• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 371
  • Last Modified:

Terminal Server - Best Pratice

Hi Experts,

I hope you can help me. I'm after opinion really from real case examples. We recently have started to provide terminal services for some of our clients. These clients primarily use office, and a few other programs, and connect to our system via citrix

We have applied much of the security restrictions from Microsoft best practice documentation for terminal servers 2003, but in some ways this is a bit too restrictive

Some of problems users are facing are the following;

Unable to click on links in a spread sheet that map to files stored else where
Every time they double click on a folder or drive it opens in a new window

Also the in-ablity to right click has been problematic so we have had to enable that

My questions for you are the following

Any ideas on how to resolve these issues
How restrictive in your experiences do you make your terminal servers?
And any other advice?
  • 3
  • 3
1 Solution
I have worked for a few hosted services companies, all of which use Citrix, policies varied, client to client, and sometimes there would be a power user and regular user category.  I restrict as much as I can without being overly invasive.  For example, if opening a link from an excel spreadsheet is needed for users to complete their job, it is what it is.  

Some clients (Large banks, CC companies) would provide minimum hardening, so anything that went against those agreements we really easy to deal with "Have you CSIO sign this and I will disable it"... That almost never happened.

As for advise, if only 5 users need the ability to click links or use right click, create a GPO using security filtering so that only they can open a link.
FSIFMAuthor Commented:
Cheers Chris,

Any idea what policies are cause the adverse behavior I've mentioned? I have look through them but nothing stands out presently, especially not why multiple windows are opening
Looks like it may get caused if you turn on "Classic View" through a GPO.  Check these links out -


It looks like that reg key holds a lot of values, so I would probably create a local user and setup the folder options how you would like the end user to see, and grab the reg key from your setup account and apply it to your users with a Policy Preference or log on script.
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

FSIFMAuthor Commented:
Awesome! Chris that totally fixed our issues

The only problem i now have is only new users are fixed. Just like link number 2, existing users retain the problem unless their profiles are removed

Any idea on how to resolve it without removing their profiles?
Did you use a logon script or GPP?
I just removed the required registy and make the IE browser the fix link and without any rdirectly .

Your make harden to control the users by GPO no access of other folder , or only allow that xls .
FSIFMAuthor Commented:
I ended up removing their profiles out of hours and re-creating them. Thank you all for your assistance
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

  • 3
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now