Re: Help with configuration
- From: "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 05 Apr 2007 04:43:37 -0700
OK, it seems that you have come a long way in such a short time,
good work!
About your questions:
1. Pass-through authentication is not a feature of Windows Terminal
Services. You would need Citrix for that. But you can minimize the
logins to 2, and users can save their credentials.
Users should logon to the workstation using their domain account
and password. And they should use the same domain account and
password logging in to the TS. Do *not* create local user accounts
for them on the TS, that's a waste of your time as well as a
nuisance for your users.
It seems to me that you are using the new (Vista, version 6.0) rdp
client, is that correct? It has some peculiarities in the way it
handles and stores usernames and passwords. But once users logon
with the correct username and password, they can select "Remember
my password", which effectively takes away one logon.
Be sure to read the information for the rdp 6.0 client here:
Vista Remote Desktop Connection Authentication FAQ
http://blogs.msdn.com/ts/archive/2007/01/22/vista-remote-desktop-connection-authentication-faq.aspx
and here:
TS connection experience improvements based on RDP 6.0 client
customer feedback
http://blogs.msdn.com/ts/archive/2007/03/28/ts-connection-experience-improvements-based-on-rdp-6-0-client-customer-feedback.aspx
2. Your GPO settings do not apply to your Terminal Server.
Have you checked in the security settings of the GPO that the
Terminal Server object is in the security list?
As you have noticed, you should *not* put the user accounts in the
Terminal Servers OU, because then user accounts will always be
locked down, also when they logon to the workstations.
3. See answer 1. Use domain accounts.
4. This is a bit puzzling. It should be enough to add the TSUSER
account as a member of the Remote Desktop Users group.
Note that this is the *local* RDU group on the Terminal Server, not
the Remote Desktop Users group which you can see in AD.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
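An added check that is not part of the thread: a PowerShell audit script to run on the Terminal Server itself, verifying the three things the answer above turns on (whether the loopback GPO actually reached this computer, who is in the *local* Remote Desktop Users group, and whether the EVERYONE group was given the Terminal Services logon right as in question 4). 'CONTOSO\TSUSER' is a placeholder for the real domain account.

```powershell
# Added example, not from the newsgroup thread. Run in an elevated PowerShell
# session on the Terminal Server. $DomainUser is a constructed placeholder.
$DomainUser = 'CONTOSO\TSUSER'

# 1. Loopback processing is a Computer Configuration setting; when the GPO
#    applies to this machine it writes UserPolicyMode (1 = Merge, 2 = Replace).
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $key -Name UserPolicyMode -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { 'Loopback processing: Merge' }
    2       { 'Loopback processing: Replace' }
    default { 'Loopback processing NOT applied here - check the GPO link and its security filtering' }
}

# 2. Membership of the local Remote Desktop Users group (not the AD group of
#    the same name). Strip the header/footer lines from "net localgroup" output.
$members = net localgroup 'Remote Desktop Users' |
    Where-Object { $_ -and $_ -notmatch '^(Alias name|Comment|Members|-+|The command)' } |
    ForEach-Object { $_.Trim() }
"Local Remote Desktop Users members: $($members -join ', ')"
if ($members -notcontains $DomainUser) {
    "WARNING: $DomainUser is not a member of the local Remote Desktop Users group"
}

# 3. The 'Allow log on through Terminal Services' right. Export the local
#    user-rights policy and look for Everyone (SID S-1-1-0) on that line;
#    it should be granted to the Remote Desktop Users group only.
$inf = Join-Path $env:TEMP 'ts-user-rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$right = Select-String -Path $inf -Pattern '^SeRemoteInteractiveLogonRight' |
    Select-Object -ExpandProperty Line
$right
if ($right -match '\*S-1-1-0') {
    'WARNING: Everyone holds the Terminal Services logon right; remove it and rely on Remote Desktop Users'
}
Remove-Item $inf -ErrorAction SilentlyContinue
```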
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 05 apr 2007 in microsoft.public.windows.terminal_services:
Vera, you have been so helpful, I hope you don't mind me asking
a few more questions. I spent the day configuring the terminal
server, and it actually went pretty well! In Active Directory,
I created an OU called "Terminal Services" and then created a
GPO for it, with all of the recommended lockdown settings (based
on the articles you mentioned). I moved the Terminal Server
object into the new OU. I created a testuser called "TSUSER"
and made sure he had "Allow login to Terminal Services" checked
in his profile. I also made him a member of the Remote Desktop
Users group, and made sure that this group had access to use the
TS. I only have the Office apps installed on the server, so I
put the icons for Word, Excel and Powerpoint into the Desktop
Folder under "All Users" on the TS. Then, I logged into the TS
as TSUSER, and VOILA! There was my desktop with the 3 apps.
Here are the issues, though:
1. The student has 3 logons that he has to go through: 1) to
login to the domain/local workstation, 2) to give credentials
for RDP, and then 3) to logon to the TS! Is there any way to do
all these in one step (ie: pass userid/password through)? The
students have enough trouble remembering their regular account
password.
2. I set the Computer Configuration restrictions AND the User
Configuration restrictions in the GPO, and enabled loopback
processing, but when TSUSER logs in, the User restrictions do
not seem to be in effect (ie: Shutdown still appears on the
start menu). If I put TSUSER into the lockdown OU also, those
user restrictions take effect on the local machine (domain
account). (ie: if I minimize the remote desktop session, the
SHUTDOWN does not appear on the Start menu, but it still appears
on the TS session). How do I apply them to the TS logon
session?
3. When I log onto the TS, do I need to log onto the local machine,
or to the domain? Do I need to create local accounts for all of
my domain users?
4. It did not work to just put TSUSER into the Remote Desktop
Users group. I had to give the group EVERYONE user rights on the
TS.
I think I'm almost there! Any help you can give on these items
would be so appreciated! Thank you...
"Vera Noest [MVP]" wrote:
OK, good luck, and feel free to post back here if you have more
questions!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 04 apr 2007 in microsoft.public.windows.terminal_services:
Thank you so much for all the info. I am going to
configure/test starting tomorrow. I wanted to get a good plan
and make sure I understood before I even touched the server.
I will not be putting anything into production for the
students until I know it works. I wish we could hire someone
to help, but we are a small school with little money, so I'm
it! :-) Thank you so much for all your help.
"Vera Noest [MVP]" wrote:
Yes, they logon to the workstation first.
From there, they start the Terminal Server session with a
small program called "Remote Desktop" (this is also referred
to as the rdp client). You can find that on any XP
workstation, under Start Menu - Applications - Accessories -
Communication (I think, I'm translating from Swedish).
But you wrote in your first post that you had "installed RDP
on the client computers"? Assuming that you meant the rdp
client, that's the program you use to connect to the
Terminal Server.
And no, you cannot logon directly to the TS without logging
in to the workstation first. There is third-party software
(Citrix) which you install on top of Terminal Services to
enable you to use your cached domain account credentials to
automatically logon to the TS once you have logged on to the
workstation, but it's quite expensive if this is the only
feature you need.
When you create a GPO, you link it to an OU. The computer
settings in the GPO are applied to the objects in the OU.
So if you link your lock-down GPO to the OU which contains
the Terminal Server, it applies to the Terminal Server. If
you link the same GPO to the OU which contains your
workstations, it applies to your workstation.
Note that by default, the user settings are always taken
from the GPO (if any) which is linked to the OU which
contains your user accounts. That's why you have to use the
"loopback processing" options in your TS GPO.
Setting up a Terminal Server and locking it down properly
with GPOs is not a trivial task. I would advise you to *not*
take it into production before you have tested everything
thoroughly, not only with your own Administrator account,
but also with a test user account. It could be a wise
decision to hire some external company to assist you in
setting this up properly.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 03 apr 2007 in microsoft.public.windows.terminal_services:
Okay, please forgive my ignorance...you have been very
helpful. So, they log onto the local domain account first,
then logon again to the TS? How do they do that? Is
there a desktop shortcut or start menu icon to the
session? Is there a way to have ONE login and log just
into the TS? I noticed in the configuration of the TS OU,
you can configure it to disable the Control panel, network
neighborhood, manage dialogue, search, internet address,
etc... If you configure these things in the lockdown OU
this disabling it locally or on the TS session? This is
very confusing. Thanks!
"Vera Noest [MVP]" wrote:
No, that's not how it works.
When users log on to their workstation, they use their
local workstation profile, which includes application
settings for those applications which are installed
locally. When they start a TS session and gain access to
the TS, they use their TS profile, which contains
settings for the applications installed on the TS.
You cannot mix profiles or change profiles on the fly,
and you cannot access applications installed locally from
within a TS session (the only exception would be a very
simple application which doesn't install any dll's and
doesn't use the registry, but those are getting very rare
nowadays). But while users have an active TS session,
running a TS application, they can minimize the whole
session and start a locally installed application
simultaneously.
The only problem would be if these 2 types of
applications somehow need to communicate with each other.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 03 apr 2007 in microsoft.public.windows.terminal_services:
So there's a local profile and a TS profile. When the
user logs in, are they both available? Can I somehow
have the local one hidden, (all except for the home
directory) yet still have the user access an
application located locally? (ie: Most of the apps will
be run from the TS, but there are a few apps that we
have that won't run over TS. Can they still access
those from the local drive, while in a TS session?)
Thank you so much for your help.
"Vera Noest [MVP]" wrote:
About the TS:
yes, you must place it in a separate OU.
Then link your lockdown GPO to this OU.
Make sure that you configure "loopback processing" in
this GPO.
About your user accounts and policies: you can leave
them in the "Redirection" security group, which
redirects their "My Documents" folder (when logged on
to the clients) to a separate file server.
You *must* ensure that the users have different
profiles on the clients and the TS, to avoid profile
corruption. Since your users have a local profile on
the clients, you probably have not specified a local
profile path in their AD account properties. If you
want them to have a local profile on the TS as well,
you could also leave the TS profile path blank. Or you
can specify a roaming profile, pointing to a shared TS
profile folder on your file server. See:
246132 - User Profile and Home Directory Behavior with
Terminal Services
http://support.microsoft.com/?kbid=246132
Irrespective of whether you use local or roaming TS
profiles, you can use the GPO linked to your TS OU to
redirect "My Documents" on the TS to the same folder
as you currently use (that would also be most
convenient for your users). You can redirect other
parts of the TS user profile (Desktop, Start Menu) to
other shared folders.
But don't mix the client profile folders with the TS
profile folders!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 31 mar 2007 in microsoft.public.windows.terminal_services:
I just read my previous post and realize I need to
clarify. Currently, in active directory, I have the
students in a "redirect" group which redirects the
"MyDocuments" folder to a W2003 server share. They
have local profiles. If I change them to TS users,
can I leave them in the redirect group and keep the
MyDocuments folder the same, yet redirect the other
folders of the profile to the TS local drive? And,
once I enable the redirected folders, will it move
the profile folders from the local drive
automatically to the TS share?
"lavagirl" wrote:
Wow...great articles! Very informative. I think
I'm getting this somewhat. Do you mind if I ask a
few questions?
For a school environment, where no one is logging
in remotely (offsite), and I want to keep the
desktops clean and "trouble-proof", would you
recommend placing the Terminal Server computer into
the lockdown OU?
I am currently redirecting student home directory
to a Windows 2003 server (not TS). If I enable
folder redirection on the TS, can I still redirect
to the same location (on the other server)? If
that's the case, can the desktop, start menu and
application folders redirect to the local TS
profile?
What happens if I do not specify a local TS profile, does it
create a default one?
We tried roaming profiles in our current
environment, and they were a nightmare. I don't
know if I want to use them in the TS environment
(but it's not really the same, right, because they
are not being copied over the network?)
thanks so much for your help...
"Vera Noest [MVP]" wrote:
You can lock down what users can do on your
Terminal Server and your desktops with Group
Policies.
Here are some good starters, feel free to come
back if you have any specific questions.
Locking Down Windows Server 2003 Terminal Server
Sessions
http://www.microsoft.com/downloads/details.aspx?FamilyID=7f272fff-9a6e-40c7-b64e-7920e6ae6a0d&DisplayLang=en
Windows Server 2003 Terminal Server Security
White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyID=402A0CD1-9E4D-4007-8EAF-C30623E71250&displaylang=en
278295 - How to lock down a Windows Server 2003
or Windows 2000 Terminal Server session
http://support.microsoft.com/?kbid=278295
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 30 mar 2007 in microsoft.public.windows.terminal_services:
I am a TS newbie trying to install/configure
Terminal Services for a small school. I have
the Windows 2003 server up and running, with TS
enabled, but I'm kind of at a loss for where to
go from here. I have installed RDP on the
client computers, and have installed Office
2003 on the TS. I want the students to have no
control over their desktops or apps installed,
redirected home folder to another server, but
still be able to have individual app settings,
favorites, etc... Is this possible? Can
someone direct me to a document or site that
helps someone to walk through the process? I
can't really find anything past setting up the
server. Thanks for any help...