  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 932

Terminal Server - general cleanup tips

I have quite a few Terminal Servers around and they have been around for a long time and over time they end up being like regular desktops multiplied by x number of users - all kinds of unnecessary junk. I am looking for some general cleanup tips for these Terminal Servers.  
0
lineonecorp
Asked:
lineonecorp
7 Solutions
 
adiloadilo Commented:
Install Windows 2008 Terminal Services Gateway and manage all from one interface, then delete one by one if not needed.
0
 
yelbaglf Commented:
We use a combination of terminal services profiles and good group policies to keep ours cleaned up at all times.

Here are a couple of good articles for overall term svcs group policies.
http://www.virtualizationadmin.com/articles-tutorials/terminal-services/general/managing-terminal-services-group-policy.html
http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/locking-down-windows-terminal-services.html

0
 
lineonecorp (Author) Commented:
adiloadilo:
Sorry I wasn't clear enough. What I meant was that we have many different sites that use Terminal Services - the sites are unrelated.

yelbaglf:

Ok, let's say things weren't locked down for a while and now we've locked them down but there is still debris from earlier. What tips would there be for cleaning up that kind of environment?
0

 
TFMX Commented:
Make sure their profiles are not set to save to the local terminal server and are set to use their storage server. Also limit the rights of users to save to the local server.
Also set up Windows Disk Cleanup to run regularly, as well as defrags.
0
 
yelbaglf Commented:
Once you have your group policies set up correctly, then the users' profiles will be moved to the new location, upon the next logon/off after the policies are applied.  In short, no more user data or user profiles on your terminal servers.  If there are things left that you want to clean up like programs, etc., then just use Add/Remove Programs for this.

Read through the links, and you'll find there are policies for just about everything, even limiting the size of the profiles and removing the cache upon logoff.  If there is other maintenance that you feel is necessary like disk defrag, then it's perfectly ok to do this. (I'm assuming we are talking about physical servers here?)

Are there other things/items of concern besides the users' data and unused applications?  Feel free to ask, and I'll do my best to help!
0
 
lineonecorp (Author) Commented:
In summary you folks are recommending that Profiles not be stored on Terminal Servers but on a different computer?  My question in that context is that I have found that when profiles are not saved to the Terminal Server where the user is logged in it's more likely we end up with corrupt profiles. Maybe it's my own personal urban legend but that's what it seems to me like and I have attributed it to reading and writing profiles across the network as opposed to locally e.g. roaming profiles getting more corrupted than non-roaming.  Has anybody else had this experience/theory? I understand for large networks with many Terminal Servers redundancy is important and keeping profiles central is useful but most of the networks I deal with are small with only one TS.
0
 
yelbaglf Commented:
If you decide to not move them to a central location other than the terminal server, then you can still lock down the environment by following the articles and leaving the profiles on the server.  If you do this, you'll just need to decide what you want to do with the users' data that is clutter.  If it truly is clutter, then just delete it, but if it's stuff that the users need or would want, you could enable group policy to copy the profiles off the server (but leave them there too) to a share that users have access to already.  Then do your delete and cleanup on the server, but leave anything the users absolutely need on the server.  Everything else they will have access to on the share or wherever you put it.

Afterwards, you can disable the policy and lock down your server, so that the clutter doesn't accumulate again.  I have seen corrupt user profiles, but when set up properly, it is more of a fear than a reality.  Some things to help prevent corrupt roaming profiles are the following:

-Limit the size of profiles (in previously posted links)
-Increase logoff timeout
-Use UPHC

http://support.microsoft.com/kb/299386
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en

Also, in configuring your group policy, you'll be limiting the amount of data needed for your sessions, which means less traffic on your network.  Besides, the profiles are only moved back and forth across the network when logging in and out and not during the session because it uses a local cache on the server for the session.
0
 
yelbaglf Commented:
Other thoughts I wanted to mention...

While not necessary, roaming ts profiles work best when deployed as close to your ts environment as possible.  For instance, it doesn't make a ton of sense to have your profiles on one side of a WAN and your servers on the other.  If you have room on the server and don't want to keep profiles on the 'server', then you could move them to a share on the server or any other close-by server.  It's a matter of preference and what you feel is best for the environment.

Also, set up AV exclusions for RDP processes, as well as UPHC and your ts applications' processes.  There is no sense in scanning these processes, and setting up the exclusions will help with not only session performance but also reduction in profile corruption.
0
 
lineonecorp (Author) Commented:
yelbaglf:

Thanks for the additional input about the scanning and WAN.

One last followup on your comments and I'm gone.

You write:
"you could enable group policy to copy the profiles off the server (but leave them there too) to a share that users have access to already."

Can you explain that a bit more? Are you saying there is a specific group policy that allows a copy of the profile to be made to some network share but keeps the original in place as well so that when a user logs off and then logs back in again they use the one that was left in place but in theory there is a duplicate of that on the network share? Then as I delete stuff from the working profile there is always the backup that can be accessed if I have deleted too much?  What kind of items are you thinking of that are important to have on the share - actual files they have on their desktop or the little folders like Appdata, etc. in people's profiles?

 Do you have a link about this policy?
0
 
yelbaglf Commented:
I apologize if that's a bit unclear...

You could enable the roaming profile location and set all your group policies up.  Then upon the next logon/logoff after the policy is applied, the users' local profiles will be copied to the roaming location.  Once the copy takes place, you can redirect the users' profiles back to the local server, and leave the contents in the roaming location.
http://support.microsoft.com/kb/888203/en-us

So this would give them a fresh and clean local profile.  If there is data they need specifically for an application like shortcuts or program folders, then you can copy these over with a login script. (this is how we do it)

Or you could map a drive via a login script to the network share that holds all the users' data (this is the local to roaming profile data), and they will then have access to any docs, etc. that they might need, while keeping it completely off the local server BUT using a local profile.

I would also recommend that your terminal servers are in an OU of their own, and make sure you test to ensure it reacts the way you are expecting, when applying all of these new group policies.
0
 
yelbaglf Commented:
If you wanted to do a regular copy without group policy, this would allow you to keep the entire profile locally but copy the user data over to a share, as a duplicate.  For this, you can just use Xcopy.

http://technet.microsoft.com/en-us/library/bb491035.aspx

Then once you have duplicated the user data, it would be a process of manually deleting and cleaning up what's not needed.  If you delete a file that a user needs, then you can just copy it back.  

Both ideas are similar.  With group policy, you get a completely clean local profile.  And with using the Xcopy method, you have less risk of needing to copy something back over locally because everything is still there.  But in both scenarios, you have the user data, and it's just a matter of getting it in the right place, where needed.

To take this a step further, you could use group policy redirection, as stated in the previous post.  Once the profiles are redirected from the local server to the network share, you can use Xcopy to make a copy of the network share.  Then you could 'undo' the policy, but this time instead of leaving the contents in the roaming profile location,  you could set it to copy the contents back over since you duplicated everything from the share.  Then you would have your manual cleanup process from above.
http://support.microsoft.com/kb/888203/en-us

It wouldn't be a bad idea either, depending on how important all the user data is, to just create a backup of the terminal server before any changes are made.  Then make your changes using whichever method makes most sense for you.  Now you have multiple ways to restore user data or start over, if needed.
0
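
The Xcopy duplication described in the comment above, as an added example that is not part of the original thread: it copies each local profile to a share with ownership and ACLs preserved (so the duplicate is not readable by other users), then reports which files did not make it across before anything is deleted locally. The profile root, the share name `\\FILESRV01\TSProfileBackup$` and the skip list are assumptions; it assumes PowerShell 3.0 or later, run elevated.

```powershell
# Added example: duplicate local profiles to a share, then verify the copy.
$ProfileRoot = 'C:\Users'                      # assumption: profile root on this TS
$BackupRoot  = '\\FILESRV01\TSProfileBackup$'  # hypothetical share name
$Skip        = 'Public', 'Default', 'Default User', 'All Users'

function Get-RelativeFileList {
    param([string]$Root)
    # Relative paths of every file under $Root, hidden and system files included.
    $full = (Get-Item -LiteralPath $Root -Force).FullName.TrimEnd('\')
    Get-ChildItem -LiteralPath $full -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object { $_.FullName.Substring($full.Length + 1) }
}

$report = foreach ($p in Get-ChildItem -LiteralPath $ProfileRoot -Directory -Force) {
    if ($Skip -contains $p.Name) { continue }
    $dest = Join-Path $BackupRoot $p.Name

    # /E subdirectories incl. empty   /H hidden and system files
    # /K keep attributes              /O keep owner and ACL information
    # /C continue on errors           /I destination is a directory   /Y no prompt
    & xcopy.exe $p.FullName $dest /E /H /K /O /C /I /Y | Out-Null
    $exit = $LASTEXITCODE

    # Compare source and destination file lists (hashtable keys are case-insensitive).
    $src  = @(Get-RelativeFileList $p.FullName)
    $have = @{}
    if (Test-Path -LiteralPath $dest) {
        foreach ($f in @(Get-RelativeFileList $dest)) { $have[$f] = $true }
    }
    $missing = @($src | Where-Object { -not $have.ContainsKey($_) })

    [pscustomobject]@{
        Profile   = $p.Name
        XcopyExit = $exit             # 0 means xcopy reported no errors
        Files     = $src.Count
        Missing   = $missing.Count    # e.g. NTUSER.DAT while the user is logged on
        Owner     = if (Test-Path -LiteralPath $dest) { (Get-Acl -LiteralPath $dest).Owner } else { $null }
    }
}

# Clean up locally only for profiles where Missing is 0 and XcopyExit is 0.
$report | Format-Table -AutoSize
```

Running it while users are logged off avoids locked registry hives showing up in the Missing column.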
 
lineonecorp (Author) Commented:
Thanks for all the time and information.
0
 
yelbaglf Commented:
You're most welcome!  Glad I could help!
0
