Appendix A: Configuring the Virtual Machine Manually

Applies To: Windows Server 2008 R2

Using the Windows PowerShell script mentioned in Step 3 of this guide is recommended. However, the steps can be completed manually by doing the following:

  • Enable Remote Desktop.

  • Add the user accounts that will be using this virtual machine to the local Remote Desktop Users security group.

  • Allow Remote RPC.

  • Create a firewall exception to allow Remote Services Management.

  • Add permissions to the RDP protocol.

First, you must enable Remote Desktop.

To enable Remote Desktop

  1. Log on to VDP1-CLNT as a member of the local Administrators group.

  2. Click Start, right-click Computer, and then click Properties.

  3. Click Remote settings.

  4. Under Remote Desktop, click Allow connections only from computers using Remote Desktop with Network Level Authentication (more secure), and then click OK.

  5. Repeat steps 1 – 4 for the VDP2-CLNT computer.

Next, add the user accounts that will be using this virtual machine to the local Remote Desktop Users security group on PVD1-CLNT. In this guide, we will add Morgan Skinner.

To add Morgan Skinner to the local Remote Desktop Users group

  1. Click Start, and then click Control Panel.

  2. Click System and Security, click Administrative Tools, and then double-click Computer Management.

  3. Expand Local Users and Groups, and then click Groups.

  4. Right-click Remote Desktop Users, and then click Add to Group.

  5. Click Add, and in the Select Users, Computers, Service Accounts, or Groups dialog box, type contoso\mskinner and then click OK.

  6. Close the Remote Desktop Users Properties dialog box.

Next, allow Remote RPC on VDP1-CLNT.

To allow Remote RPC for Remote Desktop Services

  1. Log on to VDP1-CLNT as a member of the local Administrators group.

  2. Click Start, and in the Search programs and files box, type regedit.exe and then press ENTER.

Warning

Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

  3. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server.

  4. Double-click the AllowRemoteRPC registry entry. In the Value data box, type 1 and then click OK.

  5. Close Registry Editor.

  6. Repeat steps 1 – 6 for the VDP2-CLNT computer.

Next, enable the Remote Service Management Windows Firewall exception.

To enable the Remote Service Management Windows Firewall exception

  1. Click Start, click Control Panel, and then click System and Security.

  2. Under the Windows Firewall heading, click Allow a program through Windows Firewall.

  3. Select the Remote Service Management check box, and then click OK.

Finally, you must grant the RDVH-SRV computer account permissions to the RDP protocol on VDP1-CLNT and then restart the Remote Desktop Services service on VDP1-CLNT. The RDVH-SRV computer account needs the WINSTATION_QUERY, WINSTATION_LOGOFF, and WINSTATION_DISCONNECT permissions on VDP1-CLNT.

To add RDP protocol permissions to a virtual machine

  1. Click Start, point to All Programs, and then click Accessories.

  2. Right-click Command Prompt, and then click Run as administrator.

  3. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

  4. At the command prompt, type the following commands:

    • wmic /node:localhost RDPERMISSIONS where TerminalName="RDP-Tcp" CALL AddAccount "contoso\rdvh-srv$",1

    • wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 0,1

    • wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 2,1

    • wmic /node:localhost RDACCOUNT where "(TerminalName='RDP-Tcp' or TerminalName='Console') and AccountName='contoso\\rdvh-srv$'" CALL ModifyPermissions 9,1

    • Net stop termservice

    • Net start termservice

  5. Log off the VDP1-CLNT computer. This is required in order for Morgan Skinner to log on to the personal virtual desktop successfully.

  6. Repeat steps 1 – 5 for the VDP2-CLNT computer.
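
To confirm the result of the manual steps above, the following read-only check can be run on each virtual machine. It is an added example, not part of the original guide or the script referenced in Step 3. It assumes an elevated Windows PowerShell 2.0 session, the English names of the local group and the firewall rule group, and that the permission bits in Win32_TSAccount correspond to the ModifyPermissions indexes 0, 2, and 9 used in the commands above.

```powershell
# Added example: read-only audit of the settings configured in this appendix.
# Run elevated on VDP1-CLNT and VDP2-CLNT. Nothing is modified.
# Account names are the ones used in this guide; adjust them for your domain.
$user   = 'contoso\mskinner'
$rdvh   = 'contoso\rdvh-srv$'
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = Join-Path $tsKey 'WinStations\RDP-Tcp'

# Assumption: WINSTATION_QUERY (index 0), WINSTATION_LOGOFF (index 2) and
# WINSTATION_DISCONNECT (index 9) are bits 0x1, 0x4 and 0x200 of
# Win32_TSAccount.PermissionsAllowed.
$required = 0x205

$ts  = Get-ItemProperty -Path $tsKey
$rdp = Get-ItemProperty -Path $rdpKey

# Local group membership, parsed from the "net localgroup" output.
$members = net localgroup 'Remote Desktop Users'
$inGroup = [bool]($members -match ('^' + [regex]::Escape($user) + '\s*$'))

# State of the firewall rule group in the currently active profile(s).
$fw     = New-Object -ComObject HNetCfg.FwPolicy2
$fwOpen = $fw.IsRuleGroupCurrentlyEnabled('Remote Service Management')

# Permissions granted to the RD Virtualization Host computer account on RDP-Tcp.
# Assumption: the class lives in root\cimv2\TerminalServices on this OS version.
$acct = Get-WmiObject -Namespace 'root\cimv2\TerminalServices' `
            -Class Win32_TSAccount -Authentication PacketPrivacy |
        Where-Object { $_.TerminalName -eq 'RDP-Tcp' -and $_.AccountName -eq $rdvh }
$hasPerms = [bool]($acct -and
            (($acct.PermissionsAllowed -band $required) -eq $required))

$results = @{
    '1 Remote Desktop enabled'             = ($ts.fDenyTSConnections -eq 0)
    '2 Network Level Authentication'       = ($rdp.UserAuthentication -eq 1)
    '3 User in Remote Desktop Users'       = $inGroup
    '4 AllowRemoteRPC = 1'                 = ($ts.AllowRemoteRPC -eq 1)
    '5 Remote Service Management firewall' = $fwOpen
    '6 RDVH account has RDP-Tcp rights'    = $hasPerms
}
$results.GetEnumerator() | Sort-Object Name | Format-Table Name, Value -AutoSize

if (@($results.Values) -contains $false) {
    Write-Warning 'One or more settings differ from this appendix.'
}
```

A False for check 2 means Remote Desktop accepts connections without Network Level Authentication, which is weaker than the setting chosen in the first procedure.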