Re: Help with configuration
- From: "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 11 Apr 2007 11:32:15 -0700
Mmm, that's a bit unexpected.
The only explanation for "My Documents" being redirected on the TS as
well is that you have configured the "User Group Policy loopback
processing mode" with the "Merge" option (meaning that settings which
are undefined in the TS GPO are taken from the User GPO), is that
correct?
If so, then you don't have to redirect it again in the TS GPO.
But I always use the "Replace" option for the loopback setting in
the TS GPO, simply because it is easier to manage if all settings
are taken from the same GPO, and you don't have to check both.
But both scenarios will work, so it's mostly a matter of taste how
you set it up.
No need for a consultancy fee, Lavagirl, newsgroup help is free.
I'm glad I've been able to help you get started.
Maybe you'd like to come back here after a while and help other
people out!
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
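An added check script, not from Vera's reply or anyone in the thread, that verifies on the Terminal Server itself the three points discussed above: which loopback mode is actually in effect (Merge vs Replace), whether the TS computer account is covered by the GPO's security filtering, and whether the test user is in the *local* Remote Desktop Users group. It assumes PowerShell 5.1 with the RSAT GroupPolicy module, and uses "TS Lockdown" and "TSUSER" as placeholder names.

```powershell
# Added check script (not part of the original thread). Run elevated on the TS.
# Assumptions: PowerShell 5.1+, RSAT GroupPolicy module; $GpoName is a placeholder.
param(
    [string]$GpoName  = 'TS Lockdown',   # placeholder: your TS lockdown GPO name
    [string]$TestUser = 'TSUSER'         # the test account used in the thread
)

# 1. Loopback mode written by the applied GPO.
#    UserPolicyMode: 1 = Merge, 2 = Replace; value absent = loopback not configured.
$sysKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$mode = (Get-ItemProperty -Path $sysKey -Name UserPolicyMode `
            -ErrorAction SilentlyContinue).UserPolicyMode
switch ($mode) {
    1       { "Loopback: Merge   (settings undefined in the TS GPO come from the user GPO)" }
    2       { "Loopback: Replace (only the user settings of the TS GPO apply)" }
    default { "Loopback: NOT configured - user lockdown settings will not apply in TS sessions" }
}

# 2. Security filtering: the TS computer account (or Authenticated Users) needs Apply.
#    Note: membership via a nested security group is not resolved here.
$computerNames = @($env:COMPUTERNAME, "$env:COMPUTERNAME`$")
$applyTrustees = Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { $_.Trustee.Name }
$covered = ($applyTrustees -contains 'Authenticated Users') -or
           ($computerNames | Where-Object { $applyTrustees -contains $_ })
if ($covered) {
    "GPO '$GpoName' can apply to $env:COMPUTERNAME"
} else {
    "GPO '$GpoName' is NOT filtered to $env:COMPUTERNAME (Apply: $($applyTrustees -join ', '))"
}

# 3. The *local* Remote Desktop Users group, not the AD group of the same name.
$members = Get-LocalGroupMember -Group 'Remote Desktop Users' | ForEach-Object { $_.Name }
$pattern = '\\' + [regex]::Escape($TestUser) + '$'      # matches DOMAIN\TSUSER
if ($members -match $pattern) {
    "$TestUser is a member of the local Remote Desktop Users group"
} else {
    "$TestUser is NOT in the local Remote Desktop Users group; members: $($members -join ', ')"
}
```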
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 11 apr 2007 in
microsoft.public.windows.terminal_services:
Oops, let me clarify. Right now, I have a group policy for the
regular users to redirect their My Documents folder to a share
on the fileserver. The TS profile path and regular profile
paths are blank. I do not have the folder redirection
configured in the GPO on the TS, but it still defaults the My
Documents folder on both accounts to the share on the fileserver
(ie: they both show the same redirected folder). Is there any
reason why I need to go ahead and configure folder redirection
for the My Documents folder in the GPO, if it is already
redirecting by default? Should I redirect there also for the
other 3 folders shown to the local account?
Thank you so much, you have pretty much walked me through
setting up my TS! I should pay you a consulting fee!
"Vera Noest [MVP]" wrote:
OK, so your GPO is working now, good!
About your other questions:
1. If you leave both profile paths blank, then users will have
a local profile, both on their clients and on the TS.
Nothing wrong with that, but it will also mean that they have
different "My Documents" folders. Users will find it very
frustrating that they can't access documents which they created
in a TS session from their clients and vice versa. That's why I
suggested to redirect at least the "My Documents" folder on the
TS to the file server which already holds their "My Documents"
folder from the clients.
2. The keyword here is "almost"!
I would *strongly* suggest to create 2 separate GPOs and leave
the user accounts in their current "Users" OU. The settings in
the TS GPO and the normal users GPO might be very similar right
now, but they can easily diverge later on, when new demands come
up. Separating them later on will be much more disruptive than
starting with 2 separate GPOs right from the beginning.
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 10 apr 2007 in
microsoft.public.windows.terminal_services:
OK, my group policy is being applied now. I realized that I
did not have the option cleared on the RDP-tcp connection
Client properties tab for "Use connection settings from user
settings".
Once I cleared that, the GPO settings were applied.
Can I ask two more questions? (I thought about starting a
new post, but there was so much history here!)
1. If I do NOT specify a roaming profile path, do I still
need to enable folder redirection? (The profile path on the
domain account profile is blank, also). If so, do I need it
on the My Documents folder, since I am redirecting that to
another server with another group policy?
2. I want the students to have almost
the same restrictions on their local workstations as on the
TS. Should I do this by putting their user object into the TS
OU along with the TS computer, or should I create a new group
policy on a new OU?
Again, Vera, thanks so much for your help!
"Vera Noest [MVP]" wrote:
OK, it seems that you have come a long way in such a short
time, good work!
About your questions:
1. Pass-through authentication is not a feature of Windows
Terminal Services. You would need Citrix for that. But you
can minimize the logins to 2, and users can save their
credentials. Users should logon to the workstation using
their domain account and password. And they should use the
same domain account and password logging in to the TS. Do
*not* create local user accounts for them on the TS, that's
a waste of your time as well as a nuisance for your users.
It seems to me that you are using the new (Vista, version
6.0) rdp client, is that correct? It has some peculiarities
in the way it handles and stores usernames and passwords.
But once users logon with the correct username and password,
they can select "Remember my password", which effectively
takes away one logon. Be sure to read the information for
the rdp 6.0 client here:
Vista Remote Desktop Connection Authentication FAQ
http://blogs.msdn.com/ts/archive/2007/01/22/vista-remote-desktop-connection-authentication-faq.aspx
and here:
TS connection experience improvements based on RDP 6.0
client customer feedback
http://blogs.msdn.com/ts/archive/2007/03/28/ts-connection-experience-improvements-based-on-rdp-6-0-client-customer-feedback.aspx
2. Your GPO settings do not apply to your Terminal Server.
Have you checked in the security settings of the GPO that
the Terminal Server object is in the security list?
As you have noticed, you should *not* put the user accounts
in the Terminal Servers OU, because then user accounts will
always be locked down, also when they logon to the
workstations.
3. See answer 1. Use domain accounts.
4. This is a bit puzzling. It should be enough to add the
TSUSER account as a member of the Remote Desktop Users
group. Note that this is the *local* RDU group on the
Terminal Server, not the Remote Desktop Users group which
you can see in AD.
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 05 apr 2007 in
microsoft.public.windows.terminal_services:
Vera, you have been so helpful, I hope you don't mind me
asking a few more questions. I spent the day configuring
the terminal server, and it actually went pretty well! In
Active Directory, I created an OU called "Terminal
Services" and then created a GPO for it, with all of the
recommended lockdown settings (based on the articles you
mentioned). I moved the Terminal Server object into the
new OU. I created a testuser called "TSUSER" and made
sure he had "Allow login to Terminal Services" checked in
his profile. I also made him a member of the Remote
Desktop Users group, and made sure that this group had
access to use the TS. I only have the Office apps
installed on the server, so I put the icons for Word,
Excel and Powerpoint into the Desktop Folder under "All
Users" on the TS. Then, I logged into the TS as TSUSER,
and VOILA! There was my desktop with the 3 apps.
Here's the issues, though:
1. The student has 3 logons that he has to go through: 1)
to login to the domain/local workstation, 2) to give
credentials for RDP, and then 3) to logon to the TS! Is
there any way to do all these in one step (ie: pass
userid/password through)? The students have enough trouble
remembering their regular account password.
2. I set the Computer Configuration restrictions AND the
User Configuration restrictions in the GPO, and enabled
loopback processing, but when TSUSER logs in, the User
restrictions do not seem to be in effect (ie: Shutdown
still appears on the start menu). If I put TSUSER into
the lockdown OU also, those user restrictions take effect
on the local machine (domain account). (ie: if I minimize
the remote desktop session, the SHUTDOWN does not appear
on the Start menu, but it still appears on the TS
session). How do I apply them to the TS logon session?
3. When I log onto the TS, do I need log onto the local
machine, or to the domain? Do I need to create local
accounts for all of my domain users?
4. It did not work to just put TSUSER into the Remote
Desktop Users group. I had to give the group EVERYONE user
rights on the TS.
I think I'm almost there! Any help you can give on these
items would be so appreciated! Thank you...
"Vera Noest [MVP]" wrote:
OK, good luck, and feel free to post back here if you
have more questions!
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 04 apr 2007
in microsoft.public.windows.terminal_services:
Thank you so much for all the info. I am going to
configure/test starting tomorrow. I wanted to get a
good plan and make sure I understood before I even
touched the server. I will not be putting anything into
production for the students until I know it works. I
wish we could hire someone to help, but we are a small
school with little money, so I'm it! :-) Thank you so
much for all your help.
"Vera Noest [MVP]" wrote:
Yes, they logon to the workstation first.
From there, they start the Terminal Server session
with a small program called "Remote Desktop" (this is
also referred to as the rdp client). You can find that
on any XP workstation, under Start Menu - Applications
- Accessories - Communication (I think, I'm
translating from Swedish). But you wrote in your first
post that you had "installed RDP on the client
computers"? Assuming that you meant the rdp client,
that's the program you use to connect to the Terminal
Server.
And no, you cannot logon directly to the TS without
logging in to the workstation first. There is 3rd
party software (Citrix) which you install on top of
Terminal Services to enable you to use your cached
domain account credentials to automatically logon to
the TS once you have logged on to the workstation, but
it's quite expensive if this is the only feature you
need.
When you create a GPO, you link it to an OU. The
computer settings in the GPO are applied to the
objects in the OU. So if you link your lock-down GPO
to the OU which contains the Terminal Server, it
applies to the Terminal Server. If you link the same
GPO to the OU which contains your workstations, it
applies to your workstation. Note that by default, the
user settings are always taken from the GPO (if any)
which is linked to the OU which contains your user
accounts. That's why you have to use the "loopback
processing" options in your TS GPO.
Setting up a Terminal Server and locking it down
properly with GPOs is not a trivial task. I would
advise you to *not* take it into production before you
have tested everything thoroughly, not only with your
own Administrator account, but also with a test user
account. It could be a wise decision to hire some
external company to assist you in setting this up
properly.
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 03 apr
2007 in microsoft.public.windows.terminal_services:
Okay, please forgive my ignorance...you have been
very helpful. So, they log onto the local domain
account first, then logon again to the TS? How do
they do that? Is there a desktop shortcut or start
menu icon to the session? Is there a way to have
ONE login and log just into the TS? I noticed in the
configuration of the TS OU, you can configure it to
disable the Control panel, network neighborhood,
manage dialogue, search, internet address, etc...
If you configure these things in the lockdown OU
is this disabling it locally or on the TS session? This
is very confusing. Thanks!
"Vera Noest [MVP]" wrote:
No, that's not how it works.
When users log on to their workstation, they use
their local workstation profile, which includes
application settings for those applications which
are installed locally. When they start a TS session
and gain access to the TS, they use their TS
profile, which contains settings for the
applications installed on the TS. You cannot mix
profiles or change profiles on the fly,
and you cannot access applications installed
locally from within a TS session (the only
exception would be a very simple application which
doesn't install any dll's and doesn't use the
registry, but those are getting very rare
nowadays). But while users have an active TS
session, running a TS application, they can
minimize the whole session and start a locally
installed application simultaneously.
The only problem would be if these 2 types of
applications somehow need to communicate with each
other.
lavagirl <lavagirl@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote on 03
apr 2007 in microsoft.public.windows.terminal_services:
So there's a local profile and a TS profile.
When the user logs in, are they both available?
Can I somehow have the local one hidden, (all
except for the home directory) yet still have the
user access an application located locally? (ie:
Most of the apps will be run from the TS, but
there are a few apps that we have that won't run
over TS. Can they still access those from the
local drive, while in a TS session?) Thank you so
much for your help.
"Vera Noest [MVP]" wrote:
About the TS:
yes, you must place it in a separate OU.
Then link your lockdown GPO to this OU.
Make sure that you configure "loopback
processing" in this GPO.
About your user accounts and policies: you can
leave them in the "Redirection" security group,
which redirects their "My Documents" folder
(when logged on to the clients) to a separate
file server.