Using Windows 2000 User Profiles or Roaming User Profiles

A profile describes the Windows 2000 configuration for a specific user, including the user's environment and preference settings. Profiles typically contain such user-specific information as installed applications, desktop icons, and color options. You can configure Terminal Services-specific profiles for a specific user using the profiles found under the Terminal Services Profile tab located in the User Properties dialog box.

In some cases, users might have already been assigned Windows 2000 profiles. It might also be desirable to assign Terminal Services–specific profiles to users in the following instances:

  • Whenever the user gains access to Terminal Services across the WAN.

  • If the administrator wants to present a session to the user that is different from the user's own desktop environment.

Whenever a user logs on to a server running Terminal Services, the server attempts to load profiles in the following order:

  • User's Terminal Services-specific profile

  • User's Windows 2000 roaming profile

  • User's Windows 2000 profile

Roaming User Profiles

Roaming user profiles allow users to move between different computers and maintain the same environment and preference settings. The profile information is cached on the local hard drive of the Terminal server. In some circumstances, such as the following, it is recommended that this information be deleted after the user logs off:

  • Access to Terminal Services is provided by a group of Terminal Services hosts.

  • Access to Terminal Services is infrequent and you want to minimize the amount of disk space that is used.

The most effective way to delete the cached profiles is to put all of the Terminal Services hosts in a Windows 2000 Active Directory container and apply a specific policy to them that deletes all cached profile information upon logging off.

To facilitate the use of roaming user profiles, plan ahead and identify where they will be stored and how they can be managed. First, identify the locations on a file server or print server that have enough space to store the profiles and are readily available to Terminal Services users. Second, create a Windows 2000 share that users can gain access to with read/write privileges. You need to store profiles in network locations that are different from user home directories.

In order to use roaming profiles on a group of Terminal Services computers, it is imperative that the Terminal Services computers be identical in application and operating system configuration, such as the location of %systemroot% and the installation location of all applications. Otherwise, group different configurations into different OUs and administer them separately.

Group Policy

Group Policy is an effective mechanism to manage and control the behavior of Terminal Services in your environment. You use Group Policy to manage a set of registry values and file permissions that together define the computer resources available to an Active Directory site, a domain, or an organizational unit (OU).

Group Policy builds on the base functionality of registry-based values to include security settings, software installation, logon/logoff and startup/shutdown scripts, file deployment, and redirected special folders. Group Policy is enabled by Active Directory and affects both computers and users in any of these groups: local computer, sites, domains, and OUs.

If you have an organization in which the same users use both Terminal Services and Windows 2000 Professional, use policies with care. The same policy applies to the users' sessions on Terminal Services and on Windows 2000 Professional (with the exception of per-user application management, which is disabled on a Terminal Services Application Server). In this instance, you need to apply a different set of computer policies to the servers running Terminal Services by placing those computers in a separate OU.

Users on a Terminal server in Application Server mode cannot invoke the Windows Installer to add missing components to an application. Therefore, it is important to install all of the necessary components locally when the program is first installed. To do this, you can use a transform file (.mst). Transform files appear as modifications to .msi packages and tell Windows Installer which components to install locally.

Access to Applications

Administrators can control user access to Terminal Services applications in the following ways:

Mandatory Profiles

Profiles can specify which applications are visible to the user.

System Policies

Policies can prevent users from opening applications through Windows Explorer or the Run command. Policies are domain-based, so they can affect users' own computers as well as their Terminal Services sessions.

Group Policy applies user policies for the domain first, then either merges or replaces them with computer policies. This allows a Terminal server to alter or restrict the capabilities provided to users.

Poorly written policies can prevent users from gaining access to programs on all computers within a domain, rather than only in their Terminal Services sessions. If the administrator implements a policy that is based on a user ID or Windows 2000 group, then whatever is specified in that policy applies to that user or group regardless of what system they use. For example, a policy that prohibits accounting users from running Microsoft® Word affects all accounting users in the domain, whether they are using Terminal Services or just their local computers.
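
The scoping difference described above can be checked with a small model of the merge/replace step. This is an added illustration, not Microsoft code: the setting names, both policies and the `mode` parameter are constructed for the example, and the model ignores site/domain/OU precedence.

```python
# Simplified model: user policies are applied first, then the policies linked
# to the computer's OU are merged over them or replace them.
# Every policy and setting name below is constructed for illustration.

def effective_user_policy(user_gpos, computer_gpos, mode=None):
    """Return the user settings in effect for one logon.

    user_gpos     -- ordered setting dicts that follow the user account
    computer_gpos -- ordered setting dicts linked to the computer's OU
    mode          -- None (no computer-side step), "merge" or "replace"
    """
    effective = {}
    if mode != "replace":
        for gpo in user_gpos:        # user policies for the domain come first
            effective.update(gpo)
    if mode in ("merge", "replace"):
        for gpo in computer_gpos:    # computer-side settings win on conflict
            effective.update(gpo)
    return effective

# Constructed: a policy bound to the accounting group (follows the user).
ACCOUNTING_USER_POLICY = {"block_winword": True, "wallpaper": "corp.bmp"}
# Constructed: a policy linked to the OU that holds the Terminal servers.
TS_OU_POLICY = {"hide_run_command": True, "block_explorer_launch": True,
                "wallpaper": "none"}

def sessions_for_accounting_user(ts_mode):
    """Effective settings for the same user on a workstation and a Terminal server."""
    user_gpos = [ACCOUNTING_USER_POLICY]
    return {
        "workstation": effective_user_policy(user_gpos, [], None),
        "terminal_server": effective_user_policy(user_gpos, [TS_OU_POLICY], ts_mode),
    }

def applied_everywhere(sessions):
    """Settings with the same value in every session: restrictions that are
    not confined to Terminal Services."""
    views = list(sessions.values())
    return {k: v for k, v in views[0].items()
            if all(s.get(k) == v for s in views[1:])}

if __name__ == "__main__":
    for mode in ("merge", "replace"):
        sessions = sessions_for_accounting_user(mode)
        print(mode, "-> terminal server:", sessions["terminal_server"])
        print(mode, "-> applies on every computer:", applied_everywhere(sessions))
```

In the model, the group-based Word restriction reaches the workstation in both modes, while the Run and Explorer restrictions linked to the Terminal servers' OU never leave those servers.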