Terminal Services - Frequently Asked Windows Terminal Services Questions!

[12] Frequently Asked Asp Questions!
Updated: Jun 07, 2000
[188] Frequently Asked Citrix Questions!
Updated: Oct 10, 2006
[3] Frequently Asked Sco Tarentella Questions!
Updated: Aug 16, 2002
[260] Frequently Asked Windows Terminal Services Questions!
Updated: Aug 03, 2006
1 2 3 4 5 6 7 8 [9] 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26
How do I Remotely Administer Internet Information Services in the Windows .NET Server Family using Terminal Server? 

PSS ID Number: Q324282

Article Last Modified on 08-6-2002


The information in this article applies to:

  • Microsoft Windows .NET Standard Server Beta
  • Microsoft Windows .NET Enterprise Server Beta
  • Microsoft Windows .NET Enterprise Server 64-bit Edition Beta
  • Microsoft Windows .NET Datacenter Server Beta
  • Microsoft Windows .NET Datacenter Server 64-bit Edition Beta
  • Microsoft Windows .NET Web Server Beta
  • Microsoft Internet Information Services version 6.0

For a Microsoft Windows 2000 version of this article, see Q308169 .

IN THIS TASK


Summary

This article describes the various methods that you can use to remotely manage Microsoft Internet Information Services (IIS) 6.0.

You can remotely administer your IIS-based server on an intranet and on the Internet. You can use the following three tools to remotely administer your IIS-based server:

  • Internet Information Services Manager

  • Terminal Services

  • The Remote Administration (HTML) Tool

back to the top

How to Remotely Administer IIS by Using the Internet Information Services Manager

To remotely administer IIS over an intranet, use the Internet Information Services Manager. IIS 6.0 supports down-level remote administration with this tool. This means that you can use the Internet Information Services Manager on your server running IIS 6.0 to remotely connect to and administer an IIS 5.1-based server, an IIS 5.0-based server, or IIS 4.0-based server.

To use the Internet Information Services Manager, follow these steps:
  1. On the IIS 6.0-based server, click Start, point to Administrative Tools, and then click Internet Information Services Manager.
  2. On the standard toolbar, click the Add a computer to the list button. Or, you can click Connect on the Action menu.

    The Connect To Computer dialog box appears.
  3. In the Computer Name box, type the computer name that you want, and then click OK.

    The computer is displayed under Internet Information Services (IIS) in the tree pane.

    NOTE: If you do not have Transmission Control Protocol/Internet Protocol (TCP/IP) and a name resolution server such as Windows Internet Naming Service (WINS) installed, you may not be able to connect to an IIS computer by using the computer name. Alternatively, you can use the IP address of the IIS computer to which you want to connect.
  4. Expand ComputerName, where ComputerName is the name of the computer that you added in step 3.
  5. Use the Internet Information Services Manager to remotely manage IIS.
back to the top

How to Remotely Administer IIS by Using Terminal Services

If you are an administrator, you can use Microsoft Terminal Services from any remote client computer over a network connection to remotely administer your IIS-based server. You do not have to install the Internet Information Services Manager on the remote client computer.

Terminal Services supports up-level administration. This means that you can remotely administer your server that is running IIS 6.0 by using a Terminal Services client from any computer running Microsoft Windows .NET, Microsoft Windows XP, Microsoft Windows 2000, Microsoft Windows NT 4.0, or Microsoft Windows 98.
  1. On a computer on which the Terminal Services client is installed, start the Terminal Services client, and then connect to the remote IIS-based computer.
  2. From the Terminal Services Client window, administer IIS as if you were logged on to the computer locally. For example, click Start, point to Administrative Tools, and then click Internet Information Services Manager to start the Internet Information Services Manager.
back to the top

How to Remotely Administer IIS by Using the Remote Administration (HTML) Tool

With the Remote Administration (HTML) tool, you can manage IIS from a Web browser. With this tool, you can perform most of the administrative tasks that you can perform with the Internet Information Services Manager.

NOTE: You can only use the Remote Administration (HTML) tool to administer servers that are running IIS 6.0. You cannot use this tool to administer IIS 5.1 or earlier.

back to the top

Turn On the Remote Administration (HTML) Tool

  1. Click Start, point to Control Panel, and then click Add or Remove Programs.
  2. Click Add/Remove Windows Components.
  3. In the Components list, double-click Web Application Server and then double-click Internet Information Services (IIS).
  4. Double-click World Wide Web Service.
  5. Click to select the Remote Administration (HTML) check box, and then click OK.
  6. Click OK, and then click Next.
  7. When you are promoted, insert your Windows .NET Server CD-ROM into the computer`s CD-ROM drive or DVD-ROM drive.
  8. Click Finish.
  9. Click Start, point to Administrative Tools, and then click Internet Information Services Manager.
  10. Expand ServerName, where ServerName is the name of your server, and then expand Web Sites.
  11. Right-click Administration, and then click Properties.
  12. Under Web Site Identification, record the numbers that are displayed in the TCP Port box and SSL Port boxes. For example, 8099 and 8098.
  13. Click the Directory Security tab, and then click the Edit button under IP address and domain name restrictions.
  14. In the IP Address and Domain Name Restriction dialog box that appears, do one of the following:

    • Click Granted Access if you want to allow all computers to administer IIS remotely.

      NOTE: If you want to maintain the highest level of security, Microsoft does not recommend that you allow all computers to administer IIS remotely.

      -or-

    • Click Denied Access (if it is not already selected), and then click Add. The Grant Access On dialog box appears. Under Type, do one of the following:

      • Click Single computer.
        Type the IP address of the computer that you want in the IP Address box, and then click OK.

      • Click Group of computers.
        Type the Network ID and the Subnet Mask of the group into the corresponding boxes, and then click OK.

      • Click Domain name. Type the domain name that you want in the Domain Name box, and then click OK.

  15. When you are finished granting access, click OK.
  16. In the Administration Web Site Properties dialog box, click OK. If an Inheritance Overrides dialog box appears, click Select All to apply the new security settings to the child nodes, and then click OK.
  17. Quit the Internet Information Services Manager.
back to the top

Use the Remote Administration (HTML) Tool

  1. Start Microsoft Internet Explorer, and then type the host name of the Web server, followed by the port number that you recorded earlier in the SSL Port box, and then click Go.

    For example, if you are on an intranet, and the SSL port number is 8098, type the following URL:
    https:// Server Name:8098
    where ServerName is the name of the Web server.

    NOTE: You are prompted for a user name and password that exist on the Web Server.
  2. The Remote Administration Tool is displayed in your browser window. Click the Administer this server link. You are prompted again for credentials if you chose not to save the password in the previous dialog box. There are many links and options to click and connect. Select the appropriate one the task that you want to perform on the Web Server.
back to the top

References

For additional information about IIS remote administration, search for administering IIS remotely in the IIS 6.0 online documentation, and then view the documents returned.

back to the top

How do I Activate a License Server by Using Terminal Services Licensing in Windows 2000? 

PSS ID Number: Q306622

Article Last Modified on 05-8-2002


The information in this article applies to:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Server

IN THIS TASK


Summary

This article describes how to activate a license server by using Terminal Services licensing.

back to the top

Overview

You must activate a license server before it can issue licenses to Terminal Services clients. When you activate a license server, Microsoft provides the server with a digital certificate that validates the server`s ownership and identity. By using this certificate, a license server can make subsequent transactions with Microsoft and receive client licenses for your Terminal Services servers. This article describes how to activate Terminal Services Licensing in a Windows 2000 Server or Windows 2000 Advanced server. The Terminal Services Licensing component must already be installed on the server.

You can activate a license server by using any of four different methods:
  • With the Internet

  • With the World Wide Web

  • With a fax

  • With the telephone

Each of these methods requires starting the console in the Terminal Services Licensing window. To start the console, click Start, point to Programs, point to Administrative Tools, point to Terminal Services Items, and then click Terminal Services Licensing.

If you cannot locate Administrative Tools by using the previous steps, use this procedure to locate Terminal Services Licensing in Control Panel:
  1. Click Start, point to Settings, and then click Control Panel.
  2. Click Administrative Tools.
  3. Click Terminal Service Items.
  4. Double-click Terminal Services Licensing.
back to the top

Activating a License Server with the Internet

  1. Open the Licensing Terminal Services window.
  2. In the console tree, right-click the license server you want to activate, and then click Activate Server to start the Licensing Wizard.
  3. In Connection method, click Internet, and then click Next.
  4. In Licensing Program, click the program under which you purchased licenses, and then click Next.
  5. On the next several pages, provide the required information for Microsoft to send you the server activation PIN, and then click Next. Your license server information is sent to Microsoft. After your request is processed, Microsoft sends an e-mail message that contains your server activation PIN.
  6. In Completing the Process, choose whether you want to complete the process immediately, postpone completion until your PIN arrives, or restart the activation process, and then click Next.
  7. In Activation PIN, type the PIN you received from Microsoft, and then click Next. Your license server is activated by using a digitally signed certificate. Use one of the following steps:

    • To install client license key packs for your license server now, click Next.

    • To install key packs at a later time, clear the Install licenses now check box, and then click Finish.

back to the top

Activating a License Server with the World Wide Web

  1. Start Terminal Services Licensing.
  2. In the console tree, right-click the license server you want to activate, and then click Activate Server to start the Licensing Wizard.
  3. In Connection method, click World Wide Web, and then click Next.
  4. Connect to the Terminal Services Web site that is shown. You can connect to this site from any computer with Internet access. After you provide the required information, you receive your license server ID.
  5. In License Server Activation, type the license server ID in the appropriate location, and then click Next. Your license server is activated. Use one of the following steps:

    • To install client license key packs for your license server now, click Next.

    • To install key packs at a later time, clear the Install licenses now check box, and then click Finish.

back to the top

Activating a License Server with a Fax

  1. Start Terminal Services Licensing.
  2. In the console tree, right-click the license server you want to activate, and then click Activate Server to start the Licensing Wizard.
  3. In Connection method, click Fax, and then click Next.
  4. In Country/Region Selection, click your country or region, and then click Next.
  5. On the next few pages, type the required information to activate your license server. You have the option to install client license key packs for your license server at the same time you activate the server.
  6. Click Print to print the completed activation request form and fax it to Microsoft by using the fax number shown on the form. Microsoft will send you a fax containing the license server ID to complete the process.
  7. Type the license server ID in the space provided in the "License Server Activation" screen, and then click Next. Your license server is activated.
back to the top

Activating a License Server with the Telephone

  1. Start Terminal Services Licensing.
  2. In the console tree, right-click the license server you want to activate, and then click Activate Server to start the Licensing Wizard.
  3. In Connection method, click Telephone, and then click Next.
  4. In Country/Region Selection, click your country or region, and then click Next to display the appropriate telephone number to call.
  5. Call the Customer Support Center (CSC) and give your product ID number as shown in License Server settings to the representative. You will also be required to provide your name, the name of your organization, and the type of licensing program you are using. The CSC processes your request to activate the license server, and creates a unique ID for your license server.
  6. Type the license server ID that is provided by the representative in the space that provided, and then click Next. Your license server is activated. Use one of the following steps:

    • To install client license key packs for your license server now, click Next.

    • To install key packs at a later time, clear the Install licenses now check box, and then click Finish.

back to the top

Troubleshooting

  • After a license server is activated, it becomes the registrar for Terminal Services client licenses. While you are waiting to complete the activation process, your license server can issue temporary licenses for clients that allow the use of Terminal Services servers for up to 90 days.

  • Verify that the e-mail address you provide is valid.

  • You can change Licensing Wizard properties, such as the connection method and company information that you set during the activation process, at a later time.

back to the top


References

For additional information about how to connect client computers to a Terminal Services server, click the article numbers below to view the articles in the Microsoft Knowledge Base:

Q306566 How to Connect Clients to Terminal Services Using Terminal Services Client
For additional information about how to activate a license server and install clients over the Internet, click the article number below to view the article in the Microsoft Knowledge Base:
Q237811 How to Activate a Terminal Services License Server and Install CALs Over the Internet
back to the top
How can I rollback or change the MDAC version on my Terminal Server to accomodate Citrix Metaframe XP? 

INFO: Component Checker: Diagnose Problems and Reconfigure MDAC Installations

The information in this article applies to:
  • Microsoft Data Access Components 1.5, 2.0, 2.1, 2.1 (GA), 2.1 SP1, 2.1 SP2, 2.5, 2.5 SP1, 2.5 SP2, 2.6, 2.6 SP1, 2.7

Summary

This article describes the functionality of the Microsoft Component Checker (ComCheck). The ComCheck tool can help you to diagnose installation issues with Microsoft Data Access Components (MDAC). Depending on the operating system and version of MDAC that is installed, ComCheck can also remove and re-install different versions of MDAC. See the "Special Considerations" section for specific instructions about how to re-install Microsoft Windows 2000, Windows Millennium Edition (Me), and MDAC 2.6 or later.

MDAC ships with Microsoft SQL Server, Microsoft Visual Studio, Microsoft Office, Microsoft Back Office, and numerous other Microsoft products. In addition, you can redistribute the MDAC stack through the MDAC_TYP.exe file. You can download MDAC_TYP.exe from the following Microsoft Web site: With so many recent MDAC releases, applications have experienced version incompatibility issues in certain circumstances. This is purely dependent upon the environment in which MDAC was installed. In most scenarios, applications that experience problems with MDAC are a result of mismatched components.

NOTE: Completely removing MDAC from the operating system can have catastrophic and unpredictable results. MDAC components are system components; they are installed as part of the operating system on Windows Me, Windows 2000, and later versions of Windows. Thus, you cannot remove MDAC from these operating systems.

MDAC is not initially installed with Microsoft Windows 95, Windows 98, and Windows NT. As a result, it is possible to remove MDAC from these systems; however, this is not recommended because removing MDAC affects every application that uses Data Access that is installed on the computer. Component Checker provides a safe method to remove and reapply another version of MDAC for these operating systems. Removing MDAC by any other means is not supported.

More Information

You can download Component Checker from the following Microsoft Web site: Component Checker comes as a self-extracting executable file (CC.exe), which extracts to a ComCheck folder and includes its own help file. After you extract the files into a directory, click the ComCheck.exe icon to run Component Checker. The application prompts you with a dialog box that reads:
  • Perform an analysis to determine installation
  • Perform an analysis based on a selected version
  • Scan the machine, but don`t perform an analysis
The first selection is the most common selection. The analysis helps you to determine which version of MDAC is installed on the computer. Keep in mind that Component Checker may not be able to determine an exact version because the computer may be in a state that has multiple overlapping versions.

The ComCheck.chm help file in the \ComCheck folder provides more detailed information about the user interface and other functions.

Removing the Current Version of MDAC

Component Checker refers to removing MDAC as "reconfiguring" because you must identify a valid MDAC_TYP.exe file to reinstall after Component Checker removes the current installation. To enable reconfiguration, you must start Component Checker from the command prompt with a /d parameter.

NOTE: The reconfiguration option is not available under Windows 2000 or Windows Me because MDAC 2.5 is integrated into these operating systems and should not be removed. Reconfiguration is not available for MDAC 2.7 under Microsoft Windows XP because it is integrated into the Windows XP operating system. Component Checker can only be used for reconfiguration on operating systems such as Windows NT and Window 9x. For more specific information about how to roll back MDAC 2.6, see the "Special Considerations" section later in this article or the MDAC 2.6 Setup FAQ at the following Microsoft Web site: The following steps outline the typical instructions for removing and reapplying MDAC:
  1. Download the version of MDAC that you want to install from the following Microsoft Web site:
  2. Download Component Checker (CC.exe) from the same location.
  3. Double-click CC.exe to extract the Component Checker files and install Component Checker to the default location (C:\ComCheck).
  4. From the Windows Start menu, click Run, and type the following command:
    C:\ComCheck\ComCheck.exe /d
    The /d switch is required to enable the "Reconfigure MDAC" functionality. If you receive the following error message:
    Cannot enable the reconfigure functionality
    you have not provided the correct switch to Component Checker.
  5. Accept the default analysis type, and then click OK. Component Checker scans all of the MDAC files and registry settings on your computer, which normally takes several minutes. When the scan is complete, a message box indicates that "The version which closely matches your computer is 2. xxx." Click OK.
  6. You receive a summary of the Component Checker scan. You may see some errors or warnings in the List View pane. These may or may not be actual problems with the installation of MDAC. You can safely ignore "Dir," "FileDescription," and "FileSize" errors.
  7. From the File menu, click Reconfigure MDAC Components.

    NOTE: If this option is not available, either you have not started Component Checker with the /d option, or you are running Component Checker on a version of Windows that does not support this functionality.
  8. At this point, you may receive the following error message:
    Unable to reconfigure MDAC components because of files in use or insufficient privileges
    This error message indicates that some ODBC, OLE DB, ActiveX Data Objects (ADO), or Remote Data Services (RDS) files are in use on the computer by some process. Component Checker cannot reconfigure MDAC until all processes that use MDAC are shut down. If you click OK, Component Checker lists all of the files that are in use on the computer. You must shut down all processes on the computer that are using these files before you can reconfigure MDAC. Primary candidates include Microsoft Internet Information Server (IIS) and Microsoft SQL Server, which you shut down through the Services dialog box in Control Panel on the Windows NT platform.
  9. When you are prompted to continue with reconfiguration, click Yes.
  10. When you receive the "Before you reconfigure MDAC you must specify the location of your redist software install executable" message box, click OK.
  11. In the File dialog box, select the Mdac_typ.exe file that you downloaded in step 1. Locate Mdac_typ.exe, and then click OK.
  12. When you receive the message box that indicates that the removal of MDAC is complete, click OK.
  13. Component Checker starts the MDAC setup file that you selected in step 10. Proceed with installation as normal, and accept all of the defaults.
  14. After the MDAC installer is complete, control returns to the Component Checker program. When you receive the "The program has successfully reconfigured all Microsoft Data Access Components" message box, click OK. This shuts down Component Checker. You may be prompted to restart your computer.
  15. If you still cannot correctly reconfigure MDAC, please contact Microsoft Product Support Services. For a complete list of Microsoft Product Support Services phone numbers and information about support costs, see the following Microsoft Web site:

Special Considerations for Windows 2000, Windows Me, and Later Versions of Windows

You can use Component Checker on Windows 2000, Windows Me, and later versions of Windows to identify the version of MDAC and identify problems with the installation. However, the Reconfigure MDAC components menu option does not appear when you run Component Checker on these versions of Windows, even if you use the /d switch. Because MDAC is installed as part of the core functionality in Windows 2000, Windows Me, and later versions of Windows, it is impossible to remove MDAC from the operating system. It is also impossible to reinstall the current version of MDAC without reinstalling the entire operating system.

In addition, you cannot manually replace MDAC components because of the System File Protection (SFP) feature in these versions of Windows. Even though a dynamic-link library (DLL) is replaced, the next time you restart the computer, SFP compares file versions from a known, good cache and replaces any updated file.

Special Considerations for MDAC 2.6 and Later

MDAC 2.6 uses a new mechanism for uninstalling. During MDAC 2.6 installation, any previous version of MDAC is noted and copied to a backup directory. You can use the DaSetup.exe utility with the /u switch to roll back to the previous version of MDAC that was installed on the computer. Again, in MDAC 2.6 and later, you cannot use Component Checker to reconfigure MDAC; you should use the DaSetup utility instead.

References

For additional information about advanced MDAC troubleshooting, click the article number below to view the article in the Microsoft Knowledge Base:
    Q232060 HOWTO: MDAC Setup Troubleshooting Guide
How do I Use the Application Security Tool (Appsec.exe) to Restrict Access to Programs in Windows 2000 Terminal Services? 

PSS ID Number: Q320181

Article Last Modified on 05-15-2002


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

IN THIS TASK


Summary

This article describes how to use the Windows 2000 Terminal Services Application Security tool. If you are an administrator, you can use this tool to limit user access to a specific list of programs. The Application Security tool is included as-is in the Windows 2000 Resource Kit.

Because it may be difficult to configure a server that is running Terminal Services correctly, you must build your Terminal server in a test environment. Also, you may have to implement policy settings that restrict the functionality of Microsoft Windows Explorer and Microsoft Internet Explorer to help you meet design goals.

You can use the appsec command to start Application Security. You can use Application Security to specify exactly which programs the client computers can run. Application Security works in a similar way to system policy settings that allow users to run only specific programs. However, a system policy setting does not prevent users from running a program from the command prompt. If you use Application Security, you can prevent users from running a program from a command prompt.

You can use Application Security to control the executables files that a user can open. Some programs may use dozens of separate executable files; you must specify all of these files if you use Application Security. You may want to use Application Security if you want the clients to run only a few programs. However, if the clients are running more than a few programs, you may find it easier to use policies and profiles or NTFS file system file and folder permissions to restrict users from using certain programs on a Terminal server. You can use Application Security in conjunction with Group Policy restrictions to both turn off and hide restricted programs.

Administrators typically use Application Security to restrict access to users when they use Terminal Services in Application Server mode. Application Security allows important tools to be either available on the computer or accessible on the network for administrators, but it restricts the actual programs that a user can run. If you use Application Security, administrators can always run any executable file, but other users can only run programs that are listed in the Authorized Applications list.

You may also want to use Application Security in Windows 2000 to deploy a Terminal server that is used by Internet users. If Internet Connector licensing is turned on, all Terminal Services client logons are to the same user, TsInternetUser. You can use Application Security to configure the server so that the users who are connecting from the Internet can run only the programs that are listed in the Authorized Applications list.

back to the top

How to Install Application Security

The Application Security tool is included in the Windows 2000 Server Resource Kit.

NOTE: You may experience issues if you run the version of Application Security that is included with the Windows 2000 Server Resource Kit. See the " Troubleshooting" section of this article for more information about this issue.

To download the Application Security tool, visit the following Microsoft Web site:
http://www.microsoft.com/windows2000/techinfo/reskit/tools/hotfixes/appsec-o.asp
The files that Application Security requires are copied to the user-definable installation folder during Windows 2000 Resource Kit Setup. Before you use Application Security, you must perform the following procedure to complete the installation:
  1. Install the Windows 2000 Server Resource Kit.
  2. Click Start, and then click Run.
  3. Type instappsec.exe, and then press ENTER.
NOTE: The version of Application Security that is included with the Windows 2000 Resource Kit is missing three critical files. Without these files, Application Security does not work properly. For more information about this issue, see the Troubleshooting section of this article.

Application Security requires the following files:
  • Appsec.exe
  • Appsec.hlp
  • Appsec.dll
  • Appsec.cnt
  • Instappsec.exe
back to the top

How to Use Application Security

  1. To start Application Security, type appsec at the command prompt, and then press ENTER.
  2. To turn on or turn off Application Security, click either Enabled or Disabled.

    NOTE: When you turn on Application Security, users who are already logged on to the Terminal server before AppSec.dll was loaded will continue to be able to run programs that are not in the Authorized Applications list. To restrict the programs for these users, the users must log off, and then log back on. To force a user to log off if you are an administrator, stop the user`s session.

    By default, the following authorized programs are included in the Authorized Applications list when you turn on Application Security:

    • Program: ACRegL.exe
      Location: WINNT\Application Compatibility Scripts\Acregl.exe

    • Program: ACsr.exe
      Location: WINNT\Application Compatibility Scripts\Acsr.exe

    • Program: Attrib.exe
      Location: WINNT\system32\Attrib.exe

    • Program: Cmd.exe
      Location: WINNT\System32\Cmd.exe

    • Program: Explorer.exe
      Location: WINNT\Explorer.exe

    • Program: Loadwc.exe
      Location: WINNT\System32\Loadwc.exe

    • Program: Net.exe
      Location: WINNT\System32\Net.exe

    • Program: NTSD.exe
      Location: WINNT\System32\Ntsd.exe

    • Program: Regini.exe
      Location: WINNT\System32\Regini.exe

    • Program: Subst.exe
      Location: WINNT\System32\Subst.exe

    • Program: Systray.exe
      Location: WINNT\System32\Systray.exe

    • Program: Xcopy.exe
      Location: WINNT\System32\Xcopy.exe

  3. To add additional programs to this list, click Add, and then either locate the program or type the path to the program that you want to add this list.

    You cannot add a program that does not reside on the local hard disk to the Authorized Applications list.

    NOTE: You can use the Application Security tool to restrict 32-bit programs only. Do not try to restrict 16-bit programs by using Application Security. To allow users to run all 16-bit programs, add Ntvdm.exe to the Authorized Applications list.
  4. To remove a program from this list, click the program, and then click Delete.

    To restrict access to a program, the program must reside on the Terminal server.

    NOTE: If you use Application Security to restrict access to executable files, you must add the following programs to the Authorized Applications list if they are not already listed:

    • Program: Cmd.exe
      Location: WINNT\System32\Cmd.exe

    • Program: Explorer.exe
      Location: WINNT\Explorer.exe

    • Program: Net.exe
      Location: WINNT\System32\Net.exe

    • Program: Regini.exe
      Location: WINNT\System32\Regini.exe

    • Program: Subst.exe
      Location: WINNT\System32\Subst.exe

    • Program: Systray.exe
      Location: WINNT\System32\Systray.exe

    • Program: Xcopy.exe
      Location: WINNT\System32\Xcopy.exe

back to the top

Limitations of Application Security

Before you use Application Security, consider the following issues:
  • The Application Security settings apply to the computer; you cannot configure the tool for each user.

  • Application Security restricts programs that are only invoked by using the CreateProcess method. If a program is started by using the NTCreateProcess method (which is rare), you cannot use Application Security to restrict this program.

  • Application Security restricts the file based on the full path name. Only the named executable file that is in the designated location can be run. This functionality prevents users from running other versions of the same executable file from different locations. However, Application Security does not specifically check the executable file; it restricts the file only by name. If precautions are not taken, a malicious user may replace a valid executable file (for example, WinWord.exe) with a different file that they rename WinWord. You must use the Windows 2000 security functionality to prevent a user from replacing or renaming program files.

  • Application Security restricts executable files only; it does not restrict dynamic link library (DLL) files.

back to the top

How to Test Application Security

To test the Application Security tool:
  1. Start Application Security on the server, and then click Enabled.
  2. On a computer on which Terminal Services client is installed, start a session, and then try to run any program that is not on the Authorized Applications list.

    You receive the following error message:

    Access to the specified device, path, or file is denied.
  3. Close the session on the client computer.
  4. Start Application Security on the server, click Add, locate a program that is not on the Authorized Applications list, click Open, and then click OK.
  5. On the computer on which Terminal Services client is installed, start a new session, and then confirm that you can run the program that you added to the Authorized Applications list.
back to the top

Troubleshooting

The version of the Application Security tool that is included with the Windows 2000 Resource Kit is missing the following three critical files:
  • Appsec.cnt
  • Appsec.dll
  • Instappsec.exe
Application Security does not work properly without these files. To resolve this issue, download the corrected version of Application Security from the following Microsoft File Transfer Protocol (FTP) site:
ftp://ftp.microsoft.com/reskit/win2000
For additional information about this issue, click the article number below to view the article in the Microsoft Knowledge Base:
Q257980 Appsec Tool in Windows 2000 Resource Kit Is Missing Files
If you try to log on using Terminal Services client, you may receive the following error message:
Logon Message: You do not have access to logon to this session.
This behavior occurs because Terminal Services has a default connection security setting that allows only administrators to log on. If the security attributes on a specified connection have not been set, the connection inherits these default security settings.

For additional information about this issue, click the article numbers below to view the articles in the Microsoft Knowledge Base:
Q225038 Default Connection Changes Are No longer Applied
Q224395 Error Message: You Do Not Have Access to Logon to This Session
back to the top

References

For more information about Windows 2000 Terminal Services, see the Terminal Services Online Documentation at the following Microsoft Web site:

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_termsrv_topnode.htm
back to the top
How Do I Use Terminal Server APIs via Windows Scripting Host? 

PSS ID Number: Q299947

Article Last Modified on 08-8-2001


The information in this article applies to:
  • Microsoft Windows NT Server4.0, Terminal Server Edition
  • Microsoft Windows 2000 Server

Summary

There is no interface for Windows Terminal Services APIs via the Windows Scripting Host or Active Server Pages (ASP). However, the existing APIs can be leveraged if they are implemented in a COM object (as documented in the Platform SDK). This article provides source code (Atlwts_source.exe) for a sample ATL COM object (Atlwts_2.dll) that implements the following Windows Terminal Services APIs:

WTSSendMessage
WTSQuerySessionInformation
WTSQueryUserConfig
WTSOpenServer
WTSEnumerateSessions
WTSFreeMemory
WTSCloseServer
WTSLogoffSession
This sample ATL COM object can be used from the Windows Scripting Host or from ASP, and a sample of each is included as well.

More Information

The following file is available for download from the Microsoft Download Center:

Atlwts_source.exe
Release Date: Jul-18-2001

For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.

The Atlwts_source.exe file contains the following files:

WTSHelper.h 2 KB
ATLWTS_2.cpp 2 KB
ATLWTS_2.def 1 KB
ATLWTS_2.dsp 14 KB
ATLWTS_2.dsw 1 KB
ATLWTS_2.h 12 KB
ATLWTS_2.idl 2 KB
ATLWTS_2.ncb 73 KB
ATLWTS_2.opt 59 KB
ATLWTS_2.plg 1 KB
ATLWTS_2.rc 4 KB
ATLWTS_2.tlb 3 KB
ATLWTS_2_i.c 2 KB
ATLWTS_2_p.c 17 KB
ATLWTS_2ps.def 1 KB
ATLWTS_2ps.mk 1 KB
Dlldata.c 1 KB
Resource.h 1 KB
StdAfx.cpp 1 KB
StdAfx.h 1 KB
Tester_WTSHelper.vbs 2 KB
WTSHelper.cpp 17 KB
ATLWTS_2.APS 4 KB
WTSHelper.rgs 1 KB
Tester_WTSHelper.asp 1 KB
The sample code for the sample object (Atlwts_2.dll) has been tested on Windows 2000 with Terminal Services installed as well as Windows NT 4.0 Terminal Services with Service Pack 4.0 or later, and Microsoft Transaction Server.
How do I Connect to Terminal Services with Color Resolution That Is Greater Than 256 in Windows XP? 

PSS ID Number: Q278502

Article Last Modified on 07-15-2002


The information in this article applies to:

  • Microsoft Windows XP Professional

IN THIS TASK


Summary

This step-by-step article shows you how to connect to Windows XP Terminal Services using a video resolution greater than 256-color.

When you connect to a Microsoft Windows XP computer by using the Windows XP Remote Desktop Connection client, you can select the color resolution at which you would like the client session to run. This functionality allows you to increase the resolution beyond the former limitation of 256 colors. However, by selecting this value, you are not guaranteed to connect at as high a resolution as you select because the client setting is only one of the facets required to generate a particular color resolution in the session.

back to the top

Increase Video Resolution for Windows XP Terminal Services

When you connect to a Windows XP-based computer by using the Remote Desktop Connection client, you can specify for the client to run with more than 256 colors. Before you specify a color-resolution setting, you must first set up Remote Desktop Connections. To do so, follow these steps:
  1. Right-click My Computer, click Properties, and then click the Remote tab.
  2. Click to select the Allow users to connect remotely to this machine check box, and then click OK.
  3. On another computer, start Remote Desktop Connections. To do so, click Start, point to Programs, point to Accessories, point to Communications, and then click Remote Desktop Connection.
  4. Type the name of the computer that you are connecting to.
  5. Click the Options button to expand the connection window.
  6. On the Display tab, select a color resolution other than 256.
  7. Click Connect to begin the session.

back to the top

Set Group Policy for Maximum Color Depth of Terminal Services

In many cases, after you perform these steps, the client still connects with 256 colors rather than whatever value you specified in the Remote Desktop Connection box. This behavior can occur because of a group policy on the Windows XP-based computer that determines the maximum color depth that can be negotiated by the client. In Windows XP, the default policy setting is 256 colors, but this setting can be changed by using the Group Policy Editor.

To use the Group Policy Editor to change the setting, follow these steps:
  1. Click Start, click Run, and then type MMC.
  2. Click the Console menu, click Add/Remove Snap-in, and then click Add. Select Group Policy.
  3. Click Add, make certain that Local Computer is selected in the Group Policy Object box, click Finish, and then click Close.
  4. Select Computer Configuration, click Administrative Templates, and then click Terminal Services.
  5. Select Limit Maximum Color Depth and set it to the color depth that you want.
After you change the setting, you should be able to specify any setting of more than the default 256 colors setting and have the client connect with that resolution, as long as it is not higher than the setting that you specified.

NOTE: You cannot specify and connect at a higher resolution than your video hardware can support. Therefore, if you have a video card in your computer that supports only up to 256 colors, you cannot connect to a session with a higher resolution than that.

back to the top
How do I Remove Additional Permissions Granted to Terminal Services Users? 

This is taken from Microsoft Q238965
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q238965

Summary
To allow older programs to run correctly under Terminal Services in Windows 2000, additional permissions are granted to Terminal Services users. This article describes how to remove these additional permissions.

More Information
You can remove the additional permissions by using the Notssid.inf security
template in the %SystemRoot%\Security\Templates folder. After you apply the
Notssid.inf security template, the system has the same default permissions
as a standard Windows 2000-based server, but with Terminal Services enabled.
To apply this security template:
At a command prompt, type cd /d %systemroot%\security\templates folder, and then press ENTER.
Type secedit /configure /db notssid.sdb /cfg notssid.inf [/log notssid.log]/verbose,
and then press ENTER
You can restore the default permissions for Terminal Service users (including
the default permissions and policies for all users) by using the Defltsv.inf template
in the %SystemRoot%\Inf folder. Use the following steps:

At a command prompt, type cd /d %systemroot%\inf, and then press ENTER.

Type secedit /configure /cfg defltsv.inf /db defltsv.sb /log defltsv.log /verbose,
and then press ENTER.

Microsoft recommends that you test security templates that modify file system
and registry permissions before implementation on production servers.
NOTE: To allow older programs to run correctly under Terminal Services in Windows 2000,
additional permissions are granted to Terminal Services users. This is implemented with
the TERMINAL SERVER USER group, which has access to certain files, directories and registry
keys that normal users do not.

Users logging on to the server interactively will be made a member the TERMINAL SERVER
USER group if the Permission Compatibility setting in the Terminal Services Configuration
snap-in is Permissions compatible with Terminal Server 4.0 users.

The snap-in manipulates the registry value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\TSUserEnabled (REG_DWORD)
If TSUserEnabled=0x00000001, then all users logging on to a session on
the server will be made a member of the TERMINAL SERVER USER group,
with greater access to some files, directories and registry keys.

If TSUserEnabled=0x00000000, no-one will be a member of the built-in group,
although it will still be visible in the Object Picker.

If you still require the TERMINAL SERVER USER group for administration,
you can remove the additional permissions by using the Notssid.inf security
template in the %SystemRoot%\Security\Templates folder.

HOW TO: Automatically Run Programs When Users Log On to Windows 2000 Terminal Services (Q321707) 
The information in this article applies to:

  • Microsoft Windows 2000 , Server
  • Microsoft Windows 2000 , Advanced Server
  • Microsoft Windows 2000 , Professional

IMPORTANT : This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Q256986 Description of the Microsoft Windows Registry

IN THIS TASK


SUMMARY

This article describes how to use various methods to have programs start automatically when users log on to Terminal Services.

back to the top

By Using Client Connection Manager

You can specify a program to start either when you create a new connection in Client Connection Manager, or after you create a connection.

back to the top

Specify the Program to Start When You Create a New Connection

To create a new connection to the Terminal Services server:
  1. On the client computer, click Start , point to Programs , point to Terminal Services Client , and then click Client Connection Manager .
  2. In the Client Connection Manager Wizard, click Next .
  3. In the Connection name box, type a descriptive name for the connection.
  4. In the Server name or IP address box, type the server`s name or IP address, or click Browse to search for the server. When you finish, click Next .
  5. Leave all of the automatic logon information blank. Using automatic logon information might be a security is if a non-administrator has access to the computer from which you run the client. Click Next .
  6. Click a screen resolution that is appropriate for you.
  7. Leave the Enable data compression and Cache bitmaps check boxes clear unless you are working over a slow dial-up link. Click Next .
  8. Click to select the Start the following program check box, and then type the path and file name of the program that you want to start when a connection is made. In the Start in box, type the working folder, if required.
  9. Click Next , and then click Finish .
back to the top

To Change the Program to Start

  1. On the client computer, click Start , point to Programs , point to Terminal Services Client , and then click Client Connection Manager .
  2. Click the connection to change.
  3. On the File menu, click Properties .
  4. On the Program tab, click Start the following program , and then type the path and file name of the program that you want to start when a connection is made. In the Start in box, type the working folder, if required.
back to the top

By Using the Environment Tab

To specify a program to start when a session connection is made by using the Environment tab:
  1. Use the appropriate step:

    • For a domain user account, start Active Directory Users and Computers. In the console tree, expand the Domain node, and then click the folder in which users are located.

    • For a local user account, start Computer Management (Local). In the console tree, click Users . (Expand Computer Management , expand System Tools , expand Local Users and Groups , and then click Users .)

  2. Double-click the user for whom you want to change the program that starts.
  3. On the Environment tab, under Starting program , click to select the Start the following program at logon check box.
  4. In the Program file name box, type the path and file name of the program to start when the user logs on. You can also specify a working folder by typing the path in the Start in box.
  5. Click Apply .
Notes:
  • To start Active Directory Users and Computers, click Start , point to Programs , point to Administrative Tools , and then click Active Directory Users and Computers .

  • To start Computer Management, click Start , point to Settings , click Control Panel , double-click Administrative Tools , and then double-click Computer Management .

back to the top

By Using a Program Shortcut in the Startup Folder

  1. On the Terminal Services server, start Windows Explorer, and then open the user`s Startup folder. By default, this folder is:

    C:\Documents and Settings Username \Start Menu\Programs\Startup
  2. On the File menu, point to New , and then click Shortcut .
  3. In the Type the location of the item box, type the path and file name of the program to start.
  4. Click Next .
  5. Click the Startup folder, and then click Next .
  6. Type a name for the shortcut or accept the default.
  7. Click Finish , and then click OK .
back to the top

By Using Group Policy

You can specify programs or documents that are started automatically when a user logs on by using the "Run these programs at user logon" policy. NOTE : This policy appears in the Computer Configuration and User Configuration folders. If you configure both policies, Windows starts the programs that you specify in the Computer Configuration policy before it starts the programs that you specify in the User Configuration policy.
  1. On the Terminal Services server, start Microsoft Management Console (MMC), and then add the Group Policy snap-in.
  2. Click Local Computer Policy , click Computer Configuration , and then click Administrative Templates .
  3. Click the System object, double-click Run these programs at user logon in the list of Local System policies in the right pane, and then click Enable .
  4. Click Show , and then click Add .
  5. Type the name of the program (.exe) file or document file. Unless the file is located in the %SystemRoot% folder, you must specify the fully qualified path to the file.
  6. Click OK .
back to the top

By Using the Registry

WARNING : If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can specify a command line in the registry to start a program when users log on to Terminal Services:
  1. On the Terminal Services server, start Registry Editor (Regedt32.exe).
  2. Locate and then click the following key in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  3. On the Edit menu, point to New , and then click String Value .
  4. Type any name for the value, and then click Modify on the Edit menu.
  5. In the Value Data box, type the command line for the program that you want to start when users log on.
  6. Click OK , and then quit Registry Editor.
back to the top

By Using a Logon Script

You can create a logon script that runs specific programs when users log on. You can assign that script to a user. For more information about creating logon scripts to configure user work environments, visit the following Microsoft Web site:
Using logon scripts to configure user work environments
back to the top

To Assign a User Logon Script to a User

  1. Start Computer Management.
  2. In the console tree, click Users (under System Tools and then Local Users and Groups ).
  3. Double-click the user to whom you want to assign a logon script.
  4. Click the Profile tab.
  5. In the Logon script box, type the path and name of the logon script that you want to assign to the user, and then click OK .
Notes:
  • To start Computer Management , click Start , click Programs , click Administrative Tools , and then click Computer Management .

  • The path to the logon script is relative to the local logon script path on the server.

For additional information about assigning scripts to users, click the article number below to view the article in the Microsoft Knowledge Base:
Q258286 How to Assign a Logon Script to a Profile for a Local User
back to the top
HOW TO: Distribute Terminal Services Client Using Active Directory (Q236573) 
The information in this article applies to:

  • Microsoft Windows 2000 , Advanced Server
  • Microsoft Windows 2000 , Professional
  • Microsoft Windows 2000 , Server

IN THIS TASK


SUMMARY

This article describes how to distribute the Windows Terminal Services client within an enterprise by using a group policy in Active Directory.

NOTE : This article relies on the environment prerequisites and key terms and concepts described in the "Step-by-Step Guide to Creating Windows Installer Packages and Repackaging Software for the Windows Installer Using VERITAS WinINSTALL LE : [Microsoft Windows 2000 Server, VERITAS WinINSTALL LE]" technical walkthrough. You can obtain this technical walkthrough from Microsoft TechNet and on the Internet at the following Microsoft Web site:

http://www.microsoft.com/windows2000/techinfo/planning/management/veritas.asp

back to the top

The Six Basic Tasks for Active Directory Deployment of the Terminal Services Client

  1. Prepare for package creation.
  2. Create the installation package.
  3. Terminal Services client installation.
  4. Post-package creation.
  5. Group policy creation.
  6. Package application.
These steps are described in detail below.
  1. Prepare for package creation:

    1. Create a network share on which the installation files will reside. This share should remain available for as long as the Terminal Services client is installed.
    2. Copy the Terminal Services client installation files from \\<SystemRoot>\System32\Clients\Tsclient\Net\Win32 (or Win32a for Alpha-based computers) to a folder in the share.
  2. Create the installation package:

    1. On the reference workstation, start the Discovery tool (Discoz.exe) by typing the UNC path (or locate it in Network Neighborhood).

      NOTE : As stated in the technical walkthrough, do not map a drive to the folder that contains Discoz.exe.
    2. When the WinINSTALL Discover program starts, specify the application name as "Terminal Services Client." Click the "..." button and locate the installation share point. For the file name, type TSClient , and then click Open . Verify that the operating system type is set to 32-Bit Windows , and then click Next .
    3. Specify a temporary work folder on a hard disk with adequate space, and then click Next .
    4. Select the drive on which the Terminal Services client will reside, and then click Add . It will appear on the "Drives to Scan" list. Click Next .
    5. Accept the default file exclusion list by clicking Next .
    6. The WinINSTALL Discover program displays a completion message when the "Before" snapshot is completed. Click OK , type the UNC path to the network share that contains the installation files for the Terminal Services client, and begin installation by running Setup.exe.
  3. Terminal Services client installation:

    1. When the Setup program starts, Click Continue .
    2. Type the default name and organization information, and then click OK . Confirm that the information is correct, and then click OK .
    3. Click I Agree to accept the License Agreement terms.
    4. Verify that the installation path resides on the drive that you selected in step 2d. Change the installation path to the drive selected in step 2d if necessary. Click the large button to begin installation.
    5. Terminal Services Client Setup prompts you to apply the initial settings to all users of the computer. Click Yes .
    6. When Terminal Services Client Setup notifies you that the installation completed successfully, click OK .
    NOTE : If any errors are encountered, quit the Setup program and run the WinINSTALL Discover program again, repeating step 2.
  4. Post-package creation:

    1. When the installation is completed, start the Discovery program again using the UNC path (or locate it in Network Neighborhood). Click Next to begin the "After" snapshot.
    2. Once the "Conversion Successful" notification appears, the Discover program may display warnings. These may not necessarily be problems with the installation itself. Click OK .
    3. Click OK to acknowledge that the "After" snapshot is complete. The .msi file and associated files are created in the network share that contains the Terminal Services client installation files. Do not delete any of these files or folders.
  5. Group policy creation:

    1. Start the Active Directory Users and Computers administration console on the server.
    2. Create or locate the appropriate Organizational Unit (OU) within which you want to deploy the Terminal Services client. Populate the OU with the appropriate users, groups, and/or computers.
    3. Right-click the container, and then click Properties .
    4. Click the Group Policy tab, and then click New . Name the new policy "Terminal Services Client Distribution," and then click Edit . Group Policy Manager starts.
    5. Click the appropriate policy object depending on your deployment strategy. If you want to distribute the Terminal Services client on a per-computer basis, click the Computer Policy object. If you want to distribute the Terminal Services client on a per-user basis, click the User Policy object.
    6. In the left pane, click the plus sign (+) next to the policy object to expand the view. Under the policy object, expand the Software Settings so that the "Software installation" policy object appears.
    7. Right-click Software installation , point to New , and then click Package . Or, point to New on the Action menu, and then click Package .
    8. When the Software Package Control tool appears, locate the network share using the UNC path that contains the Terminal Services client installation files and click the MSI package that you created. Click Open .
    9. Click the deployment method or click Advanced to configure the package if needed.
    10. The package should appear in the right pane of the Group Policy window. Quit Group Policy Manager and quit the Group Policy Control tool.
    11. Quit the Active Directory Users and Computers administration console.
    12. Refresh the domain policy by typing the appropriate line at a command prompt:
      secedit /refreshpolicy machine_policy /enforce

      -or-

      secedit /refreshpolicy user_policy /enforce
  6. Package application:

    1. Ensure that replication has occurred on all domain controllers before attempting to use the published program.
    2. Log on to a workstation to receive the published Terminal Services client.
    3. Test the policy and make changes if needed.
    4. You can now remove the Terminal Services client installation safely from the reference computer.
The policy should now be available to users. If you need to uninstall the Terminal Services client, removing the package from the policy provides the option to automatically uninstall from it from workstations.

NOTE : A transform or edit to package (.mst file) to modify parts of the installation may need to be applied, depending on your organization`s needs.

back to the top

REFERENCES

For more information about group policies, please refer to the "Group Policy Walkthrough" technical walkthrough. You can obtain this technical walkthrough from TechNet and on the Internet at the following Microsoft Web site:

http://www.microsoft.com/windows/server/Deploy/management/GroupPolicyWT.asp

back to the top
HOW TO: Automatically Run Programs When Users Log On to Windows 2000 Terminal Services 

PSS ID Number: Q321707

Article Last Modified on 08-6-2002


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional

IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
Q256986 Description of the Microsoft Windows Registry

IN THIS TASK


Summary

This article describes how to use various methods to have programs start automatically when users log on to Terminal Services.

back to the top

By Using Client Connection Manager

You can specify a program to start either when you create a new connection in Client Connection Manager, or after you create a connection.

back to the top

Specify the Program to Start When You Create a New Connection

To create a new connection to the Terminal Services server:
  1. On the client computer, click Start, point to Programs, point to Terminal Services Client, and then click Client Connection Manager.
  2. In the Client Connection Manager Wizard, click Next.
  3. In the Connection name box, type a descriptive name for the connection.
  4. In the Server name or IP address box, type the server`s name or IP address, or click Browse to search for the server. When you finish, click Next.
  5. Leave all of the automatic logon information blank. Using automatic logon information might be a security is if a non-administrator has access to the computer from which you run the client. Click Next.
  6. Click a screen resolution that is appropriate for you.
  7. Leave the Enable data compression and Cache bitmaps check boxes clear unless you are working over a slow dial-up link. Click Next.
  8. Click to select the Start the following program check box, and then type the path and file name of the program that you want to start when a connection is made. In the Start in box, type the working folder, if required.
  9. Click Next, and then click Finish.
back to the top

To Change the Program to Start

  1. On the client computer, click Start, point to Programs, point to Terminal Services Client, and then click Client Connection Manager.
  2. Click the connection to change.
  3. On the File menu, click Properties.
  4. On the Program tab, click Start the following program, and then type the path and file name of the program that you want to start when a connection is made. In the Start in box, type the working folder, if required.
back to the top

By Using the Environment Tab

To specify a program to start when a session connection is made by using the Environment tab:
  1. Use the appropriate step:

    • For a domain user account, start Active Directory Users and Computers. In the console tree, expand the Domain node, and then click the folder in which users are located.

    • For a local user account, start Computer Management (Local). In the console tree, click Users. (Expand Computer Management, expand System Tools, expand Local Users and Groups, and then click Users.)

  2. Double-click the user for whom you want to change the program that starts.
  3. On the Environment tab, under Starting program, click to select the Start the following program at logon check box.
  4. In the Program file name box, type the path and file name of the program to start when the user logs on. You can also specify a working folder by typing the path in the Start in box.
  5. Click Apply.
Notes:
  • To start Active Directory Users and Computers, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

  • To start Computer Management, click Start, point to Settings, click Control Panel, double-click Administrative Tools, and then double-click Computer Management.

back to the top

By Using a Program Shortcut in the Startup Folder

  1. On the Terminal Services server, start Windows Explorer, and then open the user`s Startup folder. By default, this folder is:

    C:\Documents and Settings\ Username\Start Menu\Programs\Startup
  2. On the File menu, point to New, and then click Shortcut.
  3. In the Type the location of the item box, type the path and file name of the program to start.
  4. Click Next.
  5. Click the Startup folder, and then click Next.
  6. Type a name for the shortcut or accept the default.
  7. Click Finish, and then click OK.
back to the top

By Using Group Policy

You can specify programs or documents that are started automatically when a user logs on by using the "Run these programs at user logon" policy. NOTE: This policy appears in the Computer Configuration and User Configuration folders. If you configure both policies, Windows starts the programs that you specify in the Computer Configuration policy before it starts the programs that you specify in the User Configuration policy.
  1. On the Terminal Services server, start Microsoft Management Console (MMC), and then add the Group Policy snap-in.
  2. Click Local Computer Policy, click Computer Configuration, and then click Administrative Templates.
  3. Click the System object, double-click Run these programs at user logon in the list of Local System policies in the right pane, and then click Enable.
  4. Click Show, and then click Add.
  5. Type the name of the program (.exe) file or document file. Unless the file is located in the %SystemRoot% folder, you must specify the fully qualified path to the file.
  6. Click OK.
back to the top

By Using the Registry

WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

You can specify a command line in the registry to start a program when users log on to Terminal Services:
  1. On the Terminal Services server, start Registry Editor (Regedt32.exe).
  2. Locate and then click the following key in the registry:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  3. On the Edit menu, point to New, and then click String Value.
  4. Type any name for the value, and then click Modify on the Edit menu.
  5. In the Value Data box, type the command line for the program that you want to start when users log on.
  6. Click OK, and then quit Registry Editor.
back to the top

By Using a Logon Script

You can create a logon script that runs specific programs when users log on. You can assign that script to a user. For more information about creating logon scripts to configure user work environments, visit the following Microsoft Web site:
Using logon scripts to configure user work environments
back to the top

To Assign a User Logon Script to a User

  1. Start Computer Management.
  2. In the console tree, click Users (under System Tools and then Local Users and Groups).
  3. Double-click the user to whom you want to assign a logon script.
  4. Click the Profile tab.
  5. In the Logon script box, type the path and name of the logon script that you want to assign to the user, and then click OK.
Notes:
  • To start Computer Management, click Start, click Programs, click Administrative Tools, and then click Computer Management.

  • The path to the logon script is relative to the local logon script path on the server.

For additional information about assigning scripts to users, click the article number below to view the article in the Microsoft Knowledge Base:
Q258286 How to Assign a Logon Script to a Profile for a Local User
back to the top
1 2 3 4 5 6 7 8 [9] 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26

Featured Links