Solved

Terminal Server - general cleanup tips

Posted on 2011-02-24
Last Modified: 2012-05-11
I have quite a few Terminal Servers around and they have been around for a long time and over time they end up being like regular desktops multiplied by x number of users - all kinds of unnecessary junk. I am looking for some general cleanup tips for these Terminal Servers.  
Question by:lineonecorp
13 Comments
 
LVL 7

Expert Comment

by:adiloadilo
Install Windows 2008 Terminal Services Gateway and manage all from one interface, then delete one by one if not needed.
0
 
LVL 11

Accepted Solution

by:yelbaglf
yelbaglf earned 257 total points
We use a combination of terminal services profiles and good group policies to keep ours cleaned up at all times.

Here are a couple of good articles for overall term svcs group policies.
http://www.virtualizationadmin.com/articles-tutorials/terminal-services/general/managing-terminal-services-group-policy.html
http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/locking-down-windows-terminal-services.html

0
 

Author Comment

by:lineonecorp
adiloadilo:
Sorry I wasn't clear enough. What I meant was that we have many different sites that use Terminal Services - the sites are unrelated.

yelbaglf:

Ok, let's say things weren't locked down for a while and now we've locked them down but there is still debris from earlier. What tips would there be for cleaning up that kind of environment?
0
 

Assisted Solution

by:TFMX
TFMX earned 43 total points
Make sure their profiles are not set to save to the local terminal server and are set to use their storage server. Also limit the rights of users to save to the local server.
Also set up Windows Disk Cleanup to run regularly, as well as defrags.
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
Once you have your group policies set up correctly, then the users' profiles will be moved to the new location, upon the next logon/off after the policies are applied.  In short, no more user data or user profiles on your terminal servers.  If there are things left that you want to clean up like programs, etc., then just use Add/Remove Programs for this.

Read through the links, and you'll find there are policies for just about everything, even limiting the size of the profiles and removing the cache upon logoff.  If there is other maintenance that you feel is necessary like disk defrag, then it's perfectly ok to do this. (I'm assuming we are talking about physical servers here?)

Are there other things/items of concern besides the users' data and unused applications?  Feel free to ask, and I'll do my best to help!
0
 

Author Comment

by:lineonecorp
In summary you folks are recommending that Profiles not be stored on Terminal Servers but on a different computer?  My question in that context is that I have found that when profiles are not saved to the Terminal Server where the user is logged in it's more likely we end up with corrupt profiles. Maybe it's my own personal urban legend but that's what it seems to me like and I have attributed it to reading and writing profiles across the network as opposed to locally e.g. roaming profiles getting more corrupted than non-roaming.  Has anybody else had this experience/theory? I understand for large networks with many Terminal Servers redundancy is important and keeping profiles central is useful but most of the networks I deal with are small with only one TS.
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
If you decide to not move them to a central location other than the terminal server, then you can still lock down the environment by following the articles and leaving the profiles on the server.  If you do this, you'll just need to decide what you want to do with the users' data that is clutter.  If it truly is clutter, then just delete it, but if it's stuff that the users need or would want, you could enable group policy to copy the profiles off the server (but leave them there too) to a share that users have access to already.  Then do your delete and cleanup on the server, but leave anything the users absolutely need on the server.  Everything else they will have access to on the share or wherever you put it.

Afterwards, you can disable the policy and lock down your server, so that the clutter doesn't accumulate again.  I have seen corrupt user profiles, but when set up properly, it is more of a fear than a reality.  Some things to help prevent corrupt roaming profiles are the following:

-Limit the size of profiles (in previously posted links)
-Increase logoff timeout
-Use UPHC

http://support.microsoft.com/kb/299386
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en

Also, in configuring your group policy, you'll be limiting the amount of data needed for your sessions, which means less traffic on your network.  Besides, the profiles are only moved back and forth across the network when logging in and out and not during the session because it uses a local cache on the server for the session.
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
Other thoughts I wanted to mention...

While not necessary, roaming ts profiles work best when deployed as close to your ts environment as possible.  For instance, it doesn't make a ton of sense to have your profiles on one side of a WAN and your servers on the other.  If you have room on the server and don't want to keep profiles on the 'server', then you could move them to a share on the server or any other close-by server.  It's a matter of preference and what you feel is best for the environment.

Also, set up AV exclusions for RDP processes, as well as UPHC and your ts applications' processes.  There is no sense in scanning these processes, and setting up the exclusions will help with not only session performance but also reduction in profile corruption.
0
 

Author Comment

by:lineonecorp
yelbaglf:

Thanks for the additional input about the scanning and WAN.

One last followup on your comments and I'm gone.

You write:
"you could enable group policy to copy the profiles off the server (but leave them there too) to a share that users have access to already."

Can you explain that a bit more? Are you saying there is a specific group policy that allows a copy of the profile to be made to some network share but keeps the original in place as well so that when a user logs off and then logs back in again they use the one that was left in place but in theory there is a duplicate of that on the network share? Then as I delete stuff from the working profile there is always the backup that can be accessed if I have deleted too much?  What kind of items are you thinking of that are important to have on the share - actual files they have on their desktop or the little folders like Appdata, etc. in people's profiles?

Do you have a link about this policy?
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
I apologize if that's a bit unclear...

You could enable the roaming profile location and set all your group policies up.  Then upon the next logon/logoff after the policy is applied, the users' local profiles will be copied to the roaming location.  Once the copy takes place, you can redirect the users' profiles back to the local server, and leave the contents in the roaming location.
http://support.microsoft.com/kb/888203/en-us

So this would give them a fresh and clean local profile.  If there is data they need specifically for an application like shortcuts or program folders, then you can copy these over with a login script. (this is how we do it)

Or you could map a drive via a login script to the network share that holds all the users' data (this is the local to roaming profile data), and they will then have access to any docs, etc. that they might need, while keeping it completely off the local server BUT using a local profile.

I would also recommend that your terminal servers are in an OU of their own, and make sure you test to ensure it reacts the way you are expecting, when applying all of these new group policies.
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
If you wanted to do a regular copy without group policy, this would allow you to keep the entire profile locally but copy the user data over to a share, as a duplicate.  For this, you can just use Xcopy.

http://technet.microsoft.com/en-us/library/bb491035.aspx

Then once you have duplicated the user data, it would be a process of manually deleting and cleaning up what's not needed.  If you delete a file that a user needs, then you can just copy it back.  

Both ideas are similar.  With group policy, you get a completely clean local profile.  And with using the Xcopy method, you have less risk of needing to copy something back over locally because everything is still there.  But in both scenarios, you have the user data, and it's just a matter of getting it in the right place, where needed.

To take this a step further, you could use group policy redirection, as stated in the previous post.  Once the profiles are redirected from the local server to the network share, you can use Xcopy to make a copy of the network share.  Then you could 'undo' the policy, but this time instead of leaving the contents in the roaming profile location,  you could set it to copy the contents back over since you duplicated everything from the share.  Then you would have your manual cleanup process from above.
http://support.microsoft.com/kb/888203/en-us

It wouldn't be a bad idea either, depending on how important all the user data is, to just create a backup of the terminal server before any changes are made.  Then make your changes using whichever method makes most sense for you.  Now you have multiple ways to restore user data or start over, if needed.
0
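
The Xcopy duplication described in the comment above, sketched in PowerShell with a per-profile check that the copy is complete before anything is deleted. This is an added example, not part of the original thread; the profile root, the share name `\\fileserver\ts-profile-backup` and the skip list are assumptions, and it assumes the destination folders start out empty.

```powershell
# Added example: duplicate each local profile to a share before manual cleanup.
# Assumed values (not from the thread): the profile root and the backup share.
$ProfileRoot = 'C:\Users'                       # 'C:\Documents and Settings' on Server 2003
$BackupShare = '\\fileserver\ts-profile-backup' # hypothetical share name
$Skip        = 'Public', 'Default', 'Default User', 'All Users'

# Count files under a path; unreadable folders are skipped rather than fatal.
function Get-FileCount([string]$Path) {
    @(Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer }).Count
}

# Run while users are logged off: a loaded NTUSER.DAT is locked and will not copy.
$report = foreach ($dir in Get-ChildItem -Path $ProfileRoot -Force) {
    if (-not $dir.PSIsContainer -or $Skip -contains $dir.Name) { continue }
    $dest = "$BackupShare\$($dir.Name)"

    # /E subfolders (including empty)   /H hidden and system files
    # /C keep going after an error      /I treat destination as a folder
    # /K keep the read-only attribute   /O copy ownership and ACLs, so each
    # /Y do not prompt on overwrite        user's copy stays private on the share
    & xcopy.exe $dir.FullName $dest /E /H /C /I /K /O /Y | Out-Null
    $exit = $LASTEXITCODE

    # Because /C hides individual failures, compare file counts as well.
    $src = Get-FileCount $dir.FullName
    $dst = Get-FileCount $dest
    New-Object PSObject -Property @{
        Profile     = $dir.Name
        XcopyExit   = $exit
        SourceFiles = $src
        CopiedFiles = $dst
        SafeToClean = ($exit -eq 0 -and $dst -ge $src)
    }
}

$report | Sort-Object Profile |
    Format-Table Profile, XcopyExit, SourceFiles, CopiedFiles, SafeToClean -AutoSize
```

A profile reported with `SafeToClean` set to False had files that were skipped (locked or access denied) and should be copied again before its local data is deleted.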
 

Author Comment

by:lineonecorp
Thanks for all the time and information.
0
 
LVL 11

Expert Comment

by:yelbaglf
You're most welcome!  Glad I could help!
0
