am going to
configure/test starting tomorrow. I wanted to get a good plan
and make sure I understood before I even touched the server. I
will not be putting anything into production for the students
until I know it works. I wish we could hire someone to help,
but we are a small school with little money, so I'm it! :-)
Thank you so much for all your help.

"Vera Noest [MVP]" wrote:

Yes, they logon to the workstation first.
From there, they start the Terminal Server session with a small
program called "Remote Desktop" (this is also referred to as
the rdp client). You can find that on any XP workstation, under
Start Menu - Applications - Accessories - Communication (I
think, I'm translating from Swedish).
But you wrote in your first post that you had "installed RDP on
the client computers"? Assuming that you meant the rdp client,
that's the program you use to connect to the Terminal Server.

And no, you cannot logon directly to the TS without logging in
to the workstation first. There is 3rd party software (Citrix)
which you install on top of Terminal Services to enable you to
use your cached domain account credentials to automatically
logon to the TS once you have logged on to the workstation, but
it's quite expensive if this is the only feature you need.

When you create a GPO, you link it to an OU. The computer
settings in the GPO are applied to the objects in the OU.
So if you link your lock-down GPO to the OU which contains the
Terminal Server, it applies to the Terminal Server. If you link
the same GPO to the OU which contains your workstations, it
applies to your workstation.
Note that by default, the user settings are always taken from
the GPO (if any) which is linked to the OU which contains your
user accounts. That's why you have to use the "loopback
processing" options in your TS GPO.

Setting up a Terminal Server and locking it down properly with
GPOs is not a trivial task. I would advise you to *not* take it
into production before you have tested everything thoroughly,
not only with your own Administrator account, but also with a
test user account. It could be a wise decision to hire some
external company to assist you in setting this up properly.
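As an added diagnostic (not Vera's code and not part of the original thread), the script below can be run inside the TS session as the test user to see whether loopback processing is configured on the server and whether the user-side lockdown actually reached the session. It reads two documented registry values: the machine-side UserPolicyMode DWORD that loopback processing writes, and the per-user NoClose value written by the "Remove and prevent access to the Shut Down command" policy. The SESSIONNAME check and the gpresult call are standard Windows tooling; the exact text matched in the gpresult output is assumed to be the English localisation.

```powershell
# Added diagnostic, not from the thread. Run it inside the TS session as the
# test user (TSUSER in the thread) to check where the GPO settings came from.

# 1) Loopback processing is recorded by the machine-side policy in this DWORD:
#    1 = Merge, 2 = Replace, value missing = loopback not configured.
$loopbackKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $loopbackKey -Name UserPolicyMode `
            -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { 'Loopback: Merge (user OU settings first, TS GPO user settings on top)' }
    2       { 'Loopback: Replace (only the TS GPO user settings apply)' }
    default { 'Loopback: NOT configured on this server; user settings come from the user OU only' }
}

# 2) "Remove and prevent access to the Shut Down command" writes NoClose=1
#    under the user's Explorer policy key. If the setting is enabled in the
#    TS GPO but the value is absent here, the user half of that GPO did not
#    apply to this session (the thread's issue 2).
$explorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$noClose = (Get-ItemProperty -Path $explorerKey -Name NoClose `
               -ErrorAction SilentlyContinue).NoClose
if ($noClose -eq 1) { 'Shut Down command: hidden (user lockdown applied in this session)' }
else                { 'Shut Down command: still available (user lockdown NOT applied here)' }

# 3) Confirm this is really a remote session (SESSIONNAME is RDP-Tcp#<n> on
#    the TS, Console when logged on locally) and list the GPOs the user got.
"Session: $env:SESSIONNAME  user: $env:USERDOMAIN\$env:USERNAME  server: $env:COMPUTERNAME"
gpresult /scope user /v |
    Select-String -Pattern 'Applied Group Policy Objects' -Context 0, 10
```

If the first line reports loopback as not configured, the user restrictions in the TS GPO will never apply to the session regardless of what the user OU contains; if loopback is set but NoClose is still absent, compare the "Applied Group Policy Objects" list with the GPO linked to the TS OU to see whether the link, security filtering, or a slow policy refresh is the cause.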

lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 03 apr 2007 in
microsoft.public.windows.terminal_services:

Okay, please forgive my ignorance...you have been very
helpful. So, they log onto the local domain account first,
then logon again to the TS? How do they do that? Is there a
desktop shortcut or start menu icon to the session? Is there
a way to have ONE login and log just into the TS? I noticed
in the configuration of the TS OU, you can configure it to
disable the Control panel, network neighborhood, manage
dialogue, search, internet address, etc... If you configure
these things in the lockdown OU, is this disabling it locally or
on the TS session? This is very confusing. Thanks!

"Vera Noest [MVP]" wrote:

No, that's not how it works.
When users log on to their workstation, they use their local
workstation profile, which includes application settings for
those applications which are installed locally.
When they start a TS session and gain access to the TS, they
use their TS profile, which contains settings for the
applications installed on the TS.
You cannot mix profiles or change profiles on the fly, and
you cannot access applications installed locally from within
a TS session (the only exception would be a very simple
application which doesn't install any DLLs and doesn't use
the registry, but those are getting very rare nowadays).
But while users have an active TS session, running a TS-
application, they can minimize the whole session and start a
locally installed application simultaneously.

The only problem would be if these 2 types of applications
somehow need to communicate with each other.

lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 03 apr 2007 in
microsoft.public.windows.terminal_services:

So there's a local profile and a TS profile. When the
user logs in, are they both available? Can I somehow have
the local one hidden, (all except for the home directory)
yet still have the user access an application located
locally? (ie: Most of the apps will be run from the TS,
but there are a few apps that we have that won't run over
TS. Can they still access those from the local drive,
while in a tS session?) Thank you so much for your help.


"Vera Noest [MVP]" wrote:

About the TS:
yes, you must place it in a separate OU.
Then link your lockdown GPO to this OU.
Make sure that you configure "loopback processing" in
this GPO.

About your user accounts and policies: you can leave them
in the "Redirection" security group, which redirects
their "My Documents" folder (when logged on to the
clients) to a separate file server.

You *must* ensure that the users have different profiles
on the clients and the TS, to avoid profile corruption.
Since your users have a local profile on the clients, you
probably have not specified a local profile path in their
AD account properties. If you want them to have a local
profile on the TS as well, you could also leave the TS
profile path blank. Or you can specify a roaming profile,
pointing to a shared TS profile folder on your file
server. See:

246132 - User Profile and Home Directory Behavior with
Terminal Services
http://support.microsoft.com/?kbid=246132

Irrespective of whether you use local or roaming TS
profiles, you can use the GPO linked to your TS OU to
redirect "My Documents" on the TS to the same folder as
you currently use (that would also be most convenient for
your users). You can redirect other parts of the TS user
profile (Desktop, Start Menu) to other shared folders.

But don't mix the client profile folders with the TS
profile folders!

lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 31 mar 2007
in microsoft.public.windows.terminal_services:

I just read my previous post and realize I need to
clarify. Currently, in active directory, I have the
students in a "redirect" group which redirects the
"MyDocuments" folder to a W2003 server share. They
have local profiles. If I change them to TS users, can
I leave them in the redirect group and keep the
MyDocuments folder the same, yet redirect the other
folders of the profile to the TS local drive? And,
once I enable the redirected folders, will it move the
profile folders from the local drive automatically to
the TS share?

"lavagirl" wrote:

Wow...great articles! Very informative. I think I'm
getting this somewhat. Do you mind if I ask a few
questions?

For a school environment, where no one is logging in
remotely (offsite), and I want to keep the desktops
clean and "trouble-proof", would you recommend placing
the Terminal Server computer into the lockdown OU?

I am currently redirecting student home directory to a
Windows 2003 server (not TS). If I enable folder
redirection on the TS, can I still redirect to the
same location (on the other server)? If that's the
case, can the desktop, start menu and application
folders redirect to the local TS profile?
What happens if I do not specify a local TS profile, does it create a
default one?

We tried roaming profiles in our current environment,
and they were a nightmare. I don't know if I want to
use them in the TS environment (but it's not really
the same, right, because they are not being copied
over the network?)

thanks so much for your help...

"Vera Noest [MVP]" wrote:

You can lock down what users can do on your Terminal
Server and your desktops with Group Policies.

Here are some good starters, feel free to come back
if you have any specific questions.

Locking Down Windows Server 2003 Terminal Server Sessions
http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en

Windows Server 2003 Terminal Server Security White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=402A0CD1-9E4D-4007-8EAF-C30623E71250&displaylang=en

278295 - How to lock down a Windows Server 2003 or
Windows 2000 Terminal Server session
http://support.microsoft.com/?kbid=278295

lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 30 mar 2007
in microsoft.public.windows.terminal_services:

I am a TS newbie trying to install/configure
Terminal Services for a small school. I have the
Windows 2003 server up and running, with TS
enabled, but I'm kind of at a loss for where to go
from here. I have installed RDP on the client
computers, and have installed Office 2003 on the
TS. I want the students to have no control over
their desktops or apps installed, redirected home
folder to another server, but still be able to
have individual app settings, favorites, etc...
Is this possible? Can someone direct me to a
document or site that helps someone to
walk through the process? I can't really find
anything past setting up the server. Thanks
for any help...
