Terminal Services - Frequently Asked Windows Terminal Services Questions!

[260] Frequently Asked Windows Terminal Services Questions!
Updated: Aug 03, 2006
HOWTO: Log On to a Terminal Server Session Programmatically from Visual Basic 

PSS ID Number: Q281417

Article Last Modified on 11-12-2001


The information in this article applies to:

  • Microsoft Visual Basic Enterprise Edition for Windows 6.0
  • Microsoft Visual Basic Professional Edition for Windows 6.0
  • Microsoft Terminal Services Advanced Client 1.0


Summary

The Terminal Services ActiveX client control does not expose the IMsTscNonScriptable interface. However, this interface can be used to configure automatic logon for a Terminal Services session programmatically, which enables the programmer to log a user on to a Terminal Services session without receiving the Windows Logon prompt. This is demonstrated in the sample in the "More Information" section.


More Information

To run this program, configure your Terminal Server computer as follows:

  1. Log on to the Terminal Server locally as an administrator.
  2. On the Start button, click Programs, click Administrative Tools, and then click Terminal Services Configuration.
  3. Click on Connections.
  4. In the right pane, right-click RDP-Tcp, and then choose Properties.
  5. Click on the Logon Settings tab.
  6. Deselect Always prompt for password, and then click OK.
NOTE: For security reasons, Microsoft recommends that you do not implement this scenario without extreme care and a clear understanding of Microsoft Windows security.

Sample Code

  1. Start a new Standard EXE project. Form1 is created by default.
  2. On the Project menu, click to select Components, select Microsoft Terminal Services Control(redist), and then click OK. If this control is not available, see the "References" section of this article for information on how to download and install it.
  3. Add one Terminal Services Control to Form1, making sure it is big enough to handle the display of the session.
  4. Add three Label controls, three TextBox controls, and one CommandButton control to Form1. Make sure that Label1 and Text1 are on the same line, and that Label2, Text2, Label3, and Text3 are on the same line.
  5. Paste the following code into the General Declarations of Form1:

    ' This code only works when you set the configuration on the Server-side.
    ' Log on to the Terminal Server as an administrator
    ' Start\Programs\Administrative Tools\Terminal Services Configuration
    ' Click on Connections
    ' On the Right Pane, right-click on RDP-Tcp and choose Properties
    ' Click on the "Logon Settings" Tab
    ' Uncheck "Always prompt for password" and click OK
    
    Option Explicit
    
    Private Obj As IMsTscNonScriptable
    
    Private Sub Form_Load()
      Text1.Text = ""
      Text2.Text = ""
      Text3.Text = ""
      Label1.Caption = "Server"
      Label2.Caption = "UserName"
      Label3.Caption = "Password"
      Command1.Caption = "Connect"
      Text3.PasswordChar = "*"
    End Sub
    
    Private Sub Command1_Click()
      Set Obj = MsTscAx1.Object
      MsTscAx1.Server = Text1.Text
      MsTscAx1.UserName = Text2.Text
      Obj.ClearTextPassword = Text3.Text
      MsTscAx1.Connect
    End Sub 
  6. Save the project, press the F5 key to run it, and note that after you supply your username, password, and server name, you are not prompted for a logon screen at the server. Microsoft recommends that you enlarge the Terminal Server .ocx file so that you are able to manipulate the Shut Down dialog box.

References

For more information about downloading and installing the Terminal Server Advanced Client, see the following Microsoft Web site at:

http://www.microsoft.com/WINDOWS2000/downloads/recommended/TSAC/tsac.asp
For Frequently Asked Questions (FAQ) about the Terminal Server Advanced Client, see the following Microsoft Web site at:
http://www.microsoft.com/windows2000/techinfo/administration/terminal/tsacfaq.asp
For additional information, see the following Microsoft Web site at:
http://www.microsoft.com/windows2000/techinfo/administration/default.asp

How do I restore functionality and stop the attachment blocking in Outlook 2002?

OL2002: Cannot Access Attachments (Q290497)
The information in this article applies to:
Microsoft Outlook 2002
IMPORTANT : This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if
a problem occurs. For information about how to do this, view the "Restoring
the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key"
Help topic in Regedt32.exe.


SUMMARY
Outlook 2002 includes a new security feature that blocks attachments
considered unsafe. If you receive an e-mail message that contains one of the
blocked file types, you may see the following warning message:

Outlook blocked access to the following potentially unsafe attachments:
[...]
Although access to the attachment has been blocked, the attachment still
exists in the message. This article summarizes what to do if you need to
access the attachment.

MORE INFORMATION
This security feature provides an additional level of protection against
malicious e-mail messages. Updates were available for earlier versions of
Microsoft Outlook, but in Outlook 2002 this security feature is implemented
by default.

Use one of the following recommended methods to obtain access to the
attached file:

  • Request that the sender post or save the attachment to a file share and
    send you the link to it.

  • Request that the sender use a file compression utility that changes the
    file extension. For a list of third-party compression products, please see
    the following Microsoft Knowledge Base article:

    Q291637 OL2002: Attachments Are Not Compressed by Outlook

  • Request that the sender rename the file extension and send it to you. Once
    you receive the renamed attachment, you can rename the file with the
    original extension.

If the previously recommended methods do not meet your needs, you may use
one of the following alternate methods:

  • If you are in a Microsoft Exchange Server environment and your
    administrator has configured the Outlook Security settings, ask the
    administrator to modify the security settings for your mailbox.

  • If you are not in an Exchange Server environment, modify the registry to
    customize the attachment security settings (see the "How to Customize
    Attachment Security Behavior" section of this article for details).

How to Customize Attachment Security Behavior

WARNING : Using Registry Editor incorrectly can cause serious problems that
may require you to reinstall your operating system. Microsoft cannot
guarantee that problems resulting from the incorrect use of Registry Editor
can be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys and
Values" Help topic in Registry Editor (Regedit.exe) or the "Add and Delete
Information in the Registry" and "Edit Registry Data" Help topics in
Regedt32.exe. Note that you should back up the registry before you edit it.
If you are running Windows NT or Windows 2000, you should also update your
Emergency Repair Disk (ERD).

You can modify the attachment security behavior in Outlook 2002 if you are
using Outlook in one of the following scenarios:

  • Outlook is run outside of an Exchange Server environment.

  • In an Exchange Server environment, the administrator has not configured
    the Outlook Security settings to disallow changes to the attachment
    security behavior.

In these scenarios, modify the attachment security behavior by making a
modification to the registry. Use the following steps to modify the
registry.

  1. Exit Outlook 2002, if running.
  2. Click the Windows Start button, and then click Run.
  3. In the Open box, type regedit, and then click OK.
  4. Check to see if the following key exists. If it does, skip to step 5.

    HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Outlook\Security

    If the key path does not exist, create the key path. To create the key
    path, navigate to and select the key:

    HKEY_CURRENT_USER\Software\Microsoft

    Click the Edit menu, click New, and then click Key.
    Type Office and press ENTER.
    Click the Edit menu, click New, and then click Key.
    Type 10.0 and press ENTER.
    Click the Edit menu, click New, and then click Key.
    Type Outlook and press ENTER.
    Click the Edit menu, click New, and then click Key.
    Type Security and press ENTER.
  5. Click the Edit menu, click New, and then click String Value.
  6. Type the following name for the new value:

    Level1Remove
  7. Press ENTER.
  8. Right-click the new string value name, and then click Modify.
  9. Type the extension of the file type that you would like to access with
    Outlook 2002 as follows:

    .exe

    To specify multiple file types, use the following format:

    .exe;.com
  10. When finished, click OK.
  11. Exit the Registry Editor program.
  12. Restart the computer.


When you start Outlook 2002, the file types specified in the Windows
Registry are accessible.

NOTE : Microsoft recommends that only the necessary file types be enabled
for access. If a particular file type is received rarely, it is recommended
that Outlook 2002 be given temporary access to the file type in question and
then reconfigured to the blocked state by undoing the changes made to the
Windows Registry.
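
An added example (not part of the original Microsoft article): a Python audit of a Level1Remove string in the format shown above. It reports which Level 1 extensions the value unblocks, which of those are outside an approved set, and the reduced value that restores blocking for the rest. The sample value, the approved parameter and all function names are assumptions of this example; read_current_user_value only works on Windows.

```python
import re

# Level 1 ("unsafe") extensions exactly as listed in this article.
LEVEL1 = frozenset("""
.ade .adp .asx .bas .bat .chm .cmd .com .cpl .crt .exe .hlp .hta .inf .ins
.isp .js .jse .lnk .mdb .mde .msc .msi .msp .mst .pcd .pif .prf .reg .scf
.scr .sct .shb .shs .url .vb .vbe .vbs .wsc .wsf .wsh
""".split())

# Key path and value name from the registry steps in this article.
KEY_PATH = r"Software\Microsoft\Office\10.0\Outlook\Security"
VALUE_NAME = "Level1Remove"

# An entry is well formed when it looks like ".ext", the format the article shows.
_EXT = re.compile(r"^\.[a-z0-9]+$")


def parse_level1remove(raw):
    """Split the semicolon-separated value into (well_formed, malformed) lists."""
    good, bad = [], []
    for item in raw.split(";"):
        ext = item.strip().lower()
        if not ext:
            continue  # ignore empty segments such as ";;"
        (good if _EXT.match(ext) else bad).append(ext)
    return good, bad


def audit(raw, approved=()):
    """Classify a Level1Remove value.

    approved is this example's own notion of extensions the organisation has
    agreed to unblock; it is not an Outlook setting.
    """
    approved = {a.lower() for a in approved}
    good, bad = parse_level1remove(raw)
    unblocked = sorted({e for e in good if e in LEVEL1})
    return {
        # Level 1 types that Outlook will now let the user open.
        "unblocked": unblocked,
        # Unblocked types nobody approved: candidates for removal.
        "unapproved": [e for e in unblocked if e not in approved],
        # Entries that are not on the Level 1 list at all.
        "not_level1": sorted({e for e in good if e not in LEVEL1}),
        # Entries that do not match the ".ext;.ext" format from the article.
        "malformed": bad,
        # Value to write back; an empty string means delete Level1Remove.
        "reduced_value": ";".join(e for e in unblocked if e in approved),
    }


def read_current_user_value():
    """Windows only: return the current user's Level1Remove string, or None."""
    import winreg  # imported here so the audit logic also runs off Windows
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, KEY_PATH) as key:
            value, _value_type = winreg.QueryValueEx(key, VALUE_NAME)
            return value
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    sample = ".exe; .COM;.xyz;vbs;;.mdb"  # constructed sample value
    for field, result in audit(sample, approved=[".mdb"]).items():
        print(f"{field:14} {result}")
```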
Microsoft Exchange Server Environment
If you run Outlook in an Exchange Server environment, your administrator can
change the default attachment security behavior. For more information about
how to configure Outlook 2002 in this environment, please see the Knowledge
Base article:
Q290499 OL2002: Administrator Info About E-Mail Security Features

Attachment Behavior

Attachments are divided into three groups based on their file extension, or
type. Outlook handles each group in a specific way.

Level 1 ("Unsafe")
The "unsafe" category represents any extension that may have script or code
associated with it. Any attachment with an "unsafe" file extension is
inaccessible if you use a version of Outlook that has the security patch
applied to it. The following list contains attachments that are considered
unsafe:

File extension  File type
---------------------------------------------------
.ade            Microsoft Access project extension
.adp            Microsoft Access project
.asx            Windows Media Audio / Video
.bas            Microsoft Visual Basic class module
.bat            Batch file
.chm            Compiled HTML Help file
.cmd            Microsoft Windows NT Command script
.com            Microsoft MS-DOS program
.cpl            Control Panel extension
.crt            Security certificate
.exe            Program
.hlp            Help file
.hta            HTML program
.inf            Setup Information
.ins            Internet Naming Service
.isp            Internet Communication settings
.js             JScript file
.jse            Jscript Encoded Script file
.lnk            Shortcut
.mdb            Microsoft Access program
.mde            Microsoft Access MDE database
.msc            Microsoft Common Console document
.msi            Microsoft Windows Installer package
.msp            Microsoft Windows Installer patch
.mst            Microsoft Windows Installer transform; Microsoft Visual Test source file
.pcd            Photo CD image; Microsoft Visual compiled script
.pif            Shortcut to MS-DOS program
.prf            Microsoft Outlook profile settings
.reg            Registration entries
.scf            Windows Explorer command
.scr            Screen saver
.sct            Windows Script Component
.shb            Shell Scrap object
.shs            Shell Scrap object
.url            Internet shortcut
.vb             VBScript file
.vbe            VBScript Encoded script file
.vbs            VBScript file
.wsc            Windows Script Component
.wsf            Windows Script file
.wsh            Windows Script Host Settings file

The following list describes how Outlook functions when you receive an
"unsafe" file attachment:
Any "unsafe" attachment is not accessible. You cannot save, delete, open,
print, or otherwise manipulate "unsafe" files. The top of the e-mail message
indicates that Outlook has blocked access to the "unsafe" attachment; the
attachment is not accessible from Outlook, however, the attachment is not
actually removed from the e-mail message.

If you forward an e-mail message with an "unsafe" attachment, the attachment
is not included in the forwarded e-mail message.

If you send an e-mail message that contains an "unsafe" attachment, you
receive a warning message that says other Outlook recipients may not be able
to access the attachment that you are trying to send. You can either
disregard the warning message and send the e-mail message, or you can choose
to not send the e-mail message.

If you save or close an e-mail message that contains an "unsafe" attachment,
you receive a warning message that says you will not be able to access the
attachment from Outlook. You can override the warning message and save the
e-mail message.

You cannot open objects that are inserted into Microsoft Outlook Rich Text
messages by using the Insert Object command. You do see a visual
representation of the object, but you cannot open or activate the object in
the e-mail message.

You cannot open "unsafe" files that have been directly stored in an Outlook
or Exchange Server folder. Although these files are not attached to an
Outlook item, they are still considered "unsafe." The following error
message occurs in this situation:

Can't open the item. Outlook blocked access to this potentially unsafe item.

Level 2
Level 2 files are not "unsafe" but they do require more security than other
attachments. When you receive a Level 2 attachment, you are prompted to save
the attachment to a disk; you cannot open the attachment from within the
e-mail message. By default, file extensions are not associated with this
group, however, you can add file extensions to the Level 2 list.

NOTE : The list of files that are included in the Level 2 category can only
be changed if you are using Outlook in a Microsoft Exchange Server
environment and your mail is being delivered to an Exchange Server mailbox.
An administrator must make these changes.

Other Attachments
When you try to open an attachment other than those in the "unsafe" or Level
2 lists, you are prompted to either open the file directly or to save it to
a disk. You can turn off future prompts for that extension if you click to
clear the Always ask before opening this type of file check box.

NOTE : If a program associates itself with a new file extension, that file
extension is treated as an "other" attachment until you add the file
extension to the "unsafe" list. For example, if you install a program on
your computer that uses files with an .xyz file extension, whenever you open
an attachment that has an .xyz file extension, the new program opens and
runs the attachment. By default, the .xyz file extension is not on the
"unsafe" or Level 2 list, so it is treated as an "other" file extension. If
you want attachments with the .xyz file extension to be treated as "unsafe,"
you must add the .xyz file extension to the list of "unsafe" file
extensions.

HOW TO: Use the SHADOW Command to Remotely Monitor an Active Session of Another User in Windows 2000 Terminal Services 

PSS ID Number: Q320191

Article Last Modified on 08-6-2002


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional



Summary

This step-by-step article describes how to use the shadow command to remotely monitor and control another user's Terminal Services session. You can use the shadow command to view or actively control an active session of another user. If you actively control a user's session, you can input keyboard and mouse actions for that session.


SHADOW Command Syntax

shadow {session_name | session_id} [/server:server_name] [/v]
The following list describes the parameters that you can use with the shadow command:
  • session_name: Use this parameter to specify the name of the session that you want to remotely control.

  • session_id: Use this parameter to specify the identification number (ID) of the session that you want to remotely control.

  • /server: server_name: Use this parameter to specify the Terminal server that contains the session that you want to remotely control. By default, the current Terminal server is used.

  • /v : Use this parameter to display information about the actions that are being performed.


Example

  1. To display a list of sessions and their session IDs, type query user at the command line on the server, and then press ENTER. The following output is displayed:

     USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
     tester                console             0  Active          .  3/26/2002 11:17 AM
    >tester                rdp-tcp#3           1  Active          .  3/26/2002 4:02 PM
     tester                rdp-tcp#6           2  Active         12  3/27/2002 8:44 AM 
  2. To shadow session 2, type shadow 2. To shadow the session rdp-tcp#3, type shadow rdp-tcp#3.

    Before you can monitor another session, the user of the other session receives the following message (unless you disable this warning):
    \\server\tester is requesting to control your session remotely.

    Do you accept the request?
    Your session may stop responding (hang) for a few seconds while the server waits for a response from the user.
  3. Press CTRL+* to end the remotely controlled session (use the asterisk [*] from the numeric keypad only).

    You can also define a hot key in Terminal Services Manager to end the remotely controlled session.
NOTES:
  • You can always remotely control your own sessions (except for the current session); however, you must have Full Control access permissions to remotely control another session.

  • Your session must be able to support the video resolution that is used for the session that you are remotely controlling. If your session cannot support the video resolution of this session, you cannot remotely control the session.

  • While you are in this console session, you cannot remotely control another session and your session cannot be remotely controlled by another session.

  • You can also use the remote control functionality to observe or actively control another session.


How to Configure Remote Control Settings

To configure remote control for users and sessions, use either Terminal Services Configuration or the Terminal Services extensions to Local Users and Groups and the Terminal Services extensions to Active Directory for Users and Computers.

To configure remote control settings:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Terminal Services Configuration.
  2. In the console tree, click Connections.
  3. Right-click the connection for which you want to configure remote control in the details pane, and then click Properties.
  4. Click the Remote Control tab, and then click Use remote control with the following settings to configure remote control for the connection.
  5. To configure remote control so that a message is displayed on the client computer that prompts the user for permission to view or take part in the session, click to select the Require user's permission check box.
  6. Under Level of control, click either of the following options:

    • View the session: Click this option to specify that the user's session can be viewed only.

      -or-

    • Interact with the session: Click this option to specify that the user's session can be actively controlled with your keyboard and mouse.


Troubleshooting

  • If you try to run the shadow command, you may receive the following error message:
    Remote control failed. Error code 7044
    Error [7044]:The request to control another session remotely was denied.
    This message occurs if either there is no response from the computer that is to be monitored or if the request is refused. Before monitoring begins, the server prompts the user that the session is about to be remotely controlled (unless you turned off this warning). The user of the computer that is to be monitored receives the following message:
    \\server\tester is requesting to control your session remotely.

    Do you accept the request?
    Click Yes on the computer that is to be monitored to allow the session to be monitored.

    For more information about how to configure remote control settings, see the Configure Remote Control Settings section of this article.

  • If you try to run the shadow command from the console session, you may receive the following error message:
    Remote control failed. Error code 7050
    Error [7050]:The requested session cannot be controlled remotely.
    This may be because the session is disconnected or does not currently have a user logged on.
    This error message occurs because you cannot remotely control another session while you are in this console session and your session cannot be remotely controlled by another session.
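
An added example, not from the Microsoft article: a Python pre-flight check that parses query user output in the format shown in the Example section and applies the restrictions from the NOTES and Troubleshooting sections before proposing a shadow command. The disconnected user9 row and all function names are constructed for the example.

```python
import re

# Constructed sample: the listing from the article plus one disconnected
# session (blank SESSIONNAME, state "Disc") added for this example.
SAMPLE = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 tester                console             0  Active          .  3/26/2002 11:17 AM
>tester                rdp-tcp#3           1  Active          .  3/26/2002 4:02 PM
 tester                rdp-tcp#6           2  Active         12  3/27/2002 8:44 AM
 user9                                     5  Disc         1:20  3/27/2002 9:01 AM
"""

# SESSIONNAME is optional because disconnected sessions leave that column
# empty; splitting on whitespace alone would shift every later field.
ROW = re.compile(
    r"^\s*(?P<current>>?)\s*(?P<user>\S+)\s+"
    r"(?:(?P<session>\S+)\s+)?"
    r"(?P<id>\d+)\s+(?P<state>\S+)\s+(?P<idle>\S+)\s+(?P<logon>.+?)\s*$"
)


def parse_query_user(text):
    """Return one dict per session row; the header line does not match ROW."""
    sessions = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            sessions.append({
                "current": m["current"] == ">",  # '>' marks the caller's session
                "user": m["user"],
                "session": m["session"] or "",
                "id": int(m["id"]),
                "state": m["state"],
            })
    return sessions


def shadow_preflight(sessions, target):
    """target is a session ID (int) or a session name (str).

    Returns (command, note); command is None when the article's rules say
    the request cannot succeed.
    """
    me = next((s for s in sessions if s["current"]), None)
    if me is None:
        return None, "listing has no current session marked with '>'"
    if me["session"].lower() == "console":
        return None, "caller is in the console session (expect error 7050)"

    if isinstance(target, int):
        hits = [s for s in sessions if s["id"] == target]
    else:
        hits = [s for s in sessions if s["session"].lower() == target.lower()]
    if len(hits) != 1:
        return None, "target session not found in the listing"
    t = hits[0]

    if t is me:
        return None, "the current session cannot be remotely controlled"
    if t["session"].lower() == "console":
        return None, "the console session cannot be remotely controlled"
    if t["state"].lower() != "active":
        return None, "session is disconnected or has no user (expect error 7050)"

    if t["user"].lower() == me["user"].lower():
        note = "own session"
    else:
        note = ("another user's session: needs Full Control permission; "
                "error 7044 if the user declines or does not answer")
    return f"shadow {t['id']}", note


if __name__ == "__main__":
    listing = parse_query_user(SAMPLE)
    for wanted in (2, "rdp-tcp#3", 0, 5):
        print(wanted, "->", shadow_preflight(listing, wanted))
```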


References

For more information about the Shadow command, visit the following Microsoft Web site:

http://www.microsoft.com/windows2000/en/server/help/ts_cmd_n_001.htm
For more information about Windows 2000 Terminal Services, see the Terminal Services Online Documentation at the following Microsoft Web site:
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_termsrv_topnode.htm
How do I Securely Copy and Paste Files Between the Terminal Services Client and the Terminal Server in Windows 2000? 

PSS ID Number: Q309825

Article Last Modified on 06-11-2002


The information in this article applies to:

  • Microsoft Windows 2000 Server



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Q256986 Description of the Microsoft Windows Registry

Summary

When you use Windows 2000 Terminal Services, you can run your own dedicated sessions on a Terminal server. You can run the Terminal Services client software to connect to Terminal servers and to run line-of-business programs. If you are an administrator, you can use Terminal Services to manage remote computers more easily. This article describes how to securely copy and paste files between the Terminal Services client computer and Terminal server.


Terminal Services Configuration

You can configure Terminal Services network security to use one of the following settings:
  • Low: When you use this setting, data that is sent from the client to the server is protected. The main purpose for this setting is to encrypt sensitive data that moves from the client to the server, such as the user password.

  • Medium: When you use this setting, data that is sent from the client to the server is encrypted, and display information that is sent from the server to the client is encrypted. Both the Low setting and the Medium setting use the Microsoft-RC4 56-bit encryption algorithm.

  • High: When you use this setting, 128-bit encryption is supported after you install the Windows 2000 High Encryption Pack on the Terminal Services client and the Terminal server. You can download the Windows 2000 High Encryption Pack from the following Microsoft Web site:

    http://www.microsoft.com/windows2000/downloads/recommended/encryption/default.asp
When you use the default Terminal Services configuration, you cannot copy and paste files between the Terminal Services client and the Terminal server. However, when you use the Rdpclip (Rdpclip.exe) utility that is included in the Windows 2000 Server Resource Kit, you can copy and paste files between the Terminal Services client and the Terminal server.


Install the Rdpclip Utility

To use the Rdpclip utility, complete the following two procedures:
  1. Install the Rdpclip utility on the Terminal server.
  2. Configure the Terminal Services client.
NOTE: These procedures do not work with Terminal Services Advanced Client (TSAC).


Install the Rdpclip Utility on the Terminal Server

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

On the Terminal server, follow these steps:
  1. Install the Windows 2000 Server Resource Kit.
  2. Download the Rdpclip hotfix from the following Microsoft Web site, and then install it:

    http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/rdpclip-o.asp
  3. Start Microsoft Windows Explorer, and then locate the Resource Kit folder.
  4. Right-click each of the following files, click Properties, and then click the Version tab to confirm the file version:

    File                                         Version
    C:\Program Files\Resource Kit\Rdpclip.exe    5.0.2205.1
    C:\Program Files\Resource Kit\Fxfr.dll       5.0.2064.1
    C:\Program Files\Resource Kit\Rdpdr.dll      5.0.2205.1
  5. Start Registry Editor (Regedt32.exe).
  6. Locate and click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Clip Redirector
  7. Double-click the Name value, and then type fxrdpclp in the Value data box to replace "rdpclip."
  8. Locate and click the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
  9. Double-click the Startup Programs value, and then type fxrdpclp in the Value data box to replace "rdpclip."
  10. Rename the Rdpclip.exe file in the Resource Kit folder to "Fxrdpclp.exe".
  11. Copy both the Fxrdpclp.exe file and the Fxfr.dll file that are located in the Resource Kit folder to the Windows_folder\System32 folder.
  12. Restart the Terminal server.

Configure the Terminal Services Client

On Microsoft Windows 95, Microsoft Windows 98, Microsoft Windows NT, and Windows 2000 Terminal Services clients, follow these steps:
  1. Copy the Fxfr.dll file from the Resource Kit folder to the Program Files\Terminal Services Client folder.
  2. Rename the Rdpdr.dll file in the Program Files\Terminal Services Client folder to "Rdpdr.pss".
  3. Copy the Rdpdr.dll file in the Resource Kit folder to the Program Files\Terminal Services Client folder.
  4. Start a Terminal Services client session with the updated Terminal server.
  5. Right-click a file in the Terminal Services dialog box and click Copy.
  6. Right-click a location on the desktop of the Terminal Services client and click Paste.



References

For additional information about Rdpclip and TSAC, click the article number below to view the article in the Microsoft Knowledge Base:

Q278139 Rdpclip and Drmapsrv Are Unsupported with Terminal Services Advanced Client
HOW TO: Use the TSKILL Command to End Processes in Windows 2000 Terminal Services 

PSS ID Number: Q320052

Article Last Modified on 08-6-2002


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server



Summary

This step-by-step article describes how to end active processes that are running on a Terminal Services server by using the tskill command.

You can end active processes that are running on a Terminal Services server by right-clicking the processes on the Processes tab in Terminal Services Manager, and then clicking End Process, or by using the tskill command. Note that if you end a process, no notification is sent to the user. The process is immediately ended.

Only administrators can use the tskill command to end processes that run in other user sessions. Unless you are logged on as Administrator or as a member of the Administrators group, you can use tskill to end only those processes that belong to you.


Description of the TSKILL Command

The tskill command has the following syntax:
tskill ProcessID | ProcessName [/server:ServerName] [/id:SessionID | /a] [/v]
The parameters for the tskill command are:
  • ProcessID: Use this parameter to specify the ID of the process that you want to end. To determine the ID of the process that you want to end, use the query process command.

  • ProcessName: Use this parameter to specify the name of the process that you want to end. To determine the name of the process that you want to end, use the query process command.

  • /server: ServerName: Use this parameter to specify the Terminal Services server that contains the process that you want to end. If you omit this parameter, the current Terminal Services server is specified.

    NOTE: If you use this parameter, you must also use either the /id: SessionID or the /a parameter.

  • /id: SessionID: Use this parameter to specify the ID of the session that contains the process that you want to end.

  • /a: Use this parameter to end all instances of the process that is running on the server.

  • /v: Use this parameter to display information about the actions that are performed when you run the command.

NOTE: When all processes that are running in a session end, the session also ends.


How to End Processes

To use the tskill command to end processes on a Terminal Services server:
  1. Click Start, and then click Run.
  2. Type cmd, and then click OK.
  3. Determine the name or ID of the process that you want to end. To do so, use the query process command.

    For example, to display a list of all users who are running the Myapp.exe process on the current Terminal Services server, type query process myapp.exe at the command prompt, and then press ENTER. You receive a list of all users who are running the Myapp.exe process. The list may be similar to this:

       USERNAME        SESSIONNAME     ID PID     IMAGE
       >administrator  console         0  1248    myapp.exe
        user1          rdp-tcp#1       1  1592    myapp.exe
        user2          rdp-tcp#2       2  1588    myapp.exe 
  4. To end the Myapp.exe process for User1 by using the process ID, type the following line at the command prompt, and then press ENTER:

    tskill 1592
    To end all instances of the Myapp.exe process that are running on the current Terminal Services server and to display information about the actions that are performed when you run the command, type the following line at the command prompt, and then press ENTER:
    tskill myapp /a /v
    To end the Myapp.exe process from a remote Terminal Services server for User2 by using the process name, type the following line at the command prompt, where Server8 is the name of the Terminal Services server that contains the Myapp.exe process that you want to end, and then press ENTER:
    tskill myapp /server:server8 /id:2

References

For more information about the query process and tskill commands, visit the following Microsoft Web site:

Microsoft Windows 2000 Server Documentation
For more information about Windows 2000 Terminal Services, visit the following Microsoft Web site:
Terminal Services Online Documentation
How do I Use the resource kit utility Drive Share with Terminal Services? 

PSS ID Number: Q244725

Article Last Modified on 06-11-2002


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Q256986 Description of the Microsoft Windows Registry

Summary

You can use the Drive Share tool that is included with the Microsoft Windows 2000 Server Resource Kit to automatically make client disks available in a Terminal Services client session. This tool is only supported on Microsoft Windows NT and Windows 2000 clients. This article describes how to install this tool.

NOTE: This utility will only work with Windows 2000 and Windows NT clients. Windows 95, Windows 98, and Windows Millennium Edition clients cannot use this utility.

IMPORTANT: The files and instructions for installing Drive Share in this article only apply to the original Windows 2000 Terminal Services client. Terminal Services clients that are included as part of Windows 2000 Service Pack 1 (also known as the Terminal Services Advanced client) or downloaded from the Web do not work by using these instructions. Please contact Microsoft Product Support Services for further help.


More Information

To use Drive Share, you must make changes on the Windows 2000-based server, as well as each client.

For a Windows 2000-Based Server

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
  1. Start Registry Editor (Regedt32).
  2. Create a key named Drive Map Service under the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns
  3. Add the following values under the Drive Map Service key:

    Value: NAME
    Type: REG_SZ
    Data value: DRMAPSRV

    Value: TYPE
    Type: REG_DWORD
    Data value: 00000003
  4. Locate the Startup Programs value under the following registry key:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd
  5. Add the Drmapsrv value.

    NOTE: If you have installed the File Copy tool, the value of the Startup Programs value should read:
    fxrdpclp,drmapsrv
    For additional information about File Copy, click the article number below to view the article in the Microsoft Knowledge Base:
    Q244732 How to Install the File Copy Tool Included with the Windows 2000 Resource Kit
  6. Copy the Drmapsrv.exe file to your Winnt\System32 folder.

For a Windows NT/Windows 2000 Client

  1. Copy the Drmapclt.dll file to your Winnt\System32 folder.
  2. Start Registry Editor (Regedt32).
  3. Create a key named Drmapclt under the following registry key:

    HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default\Addins
  4. Create a key named Drmapclt under the following registry key:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Terminal Server Client\Default\AddIns
  5. Add the following value under the Drmapclt key:

    Value: NAME
    Type: REG_SZ
    Data value: Drmapclt.dll
NOTE: The Drive Share tool relies on NetBIOS name resolution to work. This tool is not guaranteed to work properly over the Internet because of router configurations. If the tool does not work, try to perform a net use command from inside a Terminal Services session back to your client computer. If this does not work, Drive Share also does not work.
HOW TO: Connect to Another Session by Using the TSCON Command in Windows 2000 Terminal Services 

PSS ID Number: Q321703

Article Last Modified on 08-6-2002


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional


Summary

This article describes how to connect to another existing Terminal Services session by using the tscon command in Windows 2000 Terminal Services.

You can use the tscon command to connect to another Terminal Services user session. You can connect to sessions that are in an active or disconnected state. When you connect to another session, you are disconnected from your previous session. If you create more than one session on a server, you can use this option to switch between the sessions.


Description of the TSCON Command

The tscon command uses the following syntax:
tscon SessionID | SessionName [/server:ServerName] [/dest:SessionName] [/password:Password] /v
The parameters for the tscon command are:
  • SessionID: Use this parameter to specify the ID of the session to which you want to connect. To determine the ID of the session to which you want to connect, use the query session command.

  • SessionName: Use this parameter to specify the name of the session to which you want to connect. To determine the name of the session to which you want to connect, use the query process command.

  • /server:ServerName: Use this parameter to specify the Terminal Services server that hosts the session to which you want to connect. If you omit this parameter, the current Terminal Services server is specified.

  • /dest:SessionName: Use this parameter to specify the name of the session. When you connect to another session, this session is disconnected. You can use this parameter to connect the session of another user to a different session.

  • /password:Password: Use this parameter to specify the password of the user who owns the session to which you want to connect. You must use this parameter to specify the password if you are not the owner of the session.

  • /v: Use this parameter to display information about the actions that are being performed.

NOTE: You can connect to your own sessions, but if you want to connect to another user's session, you must use that user's password and you must have either Full Control or User Access permission. You cannot use the tscon command to connect to the console session.


How to Connect to Another Terminal Services Session

This is an example of how to use the tscon command to connect to another session on the current Terminal Services server:
  1. In a Terminal Services session, click Start, and then click Run.
  2. Type cmd, and then click OK.
  3. Determine the name or ID of the session to which you want to connect. To do so, type query session, and then press ENTER. You see a list of information about the sessions on the current Terminal Services server. The list may be similar to this:

    SESSIONNAME   USERNAME        ID      STATE    TYPE    DEVICE
     console      administrator       0   active   wdcon   
     rdp-tcp                      65536   listen   rdpwd
    >rdp-tcp#1    user1               1   active   rdpwd
     rdp-tcp#2    user1               2   active   rdpwd
     rdp-tcp#3    user2               3   active   rdpwd
     rdp-tcp#4    user3               4   disc     rdpwd  
     rdp-tcp#5    user1               5   disc     rdpwd
                                      6   idle
                                      7   idle 
    Note that in this example, the name of the current session is rdp-tcp#1, the session ID is 1, and the session is owned by user1.
  4. To connect to session 2, type the following line at the command prompt, and then press ENTER:

    tscon 2 /v
    You see the following line:
    Connecting sessionID2 to sessionname rdp-tcp#1
    The current session (session 1) is disconnected, and you are connected to Session 2.
  5. To connect to session 1 (from session 2), type the following line at the command prompt, and then press ENTER:
    tscon 1
    The current session (session 2) is disconnected, and you are connected to session 1.
  6. To connect session 5 to session 2 from another session, type the following line at the command prompt, and then press ENTER:

    tscon 2 /v /dest:rdp-tcp#5
    You see the following line:
    Connecting sessionID2 to sessionname rdp-tcp#5
    Session 2 is connected to session 5, and session 5 is disconnected.
  7. To connect to session 4 (which is owned by User3), type the following line at the command prompt, where User3Pass is the password for User3, and then press ENTER:

    tscon 4 /password:User3pass
    The current session disconnects, and you are connected to session 4.

References

For more information about the tscon and query session commands, visit the following Microsoft Web site:

Terminal Services Command Reference
For additional information about how to disconnect a Terminal Services session by using the TSDISCON command, click the article number below to view the article in the Microsoft Knowledge Base:
Q321705 HOW TO: Disconnect a Session by Using the TSDISCON Command in Windows 2000 Terminal Services
For more information about Windows 2000 Terminal Services, visit the following Microsoft Web site:
Windows 2000 Server Documentation
HOW TO: Use the Terminal Services Licensing Reporter Tool Lsreport.exe 

PSS ID Number: Q317592

Article Last Modified on 08-6-2002


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server


Summary

This step-by-step article describes how to use the Terminal Services Licensing Reporter tool (Lsreport.exe) to display and analyze the license information that is contained in the database of Terminal Services license servers.

Lsreport.exe is available in the Microsoft Windows 2000 Server Resource Kit. Lsreport.exe is a command-line utility that you can use to display information about the licenses that are issued by Terminal Services license servers. Lsreport.exe connects to Terminal Services license servers and logs information about the license key packs that are installed on the servers.

Lsreport.exe exports the contents of the license server database to a text file. By default, the file name is Lsreport.txt, and it is created in the current working folder. The resulting output is tab-delimited, and contains the following columns:

Server
License ID
Keypack ID
Client
User
Start
End
Issue Type
License Type

Overview of the Lsreport.exe Tool

Lsreport.exe uses the following syntax:
lsreport /f [path]filename /d start [end] /t serverlist
The parameters that you can use with Lsreport.exe are:
  • /f [path]filename: Use this parameter to specify a file name (and optional path) for the log file. If an output file with the same name already exists, it is overwritten. If you omit this parameter, Lsreport.exe uses the default log file name, Lsreport.txt, and creates it in the current working folder.

  • /d start [end]: Use this parameter to write only licenses that are in effect between the start and end dates to the output file. If you do not specify an end date, the current date is used by default. An in-effect license is a license that is valid at any point over the specified period of time. Active licenses are valid at all points after issue, and temporary licenses are valid for 90 days after issue.

  • /t: Use this parameter to only write information about temporary licenses to the output file. By default, Lsreport.exe writes information about all licenses to the output file.

  • serverlist: Use this parameter to list all Terminal Services license servers that you want to query. Use a space to separate each item. If you omit this parameter, Lsreport.exe obtains a list from the domain controller, and then queries all discoverable domain and enterprise Terminal Services license servers.


Examples

  • To write information about all licenses to the Lsreport.txt file in the current working folder, type the following line at the command prompt, and then press ENTER:

    lsreport
  • To write information about all licenses to the Output.txt file in the Reports folder on drive E, type the following line at the command prompt, and then press ENTER:

    lsreport /f e:\reports\output.txt
  • To list all temporary licenses on Terminal Services license servers that are named TS1 and TS2 in the Licenses.txt file in the root folder of drive C, type the following line at the command prompt, and then press ENTER:

    lsreport /f c:\licenses.txt /t ts1 ts2
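The report file can also be analyzed offline. The following Python is an added example, not part of the article or of Lsreport.exe: it parses the tab-delimited output using the nine columns listed in the Summary and reapplies the /d "in effect" rule and the /t temporary filter. The date format, the header row, the "Temporary" marker in the Issue Type column and all sample rows are assumptions constructed for this example.

```python
import csv
import io
from collections import Counter
from datetime import date, datetime, timedelta

# Column order as listed in the article.
COLUMNS = ["Server", "License ID", "Keypack ID", "Client", "User",
           "Start", "End", "Issue Type", "License Type"]
DATE_FORMAT = "%m/%d/%Y"                 # assumption: not shown in the article
TEMPORARY_MARKER = "temporary"           # assumption: value in the Issue Type column
TEMPORARY_LIFETIME = timedelta(days=90)  # from the article's description of /d

# Constructed sample report; every value is invented for this example.
SAMPLE_REPORT = "\n".join([
    "\t".join(COLUMNS),
    "TS1\t1\t3\tWKS-01\talice\t01/10/2002\t04/10/2002\tTemporary\tExample CAL",
    "TS1\t2\t4\tWKS-02\tbob\t11/05/2001\t11/05/2002\tActive\tExample CAL",
    "TS2\t7\t3\tWKS-03\tcarol\t09/01/2001\t11/30/2001\tTemporary\tExample CAL",
    "TS2\t8\t4\tWKS-04\tdave\t06/15/2002\t06/15/2003\tActive\tExample CAL",
    "TS2\ttruncated line",
]) + "\n"


def parse_report(text):
    """Return (rows, rejects); rows are dicts keyed by COLUMNS, Start parsed to a date."""
    rows, rejects = [], []
    reader = csv.reader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for line_number, fields in enumerate(reader, start=1):
        fields = [field.strip() for field in fields]
        if not any(fields) or fields == COLUMNS:
            continue  # blank line or header row
        if len(fields) != len(COLUMNS):
            rejects.append((line_number, fields))  # keep damaged lines visible
            continue
        row = dict(zip(COLUMNS, fields))
        try:
            row["Start"] = datetime.strptime(row["Start"], DATE_FORMAT).date()
        except ValueError:
            rejects.append((line_number, fields))
            continue
        rows.append(row)
    return rows, rejects


def is_temporary(row):
    """Equivalent of the /t filter."""
    return row["Issue Type"].lower() == TEMPORARY_MARKER


def in_effect(row, period_start, period_end):
    """Equivalent of the /d filter: valid at any point within the period."""
    issued = row["Start"]
    if issued > period_end:
        return False
    if is_temporary(row):
        return issued + TEMPORARY_LIFETIME >= period_start
    return True  # active licenses remain valid at all points after issue


def temporary_in_effect_by_server(rows, period_start, period_end):
    """Count temporary licenses in effect during the period, per license server."""
    return Counter(row["Server"] for row in rows
                   if is_temporary(row) and in_effect(row, period_start, period_end))


if __name__ == "__main__":
    parsed, bad = parse_report(SAMPLE_REPORT)
    window = (date(2002, 3, 1), date(2002, 5, 31))
    print("in effect:", [r["License ID"] for r in parsed if in_effect(r, *window)])
    print("temporary by server:", dict(temporary_in_effect_by_server(parsed, *window)))
    print("rejected lines:", [number for number, _ in bad])
```

Lines that do not have exactly nine fields are returned as rejects rather than dropped, so a truncated or hand-edited report is noticed.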

References

For more information about Lsreport.exe, type lsreport /? at the command prompt, and then press ENTER.

For additional information about Lsreport.exe and other Terminal Services Resource Kit tools, click the article number below to view the article in the Microsoft Knowledge Base:
Q240444 Useful Terminal Services Resource Kit Utilities
For additional information about Terminal Services Licensing Technology, click the article number below to view the article in the Microsoft Knowledge Base:
Q275052 Terminal Services Licensing Technology for Application Service Providers
For more information about Terminal Services Licensing technology and deployment requirements, see the Microsoft Windows 2000 Terminal Services Licensing Technology White Paper (Tslicensing.doc) that is available at the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/howitworks/terminal/tslicensing.asp
You may also want to view chapter 16 of the Windows 2000 Server Deployment Planning Guide that is available at the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/reskit/dpg/default.asp
HOW TO: Use the Application Security Tool Appsec.exe to Restrict Access to Programs in Windows 2000 Terminal Services 

PSS ID Number: Q320181

Article Last Modified on 05-15-2002


The information in this article applies to:
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional


Summary

This article describes how to use the Windows 2000 Terminal Services Application Security tool. If you are an administrator, you can use this tool to limit user access to a specific list of programs. The Application Security tool is included as-is in the Windows 2000 Resource Kit.

Because it may be difficult to configure a server that is running Terminal Services correctly, you must build your Terminal server in a test environment. Also, you may have to implement policy settings that restrict the functionality of Microsoft Windows Explorer and Microsoft Internet Explorer to help you meet design goals.

You can use the appsec command to start Application Security. You can use Application Security to specify exactly which programs the client computers can run. Application Security works in a similar way to system policy settings that allow users to run only specific programs. However, a system policy setting does not prevent users from running a program from the command prompt. If you use Application Security, you can prevent users from running a program from a command prompt.

You can use Application Security to control the executable files that a user can open. Some programs may use dozens of separate executable files; you must specify all of these files if you use Application Security. You may want to use Application Security if you want the clients to run only a few programs. However, if the clients are running more than a few programs, you may find it easier to use policies and profiles or NTFS file system file and folder permissions to restrict users from using certain programs on a Terminal server. You can use Application Security in conjunction with Group Policy restrictions to both turn off and hide restricted programs.

Administrators typically use Application Security to restrict access to users when they use Terminal Services in Application Server mode. Application Security allows important tools to be either available on the computer or accessible on the network for administrators, but it restricts the actual programs that a user can run. If you use Application Security, administrators can always run any executable file, but other users can only run programs that are listed in the Authorized Applications list.

You may also want to use Application Security in Windows 2000 to deploy a Terminal server that is used by Internet users. If Internet Connector licensing is turned on, all Terminal Services client logons are to the same user, TsInternetUser. You can use Application Security to configure the server so that the users who are connecting from the Internet can run only the programs that are listed in the Authorized Applications list.


How to Install Application Security

The Application Security tool is included in the Windows 2000 Server Resource Kit.

NOTE: You may experience issues if you run the version of Application Security that is included with the Windows 2000 Server Resource Kit. See the "Troubleshooting" section of this article for more information about this issue.

To download the Application Security tool, visit the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp
The files that Application Security requires are copied to the user-definable installation folder during Windows 2000 Resource Kit Setup. Before you use Application Security, you must perform the following procedure to complete the installation:
  1. Install the Windows 2000 Server Resource Kit.

  2. Click Start, and then click Run.

  3. Type instappsec.exe, and then press ENTER.

NOTE: The version of Application Security that is included with the Windows 2000 Resource Kit is missing three critical files. Without these files, Application Security does not work properly. For more information about this issue, see the Troubleshooting section of this article.

Application Security requires the following files:
  • Appsec.exe
  • Appsec.hlp
  • Appsec.dll
  • Appsec.cnt
  • Instappsec.exe

How to Use Application Security

  1. To start Application Security, type appsec at the command prompt, and then press ENTER.

  2. To turn on or turn off Application Security, click either Enabled or Disabled.

    NOTE: When you turn on Application Security, users who are already logged on to the Terminal server before AppSec.dll was loaded will continue to be able to run programs that are not in the Authorized Applications list. To restrict the programs for these users, the users must log off, and then log back on. To force a user to log off if you are an administrator, stop the user's session.

    By default, the following authorized programs are included in the Authorized Applications list when you turn on Application Security:

    • Program: ACRegL.exe
      Location: WINNT\Application Compatibility Scripts\Acregl.exe

    • Program: ACsr.exe
      Location: WINNT\Application Compatibility Scripts\Acsr.exe

    • Program: Attrib.exe
      Location: WINNT\system32\Attrib.exe

    • Program: Cmd.exe
      Location: WINNT\System32\Cmd.exe

    • Program: Explorer.exe
      Location: WINNT\Explorer.exe

    • Program: Loadwc.exe
      Location: WINNT\System32\Loadwc.exe

    • Program: Net.exe
      Location: WINNT\System32\Net.exe

    • Program: NTSD.exe
      Location: WINNT\System32\Ntsd.exe

    • Program: Regini.exe
      Location: WINNT\System32\Regini.exe

    • Program: Subst.exe
      Location: WINNT\System32\Subst.exe

    • Program: Systray.exe
      Location: WINNT\System32\Systray.exe

    • Program: Xcopy.exe
      Location: WINNT\System32\Xcopy.exe

  3. To add additional programs to this list, click Add, and then either locate the program or type the path to the program that you want to add to this list.

    You cannot add a program that does not reside on the local hard disk to the Authorized Applications list.

    NOTE: You can use the Application Security tool to restrict 32-bit programs only. Do not try to restrict 16-bit programs by using Application Security. To allow users to run all 16-bit programs, add Ntvdm.exe to the Authorized Applications list.

  4. To remove a program from this list, click the program, and then click Delete.

    To restrict access to a program, the program must reside on the Terminal server.

    NOTE: If you use Application Security to restrict access to executable files, you must add the following programs to the Authorized Applications list if they are not already listed:

    • Program: Cmd.exe
      Location: WINNT\System32\Cmd.exe

    • Program: Explorer.exe
      Location: WINNT\Explorer.exe

    • Program: Net.exe
      Location: WINNT\System32\Net.exe

    • Program: Regini.exe
      Location: WINNT\System32\Regini.exe

    • Program: Subst.exe
      Location: WINNT\System32\Subst.exe

    • Program: Systray.exe
      Location: WINNT\System32\Systray.exe

    • Program: Xcopy.exe
      Location: WINNT\System32\Xcopy.exe


Limitations of Application Security

Before you use Application Security, consider the following issues:
  • The Application Security settings apply to the computer; you cannot configure the tool for each user.

  • Application Security restricts only programs that are invoked by using the CreateProcess method. If a program is started by using the NTCreateProcess method (which is rare), you cannot use Application Security to restrict this program.

  • Application Security restricts the file based on the full path name. Only the named executable file that is in the designated location can be run. This functionality prevents users from running other versions of the same executable file from different locations. However, Application Security does not specifically check the executable file; it restricts the file only by name. If precautions are not taken, a malicious user may replace a valid executable file (for example, WinWord.exe) with a different file that they rename WinWord. You must use the Windows 2000 security functionality to prevent a user from replacing or renaming program files.

  • Application Security restricts executable files only; it does not restrict dynamic link library (DLL) files.
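The path-name limitation above means the list matches on location and never inspects the file. The following Python is an added example, not code from Appsec or from the article: a hypothetical AuthorizedApplications class models the path-only check and adds a SHA-256 baseline so that a replaced executable is reported. All files are constructed in a temporary folder.

```python
import hashlib
import os
import tempfile


def _key(path):
    """Canonical lookup form: absolute, links resolved, case-folded where the OS does."""
    return os.path.normcase(os.path.realpath(path))


def _sha256(path):
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


class AuthorizedApplications:
    """Hypothetical stand-in for the Authorized Applications list, plus a hash baseline."""

    def __init__(self):
        self._baseline = {}  # canonical path -> SHA-256 recorded when authorized

    def authorize(self, path):
        self._baseline[_key(path)] = _sha256(path)

    def allowed_by_path(self, path):
        """The check the article describes: full path name only."""
        return _key(path) in self._baseline

    def allowed_by_path_and_hash(self, path):
        """Hardened check: the path must be listed and the content unchanged."""
        expected = self._baseline.get(_key(path))
        if expected is None or not os.path.isfile(path):
            return False
        return _sha256(path) == expected

    def audit(self):
        """Return {path: 'OK' | 'MODIFIED' | 'MISSING'} for every authorized entry."""
        report = {}
        for path, expected in self._baseline.items():
            if not os.path.isfile(path):
                report[path] = "MISSING"
            elif _sha256(path) != expected:
                report[path] = "MODIFIED"
            else:
                report[path] = "OK"
        return report


def demo():
    """Walk through the replacement case from the article on constructed files."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        office = os.path.join(root, "office")
        elsewhere = os.path.join(root, "elsewhere")
        os.makedirs(office)
        os.makedirs(elsewhere)
        listed = os.path.join(office, "winword.exe")
        copy = os.path.join(elsewhere, "winword.exe")
        for target in (listed, copy):
            with open(target, "wb") as handle:
                handle.write(b"constructed bytes standing in for the real program")

        apps = AuthorizedApplications()
        apps.authorize(listed)

        # Same file name in another folder is refused, as the article states.
        results["same_name_other_folder"] = apps.allowed_by_path(copy)
        results["clean_audit"] = list(apps.audit().values())

        # Replace the content at the authorized path.
        with open(listed, "wb") as handle:
            handle.write(b"constructed bytes standing in for a different program")
        results["replaced_path_only"] = apps.allowed_by_path(listed)
        results["replaced_path_and_hash"] = apps.allowed_by_path_and_hash(listed)
        results["audit_after_replace"] = list(apps.audit().values())

        os.remove(listed)
        results["audit_after_delete"] = list(apps.audit().values())
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The hash baseline detects a replacement but does not prevent one; file and folder permissions that deny users write access to program folders remain the preventive control the article calls for.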


How to Test Application Security

To test the Application Security tool:
  1. Start Application Security on the server, and then click Enabled.

  2. On a computer on which Terminal Services client is installed, start a session, and then try to run any program that is not on the Authorized Applications list.

    You receive the following error message:

    Access to the specified device, path, or file is denied.
  3. Close the session on the client computer.

  4. Start Application Security on the server, click Add, locate a program that is not on the Authorized Applications list, click Open, and then click OK.

  5. On the computer on which Terminal Services client is installed, start a new session, and then confirm that you can run the program that you added to the Authorized Applications list.


Troubleshooting

The version of the Application Security tool that is included with the Windows 2000 Resource Kit is missing the following three critical files:
  • Appsec.cnt
  • Appsec.dll
  • Instappsec.exe
Application Security does not work properly without these files. To resolve this issue, download the corrected version of Application Security from the following Microsoft File Transfer Protocol (FTP) site:
ftp://ftp.microsoft.com/reskit/win2000
For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:
Q257980 Appsec Tool in Windows 2000 Resource Kit Is Missing Files
If you try to log on using Terminal Services client, you may receive the following error message:
Logon Message: You do not have access to logon to this session.
This behavior occurs because Terminal Services has a default connection security setting that allows only administrators to log on. If the security attributes on a specified connection have not been set, the connection inherits these default security settings.

For additional information about this issue, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q225038 Default Connection Changes Are No longer Applied
Q224395 Error Message: You Do Not Have Access to Logon to This Session

References

For more information about Windows 2000 Terminal Services, see the Terminal Services Online Documentation at the following Microsoft Web site:

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_termsrv_topnode.htm
How do I apply Group Policy Object to Windows 2000 Terminal Services Users? 

PSS ID Number: Q260370

Article Last Modified on 08-6-2002


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Server

Summary

Microsoft Windows 2000 Terminal Services servers are installed for users in Application Server mode. When the Windows 2000 Terminal Services servers are in a Windows 2000 Active Directory domain, the domain administrator implements Group Policy Objects (GPOs) to the Terminal Services server to control the user environment. This article describes the recommended process of applying GPOs to Terminal Services without adversely affecting other Windows 2000 servers on the network.


More Information

There are 2 methods for applying GPOs to Terminal Services without adversely affecting other Windows 2000 Server computers on the network.

Method 1

The first option is to create an organizational unit (OU) specifically for the Terminal Services servers in Application Server mode. This OU allows specific GPOs to be applied to only those Terminal Services computers, creating a tightly controlled Terminal Services experience for the users without affecting the other servers in the Active Directory domain. This OU should not contain users or other computers; therefore domain administrators can fine-tune the Terminal Services experience. The OU can also be delegated for control to subordinate groups such as server operators or individual users.

To create a new OU for the Terminal Services servers, follow these steps:
  1. On the taskbar, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. Expand the left pane.
  3. Click domainname.xxx.
  4. On the Action menu, click New, and then click Organizational Unit.
  5. In the Name box, type a name for the Terminal Services server.
  6. Click OK.

    The new Terminal Services OU now appears in the list in the left pane and contains no default objects. The Terminal Services servers reside in either the Computers OU or the Domain Controllers OU.
  7. Locate and click the Terminal Services server or servers, click Action, and then click Move.
  8. In the Move dialog box, click the new Terminal Services server or servers, and then click OK.
  9. Click the new Terminal Services OU to verify that the move has successfully taken place.

To create a Terminal Services Group Policy object, follow these steps:
  1. Click the new Terminal Services OU.
  2. On the Action menu, click Properties.
  3. Click the Group Policy tab.
  4. Click New to create the New Group Policy object.
  5. Click Edit to modify the group policy.

    NOTE: Most of the relevant settings are under Computer Configuration, Security Settings, or Local Policies. For example, under User Rights Assignment in the list on the right, you find Log on Locally, which is required for logging on to a session on Terminal Services; and you also find Access this computer from the network, which is required to connect to the server outside of a Terminal Services session. This is also where you can prevent users from being able to shut down the system. The Security Options folder is where many of the restrictions should be made and where there are similar settings to the NTConfig.pol file in Windows NT 4.0 Server and Terminal Server Edition. Settings for the user part of the policy should not be applied here because the users have not been placed into this OU with the Terminal Services server. This article is written for machine policy implementation.
  6. When modifications are completed, close the Group Policy editor, and then click Close to close OU Properties.

Method 2

The second option is to apply GPOs to Terminal Services servers exclusively with the use of a GPO Loopback policy. This policy directs the system to apply the set of Group Policy objects for the computer to any user who logs on to the computer affected by this policy. This policy is intended for special-use computers, such as those in public places, laboratories, and classrooms, where you must modify the user policy based on the computer that is being used. Without Loopback, the user's Group Policy objects determine which user policies apply. If this policy is enabled, the location of a user's computer object is the main factor in determining which set of Group Policy objects are to be applied.

This implementation is described in the following Knowledge Base article:
Q231287 Loopback Processing of Group Policy
System Policies in Windows NT 4.0 Terminal Services Edition are also implemented differently than on other Windows NT servers, as described in the following Knowledge Base article:
Q192794 How to Apply System Policies to Terminal Server
When possible, Terminal Services should be installed on Windows 2000 member servers instead of on domain controllers because the users need Log on Locally user rights. When the Log on Locally right is given to domain controllers, it is given to every domain controller in the domain because of the shared Active Directory database. Windows 2000 Member Servers are granted Log on Locally user rights by default in the Local Security Policy when Terminal Services is installed in Application Server mode.

For additional information about Log on Locally rights, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q247989 Domain Controllers Require the 'Log on Locally' Group Policy Object for Terminal Services Client Connections
Q234237 Assign Log On locally Rights to Windows 2000 Domain Controller
Windows NT 4.0 Terminal Services Edition has the same concern with Log on Locally rights to domain controllers because of the common Security Accounts Manager (SAM) database replicated from the primary domain controller (PDC) to all backup domain controllers.

For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
Q186529 Local Policy Does Not Permit You to Log On Interactively


The machine account of the terminal server should be added to the security properties of the GPO being created for loopback. To do this, follow these steps:

  1. Select the Security tab of the GPO created for Loopback.
  2. Click Add.
  3. Select the machine account from the domain list.
  4. Select the "Read" and "Apply Group Policy" rights from the permissions field.
  5. Click OK to close and save the policy settings.