Re: GPO Settings
- From: "Vera Noest [MVP]" <vera.noest@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 24 Sep 2007 13:47:50 -0700
comments inline
"Bob" <86c6c2e6-2146512712@xxxxxxxxxxxxxx> wrote on 24 sep 2007 in
microsoft.public.windows.terminal_services:
Hi,
I've a few things I'd like to do with TS and I think the
following GPO's will help, but I'm not sure. Could someone
please confirm my thoughts?
EXISTING SETTINGS:
------------------------
In Computer Configuration, Administrative Templates, Windows
Components, Terminal Services:
Enabled - Restrict Terminal Services users to a single remote
session
Enabled - Set time limit for disconnected sessions (2
hours)
Enabled - Sets a time limit for active but idle Terminal
Services sessions (2 hours)
Enabled - Terminate session when time limits are reached
Not Configured - Limit number of connections
QUESTIONS:
------------------
"Keep-Alive Connections"
--------------------------
By enabling this, I think I will return to my prior session
after a disconnect and all my previously opened applications
will return as I left them before my disconnect. There is the
"Keep-alive interval" setting, but I don't understand its
description. I would think this is used to set how long my
session is kept alive after a disconnect, but the description
indicates how often my session is checked? Anyway, if I set
this for "10", does this mean that I have 10 minutes to
re-establish my connection before my work is lost?
KeepAlive does what the description says, it puts a heartbeat on
the connection to detect if the connection is still alive. Without
this mechanism, a session may not transition to a disconnected
state and may remain active even though the client is physically
disconnected from the Terminal Server. And that would mean that you
cannot reconnect to the session, because the server thinks that it
is still an active session.
If your session disconnects because of a network problem, and the
server detects this in time because of the KeepAlive mechanism,
the session will exist on the server for the time specified in the
setting "Set time limit for disconnected sessions (2 hours)". When
you connect to the server again, you will be reconnected to the
disconnected session.
"Set path for TS Roaming Profiles"
----------------------------------
I have roaming user profiles set for my local domain environment
and when these same users connect via TS, they create a local
profile on the server at "C:\Documents and Settings". This in
turn can fill my C-Drive up with a lot of local profiles. I use
the DelProf.exe every 30-days to clear these out.
Can I use the "Set path for TS Roaming Profiles" to place these
profiles on a different partition? And if so, will DelProf.exe
find them in the future?
Yes, by all means!
Note that this will still create a local copy of the roaming
profile in C:\Documents and Settings. But you can use this GPO
setting to get rid of them again:
Computer Configuration - Administrative Templates - System - User
profiles
"Delete cached copies of roaming profiles"
so your server will never store more cached profiles than the
number of concurrent users connecting to it.
I've never used delprof, but as I understand it, it does more or
less the same as the GPO setting mentioned above.
Using a roaming profile can (but doesn't have to) cause slightly
longer logon times, because the centrally stored profile on the
file server has to be copied to the locally cached profile on the
Terminal Server. You can and should therefore minimize the size of
the profile by using Folder redirection settings in the GPO. At the
minimum, redirect the My Documents folder to the user's home
directory.
Also, I don't understand what a "Home Directory" is and
therefore I don't understand how "TS User Home Directory" may
help here. I'm thinking a "Home Directory" is a legacy to NT
and it doesn't apply to my 2003 server and XP clients?
The TS home directory is the folder in which the \windows subfolder
is created. In this \windows subfolder, user-specific settings are
stored (like ini files), which would reside in %systemroot% on a
workstation.
Using Home Directories with Terminal Server
http://technet2.microsoft.com/windowsserver/en/library/a60adb56-7f30-4984-a062-7e43143852111033.mspx
246132 - User Profile and Home Directory Behavior with Terminal
Services
http://support.microsoft.com/?kbid=246132
Security:
--------
Not a GPO question, but one about access. I now have VPN access
to my environment, but the users have a tough time setting it up
on their home computers. What risks do I run if I open port
3389 on my router and direct it to my TS server (which is
everything else too - DC, Exchange, etc). (I believe by opening
this port, the VPN Client Access software on the remote
computers is no longer necessary).
Don't do this!
That would mean that there's only a single password between your
domain, mailserver, and TS and the rest of the world.
Even if you enforce strong passwords on all of your users, I would
*not* recommend it.
Running TS on a DC is not recommended either, for both security and
performance reasons, but is sometimes the only way in a very small
business.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
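
An audit of the policy values this thread discusses, as an added example that is not part of the original post. It reads the registry values these Administrative Templates settings are stored under and compares them with the configuration described above (2-hour limits, keep-alive on, cached profiles deleted); it only reads, never writes.

```powershell
# Added example: read-only audit of the Terminal Services policies from this thread.
# Expected values come from the thread; time limits are stored in milliseconds,
# the keep-alive interval in minutes.
$ts  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$sys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$twoHoursMs = 2 * 60 * 60 * 1000

$checks = @(
    @{ Path = $ts;  Name = 'fSingleSessionPerUser'; Expected = 1;           Setting = 'Restrict users to a single remote session' }
    @{ Path = $ts;  Name = 'MaxDisconnectionTime';  Expected = $twoHoursMs; Setting = 'Time limit for disconnected sessions' }
    @{ Path = $ts;  Name = 'MaxIdleTime';           Expected = $twoHoursMs; Setting = 'Time limit for active but idle sessions' }
    @{ Path = $ts;  Name = 'fResetBroken';          Expected = 1;           Setting = 'Terminate session when time limits are reached' }
    @{ Path = $ts;  Name = 'KeepAliveEnable';       Expected = 1;           Setting = 'Keep-Alive Connections' }
    @{ Path = $ts;  Name = 'KeepAliveInterval';     Expected = $null;       Setting = 'Keep-alive interval (minutes)' }
    @{ Path = $sys; Name = 'DeleteRoamingCache';    Expected = 1;           Setting = 'Delete cached copies of roaming profiles' }
)

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent, i.e. the policy is Not Configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$results = foreach ($c in $checks) {
    $actual = Get-PolicyValue -Path $c.Path -Name $c.Name
    if     ($null -eq $actual)          { $status = 'NOT CONFIGURED' }
    elseif ($null -eq $c.Expected)      { $status = 'INFO' }
    elseif ($actual -eq $c.Expected)    { $status = 'OK' }
    else                                { $status = 'MISMATCH' }
    [pscustomobject]@{
        Setting  = $c.Setting
        Value    = $c.Name
        Actual   = $actual
        Expected = $c.Expected
        Status   = $status
    }
}

$results | Format-Table -AutoSize

# Without keep-alive a dropped client can leave the session "active", so the
# disconnected-session limit never starts and the user cannot reconnect to it.
$keepAlive = $results | Where-Object { $_.Value -eq 'KeepAliveEnable' }
if ($keepAlive.Status -ne 'OK') {
    Write-Warning 'Keep-alive is not enforced by policy; broken connections may not be detected.'
}
```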