This document details all existing policies in Active Directory that directly affect Terminal Services. Each policy and its configuration possibilities are detailed. We will create/edit the policies from the console “Group Policy Management” that is in the “Administrative Tools”.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Remote Desktop Connection Client” We have the following configurations:

– Allow valid publisher .rdp files and the user's default .rdp settings: This policy setting allows you to specify whether users can run RD Protocol files (.rdp) from a publisher who signed the file with a valid certificate. A valid certificate is one issued by an entity recognized by the customer, such as the issuers of the certificate store Client's third-party root CAs. This policy setting also controls whether the user can start an RDP session with the default .rdp setting; For example, when a user directly opens the Remote Desktop Connection client (DRC) without specifying an .rdp file.

Whether or not you enable this policy setting, Users can run .RDP files that are signed with a valid certificate. Users can also start an RDP session with the default .rdp configuration by directly opening the RDC client. When a user starts an RDP session, The user is asked to confirm if they want to connect.

If you disable this policy setting, Users cannot run .RDP files that are signed with a valid certificate. Likewise, users cannot start an RDP session by directly opening the RDC client and specifying the remote computer name. When a user tries to start an RDP session, The user receives a message that the publisher has been blocked.

– Allow .rdp files from unknown publishers: This policy setting allows you to specify whether users can run RD Protocol files (.rdp) unsigned and .rdp files from unknown publishers on the client computer.

Whether or not you enable this policy setting, Users can run .RDP and unsigned files and .RDP files from unknown publishers on the client computer. Before a user starts an RDP session, The user receives a warning message and is asked to confirm if they want to connect.

If you disable this policy setting, Users cannot run unsigned .RDP files and .RDP files from unknown publishers on the client computer. If the user tries to start an RDP session, The user receives a message that the publisher has been blocked.

– Not allowing passwords to be saved: Controls whether passwords can be saved on this computer from Terminal Services clients.

If you enable this option, the check box for saving passwords in Terminal Services clients will be disabled and users will no longer be able to save passwords. When a user opens an RDP file through the Terminal Services client and saves its configuration, all previously existing passwords in the RDP file will be deleted.

If you disable this option or do not configure it, the user will be able to save passwords through the Terminal Services client.

– Specifying SHA1 fingerprints of certificates that represent trusted .rdp publishers: This policy setting allows you to specify a list of strong hash algorithm certificate fingerprints 1 (SHA1) that represent RD Protocol file publishers (.rdp) reliable.

If you enable this policy setting, any certificate with a SHA1 fingerprint that matches a fingerprint in the list is considered trusted. If a user tries to launch an .rdp file signed by a trusted certificate, The user does not receive a warning message when starting the file. To obtain the fingerprint, view the certificate details and click the Fingerprint field.

If you disable or not configure this policy setting, No publisher will be treated as a trusted .rdp publisher.

– Asking for credentials on the client computer: This policy setting determines whether the user will be prompted to provide credentials for a remote connection to a Terminal Server on the client computer.

If you enable this policy setting, the user will be prompted to provide credentials for a remote connection to the Terminal Server on the client computer, instead of on the Terminal Server. Whether there are saved credentials for the user available on the client computer, The user will not be prompted to provide credentials.

– Configure Server Authentication for the Client: This policy setting allows you to specify whether the client will establish a connection to the Terminal Server when the client is unable to authenticate the Terminal Server., You must specify one of the following options:

Always connect, even if there are authentication errors: the client connects to the Terminal Server even if the client is unable to authenticate the Terminal Server.

Notify me if there are authentication errors: the client tries to authenticate the Terminal Server. If you can authenticate, the customer establishes a connection with him. If you can't authenticate, the user will be prompted to choose whether to connect to the Terminal Server without authenticating it.

Do not connect if there are authentication errors: the client establishes a connection to the Terminal Server only if the Terminal Server can be authenticated.

If you disable or not configure this policy setting, the authentication settings that are specified in Remote Desktop Connection or in the .rdp file determine whether the client establishes a connection to the Terminal Server when the client is unable to authenticate it.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server License” We have the following configurations:

– License Server Security Group: This policy setting allows you to specify which Terminal Servers to which a Terminal Services License Server will offer Terminal Services Client Access licenses (CAL de TS).

You can use this policy setting to control which Terminal Servers will be issued TS CALs to by the Terminal Services License Server. By default, a license server issues a TS CAL to any Terminal Server that requests a.

If you enable this policy setting and it applies to a Terminal Services license server, the license server will only serve TS CAL requests from Terminal servers whose computer accounts are members of the Terminal Server Computers group on the license server.

By default, the Terminal Server Computers group is empty.

If you disable or not configure this policy setting, the Terminal Services License Server issues a TS CAL to any Terminal Server that requests a. The Terminal Server Computers group is not deleted or modified in any way if this policy setting is disabled or not set.

– Prevent license updates: This policy setting allows you to specify the Terminal Services Client Access license version (CAL de TS) which will issue a Terminal Services license server to customers who connect to Terminal Servers running other Windows-based operating systems.

License servers attempt to provide the most appropriate TS CAL for each connection. For example, a license server with Windows Server 2008 will attempt to issue a Windows Server TS CAL 2008 for clients connecting to a Terminal Server running Windows Server 2008, and will attempt to issue a Windows Server TS CAL 2003 for clients connecting to a Terminal Server running Windows Server 2003.

By default, if the most appropriate TS CAL is not available for a connection, a license server with Windows Server 2008 issue a Windows Server TS CAL 2008, if available, a:

* A client that connects to a Windows Server Terminate Server server 2003
* A client that connects to a Windows Terminal Server 2000

If you enable this policy setting, the license server will only issue a temporary TS CAL to the client if an appropriate TS CAL is not available for the Terminal Server. If a temporary TS CAL has already been issued to the customer and it has expired, the client will not be able to connect to the Terminal Server unless the TS license grace period for the Terminal Server does not expire.

If you disable or not configure this policy setting, The license server will adopt the default behavior described above.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server” > “TS Session Agent” We have the following configurations:

– Join the TS Session Agent: This policy setting allows you to specify whether the Terminal Server should join a TS Session Agent farm. The TS Session Agent tracks the user's sessions and allows the user to reconnect to their existing session in a load-balanced Terminal Server farm. To participate in the TS Session Agent, the Terminal Server role service must be installed on the server.

If policy settings are enabled, Terminal Server joins the farm that is specified in the “TS Session Agent farm name”. The farm exists on the TS Session Agent server that is specified in the policy settings “TS Session Agent Server”.

If you disable this policy setting, the server is not joined to a TS Session Agent farm, and the user's sessions are not tracked. If the, you will not be able to use the Terminal Services Configuration tool or the Terminal Services WMI provider to join the server to the TS Session Agent.

If policy settings aren't set, The option is not specified at the Group Policy level. In such a case, you can configure the server to join the TS Session Agent by using the Terminal Services Configuration tool or the Terminal Services WMI provider.

– Configure TS Session Agent Farm Name: This policy setting allows you to specify the name of a farm to join from the TS Session Agent. TS Session Agent uses the farm name to determine which Terminal servers are located in the same Terminal Server farm. Therefore, you must use the same farm name for all terminal servers in the same load-balanced farm. The farm name does not have to correspond to an Active Directory Domain Services name.

If you specify a new farm name, a new farm will be created in the TS Session Agent. If you specify an existing farm name, the server joins this TS Session Agent farm.

If you enable this policy setting, you must specify the name of a TS Session Agent farm.

If you disable or not configure this policy setting, Group Policy Will Not Specify the Farm Name. In such a case, you can specify the farm name using the Terminal Services Configuration tool or the Terminal Services WMI provider.

– Use IP address forwarding: This policy setting allows you to specify the redirection method to use when a client device reconnects to an existing Terminal Services session in a load-balanced Terminal Server farm. This option applies to Terminal servers configured to use the TS Session Agent, and not to the TS Session Agent server.

If you enable this policy setting, a Terminal Services client makes a query to the TS Session Agent and is redirected to its existing session using the IP address of the Terminal Server on which the session is located. To use this redirect method, client computers must be able to connect directly via IP address to the farm's terminal servers.

If you disable this policy setting, the IP address of the Terminal Server is not sent to the client. Instead, IP address is embedded in a witness. When a client reconnects to load balancing, the routing token is used to redirect the client to its existing session on the correct terminal server in the farm. Disable this option only when your network load balancing solution supports the use of TS Session Agent routing tokens, and you do not want clients to connect directly via IP address to the Terminal servers in the load-balanced farm.

If you don't set this policy setting, The option is used “Use IP address forwarding” in the Terminal Services Configuration tool. By default, this option in the Terminal Services Configuration tool is enabled.

– Configure TS Session Agent Server Name: This policy setting allows you to specify the TS Session Agent server that the Terminal Server uses to track and redirect user sessions to a load-balanced Terminal Server farm. The specified server must be running the Terminal Services Session Agent service. All Terminal Servers in a load-balanced farm must use the same TS Session Agent server.

If you enable this policy setting, you must specify the TS Session Agent server using its hostname, IP address or fully qualified domain name. If you specify an invalid name or IP address for the TS Session Agent server, an error message will be logged in the Event Viewer on the Terminal Server.

If you disable or not configure this policy setting, You can specify the TS Session Agent server name or IP address using the Terminal Services Configuration tool or the Terminal Services WMI provider.

– Using TS Session Agent Load Balancing: This policy setting allows you to specify whether the load balancing feature of the TS Session Agent should be used to load balance between servers in a Terminal Server farm.

If you enable this policy setting, TS Session Agent will redirect users who do not have an existing session to the Terminal Server in the farm with fewer sessions. Redirect behavior for users with existing sessions will not be affected. If the server is configured to use the TS Session Agent, users who have an existing session will be redirected to the Terminal Server where their session is located.

If you disable this policy setting, users who do not have an existing session will log on to the first Terminal Server they connect to.

If you don't set this policy setting, you can configure the Terminal Server to participate in TS Session Agent load balancing by using the Terminal Services Configuration tool or the Terminal Services WMI provider.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server” > “Temporary folders” We have the following configurations:

– Do not delete temporary folders when leaving: Specifies whether Terminal Services retains users' temporary folders per session when they log off.

You can use this option to persist temporary folders specific to a user's session on a remote computer, even if the user logs out. By default, Terminal Services deletes a user's temporary folders when the user logs off.

If the status is set to Enabled, Temporary folders per user session are retained when users log off.

If the status is set to Disabled, Temporary folders are deleted when the user logs out, even if the administrator specifies another action in the Terminal Services Settings tool.

If the status is set to Not configured, Terminal Services will delete temporary folders from the remote computer when you log off, unless the server administrator has specified another action.

– Do not use temporary folders per session: This policy setting allows you to prevent Terminal Services from creating session-specific temporary folders.

You can use this policy setting to disable the creation of separate temporary folders on a remote computer for each session. By default, Terminal Services creates a separate temporary folder for each active session that the user retains on a remote computer. These temporary folders are created on the remote computer, in a Temp folder in the user's profile folder, and they are assigned the name “sessionid”.

If you enable this policy setting, No temporary folders are created per session. Instead, temporary files for all user sessions on the remote computer are stored in a common temp folder in the user's profile folder on the remote computer.

If this policy setting is disabled, temporary folders are always created per session, even if you specify otherwise in the Terminal Services Configuration tool.

If this policy setting is not configured, temporary folders are always created per session, unless otherwise specified in the Terminal Services Configuration tool.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server” > “Remote session environment” We have the following configurations:

– Automatic reconnection: Specifies whether Remote Desktop Connection clients are allowed to automatically reconnect to Terminal Services sessions if they temporarily lose network connection. By default, A maximum of twenty reconnection attempts are made in five-second intervals.

If the status is set to Enabled, automatic reconnection of all clients running Remote Desktop Connection is attempted whenever the network connection is lost.

If the status is set to Disabled, Automatic reconnection of clients is prohibited.

If the status is set to Not configured, Automatic reconnection is not specified at the Group Policy level. However, Users can configure automatic reconnection using the “Reconnect if connection is lost” on the Remote Desktop Connection Performance tab.

– Allow users to connect remotely using Terminal Services: This policy setting allows you to configure remote access to computers using Terminal Services.

If you enable this policy setting, users who are members of the Remote Desktop Users group on the target computer will be able to remotely connect to the target computer by using Terminal Services.

If you disable this policy setting, users will not be able to remotely connect to the target computer using Terminal Services. The destination team will maintain the current connections, but it will not accept any new incoming connections.

If you don't set this policy setting, Terminal Services uses the Remote Desktop option on the target computer to determine whether remote connection is allowed. This option is located on the Remote Access tab of System Properties. By default, Remote connection is not allowed.

– Denies logging off an administrator who is logged on to the session console: This policy setting determines whether an administrator who attempts to remotely connect to a server console can log off an administrator who is logged on to the console.

This policy is useful when the administrator who is logged in does not want to be logged out by another administrator. If the connected administrator is logged out, Any data that has not been previously saved will be lost.

If you enable this policy setting, It will not be possible to log out of the connected administrator.

If you disable or not configure this policy setting, It will be possible to log out of the connected administrator.

– Configure interval between connection maintenance messages: This policy setting allows you to specify an interval between connection maintenance messages to ensure that the session state on the Terminal Server is consistent with the client state.

After a Terminal Server Client Loses Connection to a Terminal Server, the session on that server can remain active instead of disconnecting, even if the client is physically disconnected from the server. If the client logs on again to the same Terminal Server, A new session can be established (if the Terminal Services configuration allows multiple sessions) and the original session can remain active.

If you enable this policy setting, You must specify an interval between connection maintenance messages. The interval between connection keep-alive messages determines the frequency (in minutes) with which the server checks the state of the session. The range of values that can be written is 1 a 999.999.

If you disable or not configure this policy setting, No interval will be set between connection maintenance messages, and the server will not check the session state.

– Limit number of connections: Specifies whether Terminal Services limits the number of concurrent connections to the server.

You can use this option to restrict the number of remote sessions that can be active on a server. If this number is exceeded, Other users who try to connect will receive an error message indicating that the server is busy so they can try again later. Restricting the number of sessions improves performance because fewer sessions consume system resources. By default, Terminal Servers allow an unlimited number of remote sessions, and Remote Desktop for Management allows two remote sessions.

To use this option, Type the number of connections you want to specify as the maximum number for the server. To specify an unlimited number of connections, scribe 999999.

If the status is set to Enabled, the maximum number of connections is limited to the specified number consistent with the version of Windows and the Terminal Services mode that is running on the server.

If the status is set to Disabled or Not Configured, Limits on the number of connections are not enforced at the Group Policy level.

– Set rules for remote control of Terminal Services user sessions: This policy setting allows you to specify the level of remote control allowed in a Terminal Services session.

You can use this policy setting to select one of the two levels of remote control: View Session or Full Control. View Session allows the remote control user to view a session. Full control allows the administrator to interact with the session. Remote control can be set with or without user permissions.

If this policy setting is enabled, administrators can remotely interact with a user's Terminal Services session based on specified rules. To establish such rules, select the desired level of control and permissions from the Options list. To disable remote control, Select “Remote control not allowed”.

If this policy setting is disabled or not configured, Remote Control rules are determined by configuring the Remote Control tab in the Terminal Services Configuration tool. By default, Remote control users have full control of the session with user permissions.

– Allow reconnects only from the original client: Specifies whether users are allowed to reconnect to a disconnected Terminal Services session using a different computer from the original client computer.

You can use this option to prevent Terminal Services users from reconnecting to disconnected sessions by using a different computer from the client computer from which they originally created the session. By default, Terminal Services allows users to reconnect to disconnected sessions from any client computer.

If the status is set to Enabled, Users can reconnect to a disconnected session only from the original client computer. If a user tries to connect to the disconnected session from another computer, A new session is created in its place.

If the status is set to Disabled, Users will always be able to connect to the disconnected session from any computer.

If the status is set to Not configured, Reconnecting the session from the original client computer will not be specified at the Group Policy level.

Important: only Citrix ICA customers that provide a serial number when connecting support this option, that is ignored if the user connects to a Windows client. Likewise, note that this option appears in both Computer Configuration and User Settings. If both options are set, the Computer Configuration option overrides the other.

– Limit Terminal Services users to a single remote session: This policy setting allows you to restrict users to a single remote Terminal Services session.

If this policy setting is enabled, users who log in remotely through Terminal Services will be limited to a single session on that server (Active or disconnected). If the user leaves the session in a disconnected state, will automatically reconnect to that session on the next login.

If you disable this policy setting, users will be able to establish an unlimited number of simultaneous remote connections using Terminal Services.

If this policy setting is not configured, the 'Restrict Each User to a Session' setting in the Terminal Services Configuration tool, determine whether users are restricted to a single remote session.

– Allow Remote Startup of Unlisted Programs: This policy setting allows you to specify whether remote users can start any program on the Terminal Server when they start a remote session, or whether they can only start programs that appear in the RemoteApp Programs list.

You can control which programs can be started remotely on a Terminal Server by using the TS RemoteApp Manager tool to create a list of RemoteApp programs. By default, Programs in the RemoteApp Programs list can only be launched when a user starts a remote session.

If you enable this policy setting, remote users will be able to launch any program on the terminal server when they start a remote session. For example, a remote user can do this by specifying the path of the program executable at the time of connection using the Remote Desktop Connection client.

If you disable or not configure this policy setting, remote users will only be able to launch programs that appear in the RemoteApp Programs list of TS RemoteApp Manager when they start a remote session.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server” > “Licences” We have the following configurations:

– Use the specified Terminal Services license servers: This policy setting allows you to specify the order in which a Terminal Server searches for Terminal Services license servers.

If you enable this policy setting, a Terminal Server first tries to find the license servers that you specify. If these are not found, the Terminal Server will attempt automatic discovery of license servers.

In the process of auto-discovering license servers, a Terminal Server in a Windows Server-based domain attempts to contact a license server in the following order:

1. License Servers Specified in the Terminal Services Configuration Tool
2. License Servers Published to Active Directory Domain Services
3. License servers installed on domain controllers in the same domain as the Terminal Server

If you disable or not configure this policy setting, the Terminal Server uses the license server discovery mode specified in the Terminal Services Configuration tool.

– Hide notifications about Terminal Server licensing issues affecting the Terminal Server: This policy setting determines whether notifications are displayed on a Terminal Server when there are Terminal Server license issues that affect the Terminal Server.

By default, notifications are displayed on a terminal server after you log on as a local administrator, if there are problems with the Terminal Server license that affect the Terminal Server. If applicable, a notification will also be displayed with the number of days remaining before the license grace period expires for the Terminal Server.

If you enable this policy setting, these notifications will not be displayed on the Terminal Server.

If you disable or not configure this policy setting, these notifications will be displayed on the Terminal Server after you log in as a local administrator.

– Set the Terminal Services License Mode: This policy setting allows you to specify the type of Terminal Services client access license (CAL de TS) that is required to establish a connection to this Terminal Server.

You can use this policy setting to select one of two license modes: By User and By Device.

Per User License Mode requires that each user account that connects to this Terminal Server have a TS Per User CAL.

The Per Device License Mode requires that each device that connects to this Terminal Server have a TS Per Device CAL.

If you enable this policy setting, the license mode that you specify takes precedence over the license mode that is specified during Terminal Services installation or in the Terminal Services Configuration tool.

If you disable or not configure this policy setting, the license mode that is specified during the installation of Terminal Services or in the Terminal Services Configuration tool is used.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server” > “Session Time Limit” We have the following configurations:

– Set the time limit for disconnected sessions: This policy setting allows you to configure a time limit for disconnected Terminal Services sessions.

You can use these policy settings to specify the maximum amount of time that a disconnected session remains active on the server. By default, Terminal Services allows users to disconnect from a remote session without logging out.

When a session is offline, Running programs remain active even if the user is no longer actively logged in. By default, These disconnected sessions are maintained for an unlimited time on the server.

If you enable this policy setting, Disconnected sessions will be deleted from the server after the specified time has elapsed. To apply the default behavior that keeps sessions offline for an unlimited amount of time, Select “Never”. In console sessions, Time limits for disconnected sessions do not apply.

If you disable or not configure this policy setting, Disconnected sessions are maintained for an unlimited time. You can specify time limits for disconnected sessions on the Sessions tab of the Terminal Services Settings tool.

– Set the time limit for active sessions, but in inactivity, of Terminal Services: This policy setting allows you to specify the maximum amount of time for which an active Terminal Services session can be idle (I mean, without user intervention) before it automatically disconnects.

If you enable this policy setting, you must select the desired time limit from the Idle Session Limit drop-down list. Terminal Services will automatically disconnect active sessions that have not been used within the specified time limit. The user receives a warning two minutes before the session is disconnected, allowing you to press a key or move your mouse to keep the session active. In console sessions, Time limits for inactive sessions do not apply.

If you disable or not configure this policy setting, Terminal Services allows you to keep sessions active but unused for an unlimited amount of time. Time limits can be specified for active sessions, but in inactivity, on the Sessions tab of the Terminal Services Settings tool.

If you want Terminal Services to terminate (Instead of disconnecting) a session when the time limit is reached, You can configure the "Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesTerminal ServerSession Time LimitsEnd Session When Time Limits Are Reached" policy.

– Set the time limit for active Terminal Services sessions: This policy setting allows you to specify the maximum amount of time for which a Terminal Services session can be active before it is automatically disconnected.

If you enable this policy setting, you must select the desired time limit from the Active Session Limit drop-down list. Terminal Services will automatically disconnect active sessions after the specified timeout has elapsed. The user receives a warning two minutes before the Terminal Services session is disconnected, allowing you to save open files and close programs. In console sessions, Active session time limits are not enforced.

If you disable or not configure this policy setting, Terminal Services allows you to keep sessions active for an unlimited time. Time limits for active sessions can be specified in the Sessions tab of the Terminal Services Settings tool.

If you want Terminal Services to terminate (Instead of disconnecting) a session when the time limit is reached, you can configure the "Computer ConfigurationAdministrative TemplatesWindows ComponentsTerminal ServicesTerminal ServerSession Time LimitsEnd Session When Time Limit Is Reached" policy.

– Terminal sessions when time limits are reached: Specifies whether a timed out Terminal Services session is terminated instead of disconnecting it.

You can use this option to have Terminal Services terminate a session (I mean, the user session is closed and the server session is deleted) When the time limit of active or inactive sessions is reached. By default, Terminal Services disconnects sessions that reach their time limits.

Time limits are set locally by the server administrator or in Group Policy. See “Set the time limit for active Terminal Services sessions” and “Set the time limit for active sessions, but in inactivity, of Terminal Services”.

If the status is set to Enabled, Terminal Services terminates any session that reaches the timeout limit.

If the status is set to Disabled, Terminal Services always disconnects a session that has timed out, even if the server administrator has specified another action.

If the status is set to Not configured, Terminal Services disconnects a session that has timed out, unless the local settings specify another action.

– Set the time limit for logging out of RemoreApp: This policy setting allows you to specify how long a user's RemoteApp session will remain offline before it is closed from the Terminal Server.

By default, if a user closes a RemoteApp program, session is disconnected from the Terminal Server.

If you enable this policy setting, when a user closes a RemoteApp program, the RemoteApp session will remain in a disconnected state until the specified time limit is reached. When the specified time limit is reached, RemoteApp session is closed from the Terminal Server. If the user starts a RemoteApp program before the time limit is reached, reconnect to the disconnected session on the Terminal Server.

If you disable or not configure this policy setting, when a user closes a RemoteApp program, session is disconnected from the Terminal Server.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server” > “Profiles” We have the following configurations:

– Set TS User Home Directory: Specifies whether Terminal Services uses the specified network share or a local directory path as the root of the user's home directory for a Terminal Services session.

To use this option, Select the location of the home directory (Network or Local) from the location drop-down list. If you choose to place the directory on a network share, enter the root path of the home directory as TeamNameShareResource Name and, after, Select the drive letter to which you want to map the network share.

If you choose to keep the home directory on your local computer, Type the root path of the home directory as “Unit:Path” (No quotation marks), No environment variables or ellipsis. Do not specify a placeholder for the user alias, because Terminal Services automatically appends it during login.

– Use Required Profiles on the Terminal Server: This policy setting allows you to specify whether Terminal Services uses a required profile for all users who remotely connect to the Terminal Server.

If you enable this policy setting, Terminal Services uses the path specified in the policy settings “Set TS Roaming User Profile Path” as the root folder for the required user profile. All users who connect remotely to the Terminal Server use the same user profile.

If you disable or not configure this policy setting, users who remotely connect to the Terminal Server do not use the required user profiles.

– Set TS Mobile User Profile Path: This policy setting allows you to specify the network path that Terminal Services uses for roaming user profiles.

By default, Terminal Services stores all user profiles locally on the Terminal Server. You can use this policy setting to specify a network share where user profiles can be centrally stored, which will allow a user to access the same profile for sessions on all Terminal servers that are configured to use the network share for user profiles.

If you enable this policy setting, Terminal Services will use the specified path as the root directory for all user profiles. Profiles are saved in subfolders that bear each user's account name.

To set this policy setting, enter the path to the network share in the format computernamesharename. Do not specify a placeholder for the user account name, because Terminal Services automatically adds it when the user logs in and the profile is created. If the specified network share does not exist, Terminal Services displays an error message on the Terminal Server and stores user profiles locally on the Terminal Server.

If you disable or not configure this policy setting, user profiles are stored locally on the Terminal Server. You can configure the path of a user profile on the Terminal Services Profile tab of the User Account Properties dialog box.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server” > “Device or resource redirection” We have the following configurations:

– Allow audio redirection: Specifies whether users can choose where to play the audio output of the remote computer during a Terminal Services session (Audio Redirection).

Users can use the “Remote Computer Sound” on the Local Resources tab of Remote Desktop Connection to choose whether to play the remote audio on the remote computer or on the local computer. Users can also disable audio.

By default, users cannot apply audio redirection when connecting using Terminal Services to a server running Windows Server 2003. Users who connect to a computer running Windows XP Professional can apply audio redirection by default.

If the status is set to Enabled, Users will be able to apply audio redirection.

If the status is set to Disabled, Users won't be able to apply audio redirection.

If the status is set to Not configured, Audio redirection will not be specified at the Group Policy level. However, an administrator will still be able to enable or disable audio redirection using the Terminal Services Configuration tool.

– Do not allow clipboard redirection: Specifies whether to prevent sharing of clipboard content (Clipboard redirection) between a remote computer and a client computer during a Terminal Services session.

You can use this option to prevent users from redirecting clipboard information to and from the remote computer and the local computer. By default, Terminal Services allows clipboard redirection.

If the status is set to Enabled, users will not be able to redirect information from the clipboard.

If the status is set to Disabled, Terminal Services will always allow clipboard redirection.

If the status is set to Not configured, clipboard redirection will not be specified at the Group Policy level. However, an administrator will still be able to disable clipboard redirection using the Terminal Services Configuration tool.

– Do not allow COM port forwarding: Specifies whether or not to prevent data redirection to client COM ports from the remote computer in a Terminal Services session.

You can use this option to prevent users from redirecting data to COM port peripherals or assigning local COM ports while maintaining a Terminal Services session. By default, Terminal Services allows this COM port forwarding.

If the status is set to Enabled, users cannot redirect data from the server to the local COM port.

If the status is set to Disabled, Terminal Services always allows COM port forwarding.

If the status is set to Not configured, COM port forwarding will not be specified at the Group Policy level. However, an administrator will still be able to disable COM port forwarding using the Terminal Services Configuration tool.

– Do not allow drive redirection: Specifies whether to prevent the assignment of client drives in a Terminal Services session (Drive Redirection).

By default, Terminal Services automatically assigns client units when you connect. Mapped drives appear in the session folder tree in Windows Explorer or in My Computer in the format <letterUnity> in <TeamName>. You can use this option to override this behavior.

If the status is set to Enabled, client unit redirection is not allowed in Terminal Services sessions.

If the status is set to Disabled, Customer unit redirection is always allowed.

If the status is set to Not configured, Client drive redirection will not be specified at the Group Policy level. However, an administrator will still be able to disable client drive redirection using the Terminal Services Configuration tool.

– Do not allow LPT port forwarding: Specifies whether data redirection to client LPT ports is prevented during a Terminal Services session.

You can use this option to prevent users from assigning local LPT ports and redirecting data from the remote computer to local LPT port peripherals. By default, Terminal Services allows this LPT port forwarding.

If the status is set to Enabled, users in a Terminal Services session cannot redirect data from the server to the local LPT port.

If the status is set to Disabled, LPT port forwarding will always be allowed.

If the status is set to Not configured, LPT port forwarding will not be specified at the Group Policy level. However, an administrator will still be able to disable LPT local port forwarding using the Terminal Services Configuration tool.

– Do not allow compatible Plug and Play device redirection: This policy setting allows you to control the redirection of supported Plug and Play devices, such as Windows portable devices, to the remote computer in a Terminal Services session.

By default, Terminal Services allows redirection of compatible Plug and Play devices. Users can use the “More” on the Local Resources tab of Remote Desktop Connection to select the supported Plug and Play devices that are redirected to the remote computer.

If this policy setting is enabled, users cannot redirect their compatible Plug and Play devices to the remote computer.

If this policy setting is disabled or not configured, users can redirect their compatible Plug and Play devices to the remote computer.

– Do not allow redirection of smart card devices: This policy setting allows you to control the redirection of smart card devices in a Terminal Services session.

If you enable this policy setting, Terminal Services users will not be able to use a smart card to log in to Terminal Services.

If you disable or don't set this policy setting, Redirection of smart card devices will be allowed. By default, Terminal Services automatically redirects smart card devices during connection.

– Allow Time Zone Redirection: This policy setting determines whether the client computer redirects its time zone settings to the Terminal Services session.

If you enable this policy setting, Clients who are able to redirect their time zone will send that information to the server. The base time of the server will be used to calculate the time of the current session (Current session time = server base time + Customer Time Zone).

If you disable or not configure this policy setting, The client computer does not redirect its time zone information, and the session time zone will match the time zone of the server.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server” > “Printer Redirection” We have the following configurations:

– Do not set default client printer as default printer in a session: This policy setting allows you to specify whether the default client printer is automatically configured as the default printer in a Terminal Services session.

By default, Terminal Services automatically designates the default client printer as the default printer for the Terminal Services session. You can use this option to override this behavior.

If you enable this policy setting, The default printer will be the printer specified on the remote computer.

If you disable this policy setting, Terminal Server will automatically assign the default client printer and set it as the default when you connect.

If you don't set this policy setting, The default printer will not be specified at the Group Policy level. However, an administrator can configure the default printer for client sessions using the Terminal Services Configuration tool.

– Do not allow client printer redirection: This policy setting allows you to specify whether to prevent the assignment of client printers in Terminal Services sessions.

You can use this policy setting to prevent users from redirecting print jobs from the remote computer to a printer connected to the local computer (customer). By default, Terminal Services allows this client printer mapping.

If you enable this policy setting, users cannot redirect print jobs from the remote computer to a local client printer in Terminal Services sessions.

If you disable this policy setting, Users can redirect print jobs with client printer mapping.

If you don't set this policy setting, The client printer assignment will not be specified at the Group Policy level. However, an administrator will still be able to disable client printer assignment with the Terminal Services Configuration tool.

– Specifying the Terminal Server Fallback Printer Driver Behavior: This policy setting allows you to specify the behavior of the Terminal Server Fallback Printer Driver.

By default, the Terminal Server Rollback Printer Driver is disabled. If the Terminal Server does not have a printer driver that matches the client printer, no printer will be available for the Terminal Server session.

If you enable this policy setting, the rollback printer driver is also enabled and the default behavior for Terminal Server will be to search for a suitable printer driver. If you can't find any, The customer's printer will not be available. You can choose to change this default behavior. The available options are:

“Do nothing if none of you are”: in case no printer driver matches, The server will try to find a suitable driver. If you can't find any, The customer's printer will not be available. This is the default behavior.

“Use PCL if none are found”: If no suitable printer driver can be found, the Printer Control Language backhaul printer driver will be used (PCL) as the default.

“Use PS if none is found”: If no suitable printer driver can be found, the PostScript BackTrack Printer Driver will be used (PS) as the default.

“Show PCL and PS if none are found”: If no suitable driver can be found, PS and PCL-based backhaul printer drivers will be displayed.

If you disable this policy setting, the Terminal Server fallback handler is also disabled and Terminal Server will not attempt to use it.

If this policy setting is not set, Rollback printer driver behavior is disabled by default.

– Use Terminal Services Easy Print Printer Driver First: This policy setting allows you to specify whether the Terminal Services Easy Print printer driver will be used first to install all of the printers on the client.

Whether or not you enable this policy setting, the Terminal Server will first attempt to use the Terminal Services Easy Print printer driver to install all of the printers on the client. Yes, For some reason, unable to use the Terminal Services Easy Print printer driver, a printer driver will be used on the Terminal Server that matches the client printer. If the Terminal Server does not have a printer driver that matches the client printer, it will not be available for the Terminal Services session.

If you disable this policy setting, the Terminal Server will try to find a suitable printer driver to install the client printer. If the Terminal Server does not have a printer driver that matches the client printer, the server will attempt to use the Terminal Services Easy Print printer driver to install the client printer. Yes, For some reason, unable to use the Terminal Services Easy Print printer driver, the customer's printer will not be available for the Terminal Services session.

– Redirect only the client's default printer: This policy setting allows you to specify whether the only printer that is redirected in Terminal Services sessions is the client's default printer.

If you enable this policy setting, only the client's default printer will be redirected in Terminal Services sessions.

If you disable or not configure this policy setting, all customer printers will be redirected in Terminal Services sessions.

In “Equipment Setup” > “Administrative Templates” > “Windows Components” > “Terminal Services” > “Terminal Server” > “Safety” We have the following configurations:

– Server Authentication Certificate Template: This policy setting allows you to specify the name of the certificate template that determines which certificate is automatically selected to authenticate a Terminal Server.

A certificate is required to authenticate a Terminal Server when using SSL (TLS 1.0) to secure communication between a client and a terminal server during RDP connections.

If this policy setting is enabled, A certificate template name must be specified. When a certificate is automatically selected to authenticate a Terminal Server, Only certificates created using the specified certificate template will be considered. Automatic certificate selection only takes place when a specific certificate has not been selected.

If no certificate is found that has been created with the specified certificate template, the Terminal Server will issue a certificate enrollment request and use the current certificate until the request is complete. If more than one certificate created with the specified certificate template is found, the certificate with a later expiration date and matching the current name of the Terminal Server will be selected.

If this policy setting is disabled or not configured, a self-signed certificate will be used by default to authenticate the Terminal Server. A specific certificate to authenticate the Terminal Server can be selected on the General tab of the Terminal Services Settings tool.

– Setting the Client Connection Encryption Level: Specifies whether a specific level of encryption is required to secure communications between Terminal Servers and clients during RD Protocol connections (RDP).

If you enable this option, all communications between clients and terminal servers made during remote connections must use the encryption method specified here. By default, the encryption level is set to High. The encryption methods available are:

* High: The High option encrypts data sent from the client to the server and from the server to the client using high-assurance encryption of 128 Bit. Use this level of encryption in environments that contain only 128 Bit (For example, clients running Remote Desktop Connection). Clients that do not support this level of encryption will not be able to connect to Terminal Servers.

* Supported Client: the Supported Client option encrypts data sent between the client and the server with the client-supported maximum key security. Use this level of encryption in environments that contain clients that do not support encryption 128 Bit.

* Low: The Low option encrypts only data sent from the client to the server using encryption of 56 Bit.

If you disable this option or do not configure it, the level of encryption to be used for remote connections to Terminal servers will not be enforced by Group Policy. However, you can configure a level of encryption required for these connections using the Terminal Services Settings.

Important:
FIPS support can be configured using the “System cryptography: use FIPS-compliant algorithms for encryption, Signature and hashing operations” in Group Policy (in Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity Options) or via the “FIPS compliant” in the Terminal Server Settings. FIPS Compliant encrypts and decrypts data sent between the client and server using the Federal Information Processing Standard encryption algorithms (FIPS) 140-1, using Microsoft cryptographic modules. Use this level of encryption when communications between clients and Terminal servers require the highest level of encryption. If FIPS compliance has already been enabled through Group Policy settings “System cryptography: use FIPS-compliant algorithms for encryption, Signature and hashing operations”, this option overrides the level of encryption specified in this Group Policy setting or in the Terminal Services Settings.

– Always ask for the password when connecting: Specifies whether Terminal Services always prompts the client for a password when connecting.

You can use this option to require users who connect to Terminal Services to require a password, even if they have already provided the password in the Remote Desktop Connection client.

By default, Terminal Services allows users to log in automatically by entering a password in the Remote Desktop Connection client.

If the status is set to Enabled, users will not be able to automatically log in to Terminal Services when entering their password in the Remote Desktop Connection client. They will be asked for a password to log in.

If the status is set to Disabled, users will always be able to automatically log in to Terminal Services by entering their password in the Remote Desktop Connection client.

If the status is set to Not configured, Automatic sign-in will not be specified at the Group Policy level. Nevertheless, an administrator will still be able to apply the password prompt with the Terminal Services Configuration tool.

– Require secure RPC communication: Specifies whether a Terminal Server requires secure RPC communications with all clients or allows insecure communications.

You can use this option to strengthen the security of RPC communication with clients by allowing only authenticated and encrypted requests.

If the status is set to Enabled, the Terminal Server accepts requests from RPC clients that support secure requests and does not allow insecure communication with untrusted clients.

If the status is set to Disabled, Terminal Server always requests security for all RPC traffic. However, non-secure communication is allowed for RPC clients that do not respond to the request.

If the status is set to Not configured, Unsecured communication is allowed.

– Require the use of a specific security level for remote connections (RDP): Specifies whether a specific security level is required to protect communications between Terminal Server clients and servers during RD Protocol connections (RDP).

If you enable this option, all communications between clients and terminal servers made during remote connections must use the security method specified herein. The available security methods are:

* Negotiate: the Negotiate method applies the most secure method supported by the client. If version is supported 1.0 Transport Layer Security (TLS), is used to authenticate the Terminal Server. If TLS is not supported, Remote Desktop Protocol encryption is used (RDP) to protect communications, but the Terminal Server is not authenticated.

* RDP: the RDP method uses native RDP encryption to secure communications between the client and the Terminal Server. If you select this option, Terminal Server Not Authenticating.

* SSL (TLS 1.0): SSL method requires the use of TLS 1.0 to authenticate the Terminal Server. If TLS is not supported, The connection is not established satisfactorily.

If you disable this option or do not configure it, the security method that will be used for remote connections to Terminal servers will not be enforced by Group Policy. However, you can configure a required security method for these connections using the Terminal Services Configuration.

– Do not allow local administrators to customize permissions: Specifies whether to disable administrator rights to customize security permissions in the Terminal Services Settings tool.

You can use these settings to prevent administrators from changing user groups on the Permissions tab of the Terminal Services Settings tool. By default, Administrators can make such changes.

If the status is set to Enabled, the Permissions tab of the Terminal Services Settings tool cannot be used to customize security descriptors per connection or to change the default security descriptors for an existing group. All security descriptors are read-only.

If the status is set to Disabled or Not Configured, Server administrators have full read/write privileges to the security descriptors on the Permissions tab of the Terminal Services Configuration tool.

– Require user authentication for remote connections using Network-Level Authentication: This policy setting allows you to specify whether user authentication will be required for remote connections to the Terminal Server using Network-Level Authentication. This policy setting improves security, as it requires user authentication to take place earlier in the remote connection process.

If you enable this policy setting, only client computers that support Network-Level Authentication will be able to connect to the Terminal Server.

To determine whether a client computer supports Network-Level Authentication, start Remote Desktop Connection on the client computer, click the icon in the upper-left corner of the Remote Desktop Connection dialog box, and then click About. In the About Remote Desktop Connection dialog box, Look for the phrase “Supports Network-Level Authentication”.

If you disable or not configure this policy setting, Network-level authentication is not required for user authentication before allowing remote connections to the Terminal Server.

You can specify that Network-Level Authentication is required for user authentication by using Terminal Services Settings or the Remote Access tab in System Properties.

Important: If this policy setting is disabled or not set, Security will be affected, since user authentication will take place later in the remote connection process.

www.bujarra.com – Héctor Herrero – Nh*****@bu*****.cOm – v 1.0