Section 10.8. Terminal Services Administration

10.8. Terminal Services Administration

You can administer a Terminal Services machine from three points:

The Terminal Services Manager console

You can run this console from any station to display and control Terminal Services connections on a network.

The Terminal Services Configuration console

This console runs on each Terminal Services machine to adjust the individual Terminal Services configurations on each machine.

The Terminal Services Licensing console

This console manages licensing across all Terminal Services machines in a domain.

I covered the Terminal Services Licensing applet in the previous section. In this section, I'll cover the basic administrative functions that the Terminal Services Manager applet can perform, and then I will focus on some common tasks using the Terminal Services Configuration applet.

10.8.1. Terminal Services Manager

Terminal Services Manager (TSM ) is the focal point where all connections between client computers and Terminal Services machines come into view. Think of it as "mission control."

TSM's full functionality only works when you run the console from a machine connected to Terminal Services through a TS session. Running TSM locally on the machine running Terminal Services will limit the functionality available to you.

Figure 10-4 shows the basic TSM layout.

Figure 10-4. The default Terminal Services Manager window

By default, TSM shows all Terminal Services servers in your domain. You can connect to all of them at once if you so choose, but TSM looks at only one server at a time by default. To find servers, use the following procedures:

• To find all Terminal Services servers in your domain, in the left pane right-click the name of your domain, and select Refresh Servers in Domain.

• To find all Terminal Services servers on your network, in the left pane right-click All Listed Servers, and choose Refresh Servers in All Domains.

• To connect to any particular server, right-click its name in any list and select Connect.

Using TSM, you can perform a variety of network- and domain-wide session management functions. You can monitor a session, disconnect it, log it off, send messages to users, and take control of a session, among many other things.

10.8.1.1. Connecting to a session

Connecting to another session on a server is a useful tool for an administrator working remotely, for example, to fix a problem with a user's configuration in Microsoft Office while the user is at lunch. You always can connect to any active session or to a session that is disconnected. You can also connect to a session that is logged on inside your current security context (meaning basically your username), or if you have the appropriate permissions (Full Control or User Access permissions over Terminal Services sessions), you can connect to any session.

To connect to a session, follow these steps:

1. Right-click the appropriate session in the right pane of TSM. Alternatively, to connect to a session that is run by a user, right-click the appropriate user's name. Choose Connect in either case.

2. You are prompted for a password if needed. Otherwise, control is switched to the new session, and the active session is disconnected.

10.8.1.2. Disconnecting a session

A session that is disconnected is unique, in that it continues to run on the server, but the actual network link between the client and the Terminal Services machine is severed. Using a disconnected session, a user can return to a previous session at any time by simply reestablishing the connection, alleviating the need for either logging off or logging on. The catch to this is that, of course, server resources are finite, and if all users leave their sessions disconnected, everybody's copy of Outlook is still receiving mail, and everyone's PowerPoint presentations are still open to be edited. But disconnecting a session is still a handy way to clear your screen to take off to lunch, knowing that when you come back your desktop will be as you left it. It's sometimes useful to disconnect a session when Remote Desktop fails to pick up your old connection.

A user can disconnect any session of his own, and an administrator can disconnect any session over which he has Full Control rights.

To disconnect a session, follow these steps:

1. Right-click the appropriate session in the right pane of TSM, and choose Disconnect.

2. You are prompted to confirm your choice. Click OK, and the session will be disconnected.

You can select multiple sessions at a time in the right pane by pressing and holding the Ctrl key and clicking each session that you want to disconnect.

10.8.1.3. Logging off a session

Logging off a session ends that particular user's session on a host, thereby making available to other users any RAM and CPU resources that the particular session was using. Users must then log on the next time they connect to the Terminal Services server. A user can log off any session of his own, and an administrator can log off any session over which he has Full Control rights.

To log off a session, follow these steps:

1. Right-click the appropriate session in the right pane of TSM, and choose Log Off.

2. You are prompted to confirm your choice. Click OK, and the session will be disconnected.

Keep in mind that forcibly logging off users will result in data loss for those users, so always make them aware of any automatic logoffs before they happen.

You also can log off a session by issuing the LOGOFF command, followed by the session ID or name (which you can find inside TSM), at the terminal server's command prompt. To log off session number 8, for example, use the following command:

     logoff 8 

10.8.1.4. Resetting a session

When you reset a session, it forcibly terminates that session: programs are closed, open data is lost, and memory that those programs were occupying is immediately returned to the Terminal Services host. A user can reset any session of his or her own, and an administrator can reset any session over which he has Full Control rights.

To reset a session, follow these steps:

1. Right-click the appropriate session in the right pane of TSM, and choose Reset.

2. You are prompted to confirm your choice. Click OK, and the session will be reset.

You can select multiple sessions at a time in the right pane by pressing and holding the Ctrl key and clicking each session that you want to reset.

You also can reset a session by issuing the RESET command, followed by the session ID or name, at the terminal server's command prompt. To reset session number 8, for example, use the following command:

     reset session 8 

10.8.1.5. Viewing session information

Using TSM, you can get a wealth of detail about any particular session on a Terminal Services host machine, including the following:

• Originating computer

• Running process

• Session image resolution and color depth

• Data encryption level

To view this information, find the session in the left pane of TSM, and select it. Then, to view currently running programs and services, click the Processes tab. You'll see a listing much like that found in the Windows Task Manager. On the Information tab in the same pane, you find a listing of the username, client name, data encryption level, originating computer, and more.

But let's say you want information on all sessions, including their processes and logged-on users, for a particular Terminal Services machine, domain, or even an entire network. This is possible with TSM: simply select the machine, domain, or network in the left pane of TSM and use the Users, Sessions, or Processes tabs in the right pane to control the display of information.

Figure 10-5 shows this in action.

You also can view this information from the command line with the query process, query session, query termserver, and query user commands. These simple commands display a table or list of the desired information. Here is example output from the four commands:

     C:\>query process     USERNAME SESSIONNAME ID PID IMAGE     >administrator rdp-tcp#10 1 4900 rdpclip.exe     >administrator rdp-tcp#10 1 4980 explorer.exe     >administrator rdp-tcp#10 1 3488 ducontrol.exe     >administrator rdp-tcp#10 1 5780 ctfmon.exe     >administrator rdp-tcp#10 1 3308 sqlmangr.exe     >administrator rdp-tcp#10 1 5056 cmd.exe     >administrator rdp-tcp#10 1 3088 query.exe     >administrator rdp-tcp#10 1 5844 qprocess.exe     C:\>query session     SESSIONNAME USERNAME ID STATE TYPE DEVICE     console 0 Conn wdcon     rdp-tcp 65536 Listen rdpwd     >rdp-tcp#10 administrator 1 Active rdpwd     C:\>query user     USERNAME SESSIONNAME ID STATE IDLE TIME LOGON     >administrator rdp-tcp#10 1 Active .     7/15/2004 5:49 PM     C:\>query termserver     NETWORK NETWORK     mercury hasselltech.local 

Figure 10-5. Viewing information on multiple sessions in TSM

10.8.1.6. Sending a message to a user

Sometimes it's necessary to send a message to all users logged on to a specific host, whether to mention that there might be downtime that evening, or that a virus or worm (God forbid) has invaded the Terminal Services machine and it needs to be shut down immediately. To send a message to a user, follow these steps:

1. In the right pane of TSM, right-click either the sessions or users to whom you want to send a message, and select Send Message.

2. In the Send Message dialog box, enter the text for your message. If you want to use separate lines, press Ctrl-Enter to begin a new line.

3. Click OK when you've finished entering the message.

A notification will be sent to the appropriate people. A sample is shown in Figure 10-6.

Figure 10-6. User messaging with Terminal Services

You also can send a message via the command line, which might be helpful if you are planning on scripting a message transmission that is triggered by a certain event. The MSG command is used to send these messages; some examples are presented here:

• To send a message to user lmjohnson on server WTS1:

   msg lmjohnson /server:WTS1 message 

  
  

• To send a message to a particular session name:

   msg RDP-tcp#4 message 

  
  

• To send a message that will display on a user's screen for 30 seconds:

   msg lmjohnson /server:WTS1 /time:30 message 

  
  

For more information on the switches and arguments available with the MSG command, type MSG /? at any command prompt.

10.8.1.7. Taking control of a session

Have you ever been on a troubleshooting call that was an intensely frustrating exercise in walking a user through a procedure in Excel or Access? What if the user could watch you perform the actions on his screen, and what if you could show the user the steps without leaving your desk? If the user has a session on a Terminal Services machine, you as the administrator can take control of his session, giving you full access to whatever the user's screen displays. The user can watch whatever you do in his session, making the tool wonderful for quick problem solving. The user also can control his session while you have control so that both sides can interact.

This is exactly like the Remote Assistance feature, which is available in Windows XP and Windows Server 2003 but recommended for use only with client computers running Windows XP. You shouldn't use Remote Assistance on servers for security reasons and should rely on the Terminal Services remote control feature instead.

To take control of a particular session, follow these steps:

1. In the right pane of TSM, right-click either the sessions or users to whom you want to send a message, and select Remote Control.

2. The Remote Control dialog appears. Here, select the appropriate key to be pressed along with the Ctrl key to end a remote control session.

3. By default, when you select OK, the user is prompted inside his session with a box asking him to confirm your request to take over his session. The user must acknowledge this prompt before remote control can begin.

It's possible to turn off the aforementioned user confirmation requirement through the user's properties inside Active Directory Users and Computers. On the Remote Control tab, uncheck the Require User's Permission checkbox, as shown in Figure 10-7.

Figure 10-7. Disabling the user notification requirement for remote control

Later in this chapter, I will discuss a way to turn this notification on and off on a per-server basis.

You also can remotely control a user's session from the command line using the SHADOW command. You must know the session's name or identification number. For example, to connect to session 3 on the current server, issue the following command:

     shadow 3 

To connect to session 2 on server WTS2, and to have the SHADOW utility tell you exactly what it does, issue the following command:

     shadow 2 /server:WTS2 /v 

10.8.2. Terminal Services Configuration

The Terminal Services Configuration applet provides a way to configure settings that are relevant to a specific server. When you open Terminal Services Configuration, you'll note that the tree in the left pane of the console has two nodes: Connections and Server Settings. Let's focus on the Server Settings section in this part of the chapter.

When you select Server Settings, you're provided with either six or seven options in the right pane, depending on whether your terminal server machine is a member of a cluster. These options, and their intended purpose, are described here:

Delete temporary folders on exit

If this option is set to Yes, any temporary folders created by Windows will be deleted. If the option is set to No, all temporary folders will remain. The default is Yes.

Use temporary folders per session

If this option is set to Yes, each session will have its own set of temporary folders for its exclusive use. If this option is set to No, all sessions will use one set of server-based temporary folders. The default is Yes.

Licensing

If this option is set to Per Device, Terminal Services CALs are given to each client computer that connects to the host. If this option is set to Per User, CALs are distributed to each user that connects to the host. The default is Per Device.

Active Desktop

If this option is set to Enable, users will be allowed to enable Active Desktop on their sessions. If this option is set to Disable, users will be prevented from enabling Active Desktop. The default is Disable.

Permission Compatibility

If this option is set to Full Security, users will not have full access to the Registry and to some parts of the filesystem through their applications, which might cause some older programs to fail. If this option is set to Relaxed Security, users will have access to these previously restricted areas, and older programs should still work. The default is Full Security.

Restrict Each User to One Session

If this option is set to Yes, no user can log on more than once to a particular Terminal Services host machine. If this option is set to No, a user can log on multiple times to the same server. The default is Yes.

The following subsections will take you through common administrative tasks using the Connections node inside Terminal Services Configuration.

10.8.2.1. Creating a new connection listener

Use the Terminal Services Configuration applet to create a new Terminal Services connection by following these steps:

1. Open the Terminal Services Configuration applet.

2. In the console tree, select Connections.

3. Pull down the Action menu and select Create New Connection.

4. The configuration wizard starts. Follow the prompts on the wizard to configure your connection.

Windows permits only one RDP-based connection per network card in the machine running Terminal Services. Usually, administrators find that the preconfigured connection created when Terminal Services is installed is really the only one they need. However, if you need more RDP connections, you'll need to install an additional network adapter for each connection needed.

10.8.2.2. Restricting Terminal Services connections

You can restrict the total number of RDP connections to any given server, which can be helpful if you have bandwidth problems on your network or your Terminal Services server machine has limited hardware resources.

To restrict the total number of RDP connections to a server through the Terminal Services Configuration applet, follow these steps:

1. Open the Terminal Services Configuration applet.

2. In the console tree, select Connections.

3. In the Details pane, select the applicable connection, right-click it, and choose Properties.

4. Move to the Network Adapter tab and click Maximum Connections.

5. Enter the maximum number of sessions you want to connect to this server.

6. Click Apply to finish.

To do so using GP, which overrides and takes precedence over the settings specified in Terminal Services Configuration, follow the steps described next.

1. Open the Group Policy Object Editor snap-in.

2. Navigate through Computer Configuration Administrative Templates Windows Components in the tree in the left pane.

3. Click Enabled.

4. Move to the TS Maximum Connections allowed box. In it, enter the maximum number of connections you want to allow, and then click OK.

You might want to restrict the number of Terminal Services sessions by server to improve performance and decrease load. This technique works especially well when you have a terminal server farm consisting of machines of various capabilities and configurations. You can adjust each server to the optimal number of connections to ensure a consistent response time across the farm for your users.

RDP connections, by default, are configured to allow an unlimited number of sessions on each server.

10.8.2.3. Encryption levels

Terminal Services supports multiple levels of encryption to secure communications between the client and the server. To change these levels through Terminal Services Configuration, follow these steps:

1. Open the Terminal Services Configuration applet.

2. Select Connections from the console tree.

3. Find the connection you want to modify in the righthand pane, right-click it, and select Properties.

4. Navigate to the General tab, and select the encryption level that best suits your needs. (I provide a description of the levels shortly.)

5. Check the Use standard Windows authentication checkbox if you want the connection to default to the standard authentication even if another authentication package exists.

You can also change the TS encryption level using Group Policy:

1. Open the Group Policy applet.

2. Navigate through Computer Configuration Administrative Templates Windows Components Terminal Services.

3. In the righthand pane, double-click the Set Client Connection Encryption Level setting, and then click Enabled.

4. In the Encryption Level list, click the desired security level.

5. Click OK to finish the procedure.

Use the following guide to determine which security setting is best for your environment:

FIPS Compliant

Encrypts client-to-server and server-to-client communications strongly enough to be in accordance with the Federal Information Processing Standard (FIPS). This method uses Microsoft-developed cryptographic modules.

If you have already established FIPS encryption through a system cryptography policy object or through the Terminal Services Set Client Encryption Level option, you cannot change the encryption level through the Terminal Services Configuration applet or through a GPO.

High

Encrypts client-to-server and server-to-client communications using strong 128-bit encryption; useful only when the terminal server resides in an environment composed of 128-bit compliant clients only (i.e., one of the Windows Server 2003 operating systems). Other clients using non-compliant OSes will not be able to connect unless they download a separate Terminal Services client that supports high encryption from Microsoft's web site at:

http://www.microsoft.com/downloads/details.aspx?FamilyID=33AD53D8-9ABC-4E15-A78F-EB2AABAD74B5&displaylang=en

Client Compatible

Encrypts client-to-server and server-to-client communications at the maximum possible level (key strength) supported on the client end. This option is best when the terminal server resides in a mixed client environment.

Low

Encrypts client-to-server communications only, using 56-bit encryption.

It's also important to note that the aforementioned GP procedure will work for local security policy configurations. However, if you have a domain environment and want to push this policy onto an existing domain or organizational unit, you need to connect to the domain controller using an account with administrator rights. Then you need to make the change through the Group Policy Management Console.

Also be aware that data sent from the server to the client (and not vice versa) is not encrypted.

10.8.2.4. Remote control permissions

You can adjust how administrators will be able to "shadow" a Terminal Services session. You can restrict a user to viewing a session only, or allow him or her to have full control of the keyboard and mouse. To adjust these settings through Terminal Services Configuration, follow these steps:

1. Open the Terminal Services Configuration applet.

2. In the console tree, click Connections.

3. Find the connection for which you want to configure remote control in the righthand pane. Right-click the connection and select Properties.

4. Navigate to the Remote Control tab.

5. Click Use Remote Control with the Following Settings to configure remote control for the connection. Or, to disallow remote control, click Do Not Allow Remote Control.

6. To display a message on the client, asking permission to view or take part in the session, check the Require user's permission checkbox.

7. Under Level of Control, click View the Session to specify that the user's session can be viewed only, or click Interact with the Session to specify that the user's session can be actively controlled with your keyboard and mouse.

8. Click OK to complete the procedure.

To do so using GP, follow these steps:

1. Open the Group Policy applet.

2. Navigate through Computer Configuration Administrative Templates Windows Components.

3. In the righthand pane, double-click the Set Rules for Remote Control of Terminal Services User Sessions setting, and then click Enabled.

4. In the Options box, click the desired remote control permissions as described previously. Or, to disallow remote control, click No Remote Control Allowed.

5. Click OK to complete the procedure.

You should thoroughly test any changes you make to GP settings before applying them to users or computers. Use the RSoP tool to test new policy settings and confirm they will be applied as you intend. Chapter 6 contains detailed discussions and procedures for using this tool.

The aforementioned GP procedure also will work for local system policies. If you're using an Active Directory-based domain, though, and you want to push this policy onto an existing domain or organizational unit, you need to connect to the domain controller using an account with administrator rights and then make the change through the Group Policy Management Console.

Policies in effect are applied to and therefore are in full force for every client that connects to the terminal server.

10.8.2.5. Connecting to drives and printers

Terminal Services enables you to preserve mapped drives, mapped printers, and associated settings between sessions so that users don't have to recreate them each time they log on. To adjust the settings for this feature through Terminal Services Configuration, follow these steps:

1. Open the Terminal Services Configuration applet.

2. In the console tree, click Connections.

3. Find the connection for which you want to configure remote control in the righthand pane. Right-click the connection and select Properties.

4. Navigate to the Client Settings tab.

5. In the Connections section, uncheck the Use connection settings from user settings checkbox. (This will ensure that any changes you make in this procedure will apply globally to all connections.)

6. Select one of the following options:

   
   

   Connect client drives at logon

   Reconnects to all mapped client drives during the logon process.

   
   

   Connect client printers at logon

   Reconnects to all mapped local client printers during the logon process.

   
   

   Default to main client printer

   Prints to the default printer of the client. If one doesn't exist, the session reverts to the default printer of the server.

To do so through GP, follow these steps:

1. Open the Group Policy applet.

2. Navigate through Computer Configuration Administrative Templates Windows Components Terminal Services.

3. In the righthand pane, select the specific options you want to configure (as described previously) and select Enabled/Disabled as appropriate.

4. Click OK to complete the procedure.

These settings affect all clients that use the connection to log on to a terminal server. If you want to define settings on a per-user basis, use Terminal Services Group Policies or the Terminal Services Extension to Local Users and Groups.

Again, you can use these settings when configuring local security policy, but if you want to push them out throughout a domain, you need to change your domain's security policy through the Group Policy Management Console.

10.8.2.6. Session device mapping

One of the neat features of RDP is the ability to redirect local drives and local printers to your remote session so that through the remote computer's user interface you can still access the drives and printers on your personal machine. This is great when using hosted applications because Save As... and Open... dialog boxes work the same way as users expect.

To adjust the settings for this feature through Terminal Services Configuration, follow these steps:

1. Open the Terminal Services Configuration applet.

2. In the console tree, click Connections.

3. Find the connection for which you want to configure remote control in the right-hand pane. Right-click the connection and select Properties.

4. Navigate to the Client Settings tab.

5. Select one of the following options and enable or disable it as appropriate:

   • Drive mapping (enabled by default)

   • Windows printer mapping (enabled by default)

   • LPT port mapping (enabled by default)

   • COM port mapping (enabled by default)

   • Clipboard mapping (enabled by default)

   • Audio mapping (disabled by default)

6. Click OK to finish.

To do so through GP, follow these steps:

1. Open the Group Policy applet.

2. Navigate through Computer Configuration Administrative Templates Windows Components Terminal Services.

3. In the righthand pane, select the specific options you want to configure (as described previously) and select Enabled/Disabled as appropriate.

4. Click OK to complete the procedure.

As before, you can use these settings when configuring local security policy. However, if you want to push them out throughout a domain, you need to modify your domain's security policy through the Group Policy Management Console.

10.8.2.7. Default Terminal Services permissions

You might want to give permission for specific users and groups to use Terminal Services.

You can accomplish this using the Terminal Services Configuration applet. The procedure is much like granting and revoking permissions on files and folders. To do so, follow these steps:

1. Open the Terminal Services Configuration applet.

2. In the console tree, click Connections.

3. Find the connection for which you want to configure remote control in the right-hand pane. Right-click the connection and select Properties.

4. Move to the Permissions tab and click Add.

5. The Select Users of Groups dialog box appears. Click Locations... to identify places to search, and click Object Types... to specify the types of objects you want to search for.

6. Click the Check Names button.

When the name is located, click OK. The name now appears in the Group or User Names list on the Permissions tab.

If you want to change the default permissions applied to users and groups that can access Terminal Services, follow these steps to use the Terminal Services Configuration applet to modify the default Terminal Services permissions assigned to users:

1. Open the Terminal Services Configuration applet.

2. In the console tree, click Connections.

3. Find the connection for which you want to configure remote control in the right-hand pane. Right-click the connection and select Properties.

4. Move to the Permissions tab and click the Advanced...button.

5. The Advanced Security Settings dialog box appears. In Permission Entries, select the user or group for which you want to change permissions. Click Edit... to open the Permission Entry dialog box.

6. Select or clear as appropriate the Allow/Deny boxes to grant or revoke privileges to the users you have selected.

Follow this procedure to remove a group from the list of users authorized to access Terminal Services:

1. Open the Terminal Services Configuration applet.

2. In the console tree, click Connections.

3. Find the connection for which you want to configure remote control in the right-hand pane. Right-click the connection and select Properties.

4. Move to the Permissions tab. In Group or User Names, select the user whose privileges you want to revoke and click Remove.

To change permissions and revoke permissions for specific users, you absolutely must use the Remote Desktop Users group, which is built-in and configured during the operating system installation, to manage remote access to Terminal Services and Windows' Remote Desktop for Administration features.

10.8.2.8. Ensuring RPC-based security

If you want to secure Terminal Services-based RPC traffic to and from the server, use Group Policies to accomplish this. Simply follow these steps:

1. Open the Group Policy applet.

2. Navigate through Computer Configuration Administrative Templates Windows Components Terminal Services Encryption RPC Security Policy in the left pane.

3. Click Enabled, and then click OK to finish.

You use the RPC interface to manage and configure Terminal Services. By setting the Secure Server (Require Security) option to Enabled, only RPC clients that support secure transactions are allowed to communicate with the server. If the setting is disabled, the terminal servers will always request a secure channel, but will allow connections that are unsecured if the client doesn't support secure transactions. The default status for this setting is not configured, which allows for unsecured transactions.