Terminal Services Group Policy
For more information about Windows Terminal Services, please visit MSTerminalServices.org.
With the introduction of Terminal Services Group Policy in Windows Server 2003, Microsoft adds new capabilities for managing Terminal Services in enterprise environments. These Group Policy settings can be used to manage many features of Terminal Services including server configuration, client sessions, security, and licensing. Some of these settings can also be specified using the Terminal Services Configuration MMC snap-in, but using Group Policy is a simpler approach when you have multiple Terminal servers in your enterprise and many Terminal Services users. We'll begin by outlining the various kinds of policies available for managing Terminal Services, then focus on a few key policies you may want to configure. Afterward you can either configure these policies on individual Terminal servers by editing the Local Group Policy Object (LGPO) on those machines, or you can configure them in a Group Policy Object (GPO) linked to an organizational unit (OU) where your Terminal server computer accounts reside. It's your choice, and which method you use depends on the complexity of your environment.
Overview of Terminal Services Policies
Policies for controlling Terminal Services are found in two locations:
- Per-machine settings are found at Computer Configuration\Administrative Templates\Windows Components\Terminal Services
- Per-user settings are found at User Configuration\Administrative Templates\Windows Components\Terminal Services
The large majority of the Terminal Services policies are machine-based and are shown in Figure 1:
Figure 1: Machine-based policies for managing Terminal Services.
Below is a quick summary of the different kinds of policies found under Computer Configuration\Administrative Templates\Windows Components\Terminal Services and its various subnodes (we'll look at a few key policies later on in this article):
- Root node - These are miscellaneous policies for improving Terminal server performance and enhancing the experience of Terminal Services users.
- Client/Server data redirection - These are various policies for controlling whether printers, audio devices, COM ports, and other devices and services are redirected to Terminal Services client machines.
- Encryption and Security - These are settings to enhance or control the security of Terminal Services environments.
- Licensing - These are settings specific to Terminal Server Licensing.
- Temporary folders - These are settings that determine whether Terminal Services maintains separate \temp folders for each Terminal Services user and whether these \temp folders are cleaned out when sessions are ended.
- Session directory - These are settings specific to Terminal server cluster environments.
- Sessions - These are settings that govern when Terminal Services user sessions timeout and how users can reconnect their sessions.
Figure 2: User-based policies for managing Terminal Services.
As shown in Figure 2 above, there are fewer policies to consider under User Configuration\Administrative Templates\Windows Components\Terminal Services:
- Root node - These are policies governing remote control of user sessions and whether a program should run when users connect to Terminal servers.
- Sessions - These are settings that govern when Terminal Services user sessions time out and how users can reconnect their sessions.
Note that the User Configuration\Administrative Templates\Windows Components\Terminal Services policy settings mirror those found under Computer Configuration\Administrative Templates\Windows Components\Terminal Services. If the same policy setting is configured under both machine and user policy, the machine policy will take precedence.
Some Key Policies To Configure
If you're running a Terminal Services environment, there are a few key policies you may want to configure to make your life easier as an administrator, and to make your users' lives easier also. Here are seven key policies that can be useful to implement using Group Policy (note that these policies require Windows XP on the client end and Windows Server 2003 on the server end):
- Remove disconnect option from Shut Down dialog - This policy is found under Computer Configuration\Administrative Templates\Windows Components\Terminal Services, and setting it to Enabled can help enhance the performance of your Terminal server. The reason is that it prevents users from using the Shut Down dialog to disconnect their Terminal Services session instead of terminating it. If a Terminal Services session is disconnected, the session continues to run on the Terminal server and uses up server resources (processor, memory, disk). If a session is terminated instead, the resources used by the session are released for use by other sessions. So if your Terminal server is working near capacity to support your users, it's important that users not be allowed to disconnect their sessions and leave them running on the server, hogging resources that could be used by other users. The downside of this policy is that it only removes the disconnect option from the Shut Down dialog and doesn't prevent users from disconnecting their session in other ways, for example by disabling their network connection. As a result, you should also configure the next policy.
- Sets time limit for disconnected sessions - This policy is found under both Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions and User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions, and it can be used in conjunction with the previous policy to help enhance your Terminal server's performance. By configuring disconnected sessions to time out after a short period, you ensure that resources are released on your server when a Terminal Services user no longer requires them. Note that this setting has no effect on console or Remote Desktop sessions.
- Sets a time limit for active but idle Terminal Services sessions - This policy is found under both Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions and User Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions and is useful for enhancing the security of a Terminal Services environment. When you enable this setting and specify a timeout, a user whose Terminal Services session is idle (that is, no keyboard or mouse activity) is warned two minutes before the timeout expires that they are about to be disconnected. If the user doesn't respond in time, the session is disconnected; it continues to run on the server, but the user has to reconnect to it to continue her work. This is useful if you are concerned that users might walk away from their machines and leave Terminal Services sessions running without locking their workstation. If you enable this setting, however, you probably don't want to enable the previous setting as well, since the combined result will be idle sessions being terminated and users possibly losing their work.
- Keep-Alive Connections - This policy is found under Computer Configuration\Administrative Templates\Windows Components\Terminal Services and is useful in environments where a Terminal Services user's network connection is unreliable, for example when a remote user is connecting to a Terminal server over a WAN link. What happens is that when you enable this policy and specify a keep-alive time interval, the Terminal server periodically checks to make sure the user's session is still connected. Then if the network link is determined by the server to have gone down, the server puts the user's session into a disconnected state so that when the link comes back up the user can reconnect to their session and continue their work. What might happen if you don't enable this policy is that the network link could go down and leave the user's session in an active but orphaned state, and then when the link comes back up the user won't be able to reconnect to their session on the server because it is considered active (in use) and not disconnected. The user may then start a new Terminal Services session, leaving the orphaned session still running on the server and consuming resources that could be used for other users.
- Automatic reconnection - This policy is found under Computer Configuration\Administrative Templates\Windows Components\Terminal Services and can be used in conjunction with the previous policy to ensure that users are automatically reconnected to their Terminal server when their network link unexpectedly goes down. When you enable this setting and the network link goes down, the Terminal server tries to reconnect with the remote client every five seconds, and continues trying up to twenty times before giving up. If your network link is unreliable and often goes down for brief periods (something common with certain types of WAN links), users will have a better Terminal Services experience because they won't have to manually reconnect to disconnected sessions.
- Restrict Terminal Services users to a single remote session - This policy is found under Computer Configuration\Administrative Templates\Windows Components\Terminal Services and can help protect your Terminal server from excessive hogging of resources by preventing users from starting more than one session with the Terminal server. This may be a useful setting to enable in an environment where users are allowed to log on to the network from multiple computers instead of being restricted only to their own desktops.
- Limit maximum color depth - This policy is found under Computer Configuration\Administrative Templates\Windows Components\Terminal Services and can help boost performance on a Terminal server that is already working near capacity. What enabling this policy does is to restrict the color depth of the display on the Terminal Services client machines to the specified number of bits. By restricting the color depth this way, the amount of network bandwidth used by the RDP protocol is reduced and this can both lessen the load on the Terminal server and prevent slow WAN links from being saturated.
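As an added example (not part of the original article), the following PowerShell script audits a Terminal server for the seven policies above by reading the registry values that Group Policy writes for them under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, and it flags the idle-limit plus disconnected-limit combination the article warns about. The registry value names, their units and the ColorDepth codes are assumptions drawn from the policy definitions, not from the article.

```powershell
# Added audit script; not from the article. Value names, units and the meaning of
# 0/1 flags are assumptions from the Terminal Services policy definitions.
$tsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-TsPolicyValue {
    param([string]$Name)
    # Returns $null when the policy has never been applied on this machine
    $item = Get-ItemProperty -Path $tsPolicy -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null } else { return $item.$Name }
}

function Format-Flag {
    param($v)
    if ($v -eq 1) { 'Enabled' } elseif ($v -eq 0) { 'Disabled' } else { 'Not configured' }
}
function Format-Millis {
    # MaxDisconnectionTime and MaxIdleTime are stored in milliseconds; 0 means "Never"
    param($v)
    if ($null -eq $v) { 'Not configured' } elseif ($v -eq 0) { 'Never' } else { "$($v / 60000) min" }
}

$checks = @(
    @{ Policy = 'Remove disconnect option from Shut Down dialog'; Value = 'NoDisconnect';          Fmt = ${function:Format-Flag} }
    @{ Policy = 'Time limit for disconnected sessions';           Value = 'MaxDisconnectionTime';  Fmt = ${function:Format-Millis} }
    @{ Policy = 'Time limit for active but idle sessions';        Value = 'MaxIdleTime';           Fmt = ${function:Format-Millis} }
    @{ Policy = 'Keep-Alive Connections';                         Value = 'KeepAliveEnable';       Fmt = ${function:Format-Flag} }
    # Automatic reconnection is stored inverted: fDisableAutoReconnect = 0 means the policy is enabled
    @{ Policy = 'Automatic reconnection';                         Value = 'fDisableAutoReconnect';
       Fmt = { param($v) if ($null -eq $v) { 'Not configured' } elseif ($v -eq 0) { 'Enabled' } else { 'Disabled' } } }
    @{ Policy = 'Restrict users to a single remote session';      Value = 'fSingleSessionPerUser'; Fmt = ${function:Format-Flag} }
    # ColorDepth is a code (assumed 1 = 8-bit, 2 = 15-bit, 3 = 16-bit, 4 = 24-bit)
    @{ Policy = 'Limit maximum color depth';                      Value = 'ColorDepth';
       Fmt = { param($v) if ($v) { "depth code $v" } else { 'Not configured' } } }
)

$report = foreach ($c in $checks) {
    $raw = Get-TsPolicyValue -Name $c.Value
    [pscustomobject]@{ Policy = $c.Policy; RegistryValue = $c.Value; Setting = (& $c.Fmt $raw) }
}
$report | Format-Table -AutoSize

# The article cautions against combining an idle-session limit with a disconnected-session
# limit: idle users are first disconnected and then have their session terminated.
$idle = Get-TsPolicyValue -Name 'MaxIdleTime'
$disc = Get-TsPolicyValue -Name 'MaxDisconnectionTime'
if ($idle -gt 0 -and $disc -gt 0) {
    Write-Warning (('Idle limit {0} min and disconnected limit {1} min are both set; an idle ' +
                    'session is terminated about {2} min after the user stops working.') -f
                    ($idle / 60000), ($disc / 60000), (($idle + $disc) / 60000))
}
```

Run it in an elevated session on the Terminal server after `gpupdate /force`; an unconfigured policy reads as "Not configured" because the value is simply absent from the policy key.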
Using Group Policy can considerably simplify the task of managing Terminal servers and remote users. In this article we've surveyed the lay of the land as far as Terminal Services policy is concerned, and have also keyed in on seven useful policies you may want to configure. If you have other recommendations for configuring Terminal Services policy settings, I'd be glad to hear from you, so feel free to contact me at [email protected]. Be sure also to check out my blog ITreader.net, where I often post tips and suggestions concerning Group Policy and other aspects of Windows administration. My blog also has an RSS feed so you can subscribe to it if you use a newsreader.