Terminal Services Group Policy in Server 2003
Terminal Services can be tricky to control, fortunately Windows Server 2003 has a comprehensive selection of policies. My aim is to help you get the fastest, most stable Terminal Server for your users. Actually, I find that the two most useful policies are in the first (Root) folder and the last section, ‘Sessions’.
* Guy’s Top Five Terminal Services Group Policies
- Automatic reconnect
- Remove disconnect option from Shut down
- Secure Server (Require Security)
- Time limit for disconnected sessions
- Set time limit for active but idle…
- See Remote Desktop Group Policies
‡
Terminal Services – Group Policy (Root)
We start with two Group Policies to aid the users. ‘Keep-Alive connections’ and * ‘Automatic reconnect‘. These are just the sort of policies that will improve the users’ experience of terminal service.
Now we come to policies to stop the users from getting into mischief. I thoroughly recommend * ‘Remove disconnect option from Shut down‘, this encourages users to logoff properly. What you don’t want is for people to merely disconnect from the terminal server, because that just wastes resources keeping an unnecessary connection alive.
I am less keen on ‘Remove Windows Security from the start menu’. The idea is to stop users logging off, but unless this was a ‘Kiosk’ machine I would find it irritating to remember the Ctr Alt, Del sequence every time that I wanted to finish a terminal services session.
Finally in this section, you have important decisions on how you to configure the home directory and roaming profile path. Bear in mind that these are additional folders for terminal server sessions, and not the regular Windows Server 2003 home directory path.
Guy Recommends: Permissions Analyzer – Free Active Directory Tool
I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource. Give this permissions monitor a try – it’s free!
Download Permissions Analyser – Free Active Directory Tool
Terminal Services Sub-folder Policies
- Terminal Services (Root)
- Client Server data redirect
- Encryption and Security
- Licensing
- Temporary Folders
- Session Directory
- Sessions Group Policies for Terminal Services
- Terminal Services Overview
Client Server Data Redirect
Remember with Microsoft terminal server, programs behave as though the client was logged on locally at the server. However, by default the client can redirect certain resources to the machine where they are physically sitting for example, Printer, COM ports and Drive Letters.
So your choice is to continue allowing clients to use local resources or disable redirecting of printers and drive letters to their machines. Before you make your Group Policy decision, check the logic. Disabling, ‘Do not allow printer redirection’ means that users CAN continue to redirect their print jobs to a local printer.
Encryption and Security
Enabling ‘Always prompt client for password’ will boost your security. The rest of the policies in this folder are only needed for high security networks where you wish to encrypt the data.
The RPC Group Policy subfolder is to secure connections when terminal services is used in Administrative mode, so * ‘Secure Server (Require Security)’ is worth setting where administrators dial-in to the Windows Server 2003 network.
Licensing
The idea here is to conserve Microsoft licences by saying, ‘Only those computer in a group called Terminal Services Computers, are allowed to connect’.
Temporary Folders
These settings use Group Policy to help to conserve disk space and protect the security of the temp folders.
Session Directory
Perhaps one day we will all be running terminal services in a cluster. If that day has already arrived for you, then you need to configure these settings, for the rest of us, we can ignore the policies in this folder.
Sessions Group Policies for Terminal Services
Last, but not least, are policies to control the time limits for the users’ connections. * ‘Time limit for disconnected sessions’, this must be worth setting because all those disconnected session soon eat up precious RAM and disk space.
Following the same logic of conserving resources, I would also set an Idle timeout. * ‘Set time limit for active but idle…‘ Let’s face it, user can easily reconnect when they return to their machines.
Note 1: Updated Terminal Services Group Policies added here (Recommended)
Note 2: If you need more information on Terminal Services itself, here is an Overview
Summary of Terminal Server Group Policy in Windows 2003
Many of the Terminal Services Group Policy settings are found under the Computer Configuration. Although there are also settings under the User Configuration section, my advice is just use the Computer Configuration Group Polices for Terminal Services.
Download my ‘Master Group Policies’ ebook only $6.25
The extra features you get in your eBook include: Spreadsheet with over 850 policies. Printer friendly version over Word A4 pages in Word.
See more Computer Group Policies
•Troubleshooting Group Policies • Software Installation • Terminal Services Group Policy Settings
• Group Policies • Windows Components • Windows Settings •Computer Network Policies
• Computer Printer Policies • Computer Administrative Templates •Computer System Policies
If you like this page then please share it with your friends