Home | Site Map | Cisco How To |  Net How To | Windows Vista | Case Studies | Forums | Services | Donations | Careers | About Us | Contact Us|

From: Jeff Pitsch <Jeff@Jeffpitschconsulting.com>

To: none

Subject: Re: Windows 2000 Terminal migration to 2003.

Date: 09/25/2007 09:55:21

I would not recommend saving the profiles as profile migration from one

version to another is typically ripe with problems. I think you'll save

yourself a lot of trouble over the long run by simply using new

profiles. If you are truly concerned about the printers you could

export the key for each user and reimport that.

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

Lasse wrote:

> Hi

>

> We have a Windows 2000 Terminal server and I am planning to change it to

> 2003. My idea was to save all the important data and each users profile and

> then do a fresh installation of Server 2003.

> My problem is that I am not sure how to backup the user profiles so I can

> import them when the 2003 server is running. If I can't save the user

> profiles all the printers need to be installed again and I would like to

> avoid that.

>

> Any ideas?

Top

From: Jeff Pitsch <Jeff@Jeffpitschconsulting.com>

To: none

Subject: Re: Where are my TS Device CALs going?

Date: 09/27/2007 14:46:17

WBT would be Windows Based Terminals. WI does look like a web interface

name, maybe a contractor or consultant came in that way. The 192's

could be linux devices or something without a registry. As for the rest

i would guess home users. there really isn't much else you can do to

identify them except maybe if your auditing logons you could track down

that way.

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

Daniel Segel wrote:

> We have 140 Per-Device CALs installed on our licensing server. At this point

> they have all been issued, but the TS Licensing Manager doesn't tell me

> who/what device each Device CAL has been issued to other than giving a simple

> name. The problem is that there are seemingly many licenses issued to devices

> I can't identify and there are several cases where there are multiple

> licenses issued to the same device (by name).

>

> For example, I have licenses issued to:

>

> jsmith

> jsmith

> jsmith

> default

> dafault

> LH-UAGS5F2WL7GZ

> 192.168.0.13

> 192.168.1.2

> WBT00806439040D

> WBT0080643905C8

> WI_JyeXK7iFyI9b1t

>

> Note that we do not use any 192.168.x.x IPs anywhere on our network, and all

> systems here have real (identifiable) names. I suspect the 192.168.x.x

> devices are coming in via our Juniper SSL VPN box (because I've seen similar

> IPs there before), but there aren't enough to account for all users who come

> in that way. The WI_Jxxxx device looks like a Citrix Web Interface generated

> ID, but I'm not sure why there would be any of those at this point (we're not

> running Citrix WI at this time).

>

> Is there any way to get further information on what device these CALs have

> been issued to?

>

> Thanks,

>

> Daniel

Top

From: Jeff Pitsch <Jeff@Jeffpitschconsulting.com>

To: none

Subject: Re: W2K3 Enterprise 32-bit RAM Allocation

Date: 09/27/2007 10:46:30

/PAE doesn't reduce kernel memory, the /3gb switch does. Windows 2003

standard cannot address 8gb of ram so that would be a waste. If there

is a reduction of kernel space it is because of the PTE's needing to be

virtualized which does introduce a bit of performance hit but if the

terminal servers are memory constrained then this is what you need to

do. /PAE is required to address memory over 4gb on enterprise.

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

cendrars wrote:

> Hello,

>

> Customers are purchasing blades with 8GB of RAM and running W2K3 Enterprise

> Edition to run terminal services. I am seeing build sheets with the /PAE

> switch applied to these servers to support RAM beyond the 32-bit 4GB

> threshold.

>

> Is the /PAE switch indeed required for W2K3 Enterprise to address 8GB of

> RAM? As the /PAE switch reduces kernel memory as result of additional RAM

> addressing beyond the 4GB limit, this strikes me as a questionable move for

> TS.

>

> Does W2K3 Enterprise indeed require the /PAE switch to address 8GB of RAM?

> Is this reduction in kernel memory an issue for TS?

>

> I am recalling a white paper I read some time back referencing server sizing

> for TS. My recollection is that W2K3 Enterprise with 32GB RAM allocation via

> /PAE offers a 15% reduction in application service when compared to a

> standard W2K3 server running 8GB. I am tracking down my recollection this

> morning. If anyone here should care to comment on my recollection, I would

> be grateful. Thanks.

Top

From: Rong Chen [MSFT] <rochen@online.microsoft.com>

To: none

Subject: Re: Virtual channel reconnect on longhorn (Win2k8)

Date: 09/24/2007 14:59:40

Are you re-opening the channel when reconnected? Longhorn requires the

channel to be reopend when reconnected (includes auto-reconnect) which

differs from Win2k3

Thanks

Rong

--

This posting is provided "AS IS" with no warranties, and confers no rights.

--

This posting is provided "AS IS" with no warranties, and confers no rights.

wrote in message

news:1190624915.004409.21020@w3g2000hsg.googlegroups.com...

> Hi All,

>

> On Win2003 I have created a virtual channel to send data from client

> to server by writing an add-in. This add-in works fine for new session

> as well as reconnected session, on win2003.

> But when I use same add-in while connecting to longhorn

> server then for new session virtual channel works perfectly but when I

> disconnect this session and again reconnect it then

> "WTSVirtualChannelWrite" on server application fails for reconnected

> session with error 1. ie. Incorrect function.

>

> So can any one tell me the reason for this problem. Is there

> any specific setting to do on terminal server, so that existing

> virtual channel works correctly as that of on win2003.

>

> Please guide me.

> Any help will be appreciated.

>

>

> Thanks

> Amit

>

Top

From: amitmane82@gmail.com

To: none

Subject: Re: Virtual channel reconnect on longhorn (Win2k8)

Date: 09/26/2007 01:48:12

On Sep 24, 12:59 pm, "Rong Chen [MSFT]"

wrote:

> Are you re-opening the channel when reconnected? Longhorn requires the

> channel to be reopend when reconnected (includes auto-reconnect) which

> differs from Win2k3

>

> Thanks

>

> Rong

>

> --

> This posting is provided "AS IS" with no warranties, and confers no rights.

>

> --

> This posting is provided "AS IS" with no warranties, and confers no rights. wrote in message

>

> news:1190624915.004409.21020@w3g2000hsg.googlegroups.com...

>

> > Hi All,

>

> > On Win2003 I have created a virtual channel to send data from client

> > to server by writing an add-in. This add-in works fine for new session

> > as well as reconnected session, on win2003.

> > But when I use same add-in while connecting to longhorn

> > server then for new session virtual channel works perfectly but when I

> > disconnect this session and again reconnect it then

> > "WTSVirtualChannelWrite" on server application fails for reconnected

> > session with error 1. ie. Incorrect function.

>

> > So can any one tell me the reason for this problem. Is there

> > any specific setting to do on terminal server, so that existing

> > virtual channel works correctly as that of on win2003.

>

> > Please guide me.

> > Any help will be appreciated.

>

> > Thanks

> > Amit

Hi Rong,

Thanks for your valuable help.

Can you give me any MSDN or any other link where you mentioned point

is explained in more detail .

And do you have any idea why longhorn changed this behavior since

2k3.

Thanks

Amit

Top

From: David G. Hoch <dhoch@dghtechnologies.com>

To: none

Subject: Re: Video clips - Poor quality on Terminal Server 2003

Date: 09/21/2007 13:36:20

Does the Video card on the server have any affect on the quality of the

video that is passed along to the thin client session? If I were to upgrade

the server to a video card that as more RAM (the current one has 16MB), is

there any reason to believe the video quality would improve?

--David

"Munindra Das [MSFT]" wrote in message

news:uJUSSfX8HHA.5424@TK2MSFTNGP02.phx.gbl...

> David, since TS uses bitmap remoting, the quality of streaming video is

> compromised. We are continously tring to improve it, but it is unlikely to

> become as good as the local case.

>

> --

> This posting is provided "AS IS" with no warranties, and confers no

> rights.

> "David G. Hoch" wrote in message

> news:n8LDi.6682$pe7.2873@newsfe12.lga...

>> I'm running a Windows 2003 Server as a Terminal Server. It has plenty of

>> processing power and RAM, and I've tested it with very few users

>> connected. When watching streaming video in a Terminal Server session the

>> video and audio are choppy and really not watchable.

>>

>> Watching the same video clips on a PC attached to the same network, but

>> not running a Terminal Server session shows smooth video and audio. Any

>> thoughts on why the Terminal Server would be having this problem?

>>

>> Thanks for your help.

>> --David

>>

>

Top

From: TP <tperson.knowspamn@mailandnews.com>

To: none

Subject: Re: Video clips - Poor quality on Terminal Server 2003

Date: 09/21/2007 13:43:16

No, it has no effect.

-TP

David G. Hoch wrote:

> Does the Video card on the server have any affect on the quality of

> the video that is passed along to the thin client session? If I were

> to upgrade the server to a video card that as more RAM (the current

> one has 16MB), is there any reason to believe the video quality would

> improve?

>

> --David

Top

From: David G. Hoch <dhoch@dghtechnologies.com>

To: none

Subject: Re: Video clips - Poor quality on Terminal Server 2003

Date: 09/22/2007 23:11:58

Interestingly (and the reason that I brought it up), is that I support

several Terminal Server 2003 installations, all of which have very powerful

servers (i.e. Server-class hardware with Core2Duo processors, 4GB RAM, SAS

RAID 5 Array, etc.). These Server-class machines all have basic integrated

video cards with 16MB of RAM, and all have problems with video in TS

sessions (regardless of the number of users currently connected). This is

true whether the user is connecting within the building on the LAN, or

across the Internet.

I also have a Terminal Server 2003 box set up in my office for testing.

This test box is a workstation class machine and is very under-powered as

Terminal Servers go. It's a P4, with 1GB of RAM, 5400RPM ATA hard drive,

but it has a workstation-class video card (NVidia GeForce) with 64MB of RAM.

When I connect to my server (via either LAN or WAN) I do not have any

problem viewing videos. On this machine videos are smooth and clear, unlike

the broken-up, jerky video that I see on the other boxes.

Since my box is so much less powerful than the server-class machines, and

the one major difference is the video RAM, I thought that might be the cause

of the better quality on my machine.

Any thoughts on why I have good quality on mine but not elsewhere?

Thanks.

--David

"TP" wrote in message

news:uJQ0J8H$HHA.5160@TK2MSFTNGP05.phx.gbl...

> No, it has no effect.

>

> -TP

>

> David G. Hoch wrote:

>> Does the Video card on the server have any affect on the quality of

>> the video that is passed along to the thin client session? If I were

>> to upgrade the server to a video card that as more RAM (the current

>> one has 16MB), is there any reason to believe the video quality would

>> improve? --David

Top

From: Jeff Pitsch <Jeff@Jeffpitschconsulting.com>

To: none

Subject: Re: Users sessions get reset

Date: 09/27/2007 10:49:57

Is your policy setup to reset a session limit reached or broken

connection? If so, change it so that it disconnects the session. Then

you can start troubleshooting the problem of why they are getting

disconnected in the first place.

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

Chip wrote:

> Over the past week and in the past I've had it happen to me. A user can be in

> the middle of working on an e-mail or something of the sort, and the user get

> disconnected corection they get reset. Originally I thought it was the GPO

> doing this, but I'm now wondering if it is anything else since the GPO is not

> set to disconnect or log off an idle session.

> When the user that was working on an e-mail in outlook does relog back in,

> it is a completely new session, there is now sign of them ever being logged

> in before. I've had this happen to myself then logged in as Admin and did not

> see my session as disconnected in termianal services manager.

> It's almost like they got reset by the server. Has anyone else seen this

> happen? or have any idea as to what is causing it?

>

> Thanks

>

> Chip

Top

From: Chip <Chip@discussions.microsoft.com>

To: none

Subject: Re: Users sessions get reset

Date: 09/27/2007 14:39:01

Jeff,

Not to sound like a Newbie, but I've seen in the GPO where I can disconnect

a session after so many minutes and also seen I can log off a disconnected

session ut I don;t recall seeing a reset option. Also can this be done in a

local policy on the term servers? Reason I ask is becasue I'm not part of any

GPO, while I got disconnected as did other users. I'd think it would be

network then but I'm on a cable modem and they are on a P2P network so that

ruins that thought.

So while I send this I'll also search through the GPO's and term server for

a clue.

Thanks,

Chip

"Jeff Pitsch" wrote:

> Is your policy setup to reset a session limit reached or broken

> connection? If so, change it so that it disconnects the session. Then

> you can start troubleshooting the problem of why they are getting

> disconnected in the first place.

>

> Jeff Pitsch

> Microsoft MVP - Terminal Server

> Citrix Technology Professional

> Provision Networks VIP

>

> Forums not enough?

> Get support from the experts at your business

> http://jeffpitschconsulting.com

>

> Chip wrote:

> > Over the past week and in the past I've had it happen to me. A user can be in

> > the middle of working on an e-mail or something of the sort, and the user get

> > disconnected corection they get reset. Originally I thought it was the GPO

> > doing this, but I'm now wondering if it is anything else since the GPO is not

> > set to disconnect or log off an idle session.

> > When the user that was working on an e-mail in outlook does relog back in,

> > it is a completely new session, there is now sign of them ever being logged

> > in before. I've had this happen to myself then logged in as Admin and did not

> > see my session as disconnected in termianal services manager.

> > It's almost like they got reset by the server. Has anyone else seen this

> > happen? or have any idea as to what is causing it?

> >

> > Thanks

> >

> > Chip

>

Top

From: Jeff Pitsch <Jeff@Jeffpitschconsulting.com>

To: none

Subject: Re: Users sessions get reset

Date: 09/27/2007 14:43:19

This setting can be found in the user account properties and the RDP-TCP

properties on the terminal server itself.

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

Chip wrote:

> Jeff,

>

> Not to sound like a Newbie, but I've seen in the GPO where I can disconnect

> a session after so many minutes and also seen I can log off a disconnected

> session ut I don;t recall seeing a reset option. Also can this be done in a

> local policy on the term servers? Reason I ask is becasue I'm not part of any

> GPO, while I got disconnected as did other users. I'd think it would be

> network then but I'm on a cable modem and they are on a P2P network so that

> ruins that thought.

> So while I send this I'll also search through the GPO's and term server for

> a clue.

>

> Thanks,

> Chip

>

> "Jeff Pitsch" wrote:

>

>> Is your policy setup to reset a session limit reached or broken

>> connection? If so, change it so that it disconnects the session. Then

>> you can start troubleshooting the problem of why they are getting

>> disconnected in the first place.

>>

>> Jeff Pitsch

>> Microsoft MVP - Terminal Server

>> Citrix Technology Professional

>> Provision Networks VIP

>>

>> Forums not enough?

>> Get support from the experts at your business

>> http://jeffpitschconsulting.com

>>

>> Chip wrote:

>>> Over the past week and in the past I've had it happen to me. A user can be in

>>> the middle of working on an e-mail or something of the sort, and the user get

>>> disconnected corection they get reset. Originally I thought it was the GPO

>>> doing this, but I'm now wondering if it is anything else since the GPO is not

>>> set to disconnect or log off an idle session.

>>> When the user that was working on an e-mail in outlook does relog back in,

>>> it is a completely new session, there is now sign of them ever being logged

>>> in before. I've had this happen to myself then logged in as Admin and did not

>>> see my session as disconnected in termianal services manager.

>>> It's almost like they got reset by the server. Has anyone else seen this

>>> happen? or have any idea as to what is causing it?

>>>

>>> Thanks

>>>

>>> Chip

Top

From: Munindra Das [MSFT] <munind@online.microsoft.com>

To: none

Subject: Re: Users can't disconnect after printing (and only printing)

Date: 09/22/2007 02:03:31

You might want to try the Citrix newsgroups

http://support.citrix.com/forums/index.jspa?categoryID=1.

--

This posting is provided "AS IS" with no warranties, and confers no rights.

"azevon" wrote in message

news:46EB3EEE-C4AC-4D34-A3A9-52E500B5C0B3@microsoft.com...

> Greetings All,

>

> Windows2003TS Enterprise SP2 with Citrix MetaFrame 3.0

>

> With any of my published applications, when the users tries to print (and

> after it successfully prints), when they exit the application, they

> receive a

> blue screen and their connection to my server still remains active. If

> they

> launch the same application and don't print, log off the app, their

> connection is logged out and disconencted normally.

>

> This only happens with PUBLISHED apps - if I establish a connection to the

> server (with desktop and all apps, etc), and I run and print something, I

> can

> disconnect normally.

>

> Now I'm not sure if this is a Citrix issue - but I am assuming there must

> be

> a setting somewhere concerning this (printing, security, rights, etc).

>

> Any help would be great.

>

> -andy-

Top

From: azevon <azevon@discussions.microsoft.com>

To: none

Subject: Re: Users can't disconnect after printing (and only printing)

Date: 09/25/2007 11:56:05

Solution was to use postscript drivers on all the printers.

"Munindra Das [MSFT]" wrote:

> You might want to try the Citrix newsgroups

> http://support.citrix.com/forums/index.jspa?categoryID=1.

>

> --

> This posting is provided "AS IS" with no warranties, and confers no rights.

> "azevon" wrote in message

> news:46EB3EEE-C4AC-4D34-A3A9-52E500B5C0B3@microsoft.com...

> > Greetings All,

> >

> > Windows2003TS Enterprise SP2 with Citrix MetaFrame 3.0

> >

> > With any of my published applications, when the users tries to print (and

> > after it successfully prints), when they exit the application, they

> > receive a

> > blue screen and their connection to my server still remains active. If

> > they

> > launch the same application and don't print, log off the app, their

> > connection is logged out and disconencted normally.

> >

> > This only happens with PUBLISHED apps - if I establish a connection to the

> > server (with desktop and all apps, etc), and I run and print something, I

> > can

> > disconnect normally.

> >

> > Now I'm not sure if this is a Citrix issue - but I am assuming there must

> > be

> > a setting somewhere concerning this (printing, security, rights, etc).

> >

> > Any help would be great.

> >

> > -andy-

>

>

Top

From: John <John@discussions.microsoft.com>

To: none

Subject: Re: User sees printers from old location

Date: 09/20/2007 10:22:08

TP,

The clients are brand new machines with a clean image. All printers are auto

created. Local printers have been installed on the client and when TS'd into

a server the auto creation occurs. I am now told the users profile is still

stored locally on the old workstation at the old location but i wouldn't

think this would have anything to do with it. Any ideas?

Thanks,

"TP" wrote:

> Hi,

>

> When they are logged on to their new workstation do they see

> the old printers in their *local* printers folder?

> When the user is logged on to the TS, check and see what type

> of printer each one is. For example, are the printers auto-created,

> network, or local? Examples of each (notice that auto-created

> have "in session xxx" on the end):

>

> Auto-Created

> HP LaserJet P3005 PCL 6 (from DG31H76) in session 72

> HP LaserJet 3200 Series PCL on FS01 (from DG31H76) in session 72

>

> Network

> HP LaserJet 2300 Series PCL 6 on FS01

> HP LaerJet 4050 Series PCL on PSERVER

>

> Local

> HP DeskJet 970Cxi

> HP LaserJet 6P

>

> Thanks for answering my questions.

>

> -TP

>

> John wrote:

> > Hi,

> >

> > does anyone know why a user that has moved to a new location still

> > sees the printers from the old location when TS'd into a server? We

> > have a user that has moved from one building to another. The client

> > is a new workstation with XP pro and the server is Windows server

> > 2003. User properties connect client printers at logon and default to

> > main client printer. Local profiles are used, print drivers are on

> > the server.

> > Any ideas?

> >

> > Thanks in advance,

>

Top

From: TP <tperson.knowspamn@mailandnews.com>

To: none

Subject: Re: User sees printers from old location

Date: 09/20/2007 11:31:23

Hi again,

If the administrator used manual TS printer redirection (which

becomes automatic thereafter) *and* roaming profiles are

in use on the local PC user account you would see printers

auto-creating that do not exist on the local machine.

You can check this by opening up regedit on the *local*

machine while logged on as the user and navigating to the

following key:

HKCU\Software\Microsoft\Terminal Server Client\Default\AddIns\RDPDR

Look at each subkey below the above for a REG_BINARY value

named PrinterCacheData (not AutoPrinterCacheData, that is different).

If there are keys present for the old printers then go ahead and

delete them.

When they are logged on to their new workstation do they see

the old printers in their *local* printers folder? Please verify

this with the user.

When a user connects to a TS, the Remote Desktop Client

enumerates the list of locally installed printers and passes

the list to the TS which attempts to create each one on the

server (if a matching driver can be found or the fallback printer

driver is enabled). There is no mechanism for auto-creating

printers that are not on the local machine *except* for manual

redirection mentioned above.

One thing that occurs sometimes is that auto-created printers

may not be removed after the user logs off of the TS. These

are easy to spot because the session id will not match the

user's current session id. For example, you see the user is

logged on using Terminal Services Manager as session 31,

but notice one of their auto-created printers shows session 56

in its name. These are referred to as "orphaned printers".

Also keep in mind that printers could be deployed automatically

to a user and/or machine using Active Directory, logon script,

etc. If the user has a roaming profile that contained network

printer connections then they would be on the new machine as

well.

Please reply back with your findings or more questions.

Thanks.

-TP

John wrote:

> TP,

>

> The clients are brand new machines with a clean image. All printers

> are auto created. Local printers have been installed on the client

> and when TS'd into a server the auto creation occurs. I am now told

> the users profile is still stored locally on the old workstation at

> the old location but i wouldn't think this would have anything to do

> with it. Any ideas?

>

> Thanks,

Top

From: Jeff Pitsch <Jeff@Jeffpitschconsulting.com>

To: none

Subject: Re: User Profiles

Date: 09/25/2007 09:59:14

when you say normal users do you mean their normal desktop? Read my

article on loopback processing and group policy and see if that helps.

As well if you could be more specific on what your trying to do and what

you've done that would help as well.

See this link and Understanding Group POlicy in a TS environment:

http://www.jeffpitschconsulting.com/downloads.aspx?c=13?

Jeff Pitsch

Microsoft MVP - Terminal Server

Citrix Technology Professional

Provision Networks VIP

Forums not enough?

Get support from the experts at your business

http://jeffpitschconsulting.com

Ferbalex wrote:

> Currently running TS where all users load one application - our business

> system.

> I'm now trying to allocate individual desktops to certain users but, with a

> Group Policy only suceeded in restricting normal users to no start button and

> no icons!!

> Im obviously missing the point - could someone please direct me to a simple

> step by step starter??

Top

From: Ferbalex <Ferbalex@discussions.microsoft.com>

To: none

Subject: Re: User Profiles

Date: 09/26/2007 06:48:01

Thanks Jeff and good article. Having got to the end of it, I now have the TS

server in its own OU, two policies, machine and users in the OU, user and

machine disabled where needed, and the loopback enabled. From here I would

like to have users log onto the server and receive various different secure

desktops. If I edit the user policy, I would think that effects all users

logging on. How would I differentiate between them for different desktops??

Many Thanks for your help -

much appreciated

"Jeff Pitsch" wrote:

> when you say normal users do you mean their normal desktop? Read my

> article on loopback processing and group policy and see if that helps.

> As well if you could be more specific on what your trying to do and what

> you've done that would help as well.

>

> See this link and Understanding Group POlicy in a TS environment:

> http://www.jeffpitschconsulting.com/downloads.aspx?c=13?

>

> Jeff Pitsch

> Microsoft MVP - Terminal Server

> Citrix Technology Professional

> Provision Networks VIP

>

> Forums not enough?

> Get support from the experts at your business

> http://jeffpitschconsulting.com

>

> Ferbalex wrote:

> > Currently running TS where all users load one application - our business

> > system.

> > I'm now trying to allocate individual desktops to certain users but, with a

> > Group Policy only suceeded in restricting normal users to no start button and

> > no icons!!

> > Im obviously missing the point - could someone please direct me to a simple

> > step by step starter??

>

Top

From: Vera Noest [MVP] <vera.noest@remove-this.hem.utfors.se>

To: none

Subject: Re: User Profiles

Date: 09/26/2007 07:45:27

From

http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirection

Q: How can I configure different TS desktops, based on user group

membership?

A: There are a number of 3rd party add-ons which can do this for

you, but it is also possible with native Windows techniques, using

Group Policies.

Let's assume you have 3 different user groups, which need different

desktop icons.

1. Create 3 security groups in your AD and populate them with the

user accounts

2. Create 3 different shared folders on a file server and populate

the folders with the desktop icons (shortcuts) which you want the

user groups to see

3. Create 3 different GPOs, linked to the OU which contains your

Terminal Server computer account (but not the user accounts!)

4. In each of the GPOs, configure redirection of the desktop to one

of the custom desktop folders which you created in step 2. This is

done in User Configuration - Windows Settings - Folder Redirection

5. Configure each of the GPOs with loopback processing of the GPO,

with the "Replace" option. This is done in Computer Configuration -

Administrative Templates - System - Group Policy - "User Group

Policy loopback processing mode"

6. Configure the security settings on each of the GPOs so that only

the appropriate user group and the TS machine account is allowed to

read and apply the GPO

Further reading:

231287 - Loopback Processing of Group Policy

http://support.microsoft.com/?kbid=231287

816100 - How To Prevent Domain Group Policies from Applying to

Administrator Accounts and Selected Users in Windows Server 2003

http://support.microsoft.com/?kbid=816100

Another way to do this is by using Access Based Enumeration, which

is a free add-on to Windows Server 2003.

For a detailed example of using ABE, see:

Build a start menu with ABE

http://www.datacrash.net/howtos/howto/build-a-start-menu-with-

abe.html

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RmVyYmFsZXg=?=

wrote on 26 sep 2007 in

microsoft.public.windows.terminal_services:

> Thanks Jeff and good article. Having got to the end of it, I

> now have the TS server in its own OU, two policies, machine and

> users in the OU, user and machine disabled where needed, and the

> loopback enabled. From here I would like to have users log onto

> the server and receive various different secure desktops. If I

> edit the user policy, I would think that effects all users

> logging on. How would I differentiate between them for

> different desktops??

> Many Thanks for your help -

> much appreciated

>

> "Jeff Pitsch" wrote:

>

>> when you say normal users do you mean their normal desktop?

>> Read my article on loopback processing and group policy and see

>> if that helps. As well if you could be more specific on what

>> your trying to do and what you've done that would help as well.

>>

>> See this link and Understanding Group POlicy in a TS

>> environment:

>> http://www.jeffpitschconsulting.com/downloads.aspx?c=13?

>> nload

>>

>> Jeff Pitsch

>> Microsoft MVP - Terminal Server

>> Citrix Technology Professional

>> Provision Networks VIP

>>

>> Forums not enough?

>> Get support from the experts at your business

>> http://jeffpitschconsulting.com

>>

>> Ferbalex wrote:

>> > Currently running TS where all users load one application -

>> > our business system.

>> > I'm now trying to allocate individual desktops to certain

>> > users but, with a Group Policy only suceeded in restricting

>> > normal users to no start button and no icons!!

>> > Im obviously missing the point - could someone please direct

>> > me to a simple step by step starter??

Top

From: Ferbalex <Ferbalex@discussions.microsoft.com>

To: none

Subject: Re: User Profiles

Date: 09/26/2007 12:50:07

Hi, this is different from the first suggestion but looked shorter so gave it

a try.

Created 1 security group in AD the TS Group- put one user1 in it - created 1

shared folder on the TS server and put shortcut icons in it, gave TSGroup

access to it - created 1 GPO linked to OU that has TS Svr in it, no users -

in GPO redircted desktop to the shared folder - enabled various other

settings - enabled GPO loopback/replace - allowed the TS Svr and the TS group

in the security filtering.

Logged into the TS Svr via TS client, as user1, 'my documents' redirected to

Home folder (not specified in the TS settings) but no other changes take

place, same as logging into the server directly. Deleted everything and

tried it all again - same result.

Thanks for your help - any ideas would be appreciated

"Vera Noest [MVP]" wrote:

> From

> http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirection

>

> Q: How can I configure different TS desktops, based on user group

> membership?

>

> A: There are a number of 3rd party add-ons which can do this for

> you, but it is also possible with native Windows techniques, using

> Group Policies.

>

> Let's assume you have 3 different user groups, which need different

> desktop icons.

>

> 1. Create 3 security groups in your AD and populate them with the

> user accounts

> 2. Create 3 different shared folders on a file server and populate

> the folders with the desktop icons (shortcuts) which you want the

> user groups to see

> 3. Create 3 different GPOs, linked to the OU which contains your

> Terminal Server computer account (but not the user accounts!)

> 4. In each of the GPOs, configure redirection of the desktop to one

> of the custom desktop folders which you created in step 2. This is

> done in User Configuration - Windows Settings - Folder Redirection

> 5. Configure each of the GPOs with loopback processing of the GPO,

> with the "Replace" option. This is done in Computer Configuration -

> Administrative Templates - System - Group Policy - "User Group

> Policy loopback processing mode"

> 6. Configure the security settings on each of the GPOs so that only

> the appropriate user group and the TS machine account is allowed to

> read and apply the GPO

>

> Further reading:

>

> 231287 - Loopback Processing of Group Policy

> http://support.microsoft.com/?kbid=231287

>

> 816100 - How To Prevent Domain Group Policies from Applying to

> Administrator Accounts and Selected Users in Windows Server 2003

> http://support.microsoft.com/?kbid=816100

>

> Another way to do this is by using Access Based Enumeration, which

> is a free add-on to Windows Server 2003.

> For a detailed example of using ABE, see:

>

> Build a start menu with ABE

> http://www.datacrash.net/howtos/howto/build-a-start-menu-with-

> abe.html

>

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?RmVyYmFsZXg=?=

> wrote on 26 sep 2007 in

> microsoft.public.windows.terminal_services:

>

> > Thanks Jeff and good article. Having got to the end of it, I

> > now have the TS server in its own OU, two policies, machine and

> > users in the OU, user and machine disabled where needed, and the

> > loopback enabled. From here I would like to have users log onto

> > the server and receive various different secure desktops. If I

> > edit the user policy, I would think that effects all users

> > logging on. How would I differentiate between them for

> > different desktops??

> > Many Thanks for your help -

> > much appreciated

> >

> > "Jeff Pitsch" wrote:

> >

> >> when you say normal users do you mean their normal desktop?

> >> Read my article on loopback processing and group policy and see

> >> if that helps. As well if you could be more specific on what

> >> your trying to do and what you've done that would help as well.

> >>

> >> See this link and Understanding Group POlicy in a TS

> >> environment:

> >> http://www.jeffpitschconsulting.com/downloads.aspx?c=13?

> >> nload

> >>

> >> Jeff Pitsch

> >> Microsoft MVP - Terminal Server

> >> Citrix Technology Professional

> >> Provision Networks VIP

> >>

> >> Forums not enough?

> >> Get support from the experts at your business

> >> http://jeffpitschconsulting.com

> >>

> >> Ferbalex wrote:

> >> > Currently running TS where all users load one application -

> >> > our business system.

> >> > I'm now trying to allocate individual desktops to certain

> >> > users but, with a Group Policy only suceeded in restricting

> >> > normal users to no start button and no icons!!

> >> > Im obviously missing the point - could someone please direct

> >> > me to a simple step by step starter??

>

Top

From: Vera Noest [MVP] <vera.noest@remove-this.hem.utfors.se>

To: none

Subject: Re: User Profiles

Date: 09/26/2007 15:01:03

Since your new GPO settings don't work, and you still see the

effects of another GPO (redirection of My Documents), maybe all you

have to do is to run "gpupdate" on the Terminal Server, in a

command window.

If that doesn't help, use Resultant Set of Policies (RSoP) to see

which GPOs affect user1 on the TS.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RmVyYmFsZXg=?=

wrote on 26 sep 2007 in

microsoft.public.windows.terminal_services:

> Hi, this is different from the first suggestion but looked

> shorter so gave it a try.

>

> Created 1 security group in AD the TS Group- put one user1 in it

> - created 1 shared folder on the TS server and put shortcut

> icons in it, gave TSGroup access to it - created 1 GPO linked to

> OU that has TS Svr in it, no users - in GPO redircted desktop to

> the shared folder - enabled various other settings - enabled GPO

> loopback/replace - allowed the TS Svr and the TS group in the

> security filtering.

>

> Logged into the TS Svr via TS client, as user1, 'my documents'

> redirected to Home folder (not specified in the TS settings) but

> no other changes take place, same as logging into the server

> directly. Deleted everything and tried it all again - same

> result.

>

> Thanks for your help - any ideas would be appreciated

>

>

> "Vera Noest [MVP]" wrote:

>

>> From

>> http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirect

>> ion

>>

>> Q: How can I configure different TS desktops, based on user

>> group membership?

>>

>> A: There are a number of 3rd party add-ons which can do this

>> for you, but it is also possible with native Windows

>> techniques, using Group Policies.

>>

>> Let's assume you have 3 different user groups, which need

>> different desktop icons.

>>

>> 1. Create 3 security groups in your AD and populate them with

>> the user accounts

>> 2. Create 3 different shared folders on a file server and

>> populate the folders with the desktop icons (shortcuts) which

>> you want the user groups to see

>> 3. Create 3 different GPOs, linked to the OU which contains

>> your Terminal Server computer account (but not the user

>> accounts!) 4. In each of the GPOs, configure redirection of the

>> desktop to one of the custom desktop folders which you created

>> in step 2. This is done in User Configuration - Windows

>> Settings - Folder Redirection 5. Configure each of the GPOs

>> with loopback processing of the GPO, with the "Replace" option.

>> This is done in Computer Configuration - Administrative

>> Templates - System - Group Policy - "User Group Policy loopback

>> processing mode" 6. Configure the security settings on each of

>> the GPOs so that only the appropriate user group and the TS

>> machine account is allowed to read and apply the GPO

>>

>> Further reading:

>>

>> 231287 - Loopback Processing of Group Policy

>> http://support.microsoft.com/?kbid=231287

>>

>> 816100 - How To Prevent Domain Group Policies from Applying to

>> Administrator Accounts and Selected Users in Windows Server

>> 2003 http://support.microsoft.com/?kbid=816100

>>

>> Another way to do this is by using Access Based Enumeration,

>> which is a free add-on to Windows Server 2003.

>> For a detailed example of using ABE, see:

>>

>> Build a start menu with ABE

>> http://www.datacrash.net/howtos/howto/build-a-start-menu-with-

>> abe.html

>>

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?RmVyYmFsZXg=?=

>> wrote on 26 sep 2007 in

>> microsoft.public.windows.terminal_services:

>>

>> > Thanks Jeff and good article. Having got to the end of it, I

>> > now have the TS server in its own OU, two policies, machine

>> > and users in the OU, user and machine disabled where needed,

>> > and the loopback enabled. From here I would like to have

>> > users log onto the server and receive various different

>> > secure desktops. If I edit the user policy, I would think

>> > that effects all users logging on. How would I differentiate

>> > between them for different desktops??

>> > Many Thanks for your help -

>> > much appreciated

>> >

>> > "Jeff Pitsch" wrote:

>> >

>> >> when you say normal users do you mean their normal desktop?

>> >> Read my article on loopback processing and group policy and

>> >> see if that helps. As well if you could be more specific on

>> >> what your trying to do and what you've done that would help

>> >> as well.

>> >>

>> >> See this link and Understanding Group POlicy in a TS

>> >> environment:

>> >> http://www.jeffpitschconsulting.com/downloads.aspx?c=13?

>> >> dow nload

>> >>

>> >> Jeff Pitsch

>> >> Microsoft MVP - Terminal Server

>> >> Citrix Technology Professional

>> >> Provision Networks VIP

>> >>

>> >> Forums not enough?

>> >> Get support from the experts at your business

>> >> http://jeffpitschconsulting.com

>> >>

>> >> Ferbalex wrote:

>> >> > Currently running TS where all users load one application

>> >> > - our business system.

>> >> > I'm now trying to allocate individual desktops to certain

>> >> > users but, with a Group Policy only suceeded in

>> >> > restricting normal users to no start button and no icons!!

>> >> > Im obviously missing the point - could someone please

>> >> > direct me to a simple step by step starter??

Top

From: Ferbalex <Ferbalex@discussions.microsoft.com>

To: none

Subject: Re: User Profiles

Date: 09/27/2007 09:35:01

Thank you very much, it worked great. Just one thing, I have disabled

evrything I can find in the GPOE but cant restrict the start button, My

Computer in the start menu, or Printers and Faxes in the start menu. Is it

not possible to restrict these? In My Computer users still have access to

System Task and Other Places? I also have two icons appearing from the

Default Domain Policy. Is it possible to restrict this without editing the

domain policy? Windows Server 2003. Thanks again for your great advice.

"Vera Noest [MVP]" wrote:

> Since your new GPO settings don't work, and you still see the

> effects of another GPO (redirection of My Documents), maybe all you

> have to do is to run "gpupdate" on the Terminal Server, in a

> command window.

> If that doesn't help, use Resultant Set of Policies (RSoP) to see

> which GPOs affect user1 on the TS.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?RmVyYmFsZXg=?=

> wrote on 26 sep 2007 in

> microsoft.public.windows.terminal_services:

>

> > Hi, this is different from the first suggestion but looked

> > shorter so gave it a try.

> >

> > Created 1 security group in AD the TS Group- put one user1 in it

> > - created 1 shared folder on the TS server and put shortcut

> > icons in it, gave TSGroup access to it - created 1 GPO linked to

> > OU that has TS Svr in it, no users - in GPO redircted desktop to

> > the shared folder - enabled various other settings - enabled GPO

> > loopback/replace - allowed the TS Svr and the TS group in the

> > security filtering.

> >

> > Logged into the TS Svr via TS client, as user1, 'my documents'

> > redirected to Home folder (not specified in the TS settings) but

> > no other changes take place, same as logging into the server

> > directly. Deleted everything and tried it all again - same

> > result.

> >

> > Thanks for your help - any ideas would be appreciated

> >

> >

> > "Vera Noest [MVP]" wrote:

> >

> >> From

> >> http://ts.veranoest.net/ts_faq_configuration.htm#desktopredirect

> >> ion

> >>

> >> Q: How can I configure different TS desktops, based on user

> >> group membership?

> >>

> >> A: There are a number of 3rd party add-ons which can do this

> >> for you, but it is also possible with native Windows

> >> techniques, using Group Policies.

> >>

> >> Let's assume you have 3 different user groups, which need

> >> different desktop icons.

> >>

> >> 1. Create 3 security groups in your AD and populate them with

> >> the user accounts

> >> 2. Create 3 different shared folders on a file server and

> >> populate the folders with the desktop icons (shortcuts) which

> >> you want the user groups to see

> >> 3. Create 3 different GPOs, linked to the OU which contains

> >> your Terminal Server computer account (but not the user

> >> accounts!) 4. In each of the GPOs, configure redirection of the

> >> desktop to one of the custom desktop folders which you created

> >> in step 2. This is done in User Configuration - Windows

> >> Settings - Folder Redirection 5. Configure each of the GPOs

> >> with loopback processing of the GPO, with the "Replace" option.

> >> This is done in Computer Configuration - Administrative

> >> Templates - System - Group Policy - "User Group Policy loopback

> >> processing mode" 6. Configure the security settings on each of

> >> the GPOs so that only the appropriate user group and the TS

> >> machine account is allowed to read and apply the GPO

> >>

> >> Further reading:

> >>

> >> 231287 - Loopback Processing of Group Policy

> >> http://support.microsoft.com/?kbid=231287

> >>

> >> 816100 - How To Prevent Domain Group Policies from Applying to

> >> Administrator Accounts and Selected Users in Windows Server

> >> 2003 http://support.microsoft.com/?kbid=816100

> >>

> >> Another way to do this is by using Access Based Enumeration,

> >> which is a free add-on to Windows Server 2003.

> >> For a detailed example of using ABE, see:

> >>

> >> Build a start menu with ABE

> >> http://www.datacrash.net/howtos/howto/build-a-start-menu-with-

> >> abe.html

> >>

> >> _________________________________________________________

> >> Vera Noest

> >> MCSE, CCEA, Microsoft MVP - Terminal Server

> >> TS troubleshooting: http://ts.veranoest.net

> >> ___ please respond in newsgroup, NOT by private email ___

> >>

> >> =?Utf-8?B?RmVyYmFsZXg=?=

> >> wrote on 26 sep 2007 in

> >> microsoft.public.windows.terminal_services:

> >>

> >> > Thanks Jeff and good article. Having got to the end of it, I

> >> > now have the TS server in its own OU, two policies, machine

> >> > and users in the OU, user and machine disabled where needed,

> >> > and the loopback enabled. From here I would like to have

> >> > users log onto the server and receive various different

> >> > secure desktops. If I edit the user policy, I would think

> >> > that effects all users logging on. How would I differentiate

> >> > between them for different desktops??

> >> > Many Thanks for your help -

> >> > much appreciated

> >> >

> >> > "Jeff Pitsch" wrote:

> >> >

> >> >> when you say normal users do you mean their normal desktop?

> >> >> Read my article on loopback processing and group policy and

> >> >> see if that helps. As well if you could be more specific on

> >> >> what your trying to do and what you've done that would help

> >> >> as well.

> >> >>

> >> >> See this link and Understanding Group POlicy in a TS

> >> >> environment:

> >> >> http://www.jeffpitschconsulting.com/downloads.aspx?c=13?

> >> >> dow nload

> >> >>

> >> >> Jeff Pitsch

> >> >> Microsoft MVP - Terminal Server

> >> >> Citrix Technology Professional

> >> >> Provision Networks VIP

> >> >>

> >> >> Forums not enough?

> >> >> Get support from the experts at your business

> >> >> http://jeffpitschconsulting.com

> >> >>

> >> >> Ferbalex wrote:

> >> >> > Currently running TS where all users load one application

> >> >> > - our business system.

> >> >> > I'm now trying to allocate individual desktops to certain

> >> >> > users but, with a Group Policy only suceeded in

> >> >> > restricting normal users to no start button and no icons!!

> >> >> > Im obviously missing the point - could someone please

> >> >> > direct me to a simple step by step starter??

>

Top

From: Vera Noest [MVP] <vera.noest@remove-this.hem.utfors.se>

To: none

Subject: Re: User Profiles

Date: 09/27/2007 15:02:44

You can use Folder redirection for the Start Menu, exactly in the

same way as you used Folder redirection for the Desktop.

Also make sure that you delete unwanted shortcuts from the C:

\Documents and Settings\All Users\Start Menu on the Terminal

Server.

Exactly what icons are you getting from the Default Domain Policy,

and in which GPO setting are they defined?

Have you tried "undoing" them by configuring the same setting in

your GPO with a value of "Disabled"?

You could block policy inheritance, but that's normally not a good

idea. A Default Domain Policy should only contain settings which

*must* be configured for the whole domain. If that's not true, the

setting is configured at the wrong level.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RmVyYmFsZXg=?=

wrote on 27 sep 2007 in

microsoft.public.windows.terminal_services:

> Thank you very much, it worked great. Just one thing, I have

> disabled evrything I can find in the GPOE but cant restrict the

> start button, My Computer in the start menu, or Printers and

> Faxes in the start menu. Is it not possible to restrict these?

> In My Computer users still have access to System Task and Other

> Places? I also have two icons appearing from the Default Domain

> Policy. Is it possible to restrict this without editing the

> domain policy? Windows Server 2003. Thanks again for your great

> advice.

>

>

>

> "Vera Noest [MVP]" wrote:

>

>> Since your new GPO settings don't work, and you still see the

>> effects of another GPO (redirection of My Documents), maybe all

>> you have to do is to run "gpupdate" on the Terminal Server, in

>> a command window.

>> If that doesn't help, use Resultant Set of Policies (RSoP) to

>> see which GPOs affect user1 on the TS.

>> _________________________________________________________

>> Vera Noest

>> MCSE, CCEA, Microsoft MVP - Terminal Server

>> TS troubleshooting: http://ts.veranoest.net

>> ___ please respond in newsgroup, NOT by private email ___

>>

>> =?Utf-8?B?RmVyYmFsZXg=?=

>> wrote on 26 sep 2007 in

>> microsoft.public.windows.terminal_services:

>>

>> > Hi, this is different from the first suggestion but looked

>> > shorter so gave it a try.

>> >

>> > Created 1 security group in AD the TS Group- put one user1 in

>> > it - created 1 shared folder on the TS server and put

>> > shortcut icons in it, gave TSGroup access to it - created 1

>> > GPO linked to OU that has TS Svr in it, no users - in GPO

>> > redircted desktop to the shared folder - enabled various

>> > other settings - enabled GPO loopback/replace - allowed the

>> > TS Svr and the TS group in the security filtering.

>> >

>> > Logged into the TS Svr via TS client, as user1, 'my

>> > documents' redirected to Home folder (not specified in the TS

>> > settings) but no other changes take place, same as logging

>> > into the server directly. Deleted everything and tried it

>> > all again - same result.

>> >

>> > Thanks for your help - any ideas would be appreciated

>> >

>> >

>> > "Vera Noest [MVP]" wrote:

>> >

>> >> From

>> >> http://ts.veranoest.net/ts_faq_configuration.htm#desktopredir

>> >> ect ion

>> >>

>> >> Q: How can I configure different TS desktops, based on user

>> >> group membership?

>> >>

>> >> A: There are a number of 3rd party add-ons which can do this

>> >> for you, but it is also possible with native Windows

>> >> techniques, using Group Policies.

>> >>

>> >> Let's assume you have 3 different user groups, which need

>> >> different desktop icons.

>> >>

>> >> 1. Create 3 security groups in your AD and populate them

>> >> with the user accounts

>> >> 2. Create 3 different shared folders on a file server and

>> >> populate the folders with the desktop icons (shortcuts)

>> >> which you want the user groups to see

>> >> 3. Create 3 different GPOs, linked to the OU which contains

>> >> your Terminal Server computer account (but not the user

>> >> accounts!) 4. In each of the GPOs, configure redirection of

>> >> the desktop to one of the custom desktop folders which you

>> >> created in step 2. This is done in User Configuration -

>> >> Windows Settings - Folder Redirection 5. Configure each of

>> >> the GPOs with loopback processing of the GPO, with the

>> >> "Replace" option. This is done in Computer Configuration -

>> >> Administrative Templates - System - Group Policy - "User

>> >> Group Policy loopback processing mode" 6. Configure the

>> >> security settings on each of the GPOs so that only the

>> >> appropriate user group and the TS machine account is allowed

>> >> to read and apply the GPO

>> >>

>> >> Further reading:

>> >>

>> >> 231287 - Loopback Processing of Group Policy

>> >> http://support.microsoft.com/?kbid=231287

>> >>

>> >> 816100 - How To Prevent Domain Group Policies from Applying

>> >> to Administrator Accounts and Selected Users in Windows

>> >> Server 2003 http://support.microsoft.com/?kbid=816100

>> >>

>> >> Another way to do this is by using Access Based Enumeration,

>> >> which is a free add-on to Windows Server 2003.

>> >> For a detailed example of using ABE, see:

>> >>

>> >> Build a start menu with ABE

>> >> http://www.datacrash.net/howtos/howto/build-a-start-menu-with

>> >> - abe.html

>> >>

>> >> _________________________________________________________

>> >> Vera Noest

>> >> MCSE, CCEA, Microsoft MVP - Terminal Server

>> >> TS troubleshooting: http://ts.veranoest.net

>> >> ___ please respond in newsgroup, NOT by private email ___

>> >>

>> >> =?Utf-8?B?RmVyYmFsZXg=?=

>> >> wrote on 26 sep 2007 in

>> >> microsoft.public.windows.terminal_services:

>> >>

>> >> > Thanks Jeff and good article. Having got to the end of

>> >> > it, I now have the TS server in its own OU, two policies,

>> >> > machine and users in the OU, user and machine disabled

>> >> > where needed, and the loopback enabled. From here I would

>> >> > like to have users log onto the server and receive various

>> >> > different secure desktops. If I edit the user policy, I

>> >> > would think that effects all users logging on. How would

>> >> > I differentiate between them for different desktops??

>> >> > Many Thanks for your help -

>> >> > much appreciated

>> >> >

>> >> > "Jeff Pitsch" wrote:

>> >> >

>> >> >> when you say normal users do you mean their normal

>> >> >> desktop? Read my article on loopback processing and group

>> >> >> policy and see if that helps. As well if you could be

>> >> >> more specific on what your trying to do and what you've

>> >> >> done that would help as well.

>> >> >>

>> >> >> See this link and Understanding Group POlicy in a TS

>> >> >> environment:

>> >> >> http://www.jeffpitschconsulting.com/downloads.aspx?c=13?

>> >> >> pe= dow nload

>> >> >>

>> >> >> Jeff Pitsch

>> >> >> Microsoft MVP - Terminal Server

>> >> >> Citrix Technology Professional

>> >> >> Provision Networks VIP

>> >> >>

>> >> >> Forums not enough?

>> >> >> Get support from the experts at your business

>> >> >> http://jeffpitschconsulting.com

>> >> >>

>> >> >> Ferbalex wrote:

>> >> >> > Currently running TS where all users load one

>> >> >> > application - our business system.

>> >> >> > I'm now trying to allocate individual desktops to

>> >> >> > certain users but, with a Group Policy only suceeded in

>> >> >> > restricting normal users to no start button and no

>> >> >> > icons!! Im obviously missing the point - could someone

>> >> >> > please direct me to a simple step by step starter??

Top

From: Vera Noest [MVP] <vera.noest@remove-this.hem.utfors.se>

To: none

Subject: Re: Upgrading Windows 2000 Terminal Server to Windows 2003 Terminal Se

Date: 09/25/2007 13:17:59

I'm not sure what you mean.

Can it be that you are referring to the licenses in the TS Licensing

Manager?

They will not be upgraded. You will need to nuy a 2003 TS license for

every client or user who connects to the 2003 Terminal Server.

The licenses which are present in both a W2K and a 2003 TS Licensing

Server with Amount: Unlimited are "Existing Windows 2000 Per Device

licenses". These licenses are issued for free to W2K Pro and XP Pro

clients when they connect to a *W2K* Terminal Server. A 2003 TS

requires purchased TS CALs.

Does this answer your question? If not, please explain in some more

detail what it is that you want.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?TUo=?= wrote on 25 sep

2007 in microsoft.public.windows.terminal_services:

> I had a Windows 2000 Server with unlimited Terminal Service

> Connections. After installing the Windows 2003 Standard Server,

> the Windows 2000 Terminal Server was inherited by the new

> operational system. How do I get the server to reflect that I

> am upgrading to Windows 2003 Terminal Services?

Top

From: TP <tperson.knowspamn@mailandnews.com>

To: none

Subject: Re: Updating status - REMOTE INTERACTIVE LOGON vs. INTERACTIVE

Date: 09/24/2007 12:50:20

There is no built-in way to have XP automatically update

the user's security token because of a session state change.

I imagine you could program something yourself but it would

be non-trivial.

What specific resources/objects are you attempting to secure

based on console versus RDP? Perhaps I can think of another

way to accomplish your goal.

-TP

oldemusicke@gmail.com wrote:

> XP sp2 assigns you to the special groups REMOTE INTERACTIVE LOGON or

> INTERACTIVE (etc.) only at logon. Is there any way to get Remote

> Desktop or a session unlock to update this group assignment?

>

> Situation 1: You log in at the console. As expected, you're now part

> of the special INTERACTIVE group. You lock the session (ctrl-alt-del,

> Lock Workstation). Later, you connect via Remote Desktop. This gives

> you the existing session. Even though you're now in a remote session,

> you're still part of INTERACTIVE, and not part of REMOTE INTERACTIVE

> LOGON (confirmed by whoami /groups).

>

> Situation 2: The console isn't logged in. You start a Remote Desktop

> session. As expected, you're now part of the special REMOTE

> INTERACTIVE LOGON. Next, you disconnect (as opposed to logging out).

> Later, you visit the console and unlock the session. Even though

> you're now logged in at the console, you're still in REMOTE

> INTERACTIVE LOGON, but not INTERACTIVE (confirmed by whoami /groups).

>

> If Remote Desktop Connection or the session unlock would re-assess

> membership in these special groups, it would move you between

> INTERACTIVE and REMOTE INTERACTIVE LOGON as appropriate, but

> apparently this assessment happens only once at logon.

>

> Goal: Allow non-admin users to use Remote Desktop Connection, but make

> certain resources accessible only at the console, not over a remote

> connection. An ACL entry denying all access to REMOTE INTERACTIVE

> LOGON seemed like the way to go, until we discovered that it reflected

> conditions of the initial logon, not conditions at the moment.

>

> Session timeouts don't really solve the problem, by the way. One,

> they'd shrink the window of opportunity but otherwise wouldn't solve

> the problem. Two, any arbitrary ending of sessions affects the people

> who are working normally too (in INTERACTIVE when they're really

> interactive, and in REMOTE INTERACTIVE LOGON when they're really a

> remote interactive logon).

>

> Thanks.

Top

From: oldemusicke@gmail.com

To: none

Subject: Re: Updating status - REMOTE INTERACTIVE LOGON vs. INTERACTIVE

Date: 09/24/2007 13:14:46

The other catch with programming something ourselves is that it

probably needs to be privileged, which means it'll probably have to

run as a service (vs. an app executed by a non-privileged user).

Kernel-touching apps are also the apps most likely to break each time

you update Windows.

We want to secure the full contents of a particular local drive

against remote access. The intended approach had been to add to the

ACL for the root folder of that volume with a Deny for REMOTE

INTERACTIVE LOGON.

One workaround we'd rather avoid is to give each person two usernames,

one that's a member of Remote Desktop Users but that has no access to

the restricted drive (denied by ACL), and one that has access to the

restricted drive but isn't in Remote Desktop Users. We want to avoid

that approach because it requires users to remember two passwords

instead of one, to switch personas each time they change what they're

working on, etc.

We want to keep the user hassles to a minimum because the bigger the

hassle, the more likely it is that users will bypass the security

setup for the sake of convenience. They're basically trusted

individuals, but people are still people. We want the right thing to

be easier to do than the wrong thing.

On Sep 24, 1:50 pm, "TP" wrote:

> There is no built-in way to have XP automatically update

> the user's security token because of a session state change.

> I imagine you could program something yourself but it would

> be non-trivial.

>

> What specific resources/objects are you attempting to secure

> based on console versus RDP? Perhaps I can think of another

> way to accomplish your goal.

>

> -TP

>

>

>

> oldemusi...@gmail.com wrote:

> > XP sp2 assigns you to the special groups REMOTE INTERACTIVE LOGON or

> > INTERACTIVE (etc.) only at logon. Is there any way to get Remote

> > Desktop or a session unlock to update this group assignment?

>

> > Situation 1: You log in at the console. As expected, you're now part

> > of the special INTERACTIVE group. You lock the session (ctrl-alt-del,

> > Lock Workstation). Later, you connect via Remote Desktop. This gives

> > you the existing session. Even though you're now in a remote session,

> > you're still part of INTERACTIVE, and not part of REMOTE INTERACTIVE

> > LOGON (confirmed by whoami /groups).

>

> > Situation 2: The console isn't logged in. You start a Remote Desktop

> > session. As expected, you're now part of the special REMOTE

> > INTERACTIVE LOGON. Next, you disconnect (as opposed to logging out).

> > Later, you visit the console and unlock the session. Even though

> > you're now logged in at the console, you're still in REMOTE

> > INTERACTIVE LOGON, but not INTERACTIVE (confirmed by whoami /groups).

>

> > If Remote Desktop Connection or the session unlock would re-assess

> > membership in these special groups, it would move you between

> > INTERACTIVE and REMOTE INTERACTIVE LOGON as appropriate, but

> > apparently this assessment happens only once at logon.

>

> > Goal: Allow non-admin users to use Remote Desktop Connection, but make

> > certain resources accessible only at the console, not over a remote

> > connection. An ACL entry denying all access to REMOTE INTERACTIVE

> > LOGON seemed like the way to go, until we discovered that it reflected

> > conditions of the initial logon, not conditions at the moment.

>

> > Session timeouts don't really solve the problem, by the way. One,

> > they'd shrink the window of opportunity but otherwise wouldn't solve

> > the problem. Two, any arbitrary ending of sessions affects the people

> > who are working normally too (in INTERACTIVE when they're really

> > interactive, and in REMOTE INTERACTIVE LOGON when they're really a

> > remote interactive logon).

>

> > Thanks.- Hide quoted text -

>

> - Show quoted text -

Top

From: Vera Noest [MVP] <vera.noest@remove-this.hem.utfors.se>

To: none

Subject: Re: Unable to log into Server

Date: 09/20/2007 14:21:33

Are you sharing your user account with someone else, like several

persons using the same Administrator account? Sounds like the screen

saver has kicked in when you take over a disconnected session.

Disable the screen saver on the TS.

_________________________________________________________

Vera Noest

MCSE, CCEA, Microsoft MVP - Terminal Server

TS troubleshooting: http://ts.veranoest.net

___ please respond in newsgroup, NOT by private email ___

=?Utf-8?B?RGVyZWsgRGEgU2lsdmE=?=

wrote on 20 sep 2007 in

microsoft.public.windows.terminal_services:

> Hi Everyone,

>

> When I log into the server I am confronted with a black screen

> and I cannot proceed. This usually happens when someone RDP

> into the server and forgot to log off. Is there a way to allow

> me to log in without having to restart the server?

>

> Thank you,

> D

Top

From: Derek Da Silva <DerekDaSilva@discussions.microsoft.com>

To: none

Subject: Re: Unable to log into Server

Date: 09/20/2007 16:20:01

Yes- I share the admin account with other users. How do I disable the ssaver

under TS? Is there a way I can log on and get to the server without

rebooting it?

Thanks,

D

"Vera Noest [MVP]" wrote:

> Are you sharing your user account with someone else, like several

> persons using the same Administrator account? Sounds like the screen

> saver has kicked in when you take over a disconnected session.

>

> Disable the screen saver on the TS.

> _________________________________________________________

> Vera Noest

> MCSE, CCEA, Microsoft MVP - Terminal Server

> TS troubleshooting: http://ts.veranoest.net

> ___ please respond in newsgroup, NOT by private email ___

>

> =?Utf-8?B?RGVyZWsgRGEgU2lsdmE=?=

> wrote on 20 sep 2007 in

> microsoft.public.windows.terminal_services:

>

> > Hi Everyone,

> >

> > When I log into the server I am confronted with a black screen

> > and I cannot proceed. This usually happens when someone RDP

> > into the server and forgot to log off. Is there a way to allow

> > me to log in without having to restart the server?

> >

> > Thank you,

> > D