Active Directory Preparation
In most environments where Terminal Services is deployed, settings that are applied to the regular computers (e.g. desktop wallpapers, themes, the ability to shut down the machine) are usually not applied to the Terminal Servers. This means a different set of rules should exist to deal only with the user experience when connected to a terminal server, and these rules may not be the same ones that apply to the user's regular machine (i.e. the desktop on his desk).
This guide assumes you have a properly configured and working Windows Server 2003 Active Directory environment, but as you will see, many of the concepts and ideas discussed apply to pretty much any Active Directory version (2000, 2003 or 2008).
We also assume you have rights to perform such changes on your Active Directory. If you do not have these rights, you will need to discuss your requirements with your administrators.
OUs
The first change is quite simple. You should create an Organizational Unit (OU) to hold all your Terminal Servers. To keep things easy to understand, we normally create an OU called ‘Terminal Servers’ and then move all the computer objects (your TSs) to this OU, as seen below.
Fig 4: Active Directory Users and Computers, Terminal Servers OU
As you can see above, I created the Terminal Servers OU (you can create it anywhere you want; in my case I created it at the root level) and moved my Terminal Server computer object (named TSFLABS-TS01) to it. To move computer objects, simply right-click them and select ‘Move’. Then browse to the OU you just created and click ‘Ok’.
Profiles/Home Directories
For a single-server environment this step may not be required, but I do recommend it, as it will definitely help you when you decide to expand the environment by adding more terminal servers to serve your users!
Usually, users logging in to a computer network are assigned what we call a home directory. This is simply a unique location on the network where the user can save his files (e.g. Word documents, Excel spreadsheets) and folders. Most companies already have this set for their users, so when they log on to their PCs a network drive is mapped to that location (e.g. an H: drive).
A profile, on the other hand, is a collection of user settings/preferences that are usually stored in the computer registry (some may be saved in files like MyApp.INI). When the user needs to log on to multiple computers, the only way to make these preferences/settings follow the user is to save the profile to a network location that all computers can see. This is what we call a roaming profile.
As in our case users will be logging in to our terminal servers, we do not want the ‘regular’ profile (i.e. the one they use to save their preferences/settings on their Windows XP workstation) to be used for our terminal servers, as these machines will not even run the same OS as the users’ PCs! That is the reason why, under Active Directory Users and Computers, if you look at the properties for a user you will find a tab specifically for Terminal Services (Terminal Services Profile):

Fig 5: Active Directory Users and Computers, User Properties
What needs to be set here is the Terminal Services User Profile and the Terminal Services Home Folder. Usually the home folder is already set on the ‘Profile’ tab (right above the ‘Terminal Services Profile’ one). If you set it there, users will always get their home drive mapped, regardless of whether they log in to a workstation or to a terminal server. For this particular setting it is usually a great idea that your users always get the same home directory regardless of where they are logging in (so they can always find their files in the same place). So if it is already set under the ‘Profile’ tab, there is no need to set it again under the ‘Terminal Services Profile’ tab.
A profile carries the user’s settings and preferences. We may not want certain options on the user interface to be available when logging in to a terminal server. In this case you must set a profile path under the ‘Terminal Services Profile’ tab. If you do not set it and you set one under the ‘Profile’ tab, that one will be used for both regular workstations and TSs, which is what we do NOT want. For this reason, make sure you do set the ‘Terminal Services User Profile’ under the ‘Terminal Services Profile’ tab.
This setting will also allow your users to have the same settings/preferences regardless of the TS they are logging in to! Imagine having to set up Outlook options and preferences every single time you log on to a new TS. So later on, if you add a new terminal server to provide the same applications to your users, nothing else needs to be done regarding their profiles.
The steps you need to follow to set up the home directories and profiles are:
- Create two folders on a file server (preferably not a TS, because if that TS is down, all your shares will go down with it!) and share them with meaningful names (one folder for the home directories, assuming you do not have it already, and one for the terminal services profiles). In my example I created the folders TSProfiles and TSHome and shared them as TSProfiles$ and TSHome$. You must give your users enough rights to these folders and to the share (this usually means ‘Read/Change’ on the share and ‘Read & Execute/Write/List Contents’ on the folder itself, i.e. NTFS).
Fig 6: Folders for Home Directory and Profiles
- Once the folders are shared, simply go to the user properties and set the ‘Terminal Services Profile Path’ (and if you did not set the Home Directory anywhere else, set it under ‘Terminal Services Home Folder’) to point to your file server TSProfiles$ share. In my case this will be \\tsflabs-dc01\TSProfiles$\%username%. Note I am using the %username% variable so it gets resolved to the correct username once you click Ok. For the Home Folder, make sure you select ‘Connect’ and choose a drive letter that does not conflict with any other drive mappings you may have. And remember to point it to the TSHome$ share (in my example, \\tsflabs-dc01\TSHome$\%username%).
Fig 7: Active Directory Users and Computers, User Properties, Terminal Services Profile tab
- Once you set all the above, the first time a user logs in you will see folders created under TSHome$ and TSProfiles$ for the user's home directory and for his profile. For the profile, by default, administrators do NOT have rights to the folder. If you want administrators to have full rights over the user profile folder, you should set this in a group policy (do not worry about this right now; we will explain it in detail later in this guide). The setting you must enable is shown below, under Computer Configuration | Administrative Templates | System | User Profiles. The setting is ‘Add the Administrators security group to roaming user profiles’.
Fig 8: Policy settings to give administrators rights on the user profiles
Note: As you get more familiar with group policies, you will find that many settings, including the TS Roaming Profile path, can be set using Group Policies and not necessarily in the user properties in AD!
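The first two steps of the list above, scripted in PowerShell. This is an added example, not part of the original guide; it assumes a file server with the SmbShare module (Windows Server 2012 or later), and the D:\ paths, the EXAMPLE\TS Users principal, the T: drive letter and the account names are placeholders.

```powershell
# Added example, not from the guide. Placeholders: D:\ paths, the EXAMPLE domain,
# the T: drive letter and the account names in $users.
$server    = 'tsflabs-dc01'          # file server used in the guide
$principal = 'EXAMPLE\TS Users'      # placeholder group holding the TS users
$shares    = @{ 'TSProfiles$' = 'D:\TSProfiles'; 'TSHome$' = 'D:\TSHome' }

# Step 1 (run on the file server): create, share and permission both folders.
foreach ($share in $shares.GetEnumerator()) {
    New-Item -ItemType Directory -Path $share.Value -Force | Out-Null
    # Share permission 'Change' (implies Read).
    New-SmbShare -Name $share.Key -Path $share.Value -ChangeAccess $principal | Out-Null
    # NTFS on the folder itself only (no inheritance flags): Read & Execute
    # (which includes List Folder Contents) plus Write.
    $acl  = Get-Acl -Path $share.Value
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $principal, 'ReadAndExecute, Write', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $share.Value -AclObject $acl
}

# Step 2: set the 'Terminal Services Profile' tab values per user through ADSI.
# The GUI expands %username% when you click Ok; a script must expand it itself.
$users = 'jdoe', 'asmith'            # constructed sAMAccountNames
foreach ($sam in $users) {
    $hit = ([adsisearcher]"(&(objectCategory=person)(sAMAccountName=$sam))").FindOne()
    if (-not $hit) { Write-Warning "No such user: $sam"; continue }
    $user = $hit.GetDirectoryEntry()
    $user.psbase.InvokeSet('TerminalServicesProfilePath',   "\\$server\TSProfiles`$\$sam")
    $user.psbase.InvokeSet('TerminalServicesHomeDrive',     'T:')
    $user.psbase.InvokeSet('TerminalServicesHomeDirectory', "\\$server\TSHome`$\$sam")
    $user.SetInfo()
    # Read back what was stored so a typo in the UNC path is caught now,
    # not at the user's first logon.
    'TerminalServicesProfilePath', 'TerminalServicesHomeDirectory' | ForEach-Object {
        '{0,-8} {1,-30} {2}' -f $sam, $_, $user.psbase.InvokeGet($_)
    }
}
```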
Groups
For this particular environment we will create a group called ‘TS Users’ and add to it all the users we want to give access to the TS, and a group called ‘TS Servers’ to which we add all the TS computer objects.
Simply launch ‘Active Directory Users and Computers’ and create these two groups. Remember to add your users and your terminal servers to the respective groups we just created. We will need these down the road!
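The OU and Groups sections above as one PowerShell script, with a check that the ‘Terminal Servers’ OU and the ‘TS Servers’ group stay in step. This is an added example, not from the guide; it assumes the ActiveDirectory module (RSAT) is available, and the user names and the Add-Missing helper are constructed for illustration.

```powershell
# Added example, not from the guide. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName
$ouDN     = "OU=Terminal Servers,$domainDN"    # root-level OU, as in the guide

# OU: create it once, then move the terminal server's computer object into it.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'Terminal Servers'" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'Terminal Servers' -Path $domainDN
}
$ts = Get-ADComputer -Identity 'TSFLABS-TS01'
if ($ts.DistinguishedName -notlike "*,$ouDN") { $ts | Move-ADObject -TargetPath $ouDN }

# Groups: create both, then add only the members that are not in them yet
# (Add-ADGroupMember fails on an object that is already a member).
# Add-Missing is a hypothetical helper defined here.
function Add-Missing($Group, $Objects) {
    $have = @(Get-ADGroupMember -Identity $Group | ForEach-Object { $_.distinguishedName })
    $new  = @($Objects | Where-Object { $have -notcontains $_.DistinguishedName })
    if ($new.Count -gt 0) { Add-ADGroupMember -Identity $Group -Members $new }
}
foreach ($name in 'TS Users', 'TS Servers') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security
    }
}
$users = 'jdoe', 'asmith' | ForEach-Object { Get-ADUser -Identity $_ }   # constructed names
Add-Missing 'TS Users'   $users
Add-Missing 'TS Servers' (Get-ADComputer -Filter * -SearchBase $ouDN)

# Check: every 'TS Servers' member should live in the 'Terminal Servers' OU.
Get-ADGroupMember -Identity 'TS Servers' |
    Where-Object { $_.distinguishedName -notlike "*,$ouDN" } |
    ForEach-Object { Write-Warning "Outside the OU: $($_.distinguishedName)" }
```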
That is all for Active Directory!