Terminal Services Group Policy in Server 2003
Terminal Services can be tricky to control, fortunately Windows Server 2003 has a comprehensive selection of policies. My aim is to help you get the fastest, most stable Terminal Server for your users. Actually, I find that the two most useful policies are in the first (Root) folder and the last section, ‘Sessions’.
* Guy’s Top Five Terminal Services Group Policies
- Automatic reconnect
- Remove disconnect option from Shut down
- Secure Server (Require Security)
- Time limit for disconnected sessions
- Set time limit for active but idle…
- See Remote Desktop Group Policies
We start with two Group Policies to aid the users. ‘Keep-Alive connections’ and * ‘Automatic reconnect‘. These are just the sort of policies that will improve the users’ experience of terminal service.
Now we come to policies to stop the users from getting into mischief. I thoroughly recommend * ‘Remove disconnect option from Shut down‘, this encourages users to logoff properly. What you don’t want is for people to merely disconnect from the terminal server, because that just wastes resources keeping an unnecessary connection alive.
I am less keen on ‘Remove Windows Security from the start menu’. The idea is to stop users logging off, but unless this was a ‘Kiosk’ machine I would find it irritating to remember the Ctr Alt, Del sequence every time that I wanted to finish a terminal services session.
Finally in this section, you have important decisions on how you to configure the home directory and roaming profile path. Bear in mind that these are additional folders for terminal server sessions, and not the regular Windows Server 2003 home directory path.
I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT. When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource. Give this permissions monitor a try – it’s free!
Terminal Services Sub-folder Policies
- Terminal Services (Root)
- Client Server data redirect
- Encryption and Security
- Temporary Folders
- Session Directory
- Sessions Group Policies for Terminal Services
- Terminal Services Overview
Remember with Microsoft terminal server, programs behave as though the client was logged on locally at the server. However, by default the client can redirect certain resources to the machine where they are physically sitting for example, Printer, COM ports and Drive Letters.
So your choice is to continue allowing clients to use local resources or disable redirecting of printers and drive letters to their machines. Before you make your Group Policy decision, check the logic. Disabling, ‘Do not allow printer redirection’ means that users CAN continue to redirect their print jobs to a local printer.
Enabling ‘Always prompt client for password’ will boost your security. The rest of the policies in this folder are only needed for high security networks where you wish to encrypt the data.
The RPC Group Policy subfolder is to secure connections when terminal services is used in Administrative mode, so * ‘Secure Server (Require Security)’ is worth setting where administrators dial-in to the Windows Server 2003 network.
The idea here is to conserve Microsoft licences by saying, ‘Only those computer in a group called Terminal Services Computers, are allowed to connect’.
These settings use Group Policy to help to conserve disk space and protect the security of the temp folders.
Perhaps one day we will all be running terminal services in a cluster. If that day has already arrived for you, then you need to configure these settings, for the rest of us, we can ignore the policies in this folder.
Last, but not least, are policies to control the time limits for the users’ connections. * ‘Time limit for disconnected sessions’, this must be worth setting because all those disconnected session soon eat up precious RAM and disk space.
Following the same logic of conserving resources, I would also set an Idle timeout. * ‘Set time limit for active but idle…‘ Let’s face it, user can easily reconnect when they return to their machines.
Note 2: If you need more information on Terminal Services itself, here is an Overview
Summary of Terminal Server Group Policy in Windows 2003
Many of the Terminal Services Group Policy settings are found under the Computer Configuration. Although there are also settings under the User Configuration section, my advice is just use the Computer Configuration Group Polices for Terminal Services.
See more Computer Group Policies
If you like this page then please share it with your friends