
Manage Terminal Services
Take advantage of the new Group Policies in Windows Server 2003 to manage Terminal Services from a central point.
by Danielle Ruest and Nelson Ruest

October 2003 Issue

For This Solution: Windows Server 2003, Windows Server 2003 Command-line Tools

Q:
We make extensive use of Terminal Services in our organization because we have mission-critical applications based on old code and don't want to manage the application deployment on a massive number of PCs. I know Windows Server 2003 offers significant improvements in Terminal Services management. What are they?

—Richard, Newark, N.J.

A:
Danielle: You're right, Richard, Terminal Services are one of Windows Server 2003's greatest features because they provide a richer user experience than the Windows 2000 version. For example, Terminal Services now support sound redirection to client PCs. So, if you operate a multimedia application on the server, users will hear the audio just as if the application were running on their workstations. They also support higher-quality graphics, including True Color and the highest level of resolution supported by client hardware. Resolution and color must be set on both the client and the server to operate.

Terminal Services can now also provide load balancing of terminal applications automatically. For this feature to work, you must cluster Terminal Servers (TS) at the network level so they work together to run a common set of applications and appear as a single system to clients and applications. This means you must cluster servers through the Network Load Balancing service. Once this is done, you can use Session Directories to balance workloads transparently between groups of TSs. Once the Session Directories are in place, Windows Server can support roaming Terminal Services users. Users can then open a session on a TS or a TS cluster, disconnect from the server without closing the session, move to another computer, and reconnect to their existing remote session. This feature is something previous Terminal Services couldn't do, and you can control it all through Group Policy.

Make sure you document the settings you apply through Group Policy Objects (GPOs) thoroughly. It will help you gain better control of your managed environment. You can use two tools to do this. One is a GPO Documentation Spreadsheet you can download from our second book's companion Web site; the other is a spreadsheet documenting additions to GPOs for Windows Server 2003 (see Resources).

Nelson: Before talking about Terminal Services GPOs, however, I should caution you about the Theme service on Windows Server 2003. In my opinion, it's important to activate this service on a Windows Server 2003 TS and enable the Windows XP theme, especially if your client PCs are running Windows XP. Otherwise Windows XP users will be faced with a Windows 2000-like interface when accessing remote applications in Terminal Services mode. And this most certainly will lead to confusion (Windows XP on the desktop and the appearance of Windows 2000 on remote sessions) and increase support calls.

Terminal Services have 47 GPO settings, and you can manage almost every Terminal Services setting through GPOs. If they're used properly, these settings let you avoid tasks such as entering individual user Terminal Service information in the user account properties (see Figure 1). You can set user parameters through a GPO's User Configuration, and server and PC settings through a GPO's Computer Configuration (see Table 1). Settings that have no comment are optional or aren't required because the default setting is appropriate for most networks. Also, settings are focused mostly on PCs and servers because this way they affect all users by default. User configurations are applied only if they need to be different from PC configurations.

Make sure you apply settings to GPOs that affect all the servers running Terminal Services and all the PCs using them. Once you're done, your Terminal Services environment will be ready for production. Ensure that you use a thorough testing process before giving users access to the applications you host on Terminal Servers.

Q:
We often use a laboratory to test the changes we want to introduce into our network, but my test network doesn't have any objects in it and our security officer doesn't want me to use the accounts we have in the production network. How can I quickly populate my test network with objects such as user and computer accounts?

—Tom, Cleveland, Ohio

A:
Danielle & Nelson: There are a lot of ways to do this, Tom, but Stephan Asselin, the technical reviewer for our second book, just gave us this great tip the other day. It's based on the new directory service command-line tools in Windows Server 2003. To generate users, he creates a Windows command file (for example, adduser.cmd) with the following contents:

for /L %%i in (1,1,%1) do DSADD user "cn=Billy Bob%%i,OU=People,dc=intranet,dc=TandT,dc=Net" -upn billy_bob%%i@TandT.net -fn Billy%%i -ln Bob -pwd "P#Hello#123" -mustchpwd yes -memberof cn=dummy,OU=People,dc=intranet,dc=TandT,dc=net

This creates users within the People OU of the Intranet.TandT.net domain. All users will be members of the Dummy global group and must change their passwords at initial logon. Both the People OU and the Dummy group must exist prior to running this command. Also note that the User Distinguished Name (UserDN) is in quotes because there's a space in the username.

To create users, call this CMD file from any command prompt with a number at the end, for example:

C:\adduser 150

This creates 150 new user accounts called Billy Bobnnn, where nnn is the number of the user you create.

To create computer accounts, use the same command, but with slight variations. Save it as addcomputers.cmd:

for /L %%i in (1,1,%1) do DSADD computer "cn=TandT_PC%%i,OU=PCs,dc=intranet,dc=TandT,dc=Net" -samid TandT_PC%%i -desc "Computers for the Test Environment" -memberof cn=Managed_PC,OU=PCs,dc=intranet,dc=TandT,dc=net

Then call the command file with a number at the end:

C:\addcomputers 150

This creates 150 computer accounts in the PCs OU of the Intranet.TandT.net domain and places them within the Managed_PC group. Both the PCs OU and the Managed_PC group must exist before running the command. Save both command files and use them whenever you need to populate your test environments.
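
As an added example (not part of the original tip), the user script above can be wrapped so that it checks its argument and the two prerequisites before the loop, then counts what actually landed in the directory. The file name adduser-checked.cmd is hypothetical, and the final count assumes that the only "Billy Bob" accounts in the People OU are the ones this script creates.

```batch
@echo off
rem adduser-checked.cmd (hypothetical name): the DSADD loop from adduser.cmd
rem with an argument check, prerequisite checks, and a count afterwards.
setlocal
set "OU=OU=People,dc=intranet,dc=TandT,dc=Net"
set "GRP=cn=dummy,%OU%"

rem The only argument must be a whole number of 1 or more.
set "COUNT="
set /a "COUNT=%~1" 2>nul
if not defined COUNT goto usage
if %COUNT% LSS 1 goto usage

rem Both the People OU and the dummy group must already exist.
rem find sets errorlevel 1 when dsquery returned no matching DN.
dsquery ou "%OU%" -scope base 2>nul | find /i "OU=People" >nul
if errorlevel 1 (
  echo The People OU was not found: %OU%
  exit /b 1
)
dsquery group "%GRP%" -scope base 2>nul | find /i "cn=dummy" >nul
if errorlevel 1 (
  echo The dummy group was not found: %GRP%
  exit /b 1
)

rem Same DSADD command as in adduser.cmd.
for /L %%i in (1,1,%COUNT%) do DSADD user "cn=Billy Bob%%i,%OU%" -upn billy_bob%%i@TandT.net -fn Billy%%i -ln Bob -pwd "P#Hello#123" -mustchpwd yes -memberof "%GRP%"

rem Count the accounts now in the OU. dsquery stops at 100 results by
rem default, so -limit 0 is needed once more than 100 users exist.
set "FOUND=0"
for /f %%n in ('dsquery user "%OU%" -name "Billy Bob*" -limit 0 ^| find /c /i "CN=Billy Bob"') do set "FOUND=%%n"
echo Requested %COUNT% accounts, found %FOUND% in the People OU.
if %FOUND% LSS %COUNT% exit /b 1
exit /b 0

:usage
echo Usage: %~n0 number-of-users
exit /b 1
```

The same pattern applies to addcomputers.cmd by substituting dsquery computer, the PCs OU and the Managed_PC group.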

Got More Questions?
Contact Nelson and Danielle by e-mail at .

About the Authors
Danielle Ruest and Nelson Ruest (MCSE) recently released their third book: Windows Server 2003 Pocket Administrator (Osborne McGraw-Hill, 2003), an everyday administration reference. Their second book, Windows Server 2003, Best Practices for Enterprise Deployments (Osborne McGraw-Hill, 2003) is a step-by-step guide for designing enterprise networks with this new operating system. They are also the authors of Preparing for .NET Enterprise Technologies (Addison-Wesley, 2001), a book on mastering change in the enterprise. Both work for Resolutions Enterprises, a small Canadian consulting firm that provides services in the information architecture and change management fields. Both can be reached through .