Configuring Terminal Services Client Settings
The Terminal Services client, Remote Desktop Connection (RDC), is highly
configurable. For example, you can configure the client to display
remote desktops with a certain screen resolution or to make certain
local drives available in the session. These features can be configured
in the client application itself or at the domain level by using a
Group Policy Object (GPO).
Configuring Remote Desktop Connection Options
RDC, also known as Mstsc.exe, is the primary client program used to connect
to Terminal Services. The other client program is Remote Desktops,
which is available as a snap-in through Microsoft Management Console
(MMC). Through its options tabs, RDC enables you to customize a
Terminal Services connection within the limitations set at the server
or in Group Policy.
To explore the configuration options available through RDC, open RDC, and then click the Options button, as shown in Figure 1.
This step reveals the six RDC options tabs. The following section describes
the features you can configure on these RDC options tabs.
General
The General tab, shown in Figure 2,
enables you to define a target computer and a set of authentication
credentials for the connection. It also enables you to save the options
defined for the connection in an RDP (Remote Desktop) file.
Display
The Display tab, shown in Figure 3, enables you to define the screen resolution and color bit depth for the TS client window.
Local Resources
The Local Resources tab enables you to choose which local resources
(such as the Clipboard, any locally defined printers, and any local
drives) should be made available within the TS session. This tab also
enables you to determine the behavior of features such as sounds and
keystrokes in the TS session.
The Local Resources tab is shown in Figure 4.
Programs
This tab enables you to define any program you want to start automatically when the TS connection begins.
The Programs tab is shown in Figure 5.
Experience
The Experience tab, shown in Figure 6,
enables you to choose which optional graphical user interface (GUI)
effects you want to display from the terminal server. For example, the
Desktop background and font smoothing features visually enhance the TS
session but can also strain network resources and slow TS client
performance. Performance settings will be selected automatically, as a
suggestion, when you choose a connection type.
Advanced
The Advanced tab, shown in Figure 7,
enables you to configure client behavior for the Server Authentication
and Terminal Services Gateway (TS Gateway) features. Server
Authentication is a feature, native to Windows Vista and Windows Server
2008,
through which a terminal server can confirm that its identity is the
computer specified by the TS client. On the Advanced tab, you can
configure a TS client to warn, block, or enable a connection to a
server on which Server Authentication has failed.
The Terminal Services Gateway feature enables a TS client to traverse a
corporate firewall and connect to any number of terminal servers in an
organization.
Saving RDP Files
After you have defined the desired options for a TS client in RDC, these
settings are saved automatically in the Documents folder to a hidden
file named Default.rdp. This file contains the settings used for RDC
when you open the program from the Start menu. However, you can also
save TS client configuration settings in custom .rdp files by clicking
the Save As button on the General tab. These .rdp files can then be
used to initiate TS sessions with specific client options (such as
server name and authentication information).
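Because a saved .rdp file carries the Local Resources and Server Authentication choices with it, it is worth reviewing before it is distributed. The following is an added example, not code from the original text: it parses .rdp text and reports settings that widen client exposure. The setting names are standard .rdp keys that the page does not list, and the sample content is constructed.

```powershell
# Constructed sample .rdp content; host name and values are made up for illustration.
$sampleRdp = @'
full address:s:ts01.corp.example
authentication level:i:0
drivestoredirect:s:*
redirectclipboard:i:1
redirectprinters:i:0
prompt for credentials:i:0
'@

function ConvertFrom-RdpText {
    # Parses "name:type:value" lines (type is i, s or b) into a hashtable keyed by name.
    param([string[]]$Line)
    $settings = @{}
    foreach ($l in $Line) {
        if ($l -match '^\s*([^:]+):([isb]):(.*)$') {
            $settings[$Matches[1].Trim().ToLowerInvariant()] = $Matches[3].Trim()
        }
    }
    return $settings
}

function Get-RdpFinding {
    # Emits one string per setting that deserves review before the file is shared.
    param([hashtable]$Settings)
    if ($Settings['authentication level'] -eq '0') {
        'Server authentication: connects without warning when the check fails'
    }
    if ($Settings['drivestoredirect']) {
        "Local drives redirected into the session: $($Settings['drivestoredirect'])"
    }
    if ($Settings['redirectclipboard'] -eq '1') {
        'Clipboard is shared with the remote session'
    }
    if ($Settings.ContainsKey('password 51')) {
        'File embeds a saved password blob'
    }
}

$parsed = ConvertFrom-RdpText -Line ($sampleRdp -split '\r?\n')
Get-RdpFinding -Settings $parsed
# For a real file: ConvertFrom-RdpText -Line (Get-Content -LiteralPath .\custom.rdp)
```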
Configuring Terminal Services Clients Through Group Policy
Group Policy enables you to enforce settings centrally on users or computers
in an Active Directory environment. As a way to manage many TS clients,
you can use a GPO to ensure that Remote Desktop Connection is always
configured with the settings you choose. In many cases, this is the
most efficient and effective way to manage TS clients.
In the Computer Configuration section of a GPO, you can specify client
settings such as whether passwords can be saved in RDC, whether
the client should always be prompted for credentials, how server
authentication should be performed, and which resources should be
redirected to the TS session. You can explore these settings in a GPO
by browsing to Computer Configuration\Policies\Administrative
Templates\Windows Components\Terminal Services.
In the User Configuration section of a GPO, you can configure settings
related to session time limits, remote control, and the remote session
environment. You can explore these settings in a GPO by browsing to
User Configuration\Policies\Administrative Templates\Windows
Components\Terminal Services.
Single Sign-on
A particularly useful Terminal Services client feature that you can
configure in Group Policy is Single Sign-on (SSO). In an Active
Directory domain environment, you can use SSO to eliminate the need to
enter user credentials when you use RDC to connect to a terminal
server. With SSO, instead of prompting for your credentials, RDC
automatically uses the credentials of the user currently logged on to
the local computer running Microsoft Windows.
To configure SSO, enable the Allow Delegating Saved Credentials policy
setting, which you can find in Computer
Configuration\Policies\Administrative Templates\System\Credentials
Delegation. After enabling the policy, you then need to create in the
same policy a server list that specifies the terminal servers that will
accept SSO credentials. Add each server name in the form
TERMSRV/<Your server name>. To enable all terminal servers within
the scope of the policy to accept SSO credentials, you can add the
entry TERMSRV/*.
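The server list decides which hosts receive delegated credentials, so the breadth of each entry matters: TERMSRV/* covers every terminal server in scope, while a named entry covers one. The following is an added example, not part of the original text, that reads the Credentials Delegation server lists applied to a client and classifies each entry. The registry path is the location where these policy lists are stored and does not appear on the page; the fallback entries are constructed.

```powershell
# Registry location of the Credentials Delegation policy lists (not given on the page).
$PolicyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'

function Get-DelegationEntry {
    # Returns one object per server-list entry found under the policy key.
    param([string]$Root = $PolicyRoot)
    if (-not (Test-Path -LiteralPath $Root)) { return }
    foreach ($list in Get-ChildItem -LiteralPath $Root) {
        foreach ($name in $list.GetValueNames()) {
            [pscustomobject]@{
                List  = $list.PSChildName
                Entry = [string]$list.GetValue($name)
            }
        }
    }
}

function Get-DelegationScope {
    # Classifies a TERMSRV/<name> entry by how many servers it can match.
    param([string]$Entry)
    if ($Entry -match '^TERMSRV/(.+)$') { $target = $Matches[1] }
    else { return 'NotTerminalServer' }
    if ($target -eq '*')       { return 'AnyServer' }
    if ($target.Contains('*')) { return 'WildcardSuffix' }
    return 'SingleServer'
}

# Constructed sample entries, used only when no policy is applied on this machine.
$sample = 'TERMSRV/ts01.corp.example', 'TERMSRV/*.corp.example', 'TERMSRV/*'

$entries = @(Get-DelegationEntry)
if ($entries.Count -eq 0) {
    $entries = $sample | ForEach-Object { [pscustomobject]@{ List = 'sample'; Entry = $_ } }
}

# Report every entry with its scope; AnyServer rows are the ones to justify or narrow.
$entries | Select-Object List, Entry, @{ n = 'Scope'; e = { Get-DelegationScope $_.Entry } }
```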
Configuring User Profiles for Terminal Services
In general terms, a user profile
simply refers to the collection of data that comprises a user’s
individual environment—data including a user’s individual files,
application settings, and desktop configuration. In more specific
terms, a user profile
also refers to the contents of the personal folder, automatically
created by Windows, that bears the name of an individual user. By
default, this personal folder is created in the C:\Users folder when a
user logs on for the first time to a computer running Windows Vista or
Windows Server 2008. It contains subfolders such as Documents, Desktop,
and Downloads as well as a personal data file named Ntuser.dat. For
example, by default, a user named StefanR will store the data that
makes up his personal environment in a folder named C:\Users\StefanR.
In a Terminal Services environment, user profiles are stored on the
terminal server by default. This point is important because when many
users access the terminal server, profiles are centralized and can
consume a large amount of server disk space. If storage space on the
terminal server is insufficient, plan to store user data and profiles
on a disk that is separate from the operating system installation disk
drive. Also consider using disk quotas to limit the amount of space
available to each user. (You can configure disk quotas through the
properties of the drive on the terminal server where the profiles are
stored.)
Another way to manage TS user profiles is to configure users with a Terminal
Services–specific roaming user profile that is stored on a central
network share. Such a profile is downloaded to the user’s TS session
whenever and wherever such a session is initiated. This TS-specific
roaming user profile can be defined on the Terminal Services Profile
tab of a user account’s properties, as shown in Figure 8.
Alternatively, you can use Group Policy to define these TS roaming user
profiles. (You can find Terminal Services profile settings in a GPO in
Computer Configuration\Policies\Administrative Templates\Windows
Components\Terminal Services\Terminal Server\Profiles. The specific
policy setting used to configure TS-specific roaming user profiles is
named Set Path For TS Roaming User Profile.)
Caution: Roaming user profiles and Terminal Services
Ordinary roaming user profiles are those that follow a user as he or she logs on
and off from various computers in a Windows domain. Ordinary roaming
user profiles should not be used for Terminal Services sessions because
they can lead to unexpected data loss or corruption. If you have
configured roaming user profiles in your organization, be sure to
implement TS-specific user profiles as well.
Configuring Home Folders
When a user chooses to save a file, the default path points to a location known as the home folder.
For Terminal Services, the home folder by default is located on the
terminal server. However, it is usually helpful to configure the home
folder either on the local disk drive or on a network share.
Configuring the home folder in this way ensures that users can locate
their saved files easily. As with TS-specific roaming user profiles,
you can define home folder locations for Terminal Services either in
the properties of the user account or in Group Policy. (Home folder
settings for Terminal Services can be found in a Group Policy object in
Computer Configuration\Policies\Administrative Templates\Windows
Components\Terminal Services\Terminal Server\Profiles. The policy
setting used to configure home folders is named Set TS User Home
Directory.)