Windows: Terminal Services GPO: Deploying Roaming Profiles, User Home Directory, and Session management

Created: 2/25/14

Updated: 8/14/17

 

I’ve always wanted to document the Terminal Server GPO policy, since it might be useful for people who don’t know exactly which settings are needed to get the ball rolling. To me, there are 6 basic settings needed for a Terminal Server to work like a normal Windows desktop for end users: Roaming Profiles, User Home Directory, Desktop Experience, Compression Algorithm, Session Management, and Windows Update Control.

 

First, I need to cover some ground rules that must be in place for this GPO to work correctly. Create a new GPO called “Terminal Services” and link it to a folder (an organizational unit), called for instance “Terminal Servers”, that you create in Active Directory. (Active Directory design is not explained here, since it is assumed you already have a structured Active Directory in place.) The Terminal Servers that should receive this GPO need to be moved into this folder in Active Directory for the linked GPO to take effect, and the security settings for the GPO should be set to ‘Authenticated Users’.

 

Below are the policy paths for each of these 6 settings, with the values to configure.

 

Computer Configuration/Policies/Windows Settings/Security Settings/

Local Policies/User Rights Assignment

1. Allow log on locally
2. Allow log on through Terminal Services.

Computer Configuration/Policies/Administrative Templates/

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Printer Redirection

1. Do not allow client printer redirections – Enabled

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Profiles

1. Set path for Remote Desktop Services Roaming User Profile – Enabled
   a. Profile path: \\[File Server]\[Profiles of Users]
2. Set Remote Desktop Services User Home Directory
   a. Location: On the network
   b. Home Dir root path: \\[File Server]\[User’s ‘My Documents’ Folder]
   c. If home path is on the network, specify drive letter for the mapped drive: “M:”

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Remote Session Environment

1. Optimize visual experiences for Remote Desktop Services sessions – Enabled
   a. Visual experience – Rich multimedia
2. Set compression algorithm for RDP data – Enabled
   a. RDP compression algorithm – Balances memory and network bandwidth

(You can specify which RDP compression algorithm to use. The algorithm that is optimized to use less memory is less memory-intensive, but uses more network bandwidth. The algorithm that is optimized to use less network bandwidth uses less network bandwidth, but is more memory-intensive. A third option balances memory usage and network bandwidth; I prefer the balanced setting, as it works best in more environments.)

Windows Components/Remote Desktop Services/Remote Desktop Session Host/Session Time Limits

1. Set time limit for active but idle Remote Desktop Services sessions – Enabled
   a. Idle session limit – 1 hour (adjust this setting to suit your environment)
2. Set time limit for disconnected sessions – Enabled
   a. End a disconnected session – 1 hour (adjust this setting to suit your environment)

Windows Components/Windows Update

1. Allow automatic updates immediate installation – Disabled
2. Allow non-administrators to receive update notifications – Disabled

 

After the GPO has been applied in Group Policy Management, log into each Terminal Server that will have this GPO applied to it with a domain administrator login, open a command prompt, and run the following command:

gpupdate /force

 

This command updates the User and Computer configurations. Once it has completed, you will need to reboot the server for the GPOs to take effect.

NOTE: User Configuration takes effect immediately after applying the above command, but Computer Configuration will only go into effect after a reboot.
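
To confirm after the reboot that the Computer Configuration settings actually landed on a server, the script below (an added example, not part of the original post) reads the values that the Remote Desktop Services and Windows Update administrative templates write under HKLM\SOFTWARE\Policies and compares them with the values chosen above. It assumes the 1 hour limits are stored as 3600000 milliseconds, that the profile and home paths are UNC paths, and that "Disabled" writes a 0; the variable names are illustrative, and the compression and visual experience settings are not checked.

```powershell
# Added example: run in an elevated PowerShell session on the Terminal Server
# after "gpupdate /force" and the reboot. Read-only; it changes nothing.
$ts   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$wu   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$hour = 3600000   # assumption: the 1 hour limits are stored in milliseconds

# Each check: setting label, registry key, value name, test applied to the data.
$checks = @(
    @{ Setting = 'Do not allow client printer redirection'; Key = $ts; Name = 'fDisableCpm'; Test = { param($v) $v -eq 1 } }
    @{ Setting = 'Roaming profile path'; Key = $ts; Name = 'WFProfilePath'; Test = { param($v) $v -like '\\?*' } }
    @{ Setting = 'Home directory on the network'; Key = $ts; Name = 'WFHomeDirUNC'; Test = { param($v) $v -eq 1 } }
    @{ Setting = 'Home directory root path'; Key = $ts; Name = 'WFHomeDir'; Test = { param($v) $v -like '\\?*' } }
    @{ Setting = 'Home directory drive letter'; Key = $ts; Name = 'WFHomeDirDrive'; Test = { param($v) $v -eq 'M:' } }
    @{ Setting = 'Idle session limit'; Key = $ts; Name = 'MaxIdleTime'; Test = { param($v) $v -eq $hour } }
    @{ Setting = 'Disconnected session limit'; Key = $ts; Name = 'MaxDisconnectionTime'; Test = { param($v) $v -eq $hour } }
    @{ Setting = 'Automatic updates immediate installation'; Key = "$wu\AU"; Name = 'AutoInstallMinorUpdates'; Test = { param($v) $v -eq 0 } }
    @{ Setting = 'Non-administrators receive update notifications'; Key = $wu; Name = 'ElevateNonAdmins'; Test = { param($v) $v -eq 0 } }
)

$results = foreach ($c in $checks) {
    # A missing key or value means the policy never reached this server.
    $item   = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($c.Name) } else { $null }
    [pscustomobject]@{
        Setting = $c.Setting
        Value   = $c.Name
        Actual  = if ($null -eq $actual) { '<not set>' } else { $actual }
        Pass    = ($null -ne $actual) -and [bool](& $c.Test $actual)
    }
}

$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) missing or different from the GPO described above."
}
```

A row showing <not set> usually means the server is not in the folder the GPO is linked to, or has not been rebooted since gpupdate /force.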

These settings are, to me, the basis of what makes a terminal server a Terminal Server. Some may want to enable other features, but these are the basics required to get a Terminal Server Farm working for users. As for designing a Terminal Server Farm, well, that’s for another posting altogether, and I’ll be sure to make it fun! 🙂