Appendix D Script Reference: USRLOGON.CMD

Listing A.1 is the modified USRLOGON.CMD, which takes advantage of Win2K's ability to map the home directory to the user's folder. Deletions from the original USRLOGON.CMD are in STRIKETHROUGH and additions are in BOLD. To use this script, you should set your ROOTDRIVE to the same drive letter that you use for your users' network home directories.

Call "%SystemRoot%\Application Compatibility Scripts\SetPaths.Cmd"
If "%_SETPATHS%" == "FAIL" Goto Done
Rem This is for those scripts that don't need the...

Application Installation

Now that you understand the process that Terminal Services uses to create an environment that can assist applications in running for simultaneous users, we can look at how the actual software installation process works on a Terminal Services server. In a perfect world, all applications would follow certain guidelines laid out in the Application Specification for Windows 2000. This document instructs programmers to take advantage of a number of Windows component services that would make the...

Managing Printing

Printing is one of the most difficult things to manage in a Terminal Services environment. Win2K's increased driver set has made the task a little easier, but there are still a number of challenges. First, by default, only administrators have the right to install printer drivers on a terminal server. So unless Windows has a native driver for a printer that your users will use, an administrator will have to manually install the driver on each...

Remote Control

When you select Remote Control from the Terminal Services Manager interface, you temporarily disconnect from your session and are connected to the user's session. RDP now sends all video information to both you and the user's client device and receives keyboard and mouse movements from both of you, if you have configured remote control with interact privileges. While remote controlling, the user can observe you while you launch applications, change settings, and so on, and you can observe the...

Terminal Services Manager

When you launch the Terminal Services Manager administrative tool, you are presented with a list of all servers with Terminal Services enabled in the domain. Using this tool, you can easily see which servers users are connected to, which client devices they're accessing the servers from, and which processes and applications they are running in their sessions. Figure 4.15 shows you the Terminal Services Manager interface.

Terminal Services Home Directories

You are also able to configure your user accounts to use separate home directories when logging on to a terminal server. As you learned in Chapter 3, the system uses the user's home directory as its ROOTDRIVE and stores application compatibility files there. The intention of using a separate home directory when logging on to a terminal server was to keep these files out of the user's Windows home directory. The problem is that if your users store their documents in their Windows home directory,...

Home and Profile Directories

As a systems administrator, you are familiar with network home directories and roaming profiles. These features in Windows allow us to maintain central stores for our users' documents and profile settings so that they are available regardless of which computer users sit down at. Terminal Services has the ability to maintain its own separate stores for home and profile data for the users. As with everything else in this chapter, how you utilize this ability depends on your environment and...

Loopback Group Policy Processing Order

Loopback processing allows us to take advantage of User Configuration settings from GPOs linked to the OU that contains the computer that is being accessed. As Figure 4.12 shows, there are two modes of loopback processing: Replace and Merge. Merge mode instructs the system to first apply the User Configuration from the Users OU Policy (the standard processing order), then apply the User Configuration from the Computers OU Policy. Replace mode instructs the system to ignore GPOs from the Users OU...

Managing Group Policy

After you have determined the proper set of policies for your users, you need a way to apply them. NT 4.0's system policy mechanisms are not nearly as flexible as Win2K's are. NT 4.0's system policy mechanisms require that terminal server administrators set up a separate NTCONFIG.POL for their terminal servers and manage it separately from the domain policy. The Win2K Group Policy process is very flexible and allows us to centrally manage all settings in the domain, and even maintain separate...

Standard Group Policy Processing Order

Win2K Group Policy is a layered process. To determine the final settings that a user will see, you must look at all the GPOs that are being applied. GPOs are applied in a fixed order: local, site, domain, organizational unit (OU). Machine settings and user settings are processed separately, although they can both come from the same GPOs. To understand how GPO processing works, let's look at a theoretical domain infrastructure and walk through GPO processing as it happens. Figure 4.11 shows our...

UI Settings

In addition to configuring permissions, timeouts, and remote control settings, you will also want to use system policies to lock down certain components of the UI. This topic is very volatile, as many users are accustomed to using features that systems administrators typically remove or disable in a Terminal Services environment, such as the command prompt, Run command, Task Manager, and so on. I would recommend using Microsoft article Q278295, How to Lock Down a Windows 2000 Terminal Server...

Controlling Session Behavior

Now that your users have permission to log on to the terminal server over RDP, you can control how their sessions behave. Almost all session-related settings can be set per-user or per-server. Per-server settings always override per-user settings, so you have the ability to make one terminal server behave differently from the rest. In W2K, each field in the user object properties (Full Name, Logon Script, Home Directory, and so on) is its own attribute in the AD schema. This setup gives...

Log On Locally

You can control the Log on locally right through the User Rights Assignment section of the machine policy. When you install Terminal Services in application server mode, this right is changed from Administrators to Users, and the local Users group includes all authenticated users in the domain. To view or change this right, use the Microsoft Management Console (MMC) Local Security Policy snap-in found in Administrative Tools. Drill down to Local Policies, User Rights Assignment. Figure 4.1...

Remote Administration Mode

Installing Terminal Services in remote administration mode is the most common and the simplest configuration. This mode gives systems administrators the ability to remotely control a Win2K server. Remote administration mode doesn't require a Terminal Services License Server, and applications installed on the server aren't tuned for multiple interactive users. Some systems administrators make the mistake of trying to use remote administration mode as a two-user Application Server because this...

Application Server Mode

Before enabling Terminal Services in application server mode, you must first consider server configuration and sizing. This consideration involves looking at disk size and partitioning scheme, the amount of physical memory required, and the number and speed of processors used. Terminal Services should typically be used to hold application executables only and not databases or user documents so that disk capacity is rarely an issue as long as you have adequate space for the OS, applications,...

Implementing Terminal Services in an Extranet Environment

As a result of the many complex data flows required by today's business-to-business (B2B) marketplace, many enterprises are building extranets at the periphery of their LANs. This setup enables them to place systems in a buffer zone in which they have control over access from both the external networks as well as the intranet. If you are deploying a vertical application to which both internal and external users require access, then an extranet may be the perfect solution. Think of an extranet as...

Real World Example

Let me walk you through an example of an application that needs to be modified for terminal server use. I'll change the name to protect the publisher. Let's assume that WorkGroup is a problem-tracking system that your company uses to manage projects. It references a SQL database to store project descriptions, timelines, and team members' notes. You want to install WorkGroup on your terminal server so that you can have your users run it from within a Web page using the Microsoft Terminal...

RoboClient (ROBOCLI.EXE)

The RoboClient program is installed on each test workstation. It communicates with the test manager system and controls execution of your test scripts. By default, when you launch ROBOCLI.EXE, it looks for a test manager system named ts-dev. If your test manager system has a different name, you can use an -s switch to specify another server name (where servername is the name of the test manager system), or enter the name in the GUI, as Figure 5.2 shows.

The Terminal Services Protocols

The traditional computing model relies on the standard TCP/IP protocol stack to transfer data back and forth between the workstation and server. The client/server processing model, however, has very specific needs for maintaining its network link between the client and server. Since only video information and keyboard and mouse movements are communicated and data isn't communicated, the protocol used must be robust and low in latency. Two main protocols have been developed to meet this need: RDP...

Group Policy and Software Installation

If you are familiar with Win2K Group Policy, you know that one of its very powerful features is the ability to install, upgrade, and manage software. Although you might be tempted to use this feature to push new software out to your terminal servers, you need to be very careful how you do so. Most MSI packages are unaware of Terminal Services' Install mode, so if you attempt to use Group Policy to deploy user applications, you will not be able to take advantage of registry and INI file mapping....

Permissions on RDP

In Chapter 2, I introduced you to the Terminal Services Configuration utility. At that point, we were only concerned with using it to tune the server for optimal performance, but you can also use this utility to set permissions on RDP as well as set overrides for user session settings. Figure 4.2 shows the connections window of the utility. Figure 4.2 Connections settings in the Terminal Services Configuration utility.

Terminal Services Profile Path

When a user logs on to a workstation, the system checks the profile path attribute of his or her user object to see whether the user has a centrally stored profile. If he or she does, and it is newer than any locally cached copy that may exist, the profile is downloaded for the user. In the same way, when a user logs on to a terminal server, the system queries the UserParameters attribute and looks for a Terminal Services Profile path. Figure 4.14 shows the Terminal Services Profile tab of a...

System Tuning For Terminal Services

Now that you've installed Terminal Services, there are a number of measures you can take to tune the system for optimal performance under the heavy load of numerous simultaneous users. I'll make the assumption that you're running Win2K with Service Pack 2 (SP2) installed. The first step is to connect to Windows Update and install any Critical Updates and Application Compatibility Updates. These updates will ensure that you have the most up-to-date security and the most application-friendly...

Performance Monitor (PerfMon)

PerfMon is the tried and true native monitoring tool for Windows systems. As Figure 5.4 shows, you can use PerfMon to view, log, and create alerts based on performance counters. In addition to the counters that you may be familiar with (Free Memory, Processor Time, and so on), Terminal Services also has a number of counters specific to it. I will define some of the key counters to look at, both standard and Terminal Services-specific, then go over how to set up logging and alerts. Figure 5.4...

RoboServer (ROBOSRV.EXE)

RoboServer is installed on the test manager system. This tool is the conductor of all activity during the test. RoboServer instructs each instance of RoboClient when to open a new connection to the terminal server and which test script to run in the session. From the GUI, you can specify the following parameters:

- The name of the terminal server to use
- The number of sessions each client computer should establish
- How many sessions make up a test set
- The delay time between test sets
- The delay...

Allow Logon to Terminal Services

The last requirement to log on to a terminal server is a per-user setting. In the properties of each user object in the domain, there are a few tabs that are terminal server related. Most of the settings affect session behavior once a user is logged on. But if you leave the Allow logon to terminal server check box clear, the setting will prevent that user from logging on in the first place. Figure 4.5 shows the User properties tab that holds this setting. The Allow logon to terminal server...

Configure a Workstation to Act Like a Thin Client

The following steps walk you through how to configure an NT 4.0 Workstation or Win2K Pro system to act like a thin client.

1. Install the Terminal Services Client; for this, you must use the RDP 5.0 client.
2. Create a new local machine account and place it in the local administrators group.
4. Log out and log on again as the new account you created in Step 2.
5. Launch the Client Connection Manager and create or import your Terminal Services connection definitions.
6. Apply the following...

Setting up a Terminal Services License Server

Open License Terminal Services

As you read in Chapter 1, each device that connects to a terminal server in application server mode needs a TSCAL. A Terminal Services license server is used to install, distribute and manage these TSCALs. Without a license server, the terminal server will stop accepting connections after 90 days. If you're in a Win2K domain environment, you should install the Terminal Services Licensing service on one of your domain controllers. All terminal servers in the domain will automatically find the...

Application Compatibility Mechanisms

Before we dive into the application-installation process, you must understand the mechanisms that Microsoft has put in place to assist you in making applications that weren't designed with Terminal Services in mind run on a terminal server. These include Terminal Services logon scripts, application compatibility scripts, install and execute modes, registry mapping, and INI file mapping. If an application carries the Certified for Windows 2000 logo, it will generally be compatible with Terminal...

Win2K Terminal Services Licensing

Under WTS, a common practice is to disable logging of TSCALs and simply purchase enough Client Access Licenses (CALs) to cover all your devices. Win2K Terminal Services doesn't allow you to disable license logging, so Win2K Terminal Services administrators are forced to install, configure, and maintain a Win2K Terminal Services License Server on their network. If you're using Win2K Terminal Services for remote administration only, you don't require a TSCAL and don't need a License Server. The...

Task Manager

Task Manager is one of the most common tools used in Windows and is often considered a user tool; it offers a great deal of information in a very condensed format. On a terminal server, you can use Task Manager to display processes in either only your session or all sessions on the server. From here you can kill a hung process or quickly spot a leaky one. In Figure 5.8, you can see the Show processes from all sessions check box. Once this check box is selected, you should select Select Columns...

RDP Access Levels

RDP provides three basic levels of access: Guest Access, User Access, and Full Control. The level assigned to a group determines the group's abilities when connected to the terminal server over RDP. Let's first examine the permissions available, then put them together into the basic access levels. Figure 4.4 shows the advanced ACL Editor's list of individual permissions, and Table 4.1 explains which abilities each permission setting bestows on the users.

Terminal Services Compatibility Flags

When you install an application, Terminal Services creates a compatibility flag registry key, which Figure 3.15 shows, that instructs Terminal Services about which type of program the application is (MS-DOS, 16-bit, 32-bit). If you're installing a legacy application that will not run on Terminal Services, you can adjust this flag so that Terminal Services makes adjustments when the application is launched. Figure 3.15 The compatibility flags registry values.

Terminal Server Maintenance

In a perfect world, Windows systems would always perform as they are supposed to. Users would be able to log on, log off, open and close applications, and recover from hung applications without causing problems to the system or other users. In reality, however, most Terminal Services administrators have found that applications will occasionally cause memory leaks and user profiles will sometimes become locked on the terminal server. Although your goal should be to find the cause of such...