Terminal Services Group Policy Settings

Introduction to Terminal Services – Group Policies

If you intend to be serious about Microsoft’s Terminal Services then invest time to configure Group Policies.  In fact, choosing your Terminal Server settings will be both fun and a labour of love.  Perhaps you already use Windows Server 2003’s Group Policy to control the XP experience?  If so, then configuring the remote desktop will follow on naturally.

Topics for Terminal Services Group Policies

Getting Started with GPMC
Guy’s 5 Terminal Service Group Policy Best Practices
\(Root) – 15 PoliciesTerminal Services Group Policy Settings
\Client Server Data Redirection
\Encryption and Security
\Licensing
\Temporary Folders
\Client
\Session Directory
\Sessions

Getting Started with GPMC

Assumption: that you have Windows Server 2003 and have downloaded the marvellous Group Policy Management Console (GPMC) from Microsoft’s site.

Most of the Terminal Services Group Policies are found under the Computer Configuration.  Whilst some settings are also available under User Configuration, my first piece of advice is just use the Computer Configuration Group Polices for Terminal Services.  My reasoning is keep it simple, and keep all the settings in one place.

Many of these Group Policies can also be controlled via the Terminal Services Configuration Snap-in, a classic case of Microsoft providing two (three) ways of doing everything.  So, my suggestion is to have both the GPMC and the Terminal Services Configuration menus available.

Guy’s 5 Terminal Service Group Policy Best Practices

About half of the Group Policies are only needed for special situations, such as Microsoft clustering or running Remote Desktop from PDAs.  I have indicated where settings would not be needed if you have a standard configuration of Terminal Services.  However, I have selected 5 Group Policies which you should consider for any Windows Server 2003 configuration.

Guy Recommends:  A Free Trial of the Network Performance Monitor (NPM)Review of Orion NPM v12 v12

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network.  This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

Perhaps the NPM’s best feature is the way it suggests solutions to network problems.  Its second best feature is the ability to monitor the health of individual VMware virtual machines.  If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.

Download your free trial of SolarWinds Network Performance Monitor.

Assumption:

You have access to the Windows 2003 Server, and you have opened the GPMC (Group Policy Management Console).  From there you edit the Group Policy.  See screen shot above showing Terminal Services Group Policy.

\(Root) – 15 Policies

Keep Alive Connections Specifies whether persistent connections are allowed. By default, keep-alive connections are disabled. The idea is to ensure that the session state on the server is consistent with the client state.
Automatic Reconnection By default, the Terminal Server tries twenty reconnections at five second intervals.  This setting is also available at the Experience tab in Remote Desktop Connection. Users can choose ‘Reconnect if connection is dropped’.
Restrict Terminal Services users to a single remote session This GPO setting is nailed down by default.  It is a good idea to keep it not configured, in which case the default on the Terminal Server takes over.  You need a really good reason to Disable this setting.
Enforce Removal of Remote Desktop Wallpaper Useful for slow connections.
Deny log off of an administrator logged in to the console session There is a concept of session 0.  If one administrator has control of the terminal server console they may not want another server to log them off session 0.  Tentatively suggest enable.  Make sure you check the double negative logic
Limit number of connections Self evident group policy.
Limit maximum color depth Only useful for slow connections or primitive devices.
Allow users to connect remotely using Terminal Services I suggest that this is a maintenance setting to stop users logging on during a time when you are servicing the terminal server.
Do not allow local administrators to customize permissions Guy says you don’t need this policy.  Control permissions with Remote Desktop Users Group.
Remove Windows Security item from Start menu and Policy to make it difficult for users to end a remote desktop session.  Settings for a kiosk.
Remove Disconnect option from Shut Down dialog Makes it difficult for users to end a remote desktop session.  Useful for an internet cafe?
Always show Desktop on Connection Group Policy to prevent people choosing other programs running.  Guy cannot see much call for this setting.
Set path for TS Roaming Profiles * Type the UNC path to the network share in the form \\Computername\Sharename. Note, no need to specify %username% for the user alias, because Terminal Services automatically appends this at logon.
TS User Home Directory Type the UNC path to the network share in the form \\Computername\Sharename. Note, no need to specify %username% for the user alias, because Terminal Services automatically appends this at logon.
Start a Program on Connection Optional.  See also Windows 8 Group Policy Preferences.

Guy Recommends: Permissions Analyzer – Free Active Directory ToolFree Permissions Analyzer for Active Directory

I like thePermissions Monitor because it enables me to see quickly WHO has permissions to do WHAT.  When you launch this tool it analyzes a users effective NTFS permissions for a specific file or folder, takes into account network share access, then displays the results in a nifty desktop dashboard!

Think of all the frustration that this free utility saves when you are troubleshooting authorization problems for users access to a resource.  Give this permissions monitor a try – it’s free!

Download Permissions Analyser – Free Active Directory Tool

\Client Server Data Redirection  – 10 Terminal Services Group Policy Settings

Allow Time Zone Redirection By default the session take’s its time from the server.  You can alter the behaviour to display local time on the remote desktop.
Do not allow clipboard redirection The default is copy and paste between session and local applications is allowed.
Do not allow smart card device redirection Normally smart cards are detected on connection.
Allow audio redirection Users can use the "Remote computer sound" option on the Local Resources tab of Remote Desktop Connection to choose whether to play the server’s sound on the remote computer or on the local computer
Do not allow COM port redirection Can also be controlled by the Terminal Services Configuration menu.
Do not allow client printer redirection Normally, you would want clients to be able to redirect jobs to a local printer.
Do not allow LPT port redirection Similar Group Policy setting to the printer settings above.
Do not allow drive redirection Normally drives are mapped when the initial session is connected.
Do not set default client printer to be default printer in a session Suppose a client already has a default printer.  When the terminal server session is created, the normal behavior is to retain this default printer.
Terminal Server Fallback printer driver behavior* If there is no matching printer driver on the client, then Terminal Services finds then nearest match.  Good idea.
See also Windows 8 Remote Desktop Group Policies.

\Encryption and Security – 3 Terminal Services Group Policies

Secure Server (Require Security) This is a Group Policy for RPC authentication. If you enable then make sure the Terminal Services clients are capable of secure RPC communication.
Always prompt client for password upon connection Enabling this setting means that users cannot tick the remember my password box.  A classic of the more security have the more work there is.  If enabled, could annoy users.
Set client connection encryption level If you enable this setting, choose client compatible.

\Licensing – 2 Policies

License Server Security Group* You need to enable this setting to control which computers can contact the Terminal Service Licensing server.  (SP1 cures a bug which prevents the very licensing server from obtaining a license)
Prevent License Upgrade You need to investigate this Terminal Services group policy setting only if you have both Windows 2000 and Windows Server 2003 Terminal services.

\Temporary Folders – 2 Policies

Do not use temp folders per session If you enable this GPO, Terminal Server heaps all the users temporary files in one directory.  Guy says specialist use only.
Do not delete temp folder upon exit Enabling this group policy may give slightly better performance the next time a user reconnects.  I would not be in a hurry to enable this setting.

\Client – 1 Policies

Do not allow passwords to be saved Enabling this setting would be considered high security, but balance security with annoying the users.  Not a policy for me.

\Session Directory – 4 Policies for Clusters of Terminal Server Farms

Terminal Server IP Address Redirection Microsoft’s Cluster settings
Join Session Directory Policy for Cluster settings
Session Directory Server More Cluster settings
Session Directory Cluster Name Cluster settings

\Sessions – 5 Settings for Terminal Services Group Policies

Set time limit for disconnected sessions* This setting overcomes the problem of users disconnecting without logging off from their terminal server session.
Sets a time limit for active Terminal Services sessions Not often needed.  Why would you want to stop them working!
Sets a time limit for active but idle Terminal Services sessions* Worth setting.  The only decision is how long is a reasonable idle time-out 20 mins?  1 Hour, you decide.
Allow reconnection from original client only If the status is set to Enabled, users can reconnect to disconnected sessions only from the original client computer. If a user attempts to connect to the disconnected session from another computer, a new session is created instead.
Terminate session when time limits are reached This Group Policy controls whether you are disconnecting or deleting remote desktop sessions that reach their time limits.

Summary of Terminal Services Group Policies

Most of the Terminal Services Group Policy settings are found under the Computer Configuration.  Whilst some settings are also available under User Configuration, my advice is just use the Computer Configuration Group Polices for Terminal Services.  My reasoning is keep it simple, and keep all the settings in one place.

Many of these GPOs can also be controlled via the Terminal Services Configuration Snap-in, a classic case of Microsoft providing three ways of configuring.


See more Computer Group Policies

Troubleshooting Group Policies   • Software Installation   • Terminal Services Group Policy Settings

Group Policies  • Windows Components  • Windows Settings   •Computer Network Policies

Computer Printer Policies   • Computer Administrative Templates   •Computer System Policies

If you like this page then please share it with your friends