After you create the user and terminal server OUs, you're ready to apply new policies to those OUs. I show you how to configure the servers because that's what most policies apply to. Right-click the TerminalServers OU and choose Properties. Select the Group Policy tab to open the dialog box that Figure 2, page 92, shows. Click New to create a new GPO (the figure shows a new GPO called TS Policies), then click Edit to return to the Group Policy Object Editor screen that Figure 1 shows.
Now you're ready to configure your new policy settings. The following configuration examples will get you started:
Tuning remote control settings. Remote control lets an administrator connect to a user's session to see what the user is doing or interact with the session directly. If you use the default settings, a user must explicitly permit the administrator to take remote control of his or her session, and the administrator can interact with that session. To change these default settings for the OU, go to Computer Configuration\Administrative Templates\Windows Components\Terminal Services and enable Sets rules for remote control of Terminal Services user sessions, as Figure 3 shows. From the Options drop-down list, you can choose to completely disable remote control or you can choose settings from one of two main groups: Full Control, which lets the administrator interact with the user's session, and View Session, which lets the administrator watch what the user is doing but not take action. Within those two groups, you can specify whether the user must explicitly permit the administrator to take remote control of his or her session or whether the administrator can connect to the session without getting permission. (These settings are also available under User Configuration\Administrative Templates\Windows Components\Terminal Services. If you set policies in both places, the computer policies apply.)
Setting a profile path and home directory for terminal sessions. Migrating profile paths from WTS to Terminal Services used to be painful because the Terminal Services profile path (distinct from the user profile path) wasn't exposed as a property of the user account object in ADSI; therefore, you could configure the profile path only by editing the user account properties either through the GUI or from the Tsprof command-line tool. This information is now available to group policies. The policies controlling user profiles and home directories are in the root Terminal Services folder in Computer Configuration\Administrative Templates\Windows Components. Enable Set Path for TS Roaming Profiles and TS User Home Directory. To configure the profile path, include the computer name and path to the profile directory; the server will fill in the username automatically. If the path you provide doesn't exist (or the server can't reach it), the account will use local profiles.
The same process applies to setting up the home directory: enable the policy, type the Universal Naming Convention (UNC) name for the network share, and assign a local drive letter, if necessary (for applications that demand a drive letter). I don't generally recommend putting the user home directory on the local terminal server unless you have no other options; doing so gives users separate home directories depending on which server they're connected to, complicating backups and making locating user files difficult.
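The following is an added example, not part of the original article: a PowerShell audit of the remote control and TS roaming profile policies described above, which flags remote control modes that need no user permission and a profile path that cannot be reached. It assumes the policies are stored as the Shadow and WFProfilePath values under the Terminal Services policy key; the function names and the sample values are hypothetical.

```powershell
# Added example, not from the article. Value names below are the registry
# backing of the two policies (assumption: unchanged on the audited build).
$TsPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ShadowModes = @{
    0 = 'remote control disabled'
    1 = 'Full Control, user permission required'
    2 = 'Full Control, no user permission'
    3 = 'View Session, user permission required'
    4 = 'View Session, no user permission'
}

function Read-TsPolicyValues {
    # Returns the configured values as a hashtable; empty if no policy is set.
    $values = @{}
    if (Test-Path -LiteralPath $TsPolicyKey) {
        $item = Get-ItemProperty -LiteralPath $TsPolicyKey
        foreach ($name in 'Shadow', 'WFProfilePath') {
            $prop = $item.PSObject.Properties[$name]
            if ($prop) { $values[$name] = $prop.Value }
        }
    }
    return $values
}

function Get-TsPolicyFinding {
    param([hashtable]$Values,
          [scriptblock]$PathTest = { param($p) Test-Path -LiteralPath $p })
    if ($Values.ContainsKey('Shadow')) {
        $mode = [int]$Values['Shadow']
        $text = if ($ShadowModes.ContainsKey($mode)) { $ShadowModes[$mode] } else { "unrecognized value $mode" }
        # Modes 2 and 4 let an administrator enter a session without consent.
        $status = if (2, 4 -contains $mode) { 'REVIEW' } else { 'OK' }
        "[$status] Remote control: $text"
    } else {
        '[INFO] Remote control policy not configured; defaults apply'
    }
    if ($Values.ContainsKey('WFProfilePath')) {
        $path = $Values['WFProfilePath']
        if (& $PathTest $path) { "[OK] TS profile path reachable: $path" }
        else { "[REVIEW] TS profile path unreachable, sessions fall back to local profiles: $path" }
    }
}

# Constructed sample values (not real data); the path test is stubbed to fail.
$sample = @{ Shadow = 2; WFProfilePath = '\\fileserver.example\tsprofiles$' }
Get-TsPolicyFinding -Values $sample -PathTest { param($p) $false }

# On a terminal server: Get-TsPolicyFinding -Values (Read-TsPolicyValues)
```

The path check runs as the account executing the script, so a result of unreachable can also mean that this account, rather than the terminal server, lacks access to the share.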
An Evolving Solution
Each generation of Terminal Services gets closer to being a complete solution, even for large organizations with many users. Although Windows 2003 Terminal Services still has some loopholes that third-party products can fill, the addition of some serious server and group management tools has made configuring large numbers of servers or user accounts much easier.