How to share application using windows 2003 terminal server?

I am not sure how to setup the windows 2003 terminal server to share application. I saw this article, but it didn't really show it. http://www.windowsnetworking.com/articles_tutorials/Windows_2003_Terminal_Services_Part1.html

How does this actually work? Is it like I create a short cut from server and I can uset it and save my own user setting like it were installed locally? Can anyone provide clear step by step setup guide?
okamonAsked:
Who is Participating?
 
DrDave242Commented:
Don't forget that you must use the "change user /install" command to switch the terminal server to install mode before you install applications to be used by terminal server users.  After installing, run "change user /execute" to switch back out of install mode.
0
 
ry_berkCommented:
Go to c:/ .  Documents and Settings. All Users and put a shortcut on the desktop there.

This will have the program readily available for anyone that logs into the TS.
0
 
okamonAuthor Commented:
you get the shortcut from where? from server?
you don't need to use RDP client to connect to server?
0
On-Demand: Securing Your Wi-Fi for Summer Travel

Traveling this summer?Check out our on-demand webinar to learn about the importance of Wi-Fi security and 3 easy measures you can start taking immediately to protect your private data while using public Wi-Fi. Follow us today to learn more!

 
okamonAuthor Commented:
I think you missed my last question. Regardless the installation, how the user access the application? Do they need to use RDP to the server and using application there?
0
 
ry_berkCommented:
Yes. they need to be on the network or via VPN. Then RDP or VNC to the server and log in to utilize TS
0
 
okamonAuthor Commented:
What?!  Even I don't install terminal server, I can still use RDP client to the server and use all applications. What's the difference?
0
 
DrDave242Commented:
Without Terminal Server installed, you've got what's known as RDP for Administration.  It's intended to be used for just that - remote administration - rather than application sharing, and it only allows two concurrent connections.
0
 
okamonAuthor Commented:
I see... But it sounds that a practical solution for end users. When they need to use office application, ex: word. They have to open up RDP client, connect to terminal server, use the word in the server and save files on that server. And if they need to send that word document in email, they have to back to their desktop, fire up their outlook, look for the word document they created on the server. And if the location where they saved the file that is not shared, they don't have access to the file....... sounds very impractical.
0
 
okamonAuthor Commented:
by the way, i just install TS on my DC. I know usually it will not install on DC, it's my lab. I didn't install the license server at this time. I add one user in the remote desktop GP, but when I tried to access the server from client pc, why i still get denied access??
0
 
DrDave242Commented:
What's the exact error that you get when you try to log on?
0
 
ry_berkCommented:
Users can also set up their emails on a TS profile. That way their machine is just a dummy machine. Thats the way you would work around that.

0
 
okamonAuthor Commented:
here
rdp.jpg
0
 
DrDave242Commented:
From your, DC check the Domain Controller Security Policy (from Admin Tools).  In the policy, expand Local Policies and click on User Rights Assignment.  Double-click "Allow log on through Terminal Services."  Make sure the "Define these policy settings" box is checked and the Remote Desktop Users group (or whatever group you want to use) is listed.  If it's not, add it.
0
 
okamonAuthor Commented:
It's working now! Do you think it's because this is a DC, that's why I need to that? if I install the TS on a member server, do i still to do this or just simply add the user to remote desktop gp?

and how can i install the application? can I just install like usual or i need to perform extra steps?
0
 
okamonAuthor Commented:
and one more thing I noticed, the user can view everything on the DC, all folders, files, AD setting...
Do i have control over that?
0
 
DrDave242Commented:
That's one of the reasons why it's not a good idea to install Terminal Server on a DC - you end up allowing your TS users to effectively log on locally to the DC.  They don't have administrative rights (unless you explicitly give them admin rights), so they shouldn't be able to do too much damage, but it's still a security hole.

As far as installing TS on a member server, I don't recall whether that automatically grants the "Log on through Terminal Services" user right to anyone, so you'll want to check it to make sure.  In any case, you won't be checking the Domain Controller Security Policy, since it won't be installed on a DC - you'll need to check the policy for whatever OU that member server occupies.
0
 
okamonAuthor Commented:
thank you!! and how can i install the application? can I just install like usual (like double click on exe file) or i need to perform extra steps?
0
 
DrDave242Commented:
Make sure to change to install mode with "change user /install" first, and then you can install normally - by double-clicking setup.exe or whatever the app requires.  Then don't forget to change back to execute mode with "change user /execute" after the installation completes.
0
 
okamonAuthor Commented:
"Make sure to change to install mode with "change user /install" first"
in CMD? or right clikck on the app?
0
 
DrDave242Commented:
At a command prompt.
0
 
okamonAuthor Commented:
So you mean I type "change user/install" in CMD and then double click on any file?
And after the installation is done, I type "change user /execute" again in CMD?
0
 
DrDave242Commented:
Correct.
0
 
okamonAuthor Commented:
Thank you so much for your time!! Something just happened to me unexpectedly. After I reboot my DC, domain admin no longer able to remote access to it !! but physical access is fine..... what happened?
0
 
DrDave242Commented:
Not sure.  Are you getting the same error as before, or a different one?
0
 
okamonAuthor Commented:
same. I think the TS modified something
0
 
DrDave242Commented:
Yep, it must have.  Check that user right in the DC Security Policy again, and check the membership of the Remote Desktop Users group as well (unless you're using a different group, obviously).
0
 
okamonAuthor Commented:
By default the remote desktop group contains which group?  my has none there, but in remote desktop of computer system property, it shows "administrators already have access"
0
 
okamonAuthor Commented:
also checked the DC user right, the "Allow logon locally" , administrators is already in the list.

and plus administrator already has access to remote desktop, i cannot think of why this happened
0
 
DrDave242Commented:
I don't think Remote Desktop Users contains anything by default - at least, it's empty on a 2003 DC I have here.  "Allow logon locally" may be populated, but how about "Allow logon through Terminal Services?"
0
 
okamonAuthor Commented:
it's "not defined"
0
 
DrDave242Commented:
Define it and add Remote Desktop Users to it.
0
 
okamonAuthor Commented:
I just added the domain admin account to the "remote desktop users" in system property.
It works! but this should not be this. I believe if you check your DC, u don't have any admin account in the lists, but you can still access by rdp client.
0
 
okamonAuthor Commented:
and i also found out, the TS really screwed up my DC. now I just uninstalled TS to see if it's better, but it's not.

I added domain users in "remote desktop users" in system property., and they can just rdp to my DC.
0
 
okamonAuthor Commented:
in your user right, allow logon locally, what do you have there?
0
 
DrDave242Commented:
What's screwed up on the DC at the moment, now that TS has been removed?
0
 
DrDave242Commented:
On my DC, "Allow logon locally" is assigned to Account Operators, Administrators, Backup Operators, Print Operators, and Server Operators.
0
 
okamonAuthor Commented:
I have them as well, plus domain\IUSR_DC1. no idea what's this.

Yes, I uninstalled TS. But nothing changed.
0
 
DrDave242Commented:
The IUSR account is used for anonymous web access.  You must have IIS installed on that DC.
To clarify my earlier question, what's not working correctly on the DC?
0
 
okamonAuthor Commented:
Domain administrator doesn't have access to DC via RDP client.
I will assign you the point now, since you already answered my question. If you have time, please help me to fix this extra issue. Thank you for your time!!!
0
 
DrDave242Commented:
Go to My Computer Properties and look in the Remote tab.  Make sure the "Enable Remote Desktop" box is checked.  Removing TS has been known to disable that.
0
 
okamonAuthor Commented:
yes.I double checked, I checked it back.
one thing in user right,  allowed to log on through Terminal Services -> it's "Not defined".

Probably the TS change its default setting, where can I find out? I tried to add administrators there and it works.
0
 
DrDave242Commented:
Yeah, removing TS probably changed that back to "Not defined."  I don't have a DC with TS installed, so I can't verify that myself.
0
 
okamonAuthor Commented:
In you DC,  " allowed to log on through Terminal Services" -> it's not defined??? or not?
0
 
DrDave242Commented:
It's "Not defined" on my DC.
0
 
okamonAuthor Commented:
ok.... so same as my.... we are not able to find out what the default for "Not defined"???
0
 
DrDave242Commented:
I'm pretty sure "Not defined" is the default.  I haven't made any changes to that setting on my DC, as far as I know.
0
 
okamonAuthor Commented:
No, I mean, even though it is  "NOT DEFINED". But in the root of the AD, there should be policy there. So if here is "Not defined", then the policy propagate down. If I set something else here, it will overwrite the root setting. So I think there should be a setting in the root. Do you understand what i am trying to say?
0
 
DrDave242Commented:
I can verify that it's "Not defined" in both the Default Domain Policy and Default Domain Controller Policy on my server, so it is apparently not defined by default in any location.  It's simply a user right that's not assigned to anyone until you assign it.

Also, it's time for me to leave the office, so I will likely not be back on EE until Monday.
0
 
okamonAuthor Commented:
Thank you so much for spending your valuable time with me!! have a nice weekend
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.