How to share an application using Windows 2003 Terminal Server?

I am not sure how to set up the Windows 2003 terminal server to share an application. I saw this article, but it didn't really show it. http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part1.html

How does this actually work? Is it like I create a shortcut from the server and I can use it and save my own user settings as if it were installed locally? Can anyone provide a clear step-by-step setup guide?
okamonAsked:
ry_berkCommented:
Go to C:\Documents and Settings\All Users and put a shortcut on the desktop there.

This will have the program readily available for anyone that logs into the TS.
0
okamonAuthor Commented:
You get the shortcut from where? From the server?
You don't need to use the RDP client to connect to the server?
0
DrDave242Senior Support EngineerCommented:
Don't forget that you must use the "change user /install" command to switch the terminal server to install mode before you install applications to be used by terminal server users.  After installing, run "change user /execute" to switch back out of install mode.
0

okamonAuthor Commented:
I think you missed my last question. Regardless of the installation, how does the user access the application? Do they need to RDP to the server and use the application there?
0
ry_berkCommented:
Yes. They need to be on the network or connected via VPN. Then RDP or VNC to the server and log in to utilize TS.
0
okamonAuthor Commented:
What?! Even if I don't install Terminal Server, I can still use the RDP client to connect to the server and use all applications. What's the difference?
0
DrDave242Senior Support EngineerCommented:
Without Terminal Server installed, you've got what's known as RDP for Administration.  It's intended to be used for just that - remote administration - rather than application sharing, and it only allows two concurrent connections.
0
okamonAuthor Commented:
I see... But it sounds that a practical solution for end users. When they need to use an Office application, e.g. Word, they have to open up the RDP client, connect to the terminal server, use Word on the server and save files on that server. And if they need to send that Word document in email, they have to go back to their desktop, fire up their Outlook, and look for the Word document they created on the server. And if the location where they saved the file is not shared, they don't have access to the file... Sounds very impractical.
0
okamonAuthor Commented:
By the way, I just installed TS on my DC. I know it usually would not be installed on a DC; it's my lab. I didn't install the license server at this time. I added one user to the remote desktop GP, but when I tried to access the server from a client PC, why do I still get denied access?
0
DrDave242Senior Support EngineerCommented:
What's the exact error that you get when you try to log on?
0
ry_berkCommented:
Users can also set up their email on a TS profile. That way their machine is just a dummy machine. That's the way you would work around that.

0
okamonAuthor Commented:
here
rdp.jpg
0
DrDave242Senior Support EngineerCommented:
From your DC, check the Domain Controller Security Policy (from Admin Tools).  In the policy, expand Local Policies and click on User Rights Assignment.  Double-click "Allow log on through Terminal Services."  Make sure the "Define these policy settings" box is checked and the Remote Desktop Users group (or whatever group you want to use) is listed.  If it's not, add it.
0
okamonAuthor Commented:
It's working now! Do you think it's because this is a DC that I need to do that? If I install TS on a member server, do I still need to do this, or do I just simply add the user to the remote desktop GP?

And how can I install the application? Can I just install it like usual, or do I need to perform extra steps?
0
okamonAuthor Commented:
And one more thing I noticed: the user can view everything on the DC, all folders, files, AD settings...
Do I have control over that?
0
DrDave242Senior Support EngineerCommented:
That's one of the reasons why it's not a good idea to install Terminal Server on a DC - you end up allowing your TS users to effectively log on locally to the DC.  They don't have administrative rights (unless you explicitly give them admin rights), so they shouldn't be able to do too much damage, but it's still a security hole.

As far as installing TS on a member server, I don't recall whether that automatically grants the "Log on through Terminal Services" user right to anyone, so you'll want to check it to make sure.  In any case, you won't be checking the Domain Controller Security Policy, since it won't be installed on a DC - you'll need to check the policy for whatever OU that member server occupies.
0
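The user-right check discussed above, as an added example that is not part of the original thread: a Python sketch that parses the text exported by `secedit /export /cfg rights.inf /areas USER_RIGHTS`, where "Allow log on through Terminal Services" appears as `SeRemoteInteractiveLogonRight`. The sample export, the made-up domain SID and the choice of which groups count as too broad for a DC are assumptions of this example.

```python
# Added example, not from the thread. Input is the text written by
#   secedit /export /cfg rights.inf /areas USER_RIGHTS
# "Allow log on through Terminal Services" appears in that export as
# SeRemoteInteractiveLogonRight. Group membership is not in the export.
RIGHT = "seremoteinteractivelogonright"
WELL_KNOWN = {  # standard well-known SIDs
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-555": "Remote Desktop Users",
    "S-1-5-32-545": "Users",
    "S-1-5-11": "Authenticated Users",
    "S-1-1-0": "Everyone",
}
# Assumption of this example: groups too broad to hold the right on a DC.
BROAD = {"Users", "Authenticated Users", "Everyone", "Domain Users"}

def name_of(entry):
    """Map one export entry (*SID or plain account name) to a readable name."""
    sid = entry.strip().lstrip("*")
    if sid.startswith("S-1-5-21-") and sid.endswith("-513"):
        return "Domain Users"  # domain SID followed by RID 513
    return WELL_KNOWN.get(sid, sid)

def holders(inf_text):
    """Principals holding the right; empty list if the export has no entry."""
    in_rights = False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_rights = line.lower() == "[privilege rights]"
        elif in_rights and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == RIGHT:
                return [name_of(v) for v in value.split(",") if v.strip()]
    return []

def review(inf_text):
    """Return (status, names): 'unassigned', 'too-broad' or 'ok'."""
    who = holders(inf_text)
    if not who:
        return ("unassigned", [])
    broad = [n for n in who if n in BROAD]
    return ("too-broad", broad) if broad else ("ok", who)

# Constructed sample export (the domain SID is made up).
SAMPLE = """[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,*S-1-5-21-1111111111-2222222222-3333333333-513
[Version]
"""
```

An "ok" result only covers direct holders of the right; who is inside Remote Desktop Users has to be reviewed separately.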
okamonAuthor Commented:
Thank you!! And how can I install the application? Can I just install it like usual (like double-clicking on the exe file), or do I need to perform extra steps?
0
DrDave242Senior Support EngineerCommented:
Make sure to change to install mode with "change user /install" first, and then you can install normally - by double-clicking setup.exe or whatever the app requires.  Then don't forget to change back to execute mode with "change user /execute" after the installation completes.
0
okamonAuthor Commented:
"Make sure to change to install mode with "change user /install" first"
In CMD? Or right-click on the app?
0
DrDave242Senior Support EngineerCommented:
At a command prompt.
0
okamonAuthor Commented:
So you mean I type "change user/install" in CMD and then double-click on any file?
And after the installation is done, I type "change user /execute" again in CMD?
0
DrDave242Senior Support EngineerCommented:
Correct.
0
okamonAuthor Commented:
Thank you so much for your time!! Something just happened to me unexpectedly. After I rebooted my DC, the domain admin is no longer able to access it remotely!! But physical access is fine... What happened?
0
DrDave242Senior Support EngineerCommented:
Not sure.  Are you getting the same error as before, or a different one?
0
okamonAuthor Commented:
Same. I think TS modified something.
0
DrDave242Senior Support EngineerCommented:
Yep, it must have.  Check that user right in the DC Security Policy again, and check the membership of the Remote Desktop Users group as well (unless you're using a different group, obviously).
0
okamonAuthor Commented:
By default, the Remote Desktop group contains which group? Mine has none there, but in Remote Desktop in the computer's System Properties, it shows "administrators already have access".
0
okamonAuthor Commented:
I also checked the DC user rights; for "Allow logon locally", Administrators is already in the list.

And plus, the administrator already has access to Remote Desktop. I cannot think of why this happened.
0
DrDave242Senior Support EngineerCommented:
I don't think Remote Desktop Users contains anything by default - at least, it's empty on a 2003 DC I have here.  "Allow logon locally" may be populated, but how about "Allow logon through Terminal Services?"
0
okamonAuthor Commented:
It's "not defined".
0
DrDave242Senior Support EngineerCommented:
Define it and add Remote Desktop Users to it.
0
okamonAuthor Commented:
I just added the domain admin account to the "remote desktop users" in System Properties.
It works! But it should not be like this. I believe if you check your DC, you don't have any admin account in the list, but you can still access it with the RDP client.
0
okamonAuthor Commented:
And I also found out that TS really screwed up my DC. I have now uninstalled TS to see if it's better, but it's not.

I added domain users to "remote desktop users" in System Properties, and they can just RDP to my DC.
0
okamonAuthor Commented:
In your user rights, for "Allow logon locally", what do you have there?
0
DrDave242Senior Support EngineerCommented:
What's screwed up on the DC at the moment, now that TS has been removed?
0
DrDave242Senior Support EngineerCommented:
On my DC, "Allow logon locally" is assigned to Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators.
0
okamonAuthor Commented:
I have them as well, plus domain\IUSR_DC1. No idea what this is.

Yes, I uninstalled TS. But nothing changed.
0
DrDave242Senior Support EngineerCommented:
The IUSR account is used for anonymous web access.  You must have IIS installed on that DC.
To clarify my earlier question, what's not working correctly on the DC?
0
okamonAuthor Commented:
The domain administrator doesn't have access to the DC via the RDP client.
I will assign you the points now, since you already answered my question. If you have time, please help me to fix this extra issue. Thank you for your time!!!
0
DrDave242Senior Support EngineerCommented:
Go to My Computer Properties and look in the Remote tab.  Make sure the "Enable Remote Desktop" box is checked.  Removing TS has been known to disable that.
0
okamonAuthor Commented:
Yes. I double-checked, and I checked it back.
One thing in user rights: "Allow log on through Terminal Services" -> it's "Not defined".

Probably TS changed its default setting. Where can I find out? I tried to add Administrators there and it works.
0
DrDave242Senior Support EngineerCommented:
Yeah, removing TS probably changed that back to "Not defined."  I don't have a DC with TS installed, so I can't verify that myself.
0
okamonAuthor Commented:
On your DC, "Allow log on through Terminal Services" -> is it not defined, or not?
0
DrDave242Senior Support EngineerCommented:
It's "Not defined" on my DC.
0
okamonAuthor Commented:
OK... so the same as mine... We are not able to find out what the default for "Not defined" is?
0
DrDave242Senior Support EngineerCommented:
I'm pretty sure "Not defined" is the default.  I haven't made any changes to that setting on my DC, as far as I know.
0
okamonAuthor Commented:
No, I mean, even though it is "NOT DEFINED", in the root of AD there should be a policy. So if it is "Not defined" here, then the policy propagates down. If I set something else here, it will overwrite the root setting. So I think there should be a setting in the root. Do you understand what I am trying to say?
0
DrDave242Senior Support EngineerCommented:
I can verify that it's "Not defined" in both the Default Domain Policy and Default Domain Controller Policy on my server, so it is apparently not defined by default in any location.  It's simply a user right that's not assigned to anyone until you assign it.

Also, it's time for me to leave the office, so I will likely not be back on EE until Monday.
0
okamonAuthor Commented:
Thank you so much for spending your valuable time with me!! Have a nice weekend.
0