Computer Group Policy – Terminal Services

Terminal Services Group Policy in Server 2003

Terminal Services can be tricky to control, fortunately Windows Server 2003 has a comprehensive selection of policies.  My aim is to help you get the fastest, most stable Terminal Server for your users.  Actually, I find that the two most useful policies are in the first (Root) folder and the last section, ‘Sessions’.

* Guy’s Top Five Terminal Services Group Policies


Terminal Services – Group Policy (Root)Group Policy Terminal Services Windows Server 2003

We start with two Group Policies to aid the users.  ‘Keep-Alive connections’ and * ‘Automatic reconnect‘.  These are just the sort of policies that will improve the users’ experience of terminal service.

Now we come to policies to stop the users from getting into mischief.  I thoroughly recommend * ‘Remove disconnect option from Shut down‘, this encourages users to logoff properly.  What you don’t want is for people to merely disconnect from the terminal server, because that just wastes resources keeping an unnecessary connection alive.

I am less keen on ‘Remove Windows Security from the start menu’.  The idea is to stop users logging off, but unless this was a ‘Kiosk’ machine I would find it irritating to remember the Ctr Alt, Del sequence every time  that I wanted to finish a terminal services session.

Finally in this section, you have important decisions on how you to configure the home directory and roaming profile path.  Bear in mind that these are additional folders for terminal server sessions, and not the regular Windows Server 2003 home directory path.

Guy Recommends: Permissions Analyzer – Free Active Directory ToolFree Permissions Analyzer for Active Directory

I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource.  Give this permissions monitor a try – it’s free!

Download Permissions Analyser – Free Active Directory Tool

Terminal Services Sub-folder Policies

Client Server Data Redirect

Remember with Microsoft terminal server, programs behave as though the client was logged on locally at the server.  However, by default the client can redirect certain resources to the machine where they are physically sitting for example, Printer, COM ports and Drive Letters.

So your choice is to continue allowing clients to use local resources or disable redirecting of printers and drive letters to their machines.  Before you make your Group Policy decision, check the logic.  Disabling, ‘Do not allow printer redirection’ means that users CAN continue to redirect their print jobs to a local printer.

Encryption and Security

Enabling ‘Always prompt client for password’ will boost your security.  The rest of the policies in this folder are only needed for high security networks where you wish to encrypt the data.

The RPC Group Policy subfolder is to secure connections when terminal services is used in Administrative mode, so * ‘Secure Server (Require Security)’ is worth setting where administrators dial-in to the Windows Server 2003 network.


The idea here is to conserve Microsoft licences by saying,  ‘Only those computer in a group called Terminal Services Computers, are allowed to connect’.

Temporary Folders

These settings use Group Policy to help to conserve disk space and protect the security of the temp folders.

Session Directory

Perhaps one day we will all be running terminal services in a cluster.  If that day has already arrived for you, then you need to configure these settings, for the rest of us, we can ignore the policies in this folder.

Sessions Group Policies for Terminal Services

Last, but not least, are policies to control the time limits for the users’ connections.  * ‘Time limit for disconnected sessions’, this must be worth setting because all those disconnected session soon eat up precious RAM and disk space.

Following the same logic of conserving resources, I would also set an Idle timeout.  * ‘Set time limit for active but idle…‘  Let’s face it, user can easily reconnect when they return to their machines.

Note 1: Updated Terminal Services Group Policies added here (Recommended)

Note 2: If you need more information on Terminal Services itself, here is an Overview

Summary of Terminal Server Group Policy in Windows 2003

Many of the Terminal Services Group Policy settings are found under the Computer Configuration.  Although there are also settings under the User Configuration section, my advice is just use the Computer Configuration Group Polices for Terminal Services.

Group Policy ebook Windows 2003Download my ‘Master Group Policies’ ebook only $6.25

The extra features you get in your eBook include: Spreadsheet with over 850 policies.  Printer friendly version over Word A4 pages in Word.

See more Computer Group Policies

Troubleshooting Group Policies   • Software Installation   • Terminal Services Group Policy Settings

Group Policies  • Windows Components  • Windows Settings   •Computer Network Policies

Computer Printer Policies   • Computer Administrative Templates   •Computer System Policies

If you like this page then please share it with your friends