This article is excerpted from Windows & .NET Magazine, International Chinese Edition.
Since Microsoft released Windows NT 4.0 Terminal Server Edition (WTS) in 1998, the experience of connecting to terminal servers over RDP has improved dramatically. In Windows 2003, RDP clients are almost as capable as ICA clients connecting to Citrix MetaFrame servers, lacking only application publishing and stateless windows. (Application publishing directs a connection to a single application on a terminal server. A stateless window lets an end user keep multiple connections to the same session on a single terminal server without multiplying resource use.)
Historically, however, Microsoft has paid less attention to improving the management of terminal servers on WTS and Windows 2000. NT 4.0 predates WTS, so the core NT operating system has no Terminal Server management capabilities: user account management must be done on a WTS computer or with a WTS-aware account manager. Windows 2000 includes Terminal Services support in the core operating system, but its server management tools are suitable only for a small number of users or servers, because you must configure Terminal Services settings for each user or each computer individually. Terminal server settings such as the user profile path are not exposed through the Active Directory Service Interface (ADSI), so you cannot script server administration except, possibly, with command-line tools. This limitation is tolerable if you plan to keep the default settings, or if you have only two or three user accounts or servers to configure. Beyond that, configuring and managing user settings and terminal servers consistently becomes very difficult.
Windows 2003 does a lot for terminal servers: terminal servers and the user accounts that use Terminal Services expose many settings through ADSI and Windows Management Instrumentation (WMI), which makes terminal servers far more manageable. You can manage these settings with administrative scripts, or with Group Policy objects (GPOs) that you apply to organizational units (OUs). I introduce some GPO methods for user and computer configuration and show how to use them for common tasks.
Where is the Terminal Services policy?
After you open the Group Policy Editor (GPE) on a Windows 2003 computer, you will see a new folder under both the Computer Configuration and User Configuration folders: Administrative Templates \ Windows Components \ Terminal Services. Figure 1 shows the settings available in Computer Configuration \ Administrative Templates \ Windows Components \ Terminal Services. Some of these settings are duplicated in the User Configuration \ Administrative Templates \ Windows Components \ Terminal Services folder. The Computer Configuration settings are divided into several Terminal Services subfolders. Table 1 lists the location of Terminal Services settings in both Computer Configuration and User Configuration.
To configure a setting, double-click it to open its Properties dialog box, then select Enabled or Disabled as appropriate. Some settings require additional information; for example, to set the home directory for user terminal sessions, you must provide a local or network path (and, if the home directory is on a network location, the drive letter to map the path to). Although most settings apply only to a Windows 2003 terminal server or a Remote Desktop connection to Windows XP, a few, such as the option to remove the Disconnect button from the Start menu, also apply to a Windows 2000 terminal server. The version requirements are displayed in each policy's Properties dialog box.
If you have ever edited the default Terminal Services user and terminal server settings, you know that some parameters can be configured at both the server and the user level. Generally, if a setting exists for both the server and the user (as with default printer mapping), the user setting takes precedence. You can configure Terminal Services Configuration to override the user settings and give the server priority. If you do not configure a GPO, whichever setting you choose has priority. However, once you configure a GPO, whether you enable or disable it, the GPO setting overrides the settings you configured through Terminal Services Configuration or edited in the user account properties. If you configure the same setting for both the user and the computer (only a few settings, such as those that manage remote control, exist in both places), the computer setting takes precedence over the user setting. (If you link GPOs to different containers in the domain, the normal policy inheritance rules apply.)
Because the wording of the GPO settings is somewhat ambiguous, be careful when you enable or disable a policy. For example, if you configure smart card parameters for terminal servers and want to ensure that smart cards are supported, you must disable the smart card redirection policy.
Applying GPOs to Terminal Server
To apply a GPO to a terminal server, you must create a Terminal Server OU and, if necessary, a Terminal Server client OU. Open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in and right-click the domain name icon in the left pane. Select New, Organizational Unit from the context menu. Name the new OU TerminalServers or something similarly descriptive, and place all terminal servers inside it.
Terminal Services settings are mostly not user-specific, so you can start by simply configuring the terminal server policy. However, you may prefer not to configure every setting at the machine level, such as those related to remote control of a user's session. You can set user policy in several ways. One is to create an OU for the users who are allowed to log on to a terminal server. However, an AD object can belong to only one OU, and it may not be practical to place users in a dedicated Terminal Services OU. Another approach is to apply the settings to a user OU that you create and use loopback policy processing to ensure that the appropriate settings are applied when the user logs on to the terminal server. To use loopback processing, enable the User Group Policy loopback processing mode policy on the Terminal Server OU. This policy, found in Computer Configuration \ Administrative Templates \ System \ Group Policy, controls how user policies are applied on computers with a particular purpose, such as a terminal server. To ensure that the terminal server policy takes priority, click the policy's Settings tab and choose Replace from the drop-down menu.
After you create the user and Terminal Server OUs, you can apply new policies to them. I'll show how to configure the server OU, because that is where most of the policies are applied. Right-click the TerminalServers OU and select Properties. Select the Group Policy tab to open the dialog box shown in Figure 2. To create a new GPO, click New (the figure shows a new GPO called TS Policies), then click Edit to return to the Group Policy Object Editor shown in Figure 1.
Now you are ready to configure the new policy's settings. You can start with the following configuration examples:
Adjust the remote control settings. Remote control lets an administrator connect directly to a user's session to see what the user is doing or to interact with the session. With the default settings, the user must explicitly allow the administrator to remotely control his or her session, and the administrator can then interact with it. To change the defaults for the OU, expand Computer Configuration \ Administrative Templates \ Windows Components \ Terminal Services and enable the Sets rules for remote control of Terminal Services user sessions policy, as shown in Figure 3. From the options list, you can disable remote control entirely or choose one of two main modes: Full Control, which allows the administrator to interact with the user's session, and View Session, which lets the administrator watch what the user is doing but not take action. Within each mode, you specify whether the user must explicitly allow the administrator to remotely control the session or whether the administrator can connect without the user's permission. (These settings are also found in User Configuration \ Administrative Templates \ Windows Components \ Terminal Services.) If you set the policy in both places, the computer setting is applied.
Configure a profile path and home directory for terminal sessions. Migrating profiles from WTS to Terminal Services has been painful because the Terminal Services profile path is distinct from the user profile path and is not implemented as a property of the user account in ADSI; you could edit only the user account's profile path property, either through the GUI or with the Tsprof command-line tool. This information is now available through Group Policy. The policies that control the user profile and home directory are at the root of Computer Configuration \ Administrative Templates \ Windows Components \ Terminal Services. Enable Set path for TS Roaming Profiles and TS User Home Directory. The profile path includes the computer name and the path to the profile directory; the server appends the user name automatically. If you provide a path that does not exist (or that the server cannot reach), the account uses a local profile instead.
The same process applies to the home directory: enable the policy, enter the Universal Naming Convention (UNC) name of a network share, and specify a local drive letter if necessary (for applications that require one). I generally do not recommend placing user home directories on the local terminal server unless you have no other choice; giving users a separate home directory on each server they connect to makes their files difficult to back up and locate.
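The OU, GPO and loopback procedure above, together with the remote control and profile/home directory examples, can be scripted instead of clicked through. The following is an added example, not code from the article: it assumes a domain controller with the ActiveDirectory and GroupPolicy PowerShell modules (RSAT), which Windows 2003 itself lacks; the domain, OU, GPO, server and share names are placeholders, and the profile and home directory value names are taken from the Terminal Services administrative template as I understand it, so confirm them with the read-back step at the end.

```powershell
# Added example (not from the article). Assumes the ActiveDirectory and GroupPolicy
# modules on a modern domain controller; all names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = 'DC=example,DC=com'
$ouName   = 'TerminalServers'
$ouDn     = "OU=$ouName,$domainDn"
$gpoName  = 'TS Policies'
$tsKey    = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1. Create the OU and move the terminal servers into it (placeholder computer names).
New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
foreach ($srv in 'TS01', 'TS02') {
    Move-ADObject -Identity (Get-ADComputer $srv).DistinguishedName -TargetPath $ouDn
}

# 2. Create the GPO and link it to the OU.
New-GPO -Name $gpoName | Out-Null
New-GPLink -Name $gpoName -Target $ouDn -LinkEnabled Yes

# 3. Loopback processing in Replace mode (UserPolicyMode 2 = Replace, 1 = Merge), so the
#    user settings in this GPO win over the user's own OU policies on these servers.
Set-GPRegistryValue -Name $gpoName -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2

# 4. Remote control (Shadow): 0 = disabled, 1 = full control with the user's permission,
#    2 = full control without permission, 3 = view only with permission, 4 = view only without.
#    View-only with the user's consent is the least-privilege choice for a helpdesk role.
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'Shadow' -Type DWord -Value 3

# 5. TS roaming profile path (the server appends the user name) and a TS home directory on
#    a network share (WFHomeDirUNC 1 = network) mapped to a drive letter. Value names are
#    assumed from the administrative template; verify with step 6.
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'WFProfilePath' -Type String `
    -Value '\\fileserver\TSProfiles'
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'WFHomeDir' -Type String `
    -Value '\\fileserver\TSHome'
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'WFHomeDirUNC' -Type DWord -Value 1
Set-GPRegistryValue -Name $gpoName -Key $tsKey -ValueName 'WFHomeDirDrive' -Type String -Value 'H:'

# 6. Read back what the GPO actually contains; the Group Policy editor shows the same values
#    under Computer Configuration \ Administrative Templates \ Windows Components \ Terminal Services.
Get-GPRegistryValue -Name $gpoName -Key $tsKey |
    Select-Object ValueName, Type, Value | Format-Table -AutoSize
```

If a value name in step 5 is wrong for your template, set that one policy in the editor once and rerun step 6 to see the name and type the editor wrote, then correct the script.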
A developing solution
Each new version of Terminal Services comes closer to a complete solution, even for large companies with many users. Although Terminal Services in Windows 2003 still has some drawbacks that third-party products must remedy, it now includes a number of server and group management tools that make configuring a large number of servers or user accounts much easier.