02-05-2021

Terminal Services Configuration Windows 10



This article applies to Windows 2000. Support for Windows 2000 ends on July 13, 2010. The Windows 2000 End-of-Support Solution Center is a starting point for planning your migration strategy from Windows 2000. For more information see the Microsoft Support Lifecycle Policy.

Summary

This article discusses the Terminal Server Administration tool, Connection Configuration.

More Information

When you open this tool, you see that one connection is created by default, the RDP-TCP connection. Typically, this is the only connection that needs to be defined. Nothing needs to be done to enable this connection.
The RDP-TCP connection is a socket connection over TCP port 3389. In this tool, you can specify how long clients can remain connected, if a specific application should run when the client connects, choose the level of encryption, and so on.
You can have one connection defined per transport per type per adapter. So, in a normal Terminal Server with one adapter, you can define exactly one connection since there is only one connection type available. Terminal Server 4.0 by itself with no additional services supports ONLY RDP over TCP connections. If you add a second adapter, you can define a second RDP-TCP connection for that adapter.
Citrix's Metaframe product may be installed on the Terminal Server so Citrix's ICA clients rather than Microsoft's RDP client can be used to connect to Terminal Server. In this tool and in User Manager, you will find options that do not apply unless Metaframe is installed on the Terminal Server.
On a Citrix Winframe Server (based on Windows NT 3.51) or on a Terminal Server with Metaframe installed, customers have the option of creating different connection types for different ICA clients (for example, Macintosh clients, asynch clients, SPX clients).
Right-clicking a defined connection brings up a menu that allows you to edit the connection configuration
Notice that the connection Name, Type, and Transport are unavailable. The name can be changed under Connection/Rename. But the Type and Transport cannot be changed.
The Lan Adapter drop down list shows 'All Lan Adapters...' and any installed adapters. Notice that the connection by default applies to all installed adapters, so just because you have multiple adapters does not mean you must define new connections. You can, but it is not a requirement.
Maximum Connection Count means what it says. Do not confuse this with licensing. This setting governs how many socket connections are allowed. The default is Unlimited.
If you select Client Settings on the Edit Connection screen, you will see a list of options intended primarily for the Citrix ICA client. These settings do not apply to the RDP client. Because the RDP client establishes only a single data channel between the client and the server, mapping to local devices is not possible. Inside an RDP client session, all 'local' resources are the Terminal Server's resources.
However, Citrix's ICA clients have been modified to create multiple data channels between client and server. These settings are included for customers who load Metaframe on Terminal Server and use the ICA clients.
Clicking Advanced on the Edit Configuration screen opens many options, although, again, some apply only to the Citrix ICA client.
Note the selections 'Inherit user config,' 'Inherit client config,' and 'Inherit client/user config.' User config selections are also available in Terminal Server User Manager as options for specific users. Client config options can be set at the client using Client Configuration Manager (installed with the Client software) or in the client's registry (for 32- bit) or .ini file (for 16-bit) settings.
Any values set on this screen apply to all connections at this Terminal Server (and no others, regardless of domain relationship -- these settings are specific to the Terminal Server).
Note also that any values set here will override settings for users in User Manager.
Below is a description of the various advanced options:

Logon

Open the 'Start' menu, click 'Administrative Tools' then click 'Server Manager.' Open the 'Roles' option in the left panel, then press the '+' symbol next to 'Terminal Services.' Click 'Terminal Services Manager' to open the Terminal Services Manager program. 1 Client PC running Windows 10 (CLIENT-10) 01 – open Server Manager Click Add roles and features. 02 – Click Next to proceed. 03 – Choose Remote Desktop Services installation button and click next to proceed. 04 – on the Select deployment type box, click Quick Start (I choose this because I only have One Server for RDS and Remote Apps). It allows remote users to execute apps on Windows Server from multiple devices over a network connection. Remote Desktop Client. It is a separate client software preinstalled on the server and other client OSes to connect and use terminal services. Terminal Server Configuration Setup Guide – Challenges Faced. Aug 20, 2020 Built in text editor comes in handy when dev or admin needs to modify some files. The editor can invoke sudo and prompt for passwords as needed. This could be very helpfull for modifying global configuration files (like /etc/profile, etc.) from editor without using vi or other terminal based editors. Windows Server® 2008 Terminal Services Gateway (TS Gateway) is a role service that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

If you disable Logon, you are disabling client connections. This does not keep non-client users from connecting to the server (for that you would have to pause or stop the Server or Netlogon services). If you want to keep Clients from connecting and establishing terminal sessions, this is where you do it.
NOTE: If you are used to pausing or stopping the Server or Netlogon services to keep users from connecting to the server, you will be tempted to try to stop the Terminal Server service. This service cannot be stopped. You can change it to manual or disabled, but when you restart the server, this service will return to automatic and will start. This is by design. This service is integral to Terminal Server's operation.
NOTE: Stopping the Server or Netlogon services does not keep Terminal Server clients from connecting. These connections use a completely different connection path. Again, disabling logon here in Connection Configuration is the way to deny client connections. Of course, it is also possible to deny connections based on permissions (more detail below).

Terminal server service windows 10

Timeout Settings (in Minutes)

Here you can choose how long a connection should be maintained, how long a disconnected session should be maintained in memory, and how long a session should be allowed to be idle before disconnecting it.
The Connection Timeout determines how long the client can stay connected, regardless of whether the session is idle or not.
The Disconnected Session Timeout determines how long a disconnected session should be held in memory. If a client disconnects (rather than logging off), the session is not terminated. Rather, it is held in memory so that the client can reconnect and re-establish the session. Applications that were running previously should still be available.
The Idle Session Timeout determines how long a session with no activity should remain connected. Note that turning on the Menu Bar clock will generate enough continuous traffic to keep a session from being idle.
If you uncheck No Timeout, the default for Connection is 120 minutes, for Disconnection is 10 minutes, and for Idle is 30 minutes.
Setting these values here affects every Client that uses this connection. If you want to modify the values for a specific user, you can do so in User Manager. However, keep in mind that Connection Configuration values override values in User Manager. If you need both advanced options set in Connection Configuration AND separate options set for individual users in User Manager, you will need to add multiple network adapters to your Terminal Server and define a different connection for each adapter.

Security

Low encryption = Microsoft 40-bit encryption from client to server only. Medium encryption = Same as low but applies in both directions. High encryption (Non-export) = 128-bit standard RC4 encryption High encryption (Export) = 40-bit standard RC4 encryption
Use Default NT Authentication: This forces any Client on this connection to use Windows NT's MSGINA. Otherwise, a 3rd party GINA might be used.

Autologon

If a correct user name, domain, and password are entered here, clients will automatically log on as this user after connection. There are obvious drawbacks to this approach (for example, profiles, home directories). However, note that, because clients are identified to the system by their unique SessionIDs, not their logon names, it is possible for all client users to use the same logon name.

Initial Program

Here you can specify a program that will run for every Client user after connecting and logging on.
If a program is specified here, it is the ONLY application that runs on this connection. The user will connect, log on, and run this application (provided security is not an issue) but will get no desktop. When the user closes the application, the session is terminated. This can be a very useful feature in a single application environment.

User Profile Overrides: Disable Wallpaper

Disabling wallpaper can significantly decrease screen redraw times. This is especially useful for clients connecting over RAS.

On a Broken or Timed out Connection...

If a connection is lost or times out, you have the options of disconnecting the session, which leaves the session intact so the user can reconnect and keep working, or you can reset the connection, which terminates the session.

Reconnect Sessions Disconnected...

This option is used for Citrix direct-serial-port connecting devices only.
From Any Client: If your session is disconnected at one device, you can reconnect from any Client device.
From This Client Only: If you session is disconnected, you cannot reconnect from another Client device.

Shadowing

This feature is only available with the Citrix ICA client.
Another feature of Connection Configuration is the Security/Permissions menu.
Users or groups can be assigned permissions to the connection. Permissions are cumulative except for No Access, so a user who normally has guest access but who is a member of a group with full access will receive full access.

No Access

As you might expect, this means you have no access to the connection.

Guest Access

This permits logging on and logging off only. Guests cannot disconnect sessions or reconnect to disconnected sessions.

User Access

This allows users to:

  • Log on or log off.

  • Query information through Terminal Server Administrator or at a command prompt with the Query command.

  • Send messages through Terminal Server Administrator.

  • Reconnect to disconnected sessions.

  • Disconnect their own session (leaving it resident on the Terminal Server).

Full Access

This allows all of the above plus permission to:

  • Shadow (ICA Clients only)

  • Reset sessions

  • Delete sessions

Along with Guest, User, and Full permissions, there is a more granular set of permissions called Special Access that is used to grant each of the above individually.

Introduction to Terminal Services Configuration

Terminal Services is Microsoft’s thin client. The remote desktop protocol gives an XP Professional experience to users, who for a variety of reasons, cannot use a real XP desktop. Even if you have no intention of deploying Terminal Services for users, it is well worth checking the Windows Server 2003 settings so that you can take advantage of the two free administrative connections.

Terminal services on windows 10

Terminal Services has its own RDP (Remote Desktop Protocol). Most of the user’s settings are configured at the Terminal Services Configuration snap-in, through the 8 tabs underneath under the RDP settings.

In terms of overall Remote Desktop strategy, there are three places to check, here at the RDP-Tcp properties on the server, at the client Options button, and through Group Policy. (Typical Microsoft to provide 3 ways of Configuring Terminal Services.)

8 Settings for RDP-Tcp

To start with, I assume that you are logged on at the Windows Server 2003 console. From the Administrative Tools, launch the Terminal Services Configuration interface. (Beware, there are 3 Terminal Services Snap-ins.)

Now you should see the 8 tabs, which you see under the Connections folder of the RDP-Tcp icon.

General

Microsoft has not left much to configure on the general tab. The only configuration you need is if you have installed certificates or a third party logon / authentication package for the XP client.

Logon Settings

Again, in most instances, Microsoft’s defaults will suffice. The one exception is testing, when I am testing new Group Policies it is annoying to have to keep entering the password, so under these circumstances, I disable the prompt for a password. A real-life application could be if you only use Terminal Services as a Kiosk / internet cafe.

Sessions

Terminal Services Configuration Windows 10 Download

The sessions tab is useful for setting timeouts. I like to control what happens if a Remote Desktop user is idle for hours on end. There are two potential problems, firstly that idle user could be hogging a Terminal Service license, which someone else could use. Secondly, if you have dozens of idle users then the Windows 2003 server’s performance would degrade slightly because it still has to allocate resources to those sessions.

Environment

Most of the time the defaults will suffice, however, if necessary you could start a special program for each session. I know that one company that created special shells and messages, but equally, I know that many users found them annoying because they were not relevant to how they used Remote Desktop.

Guy Recommends: A Free Trial of the Network Performance Monitor (NPM) v12

SolarWinds’ Network Performance Monitor will help you discover what’s happening on your network. This utility will also guide you through troubleshooting; the dashboard will indicate whether the root cause is a broken link, faulty equipment or resource overload.

Perhaps the NPM’s best feature is the way it suggests solutions to network problems. Its second best feature is the ability to monitor the health of individual VMware virtual machines. If you are interested in troubleshooting, and creating network maps, then I recommend that you give this Network Performance Monitor a try.

Remote Control

Here is where you can have fun. The best configuration is to setup remote control whereby the users allow administrators to interact. In fact, the most fun is where you not only view the session but interact with the desktop whether or not the user invites you. I am duty bound to point out that administrators should act responsibly and not abuse their privileges and rights. Managers reading these notes should ask for a detailed report on remote control, because even in view mode, techies could see what the financial manager or other sensitive staff were doing.

On a more general point, managers should always remember that techies are all powerful and could read their email and see or their files. Even with certificates and encryption, if I was an employee, I would always believe that the network manager could see everything that was happening on the network. That pre-supposes that the network manager had the time and found my email and files worth the effort of looking at!

To drive my point home, most security breaches are internal rogues not external hackers.

Client Settings

Terminal Services Config Manager

Definitely a tab to check. Here is where you control local resources. It is all too easy to forget that with Terminal Services it is as thought the user is logged on at the actual server. To digress, the classic ‘gotcha’ is where the users shutdown the server when they think they are shutting down their own XP machines. Naturally you control shutdown via Group Policies.

Meanwhile, back with the Client Settings tab, these menus move resources like the printer from the server to the true local client machine.

Network Adapter

Incidentally, here is where you can tell whether Terminal Services has been installed, or whether the server is just in the default Remote Administration mode. The key setting is the Maximum number of connections, in Remote Desktop mode Microsoft will only allow 2 connections, whereas the full Terminal Services configuration permits unlimited connections. One reason that you may wish to reduce this number is the performance of the server, the other would be the number of licenses.

Permissions

The main reason for looking at the classic permissions tab is to remind yourself that there is such a built-in group as Remote Desktop Users. Microsoft’s best practice suggests that you use this Remote Desktop Users to decide who has the privilege of using Terminal Services.

The server Settings folder keep a record of choices that you made when you installed Terminal Services, the interface makes it easy to go back and adjust a particular attribute.

The diagram on the right was taken from a session where I changed the ‘ Restrict each user to one session ‘ from No to Yes.

Terminal Services Summary

Terminal Window In Windows 10

Even though configuring Microsoft’s Terminal Services is easy, there are still 8 tabs that you should know inside out. Particularly when troubleshooting, you need to be able to find remote control settings or session timeouts.

If you like this page then please share it with your friends

Terminal Services Manager Windows 10

Related topics

Terminal Services Configuration Windows 2016

  • Terminal Services Concepts