okamon
asked on
How to share application using windows 2003 terminal server?
I am not sure how to set up the Windows 2003 terminal server to share an application. I saw this article, but it didn't really show it. http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part1.html
How does this actually work? Is it like I create a shortcut from the server and I can use it and save my own user settings as if it were installed locally? Can anyone provide a clear step-by-step setup guide?
ASKER
You get the shortcut from where? From the server?
You don't need to use the RDP client to connect to the server?
ASKER CERTIFIED SOLUTION
ASKER
I think you missed my last question. Regardless of the installation, how does the user access the application? Do they need to use RDP to the server and use the application there?
Yes. They need to be on the network or via VPN. Then RDP or VNC to the server and log in to utilize TS.
ASKER
What?! Even if I don't install terminal server, I can still use the RDP client to the server and use all applications. What's the difference?
SOLUTION
ASKER
I see... But it sounds that a practical solution for end users. When they need to use an office application, e.g. Word, they have to open up the RDP client, connect to the terminal server, use Word on the server and save files on that server. And if they need to send that Word document in email, they have to go back to their desktop, fire up their Outlook, and look for the Word document they created on the server. And if the location where they saved the file is not shared, they don't have access to the file... Sounds very impractical.
ASKER
By the way, I just installed TS on my DC. I know it usually would not be installed on a DC; it's my lab. I didn't install the license server at this time. I added one user in the remote desktop GP, but when I tried to access the server from a client PC, why do I still get denied access??
What's the exact error that you get when you try to log on?
Users can also set up their emails on a TS profile. That way their machine is just a dummy machine. That's the way you would work around that.
ASKER
here
rdp.jpg
SOLUTION
ASKER
It's working now! Do you think it's because this is a DC, that's why I need to do that? If I install TS on a member server, do I still need to do this, or just simply add the user to the remote desktop GP?
And how can I install the application? Can I just install like usual, or do I need to perform extra steps?
ASKER
And one more thing I noticed: the user can view everything on the DC, all folders, files, AD settings...
Do I have control over that?
That's one of the reasons why it's not a good idea to install Terminal Server on a DC - you end up allowing your TS users to effectively log on locally to the DC. They don't have administrative rights (unless you explicitly give them admin rights), so they shouldn't be able to do too much damage, but it's still a security hole.
As far as installing TS on a member server, I don't recall whether that automatically grants the "Log on through Terminal Services" user right to anyone, so you'll want to check it to make sure. In any case, you won't be checking the Domain Controller Security Policy, since it won't be installed on a DC - you'll need to check the policy for whatever OU that member server occupies.
ASKER
Thank you!! And how can I install the application? Can I just install like usual (like double-clicking on the exe file), or do I need to perform extra steps?
Make sure to change to install mode with "change user /install" first, and then you can install normally - by double-clicking setup.exe or whatever the app requires. Then don't forget to change back to execute mode with "change user /execute" after the installation completes.
ASKER
"Make sure to change to install mode with "change user /install" first"
In CMD? Or right-click on the app?
At a command prompt.
ASKER
So you mean I type "change user/install" in CMD and then double click on any file?
And after the installation is done, I type "change user /execute" again in CMD?
Correct.
ASKER
Thank you so much for your time!! Something just happened to me unexpectedly. After I rebooted my DC, the domain admin is no longer able to remotely access it!! But physical access is fine... What happened?
Not sure. Are you getting the same error as before, or a different one?
ASKER
Same. I think TS modified something.
Yep, it must have. Check that user right in the DC Security Policy again, and check the membership of the Remote Desktop Users group as well (unless you're using a different group, obviously).
ASKER
By default, the remote desktop group contains which group? Mine has none there, but in the remote desktop settings of the computer's system properties, it shows "administrators already have access".
ASKER
Also checked the DC user right, the "Allow logon locally"; administrators is already in the list.
And plus, administrator already has access to remote desktop. I cannot think of why this happened.
I don't think Remote Desktop Users contains anything by default - at least, it's empty on a 2003 DC I have here. "Allow logon locally" may be populated, but how about "Allow logon through Terminal Services?"
ASKER
it's "not defined"
Define it and add Remote Desktop Users to it.
ASKER
I just added the domain admin account to the "remote desktop users" in system properties.
It works! But it should not be like this. I believe if you check your DC, you don't have any admin account in the lists, but you can still access it by RDP client.
ASKER
And I also found out that TS really screwed up my DC. Now I just uninstalled TS to see if it's better, but it's not.
I added domain users in "remote desktop users" in system properties, and they can just RDP to my DC.
ASKER
In your user rights, "Allow logon locally", what do you have there?
What's screwed up on the DC at the moment, now that TS has been removed?
On my DC, "Allow logon locally" is assigned to Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators.
ASKER
I have them as well, plus domain\IUSR_DC1. No idea what this is.
Yes, I uninstalled TS. But nothing changed.
The IUSR account is used for anonymous web access. You must have IIS installed on that DC.
To clarify my earlier question, what's not working correctly on the DC?
ASKER
Domain administrator doesn't have access to DC via RDP client.
I will assign you the point now, since you already answered my question. If you have time, please help me to fix this extra issue. Thank you for your time!!!
Go to My Computer Properties and look in the Remote tab. Make sure the "Enable Remote Desktop" box is checked. Removing TS has been known to disable that.
ASKER
Yes. I double-checked; I checked it back.
One thing in user rights: "allowed to log on through Terminal Services" -> it's "Not defined".
Probably TS changed its default setting; where can I find out? I tried to add administrators there and it works.
Yeah, removing TS probably changed that back to "Not defined." I don't have a DC with TS installed, so I can't verify that myself.
ASKER
In your DC, "allowed to log on through Terminal Services" -> is it not defined, or not?
It's "Not defined" on my DC.
ASKER
OK... so same as mine... We are not able to find out what the default for "Not defined" is???
I'm pretty sure "Not defined" is the default. I haven't made any changes to that setting on my DC, as far as I know.
ASKER
No, I mean, even though it is "NOT DEFINED", in the root of the AD there should be a policy there. So if it is "Not defined" here, then the policy propagates down. If I set something else here, it will overwrite the root setting. So I think there should be a setting in the root. Do you understand what I am trying to say?
I can verify that it's "Not defined" in both the Default Domain Policy and Default Domain Controller Policy on my server, so it is apparently not defined by default in any location. It's simply a user right that's not assigned to anyone until you assign it.
Also, it's time for me to leave the office, so I will likely not be back on EE until Monday.
ASKER
Thank you so much for spending your valuable time with me!! Have a nice weekend.
This will have the program readily available for anyone that logs into the TS.
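Added example (not part of the original thread): the user rights the posts check by hand, "Allow logon locally" and "Allow logon through Terminal Services", can be read from the `[Privilege Rights]` section of a `secedit /export` file. The sketch below parses a constructed sample and lists any holder outside the built-in operator groups named in the thread; the sample text, the `LAB` domain name and the choice of expected groups are assumptions.

```python
# Added example: audit logon user rights in a `secedit /export` INF file.
# Assumption: only the built-in groups the thread lists for a DC are expected.
EXPECTED = {
    "S-1-5-32-544": "Administrators",
    "S-1-5-32-548": "Account Operators",
    "S-1-5-32-549": "Server Operators",
    "S-1-5-32-550": "Print Operators",
    "S-1-5-32-551": "Backup Operators",
}
RIGHTS = {
    "SeInteractiveLogonRight": "Allow log on locally",
    "SeRemoteInteractiveLogonRight": "Allow log on through Terminal Services",
}

# Constructed sample export (hypothetical LAB domain), not taken from the thread.
SAMPLE_INF = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-548,*S-1-5-32-549,*S-1-5-32-550,*S-1-5-32-551
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555,LAB\\Domain Users
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(text):
    """Return {right: [principal, ...]} from the [Privilege Rights] section."""
    rights, in_section = {}, False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [p.strip().lstrip("*") for p in value.split(",") if p.strip()]
    return rights

def audit_dc_logon_rights(text):
    """List (right, principal) pairs held by anyone outside EXPECTED."""
    assigned = parse_privilege_rights(text)
    findings = []
    for right in RIGHTS:
        # A right missing from the file has no holders listed, so nothing to flag.
        for principal in assigned.get(right, []):
            if principal not in EXPECTED:
                findings.append((right, principal))
    return findings

if __name__ == "__main__":
    for right, who in audit_dc_logon_rights(SAMPLE_INF):
        print(f"{RIGHTS[right]}: {who}")
```

A real file comes from `secedit /export /cfg rights.inf /areas USER_RIGHTS` and is typically UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text in.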