Re: Help with configuration

Oops, let me clarify. Right now, I have a group policy for the regular users
to redirect their My Documents folder to a share on the fileserver. The TS
profile path and regular profile paths are blank. I do not have the folder
redirection configured in the GPO on the TS, but it still defaults the My
Documents folder on both accounts to the share on the fileserver (ie: they
both show the same redirected folder). Is there any reason why I need to go
ahead and configure folder redirection for the My Documents folder in the
GPO, if it is already redirecting by default? Should I redirect there also
for the other 3 folders shown to the local account?

Thank you so much, you have pretty much walked me through setting up my TS!
I should pay you a consulting fee!

"Vera Noest [MVP]" wrote:

OK, so your GPO is working now, good!

About your other questions:

1. If you leave both profile paths blank, then users will have a
local profile, both on their clients and on the TS.
Nothing wrong with that, but it will also mean that they have
different "My Documents" folders. Users will find it very
frustrating that they can't access documents which they created in
a TS session from their clients and vice versa. That's why I
suggested to redirect at least the "My Documents" folder on the TS
to the file server which already holds their "My Documents" folder
from the clients.

2. the keyword here is "almost"!
I would *strongly* suggest to create 2 separate GPOs and leave the
user accounts in their current "Users" OU. The settings in the TS
GPO and the normal users GPO might be very similar right now, but
they can easily diverge later on, when new demands come up.
Separating them later on will be much more disruptive than starting
with 2 separate GPOs right from the beginning.

Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
___ please respond in newsgroup, NOT by private email ___

lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 10 apr 2007 in

OK, my group policy is being applied now. I realized that I did
not have the option cleared on the RDP-tcp connection Client
properties tab for "Use connection settings from user settings".
Once I cleared that, the GPO settings were applied.

Can I ask two more questions? (I thought about starting a new
post, but there was so much history here!)

1. If I do NOT specify a roaming profile path, do I still need
to enable folder redirection? (The profile path on the domain
account profile is blank, also). If so, do I need it on the My
Documents folder, since I am redirecting that to another server
with another group policy?
2. I want the students to have almost
the same restrictions on their local workstations as on the TS.
Should I do this by putting their user object into the TS OU
along with the TS computer, or should I create a new group policy
on a new OU?

Again, Vera, thanks so much for your help!

"Vera Noest [MVP]" wrote:

OK, it seems that you have come a long way in such a short
time, good work!

About your questions:

1. Pass-through authentication is not a feature of Windows
Terminal Services. You would need Citrix for that. But you can
minimize the logins to 2, and users can save their credentials.
Users should logon to the workstation using their domain
account and password. And they should use the same domain
account and password logging in to the TS. Do *not* create
local user accounts for them on the TS, that's a waste of your
time as well as a nuisance for your users.
It seems to me that you are using the new (Vista, version 6.0)
rdp client, is that correct? It has some peculiarities in the
way it handles and stores usernames and passwords. But once
users logon with the correct username and password, they can
select "Remember my password", which effectively takes away one
logon. Be sure to read the information for the rdp 6.0 client

Vista Remote Desktop Connection Authentication FAQ
- connection-authentication-faq.aspx

and here:

TS connection experience improvements based on RDP 6.0 client
customer feedback

2. Your GPO settings do not apply to your Terminal Server.
Have you checked in the security settings of the GPO that the
Terminal Server object is in the security list?
As you have noticed, you should *not* put the user accounts in
the Terminal Servers OU, because then user accounts will always
be locked down, also when they logon to the workstations.

3. See answer 1. Use domain accounts.

4. This is a bit puzzling. It should be enough to add the
TSUSER account as a member of the Remote Desktop Users group.
Note that this is the *local* RDU group on the Terminal Server,
not the Remote Desktop Users group which you can see in AD.

Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
___ please respond in newsgroup, NOT by private email ___

lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx>
wrote on 05 apr 2007 in

Vera, you have been so helpful, I hope you don't mind me
asking a few more questions. I spent the day configuring the
terminal server, and it actually went pretty well! In Active
Directory, I created an OU called "Terminal Services" and
then created a GPO for it, with all of the recommended
lockdown settings (based on the articles you mentioned). I
moved the Terminal Server object into the new OU. I created
a testuser called "TSUSER" and made sure he had "Allow login
to Terminal Services" checked in his profile. I also made
him a member of the Remote Desktop Users group, and made sure
that this group had access to use the TS. I only have the
Office apps installed on the server, so I put the icons for
Word, Excel and Powerpoint into the Desktop Folder under "All
Users" on the TS. Then, I logged into the TS as TSUSER, and
VOILA! There was my desktop with the 3 apps.

Here's the issues, though:

1. The student has 3 logons that he has to go through: 1) to
login to the domain/local workstation, 2) to give credentials
for RDP, and then 3) to logon to the TS! Is there any way to
do all these in one step (ie: pass userid/password through)?
The students have enough trouble remembering their regular
account password.

2. I set the Computer Configuration restrictions AND the
User Configuration restrictions in the GPO, and enabled
loopback processing, but when TSUSER logs in, the User
restrictions do not seem to be in effect (ie: Shutdown still
appears on the start menu). If I put TSUSER into the
lockdown OU also, those user restrictions take effect on the
local machine (domain account). (ie: if I minimize the remote
desktop session, the SHUTDOWN does not appear on the Start
menu, but it still appears on the TS session). How do I
apply them to the TS logon session?

3. When I log onto the TS, do I need log onto the local
machine, or to the domain? Do I need to create local
accounts for all of my domain users?

4. It did not work to just put TSUSER into the Remote Desktop
Users group. I had to give group EVERYONE user rights on the

I think I'm almost there! Any help you can give on these
items would be so appreciated! Thank you...

"Vera Noest [MVP]" wrote:

OK, good luck, and feel free to post back here if you have
more questions!
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
___ please respond in newsgroup, NOT by private email ___

<lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 04 apr 2007 in

Thank you so much for all the info. I am going to
configure/test starting tomorrow. I wanted to get a good
plan and make sure I understood before I even touched the
server. I will not be putting anything into production for
the students until I know it works. I wish we could hire
someone to help, but we are a small school with little
money, so I'm it! :-) Thank you so much for all your

"Vera Noest [MVP]" wrote:

Yes, they logon to the workstation first.
From there, they start the Terminal Server session with a
small program called "Remote Desktop" (this is also
referred to as the rdp client). You can find that on any
XP workstation, under Start Menu - Applications -
Accessories - Communication (I think, I'm translating
from Swedish). But you wrote in your first post that you
had "installed RDP on the client computers"? Assuming
that you meant the rdp client, that's the program you use
to connect to the Terminal Server.

And no, you cannot logon directly to the TS without
logging in to the workstation first. There is 3rd party
software (Citrix) which you install on top of Terminal
Services to enable you to use your cached domain account
credentials to automatically logon to the TS once you
have logged on to the workstation, but it's quite
expensive if this is the only feature you need.

When you create a GPO, you link it to an OU. The computer
settings in the GPO are applied to the objects in the OU.
So if you link your lock-down GPO to the OU which
contains the Terminal Server, it applies to the Terminal
Server. If you link the same GPO to the OU which contains
your workstations, it applies to your workstation.
Note that by default, the user settings are always taken
from the GPO (if any) which is linked to the OU which
contains your user accounts. That's why you have to use
the "loopback processing" options in your TS GPO.

Setting up a Terminal Server and locking it down properly
with GPOs is not a trivial task. I would advise you to
*not* take it into production before you have tested
everything thoroughly, not only with your own
Administrator account, but also with a test user account.
It could be a wise decision to hire some external company
to assist you in setting this up properly.
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
___ please respond in newsgroup, NOT by private email ___
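An added audit script, not from this thread, that checks the advice in this message (lockdown GPO linked to the OU holding the Terminal Server, loopback processing configured) together with the points in the later reply above (GPO security filtering, keeping user accounts out of the TS OU, membership of the *local* Remote Desktop Users group). It assumes the RSAT GroupPolicy and ActiveDirectory modules, that it runs on the Terminal Server itself, and the placeholder names TS01, "Terminal Services" and TSUSER.

```powershell
# Added audit script (not from this thread). Assumes the RSAT GroupPolicy and
# ActiveDirectory modules, and that it runs on the Terminal Server itself so
# Get-LocalGroupMember sees the *local* Remote Desktop Users group.
Import-Module GroupPolicy, ActiveDirectory

$TsName   = 'TS01'               # placeholder computer name of the Terminal Server
$TsOuName = 'Terminal Services'  # the OU created for the TS in the thread
$TestUser = 'TSUSER'             # the test account from the thread

function Report([bool]$Ok, [string]$Msg) {
    '[{0}] {1}' -f $(if ($Ok) { 'OK  ' } else { 'FAIL' }), $Msg
}

$ou = Get-ADOrganizationalUnit -Filter "Name -eq '$TsOuName'"
$ts = Get-ADComputer -Identity $TsName

# 1. The TS computer object must sit inside the lockdown OU.
Report ($ts.DistinguishedName -like "*,$($ou.DistinguishedName)") `
       "$TsName is in OU '$TsOuName'"

# 2. Every GPO linked to that OU: loopback processing configured, and the
#    'Apply' permission present so security filtering does not drop the TS.
foreach ($link in (Get-GPInheritance -Target $ou.DistinguishedName).GpoLinks) {
    $gpo = $link.DisplayName
    # Loopback is stored as UserPolicyMode: 1 = Merge, 2 = Replace.
    $lb = Get-GPRegistryValue -Name $gpo -ValueName 'UserPolicyMode' `
            -Key 'HKLM\Software\Policies\Microsoft\Windows\System' -ErrorAction SilentlyContinue
    Report ($null -ne $lb -and $lb.Value -in 1, 2) "GPO '$gpo' has loopback processing enabled"

    $applyTo = Get-GPPermission -Name $gpo -All |
        Where-Object { $_.Permission -eq 'GpoApply' } | ForEach-Object { $_.Trustee.Name }
    Report ([bool]($applyTo | Where-Object { $_ -in 'Authenticated Users', ($TsName + '$') })) `
           "GPO '$gpo' applies to $TsName (apply list: $($applyTo -join ', '))"
}

# 3. User accounts must NOT live in the TS OU, or the lockdown follows them
#    to their workstations (the TSUSER symptom described in the thread).
$stray = @(Get-ADUser -Filter * -SearchBase $ou.DistinguishedName)
Report ($stray.Count -eq 0) "No user accounts inside OU '$TsOuName' (found $($stray.Count))"

# 4. The *local* Remote Desktop Users group (not the AD one) must hold the user.
$rdu = @(Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object { $_.Name })
Report ([bool]($rdu | Where-Object { $_ -like "*\$TestUser" })) `
       "$TestUser is in the local Remote Desktop Users group"
```

Run it as an administrator on the Terminal Server after linking the GPO; any FAIL line points at the same misconfiguration the thread walks through.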

<lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 03 apr 2007

Okay, please forgive my have been very
helpful. So, they log onto the local domain account
first, then logon again to the TS? How do they do
that? Is there a desktop shortcut or start menu icon
to the session? Is there a way to have ONE login and
log just into the TS? I noticed in the configuration of
the TS OU, you can configure it to disable the Control
panel, network neighborhood, manage dialogue, search,
internet address, etc... If you configure these things
in the lockdown OU this disabling it locally or on the
TS session? This is very confusing. Thanks!

"Vera Noest [MVP]" wrote:

No, that's not how it works.
When users log on to their workstation, they use their
local workstation profile, which includes application
settings for those applications which are installed
locally. When they start a TS session and gain access
to the TS, they use their TS profile, which contains
settings for the application installed on the TS.
You cannot mix profiles or change profiles on the fly,
and you cannot access applications installed locally
from within a TS session (the only exception would be
a very simple application which doesn't install any
dll's and doesn't use the registry, but those are
getting very rare nowadays). But while users have an
active TS session, running a TS application, they can
minimize the whole session and start a locally
installed application simultaneously.

The only problem would be if these 2 types of
applications somehow need to communicate with each
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting:
___ please respond in newsgroup, NOT by private email

<lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 03 apr
2007 in

So there's a local profile and a TS profile. When
the user logs in, are they both available? Can I
somehow have the local one hidden, (all except for
the home directory) yet still have the user access
an application located locally? (ie: Most of the
apps will be run from the TS, but there are a few
apps that we have that won't run over TS. Can they
still access those from the local drive, while in a
TS session?) Thank you so much for your help.

"Vera Noest [MVP]" wrote:

About the TS:
yes, you must place it in a separate OU.
Then link your lockdown GPO to this OU.
Make sure that you configure "loopback processing"
in this GPO.

About your user accounts and policies: you can
leave them in the "Redirection" security group,
which redirects their "My Documents" folder (when
logged on to the clients) to a separate file