Windows Server 2003 - Terminal Services Group Policies
Guy Recommends
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
\(Root) - 15 Policies |
|
| Keep Alive Connections | Specifies whether persistent connections are allowed. By default, keep-alive connections are disabled. The idea is to ensure that the session state on the server is consistent with the client state. |
| Automatic Reconnection | By default, the Terminal Server tries twenty reconnections at five second intervals. This setting is also available at the Experience tab in Remote Desktop Connection. Users can choose 'Reconnect if connection is dropped'. |
| Restrict Terminal Services users to a single remote session | This setting is nailed down by default. It is a good idea to keep it not configured, in which case the default on the Terminal Server takes over. You need a really good reason to Disable this setting. |
| Enforce Removal of Remote Desktop Wallpaper | Useful for slow connections. |
| Deny log off of an administrator logged in to the console session | There is a concept of session 0. If one administrator has control of the terminal server console they may not want another server to log them off session 0. Tentatively suggest enable. Make sure you check the double negative logic |
| Limit number of connections | Self evident group policy. |
| Limit maximum color depth | Only useful for slow connections or primitive devices. |
| Allow users to connect remotely using Terminal Services | I suggest that this is a maintenance setting to stop users logging on during a time when you are servicing the terminal server. |
| Do not allow local administrators to customize permissions | Guy says you don't need this policy. Control permissions with Remote Desktop Users Group. |
| Remove Windows Security item from Start menu and | Policy to make it difficult for users to end a remote desktop session. Settings for a kiosk. |
| Remove Disconnect option from Shut Down dialog | Makes it difficult for users to end a remote desktop session. Useful for an internet café? |
| Always show Desktop on Connection | Group Policy to prevent people choosing other programs running. Guy cannot see much call for this setting. |
| Set path for TS Roaming Profiles * | Type the UNC path to the network share in the form \\Computername\Sharename. Note, no need to specify %username% for the user alias, because Terminal Services automatically appends this at logon. |
| TS User Home Directory | Type the UNC path to the network share in the form \\Computername\Sharename. Note, no need to specify %username% for the user alias, because Terminal Services automatically appends this at logon. |
| Start a Program on Connection | Optional |
\Client Server Data Redirection - 10 Policies |
|
| Allow Time Zone Redirection | By default the session take's its time from the server. You can alter the behaviour to display local time on the remote desktop. |
| Do not allow clipboard redirection | The default is copy and paste between session and local applications is allowed. |
| Do not allow smart card device redirection | Normally smart cards are detected on connection. |
| Allow audio redirection | Users can use the "Remote computer sound" option on the Local Resources tab of Remote Desktop Connection to choose whether to play the server's sound on the remote computer or on the local computer |
| Do not allow COM port redirection | Can also be controlled by the Terminal Services Configuration menu. |
| Do not allow client printer redirection | Normally, you would want clients to be able to redirect jobs to a local printer. |
| Do not allow LPT port redirection | Similar Group Policy to the printer settings above. |
| Do not allow drive redirection | Normally drives are mapped when the initial session is connected. |
| Do not set default client printer to be default printer in a session | Suppose a client already has a default printer. When the terminal server session is created, the normal behavior is to retain this default printer. |
| Terminal Server Fallback printer driver behavior* | If there is no matching printer driver on the client, then Terminal Services finds then nearest match. Good idea. |
|
- \Encryption and Security - 3 Policies |
|
| Secure Server (Require Security) | This is a Group Policy for RPC authentication. If you enable then make sure the Terminal Services clients are capable of secure RPC communication. |
| Always prompt client for password upon connection | Enabling this setting means that users cannot tick the remember my password box. A classic of the more security have the more work there is. If enabled, could annoy users. |
| Set client connection encryption level | If you enable this setting, choose client compatible. |
\Licensing - 2 Policies |
|
| License Server Security Group* | You need to enable this setting to control which computers can contact the Terminal Service Licensing server. (SP1 cures a bug which prevents the very licensing server from obtaining a license) |
| Prevent License Upgrade | You need to investigate this setting only if you have both Windows 2000 and Windows Server 2003 Terminal services. |
\Temporary Folders - 2 Policies |
|
| Do not use temp folders per session | If you enable this, Terminal Server heaps all the users temporary files in one directory. Guy says specialist use only. |
| Do not delete temp folder upon exit | Enabling this setting may give slightly better performance the next time a user reconnects. I would not be in a hurry to enable this setting. |
\Client - 1 Policies |
|
| Do not allow passwords to be saved | Enabling this would be considered high security, but balance security with annoying the users. Not a policy for me. |
\Session Directory - 4 Policies for Clusters of Terminal Server Farms |
|
| Terminal Server IP Address Redirection | Microsoft's Cluster settings |
| Join Session Directory | Policy for Cluster settings |
| Session Directory Server | More Cluster settings |
| Session Directory Cluster Name | Cluster settings |
\Sessions - 5 Policies |
|
| Set time limit for disconnected sessions* | This setting overcomes the problem of users disconnecting without logging off from their terminal server session. |
| Sets a time limit for active Terminal Services sessions | Not often needed. Why would you want to stop them working! |
| Sets a time limit for active but idle Terminal Services sessions* | Worth setting. The only decision is how long is a reasonable idle time-out 20 mins? 1 Hour, you decide. |
| Allow reconnection from original client only | If the status is set to Enabled, users can reconnect to disconnected sessions only from the original client computer. If a user attempts to connect to the disconnected session from another computer, a new session is created instead. |
| Terminate session when time limits are reached | This Group Policy controls whether you are disconnecting or deleting remote desktop sessions that reach their time limits. |
Learn more about Terminal Services and VPN. As an MCT trainer, I can thoroughly recommend TrainSignal
because they provide practical hands on training. In particular, I like the way TrainSignal cover all learning methods, instructor lead, video and of course text
material. With TrainSignal you can either take one module, for example Terminal Services and VPN or go for a combination of modules.
See more about Terminal Services
and VPN here
Summary of Terminal Services Group Policies
Most of the Terminal Services Group Policies are found under the Computer Configuration. Whilst some settings are also available under User Configuration, my advice is just use the Computer Configuration Group Polices for Terminal Services. My reasoning is keep it simple, and keep all the settings in one place.
Many of these Group Policies can also be controlled via the Terminal Services Configuration Snap-in, a classic case of Microsoft providing three ways of configuring.
Related topics
● More Group Policies ● Terminal Services Home ● Terminal Server Configuration
.
|
|
Guy Recommends: GFi EventsManagerHere is a solution to monitor, manage and archive thousands of events that are generated by devices across your entire network. Get your free evaluation copy of GFI EventsManager. |
|
Home Copyright © 1999-2008 Computer Performance LTD All rights reserved Please report a broken link, or an error.
| |
