GPO Settings

Hi,

I've a few things I'd like to do with TS and I think the following GPOs will help, but I'm not sure. Could someone please confirm my thoughts?

EXISTING SETTINGS:
------------------------
In Computer Configuration, Administrative Templates, Windows Components, Terminal Services:

Enabled - Restrict Terminal Services users to a single remote session
Enabled - Set time limit for disconnected sessions (2 hours)
Enabled - Sets a time limit for active but idle Terminal Services sessions (2 hours)
Enabled - Terminate session when time limits are reached
Not Configured - Limit number of connections

QUESTIONS:
------------------

"Keep-Alive Connections"
--------------------------
By enabling this, I think I will return to my prior session after a disconnect and all my previously opened applications will return as I left them before my disconnect. There is the "Keep-alive interval" setting, but I don't understand its description. I would think this is used to set how long my session is kept alive after a disconnect, but the description indicates how often my session is checked? Anyway, if I set this for "10", does this mean that I have 10 minutes to re-establish my connection before my work is lost?

"Set path for TS Roaming Profiles"
----------------------------------
I have roaming user profiles set for my local domain environment and when these same users connect via TS, they create a local profile on the server at "C:\Documents and Settings". This in turn can fill my C-Drive up with a lot of local profiles. I use DelProf.exe every 30 days to clear these out.

Can I use the "Set path for TS Roaming Profiles" to place these profiles on a different partition? And if so, will DelProf.exe find them in the future?

Also, I don't understand what a "Home Directory" is and therefore I don't understand how "TS User Home Directory" may help here. I'm thinking a "Home Directory" is a legacy from NT and it doesn't apply to my 2003 server and XP clients?

Security:
--------
Not a GPO question, but one about access. I now have VPN access to my environment, but the users have a tough time setting it up on their home computers. What risks do I run if I open port 3389 on my router and direct it to my TS server (which is everything else too - DC, Exchange, etc.)? (I believe by opening this port, the VPN Client Access software on the remote computers is no longer necessary.)

Thanks!

---
Bob

Guest Vera Noest [MVP]

Re: GPO Settings

comments inline

"Bob" <86c6c2e6-2146512712@news.postalias> wrote on 24 sep 2007 in
microsoft.public.windows.terminal_services:

> Hi,
>
> I've a few things I'd like to do with TS and I think the
> following GPOs will help, but I'm not sure. Could someone
> please confirm my thoughts?
>
> EXISTING SETTINGS:
> ------------------------
> In Computer Configuration, Administrative Templates, Windows
> Components, Terminal Services:
>
> Enabled - Restrict Terminal Services users to a single remote session
> Enabled - Set time limit for disconnected sessions (2 hours)
> Enabled - Sets a time limit for active but idle Terminal Services sessions (2 hours)
> Enabled - Terminate session when time limits are reached
> Not Configured - Limit number of connections
>
> QUESTIONS:
> ------------------
>
> "Keep-Alive Connections"
> --------------------------
> By enabling this, I think I will return to my prior session
> after a disconnect and all my previously opened applications
> will return as I left them before my disconnect. There is the
> "Keep-alive interval" setting, but I don't understand its
> description. I would think this is used to set how long my
> session is kept alive after a disconnect, but the description
> indicates how often my session is checked? Anyway, if I set
> this for "10", does this mean that I have 10 minutes to
> re-establish my connection before my work is lost?

KeepAlive does what the description says: it puts a heartbeat on the connection to detect if the connection is still alive. Without this mechanism, a session may not transition to a disconnected state and may remain active even though the client is physically disconnected from the Terminal Server. And that would mean that you cannot reconnect to the session, because the server thinks that it is still an active session.

If your session disconnects because of a network problem, and the server detects this in time because of the KeepAlive mechanism, the session will exist on the server for the time specified in the setting "Set time limit for disconnected sessions (2 hours)". When you connect to the server again, you will be reconnected to the disconnected session.

> "Set path for TS Roaming Profiles"
> ----------------------------------
> I have roaming user profiles set for my local domain environment
> and when these same users connect via TS, they create a local
> profile on the server at "C:\Documents and Settings". This in
> turn can fill my C-Drive up with a lot of local profiles. I use
> DelProf.exe every 30 days to clear these out.
>
> Can I use the "Set path for TS Roaming Profiles" to place these
> profiles on a different partition? And if so, will DelProf.exe
> find them in the future?

Yes, by all means!

Note that this will still create a local copy of the roaming profile in C:\Documents and Settings. But you can use this GPO setting to get rid of them again:

Computer Configuration - Administrative Templates - System - User Profiles
"Delete cached copies of roaming profiles"

so your server will never store more cached profiles than the number of concurrent users connecting to it. I've never used delprof, but as I understand it, it does more or less the same as the GPO setting mentioned above.

Using a roaming profile can (but doesn't have to) cause slightly longer logon times, because the centrally stored profile on the file server has to be copied to the locally cached profile on the Terminal Server. You can and should therefore minimize the size of the profile by using Folder Redirection settings in the GPO. At the minimum, redirect the My Documents folder to the user's home directory.

> Also, I don't understand what a "Home Directory" is and
> therefore I don't understand how "TS User Home Directory" may
> help here. I'm thinking a "Home Directory" is a legacy from NT
> and it doesn't apply to my 2003 server and XP clients?

The TS home directory is the folder in which the \windows subfolder is created. In this \windows subfolder, user-specific settings are stored (like ini files), which would reside in %systemroot% on a workstation.

Using Home Directories with Terminal Server
http://technet2.microsoft.com/windowsserver/en/library/a60adb56-7f30-4984-a062-7e43143852111033.mspx

246132 - User Profile and Home Directory Behavior with Terminal Services
http://support.microsoft.com/?kbid=246132

> Security:
> --------
> Not a GPO question, but one about access. I now have VPN access
> to my environment, but the users have a tough time setting it up
> on their home computers. What risks do I run if I open port
> 3389 on my router and direct it to my TS server (which is
> everything else too - DC, Exchange, etc.)? (I believe by opening
> this port, the VPN Client Access software on the remote
> computers is no longer necessary.)

Don't do this!
That would mean that there's only a single password between your domain, mailserver, and TS and the rest of the world. Even if you enforce strong passwords on all of your users, I would *not* recommend it.

Running TS on a DC is not recommended either, for both security and performance reasons, but is sometimes the only way in a very small business.
_________________________________________________________
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
TS troubleshooting: http://ts.veranoest.net
___ please respond in newsgroup, NOT by private email ___
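
The settings Vera walks through above all land in a handful of registry values once the GPO applies, and the facts behind the "open 3389 on the DC" question can be checked the same way. The PowerShell audit below is an added example, not code from the original thread or from Microsoft: it reads the policy-backed values that the TerminalServer.admx and System.admx templates write (fSingleSessionPerUser, MaxDisconnectionTime, MaxIdleTime, fResetBroken, MaxInstanceCount, KeepAliveEnable, KeepAliveInterval, WFProfilePath, WFHomeDir, DeleteRoamingCache, UserAuthentication, fDenyTSConnections), renders the millisecond time limits in hours so the keep-alive interval and the disconnected-session limit can be read side by side, and reports whether the host is a domain controller with an RDP listener and whether Network Level Authentication is required. It assumes an elevated shell on the Terminal Server itself and Windows Server 2012 or later for Get-CimInstance and Get-NetTCPConnection; the 2003 server in the thread would have to fall back to netstat -ano and the registry values alone. The function names are this example's own.

```powershell
# Added example, not from the original thread. Audits the Terminal Services
# policies discussed in the thread by reading the registry values the GPO
# writes, then reports the facts that matter before exposing TCP 3389.
# Assumptions: run elevated on the Terminal Server; Windows Server 2012 or
# later (Get-CimInstance / Get-NetTCPConnection do not exist on the 2003 box
# in the thread, where netstat -ano would be used instead).

$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$UpPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\System'
$RdpTcp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # A policy value exists only while a GPO sets it; absence means "Not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-Flag($v) {
    if ($null -eq $v) { 'Not configured' } elseif ($v -eq 1) { 'Enabled' } else { 'Disabled' }
}

function Format-Ms($ms) {
    # Session time limits are stored in milliseconds; 0 means "Never".
    if ($null -eq $ms) { 'Not configured' }
    elseif ($ms -eq 0) { 'Never' }
    else { '{0:N1} hours' -f ($ms / 3600000) }
}

function Get-TsPolicyReport {
    # GPO editor label -> backing registry value and how to render it.
    $rows = @(
        @{ Setting = 'Restrict TS users to a single remote session';   Name = 'fSingleSessionPerUser'; Path = $TsPolicy; Kind = 'flag' }
        @{ Setting = 'Set time limit for disconnected sessions';       Name = 'MaxDisconnectionTime';  Path = $TsPolicy; Kind = 'ms'   }
        @{ Setting = 'Set time limit for active but idle sessions';    Name = 'MaxIdleTime';           Path = $TsPolicy; Kind = 'ms'   }
        @{ Setting = 'Terminate session when time limits are reached'; Name = 'fResetBroken';          Path = $TsPolicy; Kind = 'flag' }
        @{ Setting = 'Limit number of connections';                    Name = 'MaxInstanceCount';      Path = $TsPolicy; Kind = 'raw'  }
        @{ Setting = 'Keep-Alive Connections';                         Name = 'KeepAliveEnable';       Path = $TsPolicy; Kind = 'flag' }
        # Heartbeat period in minutes: it decides how quickly a dropped client is
        # noticed, not how long the disconnected session survives (MaxDisconnectionTime).
        @{ Setting = 'Keep-alive interval (minutes)';                  Name = 'KeepAliveInterval';     Path = $TsPolicy; Kind = 'raw'  }
        @{ Setting = 'Set path for TS Roaming Profiles';               Name = 'WFProfilePath';         Path = $TsPolicy; Kind = 'raw'  }
        @{ Setting = 'TS User Home Directory';                         Name = 'WFHomeDir';             Path = $TsPolicy; Kind = 'raw'  }
        @{ Setting = 'Delete cached copies of roaming profiles';       Name = 'DeleteRoamingCache';    Path = $UpPolicy; Kind = 'flag' }
    )
    foreach ($r in $rows) {
        $v = Get-PolicyValue -Path $r.Path -Name $r.Name
        $shown = switch ($r.Kind) {
            'flag'  { Format-Flag $v }
            'ms'    { Format-Ms $v }
            default { if ($null -eq $v) { 'Not configured' } else { "$v" } }
        }
        [pscustomobject]@{ Setting = $r.Setting; Registry = $r.Name; Value = $shown }
    }
}

function Get-RdpExposureReport {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    $port = (Get-ItemProperty -Path $RdpTcp -Name PortNumber).PortNumber
    $listening = [bool](Get-NetTCPConnection -LocalPort $port -State Listen -ErrorAction SilentlyContinue)
    # Network Level Authentication makes the client authenticate before a session is
    # built; it can be set per listener or by the "Require user authentication for
    # remote connections by using Network Level Authentication" policy.
    $nlaListener = (Get-ItemProperty -Path $RdpTcp -Name UserAuthentication -ErrorAction SilentlyContinue).UserAuthentication
    $nlaPolicy   = Get-PolicyValue -Path $TsPolicy -Name 'UserAuthentication'
    [pscustomobject]@{
        IsDomainController   = ($os.ProductType -eq 2)
        RdpPort              = $port
        RdpListenerPresent   = $listening
        NlaRequired          = (($nlaPolicy -eq 1) -or ($nlaListener -eq 1))
        RdpConnectionsDenied = ((Get-PolicyValue -Path $TsPolicy -Name 'fDenyTSConnections') -eq 1)
    }
}

Get-TsPolicyReport | Format-Table -AutoSize
Get-RdpExposureReport | Format-List
```

A Value of "Not configured" means no GPO writes that key and the listener defaults under the RDP-Tcp WinStation apply. The two rows that answer Bob's keep-alive question sit next to each other: the keep-alive interval is a heartbeat period in minutes, while the time a disconnected session survives is MaxDisconnectionTime, shown in hours. If the exposure report says IsDomainController is True and RdpListenerPresent is True, forwarding 3389 from the router puts exactly the single-password boundary Vera describes in front of the domain.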

Guest Ken Zhao [MSFT]

Re: GPO Settings

Hello Bob,

Thank you for using the newsgroup, and thanks to Vera Noest for his great information sharing.

From your post,

Thanks & Regards,

Ken Zhao

Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - http://www.microsoft.com/security
====================================================
When responding to posts, please "Reply to Group" via your newsreader so that others may learn and benefit from your issue.
====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

Re: GPO Settings

Thanks, Vera, for all your comments. (Just getting around to reading through my posts today.)

Bob.

