Configuring User Group Policy Settings
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Under User Configuration in the Group Policy Object Editor, you can set several Group Policy settings that are particularly useful for Terminal Server. Use these settings to control the user experience and prevent access to areas of the terminal server. For more information about each of the settings listed here, see the Group Policy Explain text associated with each setting. For a job aid to assist you in recording your Terminal Server Group Policy configuration decisions, see "Group Policy Configuration Worksheet" (SDCTS_2.xls) on the Windows Server 2003 Deployment Kit companion CD (or see "Group Policy Configuration Worksheet" on the Web at http://www.microsoft.com/reskit).
See the following resources for more specific information about using Group Policy:
For general information about Group Policy, see the Management Services link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
For more information about designing a Group Policy infrastructure, see "Designing a Group Policy Infrastructure" in Designing a Managed Environment of this kit.
For information about using Group Policy to lock down a Terminal Server session, see article 278295, "How to Lock Down a Windows 2000 Terminal Server Session" in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
For more information about applying Group Policy to Terminal Server, see article 260370, "How to Apply Group Policy Objects to Terminal Services Servers." To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Because these settings apply to the user, and not the computer, they affect the user environment regardless of which computer the user accesses. When applying settings that you want to apply only when users have a session on the terminal server (as opposed to their own desktop computer), use computer settings that apply to the terminal server. For more information, see "Designing Terminal Server Installation and Configuration" later in this chapter.
Configuring the User Display
A graphic-intensive display can affect performance for users of Terminal Server. To ensure the best possible performance, you can control what users can put on their desktops by configuring the Group Policy settings located under User Configuration/Administrative Templates/Control Panel/Display.
Configuring desktop items
Many organizations permit users to choose their own desktop wallpaper or screen savers. However, in a Terminal Server environment, these graphics can have an effect on performance. Use the following Group Policy settings to control users’ ability to change wallpaper and screen savers.
Screen savers. You can use several Group Policy settings to affect the user’s screen saver. You can disable screen savers altogether by disabling the Screen Saver policy. You can also specify the screen saver by enabling this policy and then enabling the Screen Saver executable name policy and specifying the screen saver executable name in it. For more information about these Group Policy settings, see the Explain tab located on the property sheet for each policy.
Wallpaper. By enabling the Prevent changing wallpaper setting, you can disable all the options in the Desktop tab of Display in Control Panel. This includes changing the wallpaper and changing the appearance of the desktop icons. By not allowing these changes, you can ensure that users do not choose desktop display items that might affect the performance of the server.
Configuring the desktop theme
If you are hosting the full desktop with Terminal Server, by default the desktop environment resembles a Windows Classic desktop. By default Windows Server 2003 does not have themes enabled. You can enable themes by starting the Themes service and configuring it to start automatically. For more information about starting the Themes service, see "Configure how a service is started" in Help and Support Center for Windows Server 2003.
After you have configured the Themes service to start automatically, you can enforce a specific desktop theme or the Windows XP theme for your Terminal Server users by using the following procedure. For more information about choosing to use desktop themes with Terminal Server, see "Hosting Full Desktops with Terminal Server" earlier in this chapter.
To load a specific theme for the desktop
In the Group Policy Object Editor, navigate to User Configuration/Administrative Templates/Control Panel/Display/Desktop Themes.
Open the Load a specific visual style file or force Windows Classic setting.
Take one of the following actions, depending on what you are trying to achieve:
- To force Windows Classic, enable this setting.
- To load the Windows XP theme, enable the setting and type %windir%\resources\Themes\Luna\Luna.msstyles in the Path to Visual Style dialog box. For information about using the Windows XP theme with Terminal Server, see "Choosing Applications to Host" earlier in this chapter.
- To load another theme or a custom theme, type the path to that theme in the dialog box.
Restricting Access to Drives on a Terminal Server
You can use Group Policy settings to hide and restrict access to drives on the terminal server. By enabling these settings you can ensure that users do not inadvertently access data stored on other drives, or delete or damage program or other critical system files on the C drive. The following settings are located in the Group Policy Object Editor under User Configuration/Administrative Templates/Windows Components/Windows Explorer:
Hide these specified drives in My Computer. You can remove the icons for specified drives from a user’s My Computer folder by enabling this setting and using the drop-down list to select the drives you would like to hide. However, this setting does not restrict access to these drives.
Prevent access to drives from My Computer. Enable this setting to prevent users from accessing the chosen combination of drives. Use this setting to lock down the terminal server for users accessing it for their primary desktop.
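The following audit check is an added example, not part of the original documentation: it decodes the two drive policies for the current user and lists drives that are hidden but not access-restricted, the gap described above. It assumes the settings are stored as the NoDrives and NoViewOnDrive bitmask values under the Explorer policies key (standard Windows behavior, not stated on this page); the function names are hypothetical.

```powershell
# Added example. Registry value names are an assumption from general Windows
# behavior, not from this page: each is a DWORD bitmask, bit 0 = A: ... bit 25 = Z:.
$PolicyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

# Turn a drive bitmask into a list of drive letters.
function ConvertFrom-DriveMask {
    param([long]$Mask)
    $letters = @()
    for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Mask -band [long][math]::Pow(2, $bit)) {
            $letters += [string][char](65 + $bit)
        }
    }
    $letters
}

# Read one policy value for the current user; 0 when the policy is not set.
function Get-DrivePolicyMask {
    param([string]$ValueName)
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return [long]0 }
    [long]$item.$ValueName
}

# Compare the two masks: a drive that is only hidden can still be opened by path.
function Test-DrivePolicy {
    param([long]$NoDrives, [long]$NoViewOnDrive)
    $hidden  = @(ConvertFrom-DriveMask $NoDrives)
    $blocked = @(ConvertFrom-DriveMask $NoViewOnDrive)
    New-Object PSObject -Property @{
        Hidden             = $hidden
        Blocked            = $blocked
        HiddenButReachable = @($hidden | Where-Object { $blocked -notcontains $_ })
    }
}

# Constructed sample: C and D hidden (4 + 8 = 12), only C blocked (4).
$sample = Test-DrivePolicy -NoDrives 12 -NoViewOnDrive 4
"Sample, hidden but reachable: $($sample.HiddenButReachable -join ', ')"

# Live check for the user running the script (run inside a terminal server session).
$live = Test-DrivePolicy (Get-DrivePolicyMask 'NoDrives') (Get-DrivePolicyMask 'NoViewOnDrive')
"Hidden:  $($live.Hidden -join ', ')"
"Blocked: $($live.Blocked -join ', ')"
"Hidden but reachable: $($live.HiddenButReachable -join ', ')"
```

Both policies act at the Explorer shell level, so NTFS permissions remain the actual access control on the drives this check reports.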
Configuring Start Menu and Taskbar Items
You can use Group Policy settings to remove and to restrict access to items from the Start menu for Terminal Server users. The following settings are located in User Configuration/Administrative Templates/Start Menu and Taskbar:
Enabling the Remove Run menu from Start Menu setting removes this menu from the Start menu. It also removes the New Task command from Task Manager and blocks the user from accessing Universal Naming Convention (UNC) paths, local drives, and local folders from the Internet Explorer address bar. While these are not the only methods for running applications, enabling this setting makes it difficult for users to access resources on the server or network.
Enabling the Remove Logoff on the Start Menu setting prevents users from logging off the server from the Start menu. Enabling this setting does not prevent users from logging off using CTRL+ALT+DEL.
Enabling the Remove and Prevent access to the Shut Down command setting prevents administrators from accidentally shutting down the terminal server.
Enabling the Remove links and access to Windows Update setting prevents users from attempting to download updates to Windows onto the server.
Enabling the Remove Favorites menu from Start Menu setting reduces confusion for users who do not have access to the Internet.