Planning Terminal Server User Rights and Logon
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
You can use the Remote Desktop Users group to manage user rights on a terminal server. There are also special logon configurations and Internet Explorer security configurations you can set for Terminal Server.
The Remote Desktop Users Group
Before users can create a remote connection with Remote Desktop, they must have the appropriate permissions. By default, members of the Administrators group can connect remotely to the server. Members of the Remote Desktop Users built-in local group also have remote logon permissions, so this group is the way to grant remote logon without granting administrative rights, and it gives administrators control over the resources that Terminal Server users can access. Terminal Server ships with a default set of connection permissions that you can tighten for extra security. To grant users or groups the appropriate permissions, use the Permissions tab in the Terminal Services Configuration snap-in to add those groups or users and to modify their permissions. For more information about managing permissions, see Managing Permissions on Connections in Help and Support Center for Windows Server 2003.
By default, the Remote Desktop Users local group for Windows Server 2003 Terminal Server is empty.
Populate the Remote Desktop Users group with your Terminal Services users group by using the Computer Management tool. For more information about populating the Remote Desktop Users group, see "Add users to the Remote Desktop Users group" in Help and Support Center for Windows Server 2003.
To control who can add members to the Remote Desktop Users group, add this group to Restricted Groups by using the following procedure:
To add the Remote Desktop Users group to Restricted Groups
In the Security Templates Microsoft Management Console (MMC) snap-in, create a new template, or use an existing one.
In the navigation pane, right-click Restricted Groups in the template, click Add Group, and then type Remote Desktop Users.
In the details pane, double-click Remote Desktop Users, click Add Members, and select the users who you want to add to this group.
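The same Restricted Groups setting can be expressed as a security template (.inf) and applied from the command line with secedit, which is useful when you want the membership enforced on many servers or rebuilt unattended. The following batch file is an added example, not a procedure from the original page; the member it enforces, CONTOSO\TS Users, and the file paths are hypothetical. S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users.

```batch
@echo off
rem Added example, not from the original page. Instead of the Security
rem Templates snap-in, build the same Restricted Groups setting as a
rem security template (.inf) and apply it locally with secedit.
rem Assumption (hypothetical name): the only permitted member of
rem Remote Desktop Users is the domain group CONTOSO\TS Users.
rem S-1-5-32-555 is the well-known SID of BUILTIN\Remote Desktop Users.
setlocal
set TEMPLATE=%TEMP%\rdu-restricted.inf
set DB=%TEMP%\rdu-restricted.sdb
set LOG=%TEMP%\rdu-restricted.log

rem Write the template. The "Members" line is enforced strictly: any account
rem not listed is removed from the group each time the setting is applied.
rem An empty "Memberof" line means the group is not forced into other groups.
> "%TEMPLATE%" echo [Version]
>>"%TEMPLATE%" echo signature="$CHICAGO$"
>>"%TEMPLATE%" echo Revision=1
>>"%TEMPLATE%" echo [Group Membership]
>>"%TEMPLATE%" echo *S-1-5-32-555__Members = CONTOSO\TS Users
>>"%TEMPLATE%" echo *S-1-5-32-555__Memberof =

rem Apply only the group-membership area so nothing else on the server changes.
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /areas GROUP_MGMT /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit reported an error; see "%LOG%"
    endlocal
    exit /b 1
)

rem Verify: the group should now contain exactly the listed member.
net localgroup "Remote Desktop Users"
endlocal
```

Two points worth knowing before you deploy this. First, the Members list is absolute: an account that a local administrator adds by hand is removed the next time the setting is applied, which is exactly the control the procedure above is meant to give you, but it also means service accounts that need remote logon must be in the list. Second, applying the template locally with secedit enforces it once; importing the same template into a Group Policy object enforces it at every security policy refresh, so a domain GPO is the better vehicle when the membership must stay fixed.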
Planning for Automatic Logon
With Terminal Server, you can allow users to connect without entering a user name and password. When you enable this, anyone with a Remote Desktop client can log on to the server as the stored account, so use this connection method only in conjunction with starting users directly into a line-of-business application, especially one that itself requires a password for access, and give the stored account no more rights than that application needs. You can enable automatic logon on a per-user basis through the Remote Desktop Connection tool or Group Policy, or on a per-server basis through TSCC or Group Policy. A per-server automatic logon policy is appropriate when a server is dedicated to a single task-based application. If a server hosts more than one application, assign automatic logon on a per-user basis.
Editing User-Specific Logon Information
When users log on to the system, Terminal Services executes a batch file called UsrLogon.cmd in the system32 directory to make any modifications to the end-user environment and to ensure that users can run their applications correctly. If Terminal Server modifications are necessary to the user environment, you can make them by editing this file. Be aware that editing this file can affect the logon compatibility scripts that were written for applications. For more information about compatibility scripts, see "Identifying Ideal Candidates for Hosting" earlier in this chapter.
In your logon scripts, consider checking for the environment variables CLIENTNAME or SESSIONNAME. Terminal Services sets these variables, and they appear in a user's environment only when the user is logged on to a terminal server: SESSIONNAME is Console for the console session and RDP-Tcp#n for a remote session, and CLIENTNAME is the name the remote client reports about itself, so treat it as informational rather than as a basis for access decisions. You might choose to change the user environment, for example omitting the execution of antivirus software, if the script determines that it is running in a Terminal Server session.
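The check described above, written as a batch fragment in the style of UsrLogon.cmd. This is an added example and not the page's own UsrLogon.cmd; the per-desktop program it starts on the console, %ProgramFiles%\Contoso\DesktopAgent.exe, and the log file location are hypothetical.

```batch
@echo off
rem Added example, not the page's UsrLogon.cmd. A logon-script fragment that
rem detects whether it runs in a remote Terminal Server session and branches.
rem
rem SESSIONNAME is set by Terminal Services: "Console" for the physical
rem console, "RDP-Tcp#<n>" for a remote session. CLIENTNAME is the name the
rem remote client reports about itself. Assumption (hypothetical): per-desktop
rem tasks live in "%ProgramFiles%\Contoso\DesktopAgent.exe".
setlocal
set LOGFILE=%TEMP%\tslogon.log

if not defined SESSIONNAME goto console
if /i "%SESSIONNAME%"=="Console" goto console

rem --- Remote Terminal Server session ---
rem CLIENTNAME is supplied by the client and can be set to anything, so it is
rem recorded for troubleshooting only and never used to decide what the user
rem may run.
set CLIENT=(not reported)
if defined CLIENTNAME set CLIENT=%CLIENTNAME%
>>"%LOGFILE%" echo %DATE% %TIME% user=%USERNAME% session=%SESSIONNAME% client=%CLIENT%
rem Per-desktop tasks are skipped here: on a terminal server they would start
rem once per session and compete with every other user on the machine.
goto done

:console
rem --- Console or non-Terminal-Server logon ---
>>"%LOGFILE%" echo %DATE% %TIME% user=%USERNAME% session=console
if exist "%ProgramFiles%\Contoso\DesktopAgent.exe" start "" "%ProgramFiles%\Contoso\DesktopAgent.exe"

:done
endlocal
```

Testing SESSIONNAME rather than CLIENTNAME is deliberate: the session name is assigned by the server, while the client name travels in the RDP connection and is under the remote user's control. Remember also that editing UsrLogon.cmd itself affects every application compatibility script it calls, so a check like this is usually better placed in your own logon script than spliced into the system file.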
Internet Explorer Enhanced Security Configuration
Windows Server 2003 is installed with the Internet Explorer Enhanced Security Configuration enabled. This configuration reduces the exposure of the server to attacks delivered through Web content and application scripts, and as a result some Web sites might not display or perform as expected. For a better user experience with Terminal Server, remove the enhanced security configuration for members of the Users group only, and leave it in place for administrators. Because ordinary users have fewer privileges on the server, a successful attack on their browser session has less impact than one on an administrator's session. With the configuration removed, users can browse Internet and intranet sites much as if they were using a stand-alone desktop computer.
For more information about Internet Explorer Enhanced Security Configuration settings, see "Internet Explorer Enhanced Security Configuration" in Help and Support Center for Windows Server 2003.
You can also configure Internet Explorer Enhanced Security Configuration through Unattended Setup. For more information, see "Enabling Terminal Server Using an Automated Installation Method" later in this chapter.