Solved

Terminal Server - general cleanup tips

Posted on 2011-02-24
13
914 Views
Last Modified: 2012-05-11
I have quite a few Terminal Servers around and they have been around for a long time and over time they end up being like regular desktops multiplied by x number of users - all kinds of unnecessary junk. I am looking for some general cleanup tips for these Terminal Servers.  
0
Comment
Question by:lineonecorp
13 Comments
 
LVL 7

Expert Comment

by:adiloadilo
ID: 34976464
Install Windows 2008 Terminal Services Gateway and manage all from one interface, then delete one by one if not needed.
0
 
LVL 11

Accepted Solution

by:
yelbaglf earned 257 total points
ID: 34976551
We use a combination of terminal services profiles and good group policies to keep ours cleaned up at all times.

Here are a couple of good articles for overall term svcs group policies.
http://www.virtualizationadmin.com/articles-tutorials/terminal-services/general/managing-terminal-services-group-policy.html
http://www.virtualizationadmin.com/articles-tutorials/terminal-services/security/locking-down-windows-terminal-services.html

0
 

Author Comment

by:lineonecorp
ID: 34977725
adiloadilo:
Sorry I wasn't clear enough. What I meant was that we have many different sites that use Terminal Services - the sites are unrelated.

yelbaglf:

Ok, let's say things weren't locked down for a while and now we've locked them down but there is still debris from earlier. What tips would there be for cleaning up that kind of environment?
0
 

Assisted Solution

by:TFMX
TFMX earned 43 total points
ID: 34980860
Make sure their profiles are not set to save to the local terminal server and are set to use their storage server. Also limit the rights of users to save to the local server.
Also set up Windows Disk Cleanup to run regularly, as well as defrags.
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
ID: 34984887
Once you have your group policies set up correctly, then the users' profiles will be moved to the new location, upon the next logon/off after the policies are applied. In short, no more user data or user profiles on your terminal servers. If there are things left that you want to clean up like programs, etc., then just use Add/Remove Programs for this.

Read through the links, and you'll find there are policies for just about everything, even limiting the size of the profiles and removing the cache upon logoff.  If there is other maintenance that you feel is necessary like disk defrag, then it's perfectly ok to do this. (I'm assuming we are talking about physical servers here?)

Are there other things/items of concern besides the users' data and unused applications?  Feel free to ask, and I'll do my best to help!
0
 

Author Comment

by:lineonecorp
ID: 34989152
In summary you folks are recommending that Profiles not be stored on Terminal Servers but on a different computer?  My question in that context is that I have found that when profiles are not saved to the Terminal Server where the user is logged in it's more likely we end up with corrupt profiles. Maybe it's my own personal urban legend but that's what it seems to me like and I have attributed it to reading and writing profiles across the network as opposed to locally e.g. roaming profiles getting more corrupted than non-roaming.  Has anybody else had this experience/theory? I understand for large networks with many Terminal Servers redundancy is important and keeping profiles central is useful but most of the networks I deal with are small with only one TS.
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
ID: 34989757
If you decide to not move them to a central location other than the terminal server, then you can still lock down the environment by following the articles and leaving the profiles on the server. If you do this, you'll just need to decide what you want to do with the users' data that is clutter. If it truly is clutter, then just delete it, but if it's stuff that the users need or would want, you could enable group policy to copy the profiles off the server (but leave them there too) to a share that users have access to already. Then do your delete and cleanup on the server, but leave anything the users absolutely need on the server. Everything else they will have access to on the share or wherever you put it.

Afterwards, you can disable the policy and lock down your server, so that the clutter doesn't accumulate again.  I have seen corrupt user profiles, but when set up properly, it is more of a fear than a reality.  Some things to help prevent corrupt roaming profiles are the following:

-Limit the size of profiles (in previously posted links)
-Increase logoff timeout
-Use UPHC

http://support.microsoft.com/kb/299386
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=1b286e6d-8912-4e18-b570-42470e2f3582&displaylang=en

Also, in configuring your group policy, you'll be limiting the amount of data needed for your sessions, which means less traffic on your network.  Besides, the profiles are only moved back and forth across the network when logging in and out and not during the session because it uses a local cache on the server for the session.
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
ID: 34989789
Other thoughts I wanted to mention...

While not necessary, roaming ts profiles work best when deployed as close to your ts environment as possible. For instance, it doesn't make a ton of sense to have your profiles on one side of a WAN and your servers on the other. If you have room on the server and don't want to keep profiles on the 'server', then you could move them to a share on the server or any other close-by server. It's a matter of preference and what you feel is best for the environment.

Also, set up AV exclusions for RDP processes, as well as UPHC and your ts applications' processes.  There is no sense in scanning these processes, and setting up the exclusions will help with not only session performance but also reduction in profile corruption.
0
 

Author Comment

by:lineonecorp
ID: 34992630
yelbaglf:

Thanks for the additional input about the scanning and WAN.

One last followup on your comments and I'm gone.

You write:
"you could enable group policy to copy the profiles off the server (but leave them there too) to a share that users have access to already."

Can you explain that a bit more? Are you saying there is a specific group policy that allows a copy of the profile to be made to some network share but keeps the original in place as well so that when a user logs off and then logs back in again they use the one that was left in place but in theory there is a duplicate of that on the network share? Then as I delete stuff from the working profile there is always the backup that can be accessed if I have deleted too much?  What kind of items are you thinking of that are important to have on the share - actual files they have on their desktop or the little folders like Appdata, etc. in people's profiles?

 Do you have a link about this policy?
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
ID: 34993289
I apologize if that's a bit unclear...

You could enable the roaming profile location and set all your group policies up.  Then upon the next logon/logoff after the policy is applied, the users' local profiles will be copied to the roaming location.  Once the copy takes place, you can redirect the users' profiles back to the local server, and leave the contents in the roaming location.
http://support.microsoft.com/kb/888203/en-us

So this would give them a fresh and clean local profile.  If there is data they need specifically for an application like shortcuts or program folders, then you can copy these over with a login script. (this is how we do it)

Or you could map a drive via a login script to the network share that holds all the users' data (this is the local to roaming profile data), and they will then have access to any docs, etc. that they might need, while keeping it completely off the local server BUT using a local profile.

I would also recommend that your terminal servers are in an OU of their own, and make sure you test to ensure it reacts the way you are expecting, when applying all of these new group policies.
0
 
LVL 11

Assisted Solution

by:yelbaglf
yelbaglf earned 257 total points
ID: 34993332
If you wanted to do a regular copy without group policy, this would allow you to keep the entire profile locally but copy the user data over to a share, as a duplicate.  For this, you can just use Xcopy.

http://technet.microsoft.com/en-us/library/bb491035.aspx

Then once you have duplicated the user data, it would be a process of manually deleting and cleaning up what's not needed.  If you delete a file that a user needs, then you can just copy it back.  

Both ideas are similar.  With group policy, you get a completely clean local profile.  And with using the Xcopy method, you have less risk of needing to copy something back over locally because everything is still there.  But in both scenarios, you have the user data, and it's just a matter of getting it in the right place, where needed.

To take this a step further, you could use group policy redirection, as stated in the previous post.  Once the profiles are redirected from the local server to the network share, you can use Xcopy to make a copy of the network share.  Then you could 'undo' the policy, but this time instead of leaving the contents in the roaming profile location,  you could set it to copy the contents back over since you duplicated everything from the share.  Then you would have your manual cleanup process from above.
http://support.microsoft.com/kb/888203/en-us

It wouldn't be a bad idea either, depending on how important all the user data is, to just create a backup of the terminal server before any changes are made.  Then make your changes using whichever method makes most sense for you.  Now you have multiple ways to restore user data or start over, if needed.
0
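The Xcopy duplication step from the answer above, as an added example that is not part of the original thread: it copies each local profile to a share with ownership and ACLs preserved (so one user's data on the share is not readable by others), then compares file counts before any manual cleanup starts. The profile root, the share name `\\fileserver\ts-profile-backup` and the skip list are assumptions, as is PowerShell 3.0 or later running elevated with the users logged off.

```powershell
# Added example: duplicate local profile data to a share before cleanup.
# $ProfileRoot, $BackupShare and $Skip are assumed values for illustration.
$ProfileRoot = 'C:\Users'                        # 'C:\Documents and Settings' on older servers
$BackupShare = '\\fileserver\ts-profile-backup'  # hypothetical share on an NTFS volume
$Skip        = 'Public', 'Default', 'Default User', 'All Users'

$report = foreach ($dir in Get-ChildItem -Path $ProfileRoot -Directory -Force) {
    if ($Skip -contains $dir.Name) { continue }
    $dest = Join-Path $BackupShare $dir.Name

    # /E  subfolders, including empty ones
    # /H  hidden and system files
    # /K  keep file attributes
    # /O  keep file ownership and ACL information
    # /C  continue after errors (locked or access-denied files are skipped)
    # /I  treat the destination as a folder
    # /Y  do not prompt before overwriting
    & xcopy.exe $dir.FullName $dest /E /H /K /O /C /I /Y | Out-Null
    $exit = $LASTEXITCODE

    # Count files on both sides; unreadable paths are skipped silently,
    # so a mismatch means "look closer", not proof of data loss.
    $src = @(Get-ChildItem $dir.FullName -Recurse -Force -File -ErrorAction SilentlyContinue).Count
    $dst = @(Get-ChildItem $dest -Recurse -Force -File -ErrorAction SilentlyContinue).Count

    [pscustomobject]@{
        Profile     = $dir.Name
        XcopyExit   = $exit
        SourceFiles = $src
        CopiedFiles = $dst
        CountsMatch = ($exit -eq 0 -and $dst -ge $src)
    }
}

# Review this table before deleting anything from the local profiles.
$report | Format-Table -AutoSize
```

Profiles where `CountsMatch` is false should be checked by hand (open files such as NTUSER.DAT are the usual cause) before anything is removed from the server.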
 

Author Comment

by:lineonecorp
ID: 34994869
Thanks for all the time and information.
0
 
LVL 11

Expert Comment

by:yelbaglf
ID: 34996167
You're most welcome!  Glad I could help!
0

Question has a verified solution.
