Which Remote Desktop Client Access is used on a W2K3 terminal server when Admin logs in?

dmci
dmci used Ask the Experts™
on
When a member of the Administrators Group logs into a W2K3 terminal server using Remote Desktop (RD) Client, which access is used on the server:  RD for Administration  or a standard Terminal Server CAL?  If someone insists on logging in as Administrator to run Applications -- not perform server administration -- what is the impact on the application performance if the User's session is disconnected or a Screen saver kicks in on the terminal server?

I found a reference that explains the remote access environment when  a member of the Administrator's group remotely logs into a Windows 2008 server without vs with Terminal Services installed, but I cannot find a similar comparison for Windows 2003 in plain English.

A link to any formal documentation that details this would be greatly appreciated, even if it only says there is no difference.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Top Expert 2011

Commented:
Is the Terminal Server running in Application mode or Admin Mode?

Why would a normally used account have admin permissions. I find it best to have only a a few accounts with Admin permissions. My normally log on is does not even have admin permission on any server.
it depends upon the mode of the server it has been configured,whether its a remote administration server or application mode server.
Any user logging in with Admin privileges will gain admin access in Remote Terminal administration server. Normal users will not be able to do any admin tasks. If it is application mode, then it will be used just to connect to a application through Remote desktop client.

Normally, when you disconnect from the terminal session, the session will be still running on the server. You can again login and start from the point you got disconnect. But remember, you can define the Terminal policies on how you want your terminal sessions.

Below is the link that may be helpful to you:
http://www.comptechdoc.org/os/windows/win2k/win2kterminal.html

Author

Commented:
Just lost my detailed response, the buttons aren't showing up properly on my home screen.  I believe the system is set up in application mode, but I'm not totally sure how to verify that.  I will respond to the comments and questions tomorrow with a bit more background.  Checked the link provided by GHouseAdmin and it still isn't really clear when a member of the Administrators Group logs in to a W2K3 TS-- with no special switches, ie. /console or /admin -- whether they are using the RD for Administration by virtue of the group membership, or whether the system just uses a standard TS CAL.
How to Generate Services Revenue the Easiest Way

This Tuesday! Learn key insights about modern cyber protection services & gain practical strategies to skyrocket business:

- What it takes to build a cloud service portfolio
- How to determine which services will help your unique business grow
- Various use-cases and examples

Author

Commented:
After reading your responses, also did a bit more research this a.m.  I am rewording the basic question is actually a two parter:
When the W2K3 Administrator remotely logs into a W2K3 Terminal Server, does that admin user use one of the two bulit-in Remote Desktop for Admnistration CALs, or does that login use a TS CAL?  

When a member of the Administrator Group, who is also listed in the Remote Desktop Group, remotely logs into a W2K3 Terminal Server, does that User use of the two built-in Remote Desktop for Administration (RDforA) CALs, or does that login use a TS CAL?  Additionally, if one or both of the RD for A CALs are in use, and another member of the Administrator group remotely logs into the same TS, will that user then be applied against an available TS CAL, or will that user be denied access?

Reference the comment by TheHiTechCoach, we inherited these TS servers and had little to no input into their build or configuration.  I am working to reduce the large number of Users with full Admin rights, some of whom are essentially Application Managers who believe they must have full admin access to perform their functions.  My research indicates that if I move these persons into the Power User group, they should be able to do most if not all necessary functions, i.e. add users, install programs, create directories, etc.  Unfortunately, politics rather than security and technology is a factor that I have to overcome to implement this.
Mind you this all started because the primary Application manager, who insists on logging in as Administrator, complained that when he is running reports on the TS (which can take several hours to complete) the screen saver kicks in on the terminal server and ends the session.  Thus forcing him to start all over again.  Note that at this time, there are no limits on sessions, disconnects, etc.

I know best practice says screen savers should be turned off for TS users, but I feel that when the Administrator is logged in, locally or remotely, there should be a screen saver in effect.  

Anyway, have to go to a meeting.  Would really appreciate it if someone could answer the questions above.  Thanks ahead of time.
Commented:
All, I think I figured out the answer to my questions.  Even our Microsoft rep couldn't specifically answer the question.  Apparently, when one logs into a Terminal Server with TS CALs installed/activated, the server assumes you are a standard user -- assigns a TS CAL-- unless one checks the /console option in the RD Client GUI or  includes the /admin or /console switch when logging in via a command line. Of course, it helps if the TS systems were set up correctly and the TS CALs were also configured/installed properly on the target systems in the first place.  

I also am fairly sure that membership in the admininstrators group really doesn't matter when it comes to logging in on a server as long as said user is also part of the remote desktop group (i.e. the built in Administrator ID, of course, is a remote desktop group member by default).  If standard TS/RD CALS aren't available, the system will grant access using one of the two built-in admin CALs.  Of course, other privileges and capabilities  (ie Admin tasks) are still dependent on group membership and granted rights.

I have seen this in our environment many times over, as we do have developers and testers (with no admin privileges) login, as well as Users logging in to one of our TS systems, on which the only valid Remote access CALs are the two admin CALs. (I'm working to get that issue fixed...).

While the input from the two responders above is appreciated,neither really answered the question(s) or really provided any new information beyond what I have already learned.  So no award points to go out.    Hopefully whoever monitor these questions will take care of closing out this question..

Author

Commented:
While the input from the two responders was appreciated,neither really answered the question(s) or really provided any new information beyond what I have already learned up to that point.  So no award points to go out.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial