W2K3 Terminal Server

Posted on 2009-05-17
Last Modified: 2013-11-21
Hello, I may be on the wrong track on this one but any help would be greatly appreciated. I basically want to deliver a standard desktop including a few MS apps, Office, IE, etc to 10 - 15 Client workstations. I'm looking to use thin client workstations and connect to a muscular terminal server. Am I able to do so or should I abandon the idea? I am also concerned about standard domain users using a Remote Desktop session to a server and any implications that may have. Funds are limited so it's this or nothing. Any advice and setup tips? Been through the Microsoft whitepapers and followed them as much as possible.

So, my question(s) is: Can it be done? Can I have 10 or 15 users using this as their primary method of access? Is it secure? Any step by step guides from server side setup through to client side considerations? Was terminal server designed for this type of use?

Many Thanks, Aelara.
Question by:Aelara

Expert Comment

ID: 24408439
You are most certainly able to do so, what you are describing is exactly what Terminal Services is meant and designed to do.

Probably the most important factor in the success of your project is hardware. Obviously you need enough hardware (processing power and memory) to accommodate your user sessions. Do you have hardware specs on the box you will be using?

I also assume that this server will be dedicated to TS? A big mistake is to run TS on a server that already has other important functions in your domain.


Expert Comment

ID: 24408461
Concerning your thoughts on security, TS is a very secure environment assuming it is managed well. Everything you would normally address on an end user machine, you would address on a Terminal Server in a similar manner.

Ensure that MS security patches are kept up to date

That you have an AV solution in place (most AV solutions usually have either special versions, or special install instructions for TS)

That none of the users are logging in with any sort of administrative permissions and all have restricted user accounts

That you run the terminal server in full security mode (rather than relaxed security mode), assuming you don't have any legacy applications that need it

That the HOST machines they are using to connect to the terminal server are secure and locked down in the same manner. No sense going through all of this trouble if your network is infected by an insecure host machine

Expert Comment

ID: 24408469
Not sure if you saw this one already, but this is an excellent white paper:



Author Comment

ID: 24409800
Thanks for the info ishweq, I'll look at the whitepaper later today. Once Terminal server has been added as a role and security implemented, do I just install the Apps I would like users to have access to? Do I need to create a profile?

Thanks Aelara

Author Comment

ID: 24410911
Hello again, it's all up and running and test use so far looks good. I am working through the lock down whitepaper to ensure max security. If working at full potential, what are the limitations of TS compared to Citrix?

Thanks Aelara.

Expert Comment

ID: 24414821
For what you are doing, terminal server should be perfect. I wouldn't see any need to incur extra costs for Citrix. Here is a blog entry that pretty much sums it up:



Author Comment

ID: 24420799
Thank you. One last question: can I white list access to the terminal server by IP address? Although I can specify users, groups and computers within AD, we are using HP thin client stations which do not register/appear as AD objects. Hence I need to specify that only a bank of IP addresses will be able to establish a remote session with the terminal server. All other connections will be refused. Can it be done?

Thanks, Aelara.

Expert Comment

ID: 24421746
There isn't any way to do this in direct relation to Terminal Server, however you can filter the IP addresses on your firewall to only allow the hosts you want to allow (you would filter on port 3389).

If you don't have a firewall in place where you can make these changes, you can use the Windows Firewall in Control Panel to do your IP level filtering there.

Accepted Solution

jschweg earned 500 total points
ID: 24421785
Probably a better option than using the Windows Firewall is to just create an IP Security policy for the network connection:
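
An added example, not part of the original answer: one way to build the IP Security policy suggested above from the command line with `netsh ipsec static` on Windows Server 2003, permitting RDP (TCP 3389) only from the thin clients. The policy, filter list and filter action names and the 192.0.2.0/27 address range are constructed placeholders; substitute the real thin-client range.

```bat
@echo off
rem Added example, not from the thread. Constructed values (assumptions):
rem   policy/filter names, and 192.0.2.0/27 as the thin-client address range.
rem Run from the server console: once assigned, RDP from any other address
rem is dropped, including an admin session coming from outside the range.

set POLICY=TS-RDP-Restrict
set TC_NET=192.0.2.0
set TC_MASK=255.255.255.224

netsh ipsec static add policy name="%POLICY%" description="Limit RDP to thin clients" assign=no

rem Filter list 1: RDP (TCP 3389) from the thin-client range to this server.
netsh ipsec static add filterlist name="RDP-ThinClients"
netsh ipsec static add filter filterlist="RDP-ThinClients" srcaddr=%TC_NET% srcmask=%TC_MASK% dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem Filter list 2: RDP from any address to this server.
netsh ipsec static add filterlist name="RDP-Any"
netsh ipsec static add filter filterlist="RDP-Any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=3389 mirrored=yes

rem Static permit/block actions (no IPsec negotiation involved).
netsh ipsec static add filteraction name="TS-Permit" action=permit
netsh ipsec static add filteraction name="TS-Block" action=block

rem IPsec applies the most specific matching filter, so the /27 permit
rem wins over the any-source block for the thin clients.
netsh ipsec static add rule name="Permit thin clients" policy="%POLICY%" filterlist="RDP-ThinClients" filteraction="TS-Permit"
netsh ipsec static add rule name="Block other RDP" policy="%POLICY%" filterlist="RDP-Any" filteraction="TS-Block"

rem Review the result, then activate the policy.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
```

Setting `assign=n` on the same policy deactivates it again if a legitimate client turns out to be outside the permitted range.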



Expert Comment

ID: 24422023

In regards to installing apps...  I would recommend that you make sure no one else is logged in to the server when you install apps.

The command "change logon" will help keep everyone off the server while you are installing apps. It will also keep you from logging back on to the server if you are disconnected. So, use with caution.

Once done, you can use the add new programs option from add/remove programs or use the command "change user" from the command prompt.

Either way, I would get familiar with both of these commands to install apps on the server.
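
An added example, not part of the original comment: a batch wrapper that puts the two commands above in order for an application install on the terminal server. The script name and the installer path passed as the first argument are hypothetical.

```bat
@echo off
rem Added example, not from the thread.
rem Usage (hypothetical script name): ts-install.cmd "D:\setup\app-setup.exe"
if "%~1"=="" (
    echo Usage: %~nx0 "path\to\installer.exe"
    exit /b 1
)

rem Show who is still connected before locking the server.
query session

rem Refuse new sessions. Run this from the console: a dropped RDP session
rem cannot reconnect until logons are re-enabled.
change logon /disable

rem Install mode records per-user registry and INI changes so they are
rem propagated to each user's profile at their next logon.
change user /install

rem Run the installer and wait for it to finish.
start /wait "" "%~1"
set RC=%ERRORLEVEL%

rem Always return to execute mode and re-enable logons, even if setup failed.
change user /execute
change logon /enable

exit /b %RC%
```

`change user /query` and `change logon /query` report the current mode, which is worth checking after an interrupted install.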
