
Group Policy Best Practices for Terminal (Remote Desktop) Servers

When it comes to configuring terminal server environments, now referred to as Remote Desktop server environments, admins often get confused about how user profiles are set up. For one thing they are unaware, or perhaps forget, that in Active Directory a user object can have two profiles: one for a normal PC environment and the other for a remote desktop/terminal services environment (from here on I will refer to it as terminal services). The terminal services profile can be set up within the user object properties in Active Directory (AD), just like a normal profile is set up, albeit on a different tab. However, doing this for each individual in an organization with 1000+ employees becomes impractical! The answer to this is setting it up through Group Policy Objects (GPO).

Another point to consider when setting up a terminal services environment is to configure folder redirection for the user's 'Documents', 'Desktop', 'Favourites' and the controversial folder, 'Application Data'. When you redirect a folder to a share on another server, you are actually telling the system not to load and unload these folders whenever the user logs in and logs out respectively. You are only pointing the system to the folders shared on the other server. This way you avoid all the delays and consequences resulting from loading and unloading those folders at the start and end of the session.
Different organizations will have different requirements. For example, I was once asked about the possibility of presenting different redirected desktops for the same user in different environments: a desktop in his normal PC session and another in his terminal services session. In that scenario, I advised them to basically do a different folder redirection setting for the user's terminal services session. This way they were able to isolate their normal users' desktop from the terminal services desktop.

Enough with the introduction. I hereby provide a step-by-step best practice preparation of the AD to achieve a baseline terminal services configuration that can accommodate any requirement or scenario.

1. Create a security group in AD, say TS Group, and add all the terminal server machines as members of that group.

2. Create a new organizational unit (OU), name it say TS OU and have all your terminal server machines in that OU.

3. Create a new GPO and link it to TS OU.

4. Block inheritance on the GPO (recommended; but if you want domain policies to apply then forget this step).

5. On this GPO, disable the User Configuration settings.

6. Add TS Group and Authenticated Users (or only the user group who will access TS) to the filter on the OU.

7. Enable loopback under Computer Configuration\Administrative Templates\System\Group Policy and set the User Group Policy loopback processing mode to Replace.

8. Ensure that Allow Logon Locally is enabled for your intended users under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies in the User Rights Assignment.

9. Configure the terminal services profile path under Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services.

10. Configure all other settings and required lockdowns.
For more info on remote desktop/terminal server settings see: http://technet.microsoft.com/en-us/library/cc770884(v=ws.10).aspx 

11. Create another GPO and link it to the TS OU.

12. Block inheritance on the GPO (recommended; but if you want domain policies to apply then forget this step).

13. On this GPO, disable the Computer Configuration settings.

14. Add TS Group and Authenticated Users (or only the user group who will access TS) to the filter on the OU.

15. Configure the folder redirection under User Configuration\Windows Settings\Folder Redirections. Here you can specify the same path for all the folders as in your normal environment, unless you require to present different documents and desktops.

16. Configure all other settings or lockdowns for your TS users.

Note that both the computer configuration and user configuration GPOs for the TS environment SHOULD be linked to the TS OU.
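The same preparation, scripted with the ActiveDirectory and GroupPolicy PowerShell modules, as an added example that is not part of the original article. The domain DN, profile share and the TS01/TS02 computer naming are assumptions; group, OU and GPO names follow the steps above, and the two settings that have no cmdlet (user rights and folder redirection) are called out as manual steps.

```powershell
# Added example: steps 1-16 with the RSAT ActiveDirectory/GroupPolicy modules.
# Placeholders: domain DN, profile share and the "TS*" computer name pattern.
Import-Module ActiveDirectory, GroupPolicy

$domainDn     = 'DC=contoso,DC=local'        # placeholder domain
$groupName    = 'TS Group'
$ouName       = 'TS OU'
$ouDn         = "OU=$ouName,$domainDn"
$compGpoName  = 'TS Computer Policy'
$userGpoName  = 'TS User Policy'
$profileShare = '\\fileserver\TSProfiles'    # placeholder share

# Steps 1-2: security group for the terminal servers and an OU that holds them.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $domainDn
New-ADOrganizationalUnit -Name $ouName -Path $domainDn
# Assumed: terminal servers are named TS01, TS02, ...; add each to the group and OU.
Get-ADComputer -Filter 'Name -like "TS*"' | ForEach-Object {
    Add-ADGroupMember -Identity $groupName -Members $_
    Move-ADObject -Identity $_.DistinguishedName -TargetPath $ouDn
}

# Steps 4/12: inheritance blocking is a property of the container, so set it once on the OU.
Set-GPInheritance -Target $ouDn -IsBlocked Yes

# Steps 3, 5-7, 9: computer-side GPO with user settings disabled.
$compGpo = New-GPO -Name $compGpoName
New-GPLink -Name $compGpoName -Target $ouDn -LinkEnabled Yes | Out-Null
$compGpo.GpoStatus = 'UserSettingsDisabled'
# Security filtering: grant TS Group Apply; Authenticated Users keeps its default entry.
Set-GPPermission -Name $compGpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null
# Loopback processing in Replace mode (UserPolicyMode 2 = Replace, 1 = Merge).
Set-GPRegistryValue -Name $compGpoName -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null
# Terminal services profile path (the "Set path for TS Roaming User Profile" policy).
Set-GPRegistryValue -Name $compGpoName -Key 'HKLM\Software\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'WFProfilePath' -Type String -Value $profileShare | Out-Null
# Step 8 (Allow log on locally) is a User Rights Assignment stored in GptTmpl.inf;
# there is no cmdlet for it, so set it in the GPMC editor.

# Steps 11-14: user-side GPO with computer settings disabled and the same filtering.
$userGpo = New-GPO -Name $userGpoName
New-GPLink -Name $userGpoName -Target $ouDn -LinkEnabled Yes | Out-Null
$userGpo.GpoStatus = 'ComputerSettingsDisabled'
Set-GPPermission -Name $userGpoName -TargetName $groupName -TargetType Group -PermissionLevel GpoApply | Out-Null
# Step 15 (Folder Redirection) also has no cmdlet; configure it in GPMC.

# Check: both GPOs are linked to the TS OU with the expected status.
(Get-GPInheritance -Target $ouDn).GpoLinks |
    ForEach-Object { Get-GPO -Guid $_.GpoId | Select-Object DisplayName, GpoStatus }
```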
Author:Ayman Bakr