The Best Damn Windows Server 2003 Book Period- P100 ppsx


- Use temporary folders per session: Creates a separate temporary folder for each new user session created on the server. This typically does not need to remain on the server after the session has been terminated. This setting is configured to Yes by default.

- Licensing: Allows the administrator to configure the server as a terminal server or Remote Desktop for Administration computer. This setting is configured to Remote Desktop for Administration if the terminal server role has not been installed. If it has, this setting reflects the licensing choice made when you installed the terminal server role (per Device or per User) and can be changed here.

- Active Desktop: Enables the use of Active Desktop technologies in Terminal Services sessions. These desktops can use considerably more bandwidth than traditional desktops. This setting is configured to be enabled by default.

- Permission Compatibility: Full security is the only choice available for Remote Desktop for Administration. A second mode, Relaxed Security, is added when the terminal server role is installed on the server, which loosens security to accommodate older Windows computers and legacy applications. This is configured as Full Security by default.

- Restrict each user to one session: Can be used to ensure that users do not establish more than one session to a Terminal Services system. Savvy users may be able to work around this setting by specifying a different program to start upon connection for each different session.

User Account Extensions
Windows 2003 user accounts contain four property tabs that are designed for the control of the Terminal Services session at the user level. The tabs are entitled Terminal Services Profile, Sessions, Environment, and Remote Control. The same tabs exist in domain and local user accounts. The same tabs are present whether the Terminal Services computer is configured for Remote Desktop for Administration or the terminal server role. You can use these dialog boxes to control Terminal Services settings on a per-user basis. The settings you make here will apply only to that user account.

To access these tabs, right-click the user account you wish to configure in either the Active Directory Users and Computers, Computer Management, or Local Users and Groups MMC snap-in. From the context menu, select Properties and click the appropriate tab.

The Terminal Services Profile Tab

The bottom of the Terminal Services Profile tab contains perhaps the most important check box contained on any of the Terminal Services property tabs, Allow logon to terminal server. This check box is selected by default on all user accounts and enables any user to log on and use either Remote Desktop for Administration (if his or her account is added to the Remote Desktop Users list) or the terminal server. If you want to prevent a single user from accessing Terminal Services, simply clear this check box in the user’s account properties.
966 Chapter 27 • Managing and Troubleshooting Terminal Services
301_BD_W2k3_27.qxd 5/14/04 12:21 PM Page 966
The top section of this tab enables you to specify a separate profile and home directory for use when the user is logged on to a Terminal Services session. By default, these are blank. That means that the effective settings come from the Profile tab in the user’s properties. The Profile tab was originally intended to be used to specify the profile and home directory locations when the user is logged on locally. Many companies leave the Terminal Services Profile tab blank, allowing the settings on the user’s Profile tab to be the effective settings whether the user is logged on locally or with Terminal Services. Because the user’s profile contains that user’s desktop settings, sometimes a user can get confused when logging on to a session and finding a different desktop than when logged on locally. Likewise, if the user saves files to the home directory all day long and then is connected to a different home directory when using Terminal Services, this can be confusing.

Figure 27.18 shows the Terminal Services Profile tab on a user’s account properties.

Figure 27.18 The Terminal Services Profile Tab in a User’s Properties

The Sessions Tab

The Sessions tab in the user’s properties contains many of the same settings that we saw while we were examining the Terminal Services Configuration tool. At that level, they applied to all users connecting over a specified connection to the server. Here they apply to only one user. Thus, if the Override user settings check box is selected on any of the settings at the connection level, those that are set here at the user level are ignored. Likewise, if the defaults are left in place at the connection level, the configurations in the user’s properties are the effective settings.

The settings on this tab include the following:

- End a disconnected session (select a duration from Never to 2 days)
- Active session limit (select a duration from Never to 2 days)
- Idle session limit (select a duration from Never to 2 days)
- When a session limit is reached or broken:
  - Disconnect from session
  - End session
- Allow reconnection:
  - From any client
  - From originating client only

Again, the settings on this tab affect only the user whose properties are being modified. However, they perform the exact same actions as described in the Terminal Services Configuration section. This tab is displayed in Figure 27.19.

Figure 27.19 The Sessions Tab in a User’s Properties

The Environment Tab

As with the Sessions tab, the settings on the Environment tab in the user’s properties are identical to several settings we’ve already seen in the Terminal Services Configuration tool. As with the Sessions tab, when overridden at the connection level or by Group Policy, the settings on this tab are ignored. However, by default they are the effective settings. The top section of the tab contains the Start the following program at logon check box, which is not selected by default. When selected, the Program file name: and Start in: text boxes are enabled. The Program file name: text box corresponds to the Program path and file name: text box on the Environment tab in the Terminal Services Configuration tool. Likewise, the Start in: text box is identical to the box of the same name on that tab in Terminal Services Configuration. Refer to the Terminal Services Configuration section of this chapter for more information about how to use these.

The lower section of the Environment tab in the user’s properties also contains settings identical to several we’ve already discussed in the section on the Client Settings tab in the Terminal Services Configuration tool. These include the following:

- Connect client drives at logon
- Connect client printers at logon
- Default to main client printer

Again, by default the user’s settings are effective unless overridden with the Terminal Services Configuration tool or by Group Policy. The Environment tab is shown in Figure 27.20.

Figure 27.20 The Environment Tab

The Remote Control Tab

As with the previous two tabs, the settings on the Remote Control tab also mirror those in the Terminal Services Configuration tool and were described in that section of this chapter. As with the other settings, the default is for the settings at the user property level to be effective. As we saw earlier, these settings can be overridden at the connection level using Terminal Services Configuration if desired, or by Group Policy. The following settings are available at the user property level:

- Enable remote control
- Require user’s permission
- Level of control:
  - View the user’s session
  - Interact with the session

For more detailed information on each of these settings, refer to the Terminal Services Configuration section of the chapter. The Remote Control tab is shown in Figure 27.21.

Figure 27.21 The Remote Control Tab in a User’s Properties

Using Group Policies to Control Terminal Services Users

There are over 900 group policy settings in Windows 2003, of which approximately 50 relate specifically to Terminal Services components. There are separate settings that can be applied at the computer and user levels, as well as separate settings for Terminal Services and Remote Assistance (RA). Virtually all of the actions performed by these settings have already been described, because similar settings exist on many of the tabs and property sheets we’ve already discussed.

Terminal Services settings can be found in the following locations within the Group Policy Object Editor:

- Computer Configuration | Administrative Templates | Windows Components | Terminal Services
- Computer Configuration | Administrative Templates | System | Remote Assistance
- User Configuration | Administrative Templates | Windows Components | Terminal Services

Some of the key Group Policy settings that have not already been covered elsewhere in this chapter include the following:

- Deny log off of an administrator logged in to the console session, which can be used to prevent the automatic logoff of the administrator currently using the Terminal Services computer’s console session by another administrator attempting to connect to it. Remember that by default, only one administrator can be logged on and viewing the console session at a time. When an administrator attempts to connect, by default any currently connected administrator is logged off and all unsaved work is lost. It is also important to note that the console session is the only one that cannot be used with Remote Control, in either View Only or Interaction mode.

- Remove Windows Security item from Start menu, which can be used to control how a user may terminate his or her session. The Windows Security dialog is the dialog box that comes up on a local system when you use the key combination CTRL + ALT + DEL. Because this key combination is never redirected to a remote session, Microsoft puts a link to it on the Start menu in a session. The Windows Security dialog box contains buttons for locking the remote desktop, logging off, shutting down (if you have the appropriate permissions and this is not grayed out, it will shut down the Terminal Services computer, not the local computer), changing your password, and accessing Task Manager on the Terminal Services computer. It may be appropriate in your environment to remove this link for security or log-off control purposes. However, even if this link is not present, the key combination CTRL + ALT + END can be used to bring up the Windows Security dialog box within the terminal session.

- Remove Disconnect option from Shut Down dialog, which enables you to remove the disconnect option from the Shut Down Windows dialog box. This dialog box appears when you select Shut Down from the Windows Start menu or Windows Security dialog box. It is important to note that removing this option from the Shut Down dialog does not prevent someone from disconnecting. The user can still click the X button in the top right-hand corner of the Remote Desktop window to disconnect.

There are many more Group Policy templates that can be used to control Terminal Services. For some settings, Group Policy is the only way to configure a particular setting. For example, you can specify whether to allow time zone redirection, prevent license upgrade, or enable users to offer remote assistance.

Using the Terminal Services Command-Line Tools

In addition to the graphical tools and clients described earlier, Windows 2003 also provides a number of command-line utilities for both administrators and end users to manage connections. The primary benefit of these command-line tools is that they can be used in scripts to automate Terminal Services tasks. The basic set of commands, as listed in the Windows Server 2003 Help files, is described in Table 27.3.

Table 27.3 Terminal Services Command-Line Tools

Command           Description
change logon      Temporarily disables logons to a terminal server
change port       Used to change COM port mappings for MS-DOS program compatibility
change user       Changes the .ini file mapping for the current user
Cprofile          Removes user-specific file associations from a user profile
Flattemp          Enables or disables flat temporary directories
Logoff            Logs off a user from a session and deletes the session from the server
Msg               Sends a message to a user or group of users
Mstsc             Displays the Remote Desktop Connection to establish a connection with a terminal server
query process     Displays information about processes running on a terminal server
query session     Displays information about sessions on a terminal server
query termserver  Displays a list of all terminal servers on the network
query user        Displays information about user sessions on a terminal server
Register          Registers applications to execute in a global context on the system
reset session     Resets a session to known initial values
Shadow            Monitors another user’s session
Tscon             Connects to another existing terminal server session
Tsdiscon          Disconnects a client from a terminal server session
Tskill            Ends a process
Tsprof            Copies user configuration and changes profile path
Tsshutdn          Shuts down a terminal server

Use Terminal Services Manager to Reset a Session

1. Open Terminal Services Manager from Administrative Tools in the Windows Start | Programs menu.
2. If necessary, expand the This Computer node.
3. If necessary, expand the node that corresponds to the name of your Windows 2003 server.
4. Right-click the session you wish to terminate.
5. In the context menu that appears, select Reset.
6. Close Terminal Services Manager.
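
The reset steps above can also be scripted with the query session and reset session commands from Table 27.3. The PowerShell below is an added example, not code from the book: it parses the fixed-width output of query session and resets only disconnected user sessions. The function names, the -ExcludeUser parameter and the sample output are hypothetical, and it assumes PowerShell 3.0 or later and English-locale output in which a disconnected session has the state Disc.

```powershell
# Added example: audit Terminal Services sessions and reset disconnected ones.
# Function and parameter names are hypothetical. Assumes English-locale output,
# where a disconnected session's STATE column reads "Disc".

# Constructed sample in the fixed-width layout printed by `query session`.
$SampleOutput = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
>console           Administrator             0  Active  wdcon
 rdp-tcp                                 65536  Listen  rdpwd
 rdp-tcp#1         jsmith                    1  Active  rdpwd
                   bjones                    2  Disc    rdpwd
'@ -split "`r?`n"

function ConvertFrom-QuerySession {
    param([string[]]$Lines)
    if (-not $Lines) { return }

    # Column positions come from the header, not from hard-coded offsets.
    $header   = $Lines[0]
    $userCol  = $header.IndexOf('USERNAME')
    $stateCol = $header.IndexOf('STATE')
    if ($userCol -lt 1 -or $stateCol -le $userCol) {
        throw 'Unexpected header: not English-locale query session output.'
    }

    foreach ($raw in ($Lines | Select-Object -Skip 1)) {
        if ($raw.Trim().Length -eq 0) { continue }
        $line = $raw.PadRight($stateCol)
        # USERNAME is left-aligned and ID right-aligned in the same span, and the
        # user name can be blank (listener rows), so anchor on the ID from the right.
        $span = $line.Substring($userCol, $stateCol - $userCol)
        if ($span -match '^(?<user>.*?)\s*(?<id>\d+)\s*$') {
            [pscustomobject]@{
                Current     = $line[0] -eq '>'   # '>' marks the caller's own session
                SessionName = $line.Substring(1, $userCol - 1).Trim()
                UserName    = $Matches['user'].Trim()
                Id          = [int]$Matches['id']
                State       = @(-split $line.Substring($stateCol))[0]
            }
        }
    }
}

function Reset-DisconnectedSession {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Server = $env:COMPUTERNAME,
        [string[]]$ExcludeUser = @()   # accounts whose sessions are left alone
    )
    $sessions = ConvertFrom-QuerySession -Lines (& query.exe session "/server:$Server")
    foreach ($s in $sessions) {
        # Skip listeners and sessions with no user; act only on disconnected users.
        if ($s.State -ne 'Disc' -or -not $s.UserName) { continue }
        if ($ExcludeUser -contains $s.UserName) { continue }
        $target = "session $($s.Id) ($($s.UserName)) on $Server"
        if ($PSCmdlet.ShouldProcess($target, 'reset session')) {
            & reset.exe session $s.Id "/server:$Server"
        }
    }
}

# Offline demonstration on the constructed sample: list disconnected user sessions.
ConvertFrom-QuerySession -Lines $SampleOutput |
    Where-Object { $_.State -eq 'Disc' -and $_.UserName } |
    Format-Table Id, UserName, SessionName, State -AutoSize

# On a terminal server, preview first, then run again without -WhatIf:
#   Reset-DisconnectedSession -WhatIf
```

Run the function with -WhatIf first: it lists the sessions that would be reset without touching them.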

Troubleshooting Terminal Services

Troubleshooting Terminal Services components is never an easy task. The complexity of Terminal Services often makes for strange occurrences, which are difficult to track down, so this section contains a number of troubleshooting tips you can use to find and solve Terminal Server problems.

The most important keys to understanding how to troubleshoot Terminal Services come from all the background knowledge presented in this chapter. Knowing how it all works is essential to troubleshooting problems quickly and effectively.

Not Automatically Logged On

A common problem occurs when you want to be able to automatically log on to the server, but you’re still prompted for your user credentials when you connect to the terminal server. There are a number of possible causes and solutions.

If you are using a Windows NT 4.0 Terminal Services client, be aware that these clients are not always able to detect and pass on the underlying system logon credentials to the Windows Server 2003 terminal server even if your system logon credentials are the same as those for the terminal server. In the NT 4.0 Client Connection Manager, configure Automatic logon on the General tab in the Properties box for the connection. Enter the appropriate logon credentials in the User name, Password and Domain text boxes.

If you are using a Windows 2000 TS client or the RDC client, it is possible that you entered the incorrect credentials on the General tab. If you mistyped the user name or password, the terminal server will not be able to verify your credentials and will prompt you for the correct ones. The solution is to edit the User name, Password, and/or Domain text box(es) on the General tab of the client utility.

Another possibility is that your client settings are configured correctly, but Group Policy is configured to require users to enter at least part of the credentials (the password). Group Policy settings override client settings. The only way to correct this is to remove the Group Policy setting that is enforcing this restriction.

“This Initial Program Cannot Be Started”

Occasionally a client may receive a message stating, “This initial program cannot be started.” At the client level, a user can specify that a program be launched when they connect to a server instead of receiving a desktop. Likewise, an administrator can specify this at the connection level for all users that connect to a specific listener connection. Finally, this can also be set in Group Policy.

The error may be caused by something as simple as an input error. You should first check to ensure that the path and executable names specified are correct. If you have entered them incorrectly, they will be pointing to a file that does not exist. This will make it impossible for Windows Server 2003 to launch the application.

Another possibility is that the correct permissions are not set on the executable file. If Windows cannot access the file, it will not be able to launch the program for you. You should verify that the appropriate read and execute permissions are applied to both the file and the working directory (if specified). If neither of these two possible solutions resolves the issue, the application may have become corrupt. Try to launch the application from the server console. If it will not open, you may need to uninstall and reinstall the application.

Clipboard Problems

Ordinarily, when you copy text to the clipboard in a session, it is synchronized with the local clipboard on the client. Because the text is available on each clipboard, it should be available to paste into local applications as well as applications running remotely in a session. You should note that it works the same way when you copy text to the clipboard locally. It is synchronized with the clipboard running in your Terminal Services session and can be used in either local or remote applications.

Microsoft states that there are instances in which text that is copied to the clipboard in a remote session is unable to be pasted into an application on the local client. Currently, there is no fix available for this problem. First, try to reinstall the client application you are using. If it is still malfunctioning, try to uninstall the client application and reinstall it.

License Problems

For remote administration, licenses come built in to Windows Server 2003. The terminal server role, however, requires the installation and proper configuration of the terminal server licensing component. Because of this, license problems typically relate only to the terminal server role. If you receive messages similar to those below, you have license component problems.

- The remote session was disconnected because there are no terminal server client access licenses available for this computer. Please contact the server administrator.
- The remote session was disconnected because there are no Terminal Server License Servers available to provide a license. Please contact the server administrator.

Error messages such as these can indicate several different types of issues. First, verify that the license server is online and able to communicate on the network. It’s also important to verify name resolution during this step. Next, ensure that the license server component has been activated properly. Check event logs on the license server and look for more subtle problems that simple connectivity checks will not spot.

Verify that the license server has a sufficient number of valid client licenses for your network, and that the licenses are valid. The terminal server draws licenses from the license server, so you should also ensure that these two servers can communicate with each other. Finally, don’t forget to check the clients. It is possible that the clients never received a valid license. By default, clients often receive temporary licenses that expire after 90 days and prevent further connections. If they did receive full licenses, the licenses may have become corrupt and need to be replaced or overwritten.