Group Policy Best Practices for Terminal (Remote Desktop) Servers

Ayman BakrSenior Consultant
When it comes to configuring terminal server environments, recently now referred to as Remote Desktop server environments, often admins get confused with respect to user profiles setup. For one thing they are unaware, or perhaps forget, that in Active Directory a user object can have two profiles: one for a normal PC environment and the other for a remote desktop/terminal services environment (going forth will always refer to it as terminal services). The terminal services profile can be setup within the user object properties in Active Directory (AD), just like a normal profile is setup, albeit in a different tab. However, doing this for each individual in an organization with 1000+ employees becomes impractical! The answer to this is setting it up through Group Policy Objects (GPO).

Another point to consider when setting up a terminal services environment is to configure folder redirection for the user’s ‘Documents’, ‘Desktop’, ‘Favourites’ and to the controversial folder, ‘Application Data’. When you redirect a folder to a share on another server, you are actually telling the system not to load and unload these folders whenever the user logs in and logs out respectively. You are only pointing the system to the folders shared on the other server. This way you avoid all the delays and consequences resulting from loading and unloading those folders during the start and end of the session.
Different organizations will have different requirements. For example, I have been once asked about the possibility of presenting different redirected desktops for the same user in different environments: a desktop in his normal PC session and another in his terminal services session. In that scenario, I advised them to basically do a different folder redirection setting for the user’s terminal services session. This way they were able to isolate their normal users' desktop from the terminal services desktop.

Enough with the introduction. I hereby provide a step by step best practice preparation of the AD to achieve a baseline for terminal services configuration that can accommodate any requirement or scenario.

1. Create a security group in AD, say TS Group, and add all the terminal server machines as members of that group.

2. Create a new organizational unit (OU), name it say TS OU and have all your terminal server machines in that OU.

3. Create a new GPO and link it to TS OU.

4. Block inheritance on the GPO (recommended; but if you want domain policies to apply then forget this step).

5. On this GPO, disable the User Configuration settings.

6. Add TS Group and Authenticated Users (or only the user group who will access TS) to the filter on the OU.

7. Enable loopback under Computer Configuration\Administrative Templates\System\Group Policy and set the User Group Policy loopback processing mode to Replace.

8. Ensure that Allow Logon Locally is enabled for your intended users under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies in the User Rights Assignment.

9. Configure the terminal services profile path under Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services.

10. Configure all other settings and required lockdowns.
For more info on remote desktop/terminal server settings see: 

11. Create another GPO and link it to the TS OU.

12. Block inheritance on the GPO (recommended; but if you want domain policies to apply then forget this step).

13. On this GPO, disable the Computer Configuration settings.

14. Add TS Group and Authenticated Users (or only the user group who will access TS) to the filter on the OU.

15. Configure the folder redirection under User Configuration\Windows Settings\Folder Redirections. Here you can specify the same path for all the folders as in your normal environment, unless you require to present different documents and desktops.

16. Configure all other settings or lockdowns for your TS users.

Note that both the computer configuration and user configuration GPOs for TS environment SHOULD be linked to the TS OU.
Ayman BakrSenior Consultant

Comments (0)

Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.