Terminal Services can be tricky to control, fortunately Windows Server
2003 has a comprehensive
selection of
policies. My aim is to help you get the fastest, most stable Terminal
Server for your users.
Actually, I find that the two most useful policies are in the first (Root)
folder and the last section,
'Sessions'.
We start with two Group Policies to aid the users.
'Keep-Alive connections' and * 'Automatic reconnect'.
These are just the sort of policies that will improve the users' experience of terminal service.
Now we come to policies to stop the users from getting into mischief. I
thoroughly recommend * 'Remove
disconnect option from Shut down', this encourages users to logoff
properly. What you don't want is for people to merely disconnect from
the terminal server, because that just wastes resources keeping an unnecessary connection alive.
I am less keen on 'Remove Windows Security from the start menu'.
The idea is to stop users logging off, but unless this was a 'Kiosk' machine I would find it irritating to
remember the Ctr Alt, Del sequence every time that I wanted to finish a terminal
services session.
Finally in this section, you have important decisions on how you to configure the
home directory and roaming profile path. Bear in mind that these are
additional folders for terminal server sessions, and not the regular Windows Server 2003 home
directory path.
Guy
Recommends: Permissions Analyzer - Free Active Directory Tool
I like the
Permissions Monitor because it enables me to see quickly WHO has permissions
to do WHAT. When you launch this tool it analyzes a users effective NTFS
permissions for a specific file or folder, takes into account network share
access, then displays the results in a nifty desktop dashboard!
Think of all the frustration that this free utility saves when you are
troubleshooting authorization problems for users access to a resource.
Give this permissions monitor a try - it's free!
Remember with Microsoft terminal server, programs behave as though the client was
logged on locally at the server. However, by default the client can
redirect certain resources to the machine where they are physically sitting
for example,
Printer, COM ports and Drive Letters.
So your choice is to continue allowing clients to use local resources
or disable redirecting of printers and drive letters to their
machines. Before you make your Group Policy decision, check the logic.
Disabling, 'Do not allow printer redirection' means that users CAN continue
to redirect their print jobs to a local printer.
Enabling 'Always prompt client for password' will boost your security.
The rest of the policies in this folder are only needed for high security networks where
you wish to encrypt the data.
The RPC Group Policy subfolder is to secure connections when terminal services is used
in Administrative mode, so
* 'Secure Server (Require Security)' is worth setting where
administrators dial-in to the Windows Server 2003 network.
The idea here is to conserve Microsoft licences by saying, 'Only those computer in
a
group called Terminal Services Computers, are allowed to connect'.
Perhaps one day we will all be running terminal services in a cluster.
If that day has already arrived for you, then you need to configure these
settings, for the rest of us, we can ignore the policies in this folder.
Last, but not least, are policies to control the time limits for the
users'
connections.
* 'Time limit for disconnected sessions', this must be worth setting
because all those disconnected session soon eat up precious RAM and disk space.
Following the same logic of conserving resources, I would also set an Idle
timeout. * 'Set time
limit for active but idle...' Let's face it, user can
easily reconnect when they return to their machines.
Summary of Terminal Server Group Policy in Windows 2003
Many of the Terminal Services Group Policy settings are found under the Computer Configuration.
Although there are also settings under the User Configuration section, my
advice is just use the Computer Configuration Group Polices for Terminal
Services.
Guy Recommends:
SolarWinds' NPM - Network Performance Monitor
SolarWinds' performance monitor is designed for detecting network outages,
making it easy to see what's working, and what needs your attention.
This utility guides you through creating network maps; it also helps
identifying whether the
root cause is faulty equipment, or resource overload. Give NPM a try.
