Tuesday, 29 May 2007

SBS 2K3 - All Versions: When setting up Remote Desktop Servers - a couple of important GP settings

We have a number of clients that we have setup remote desktops on dedicated rack mount and pedestal servers.

In some cases, we have just a 1U with XP Pro installed on. In others, we have a dedicated Microsoft Virtual Server 2005 R2 box serving three or more XP Pro or Vista Business desktops.

Whenever we need to setup the remote desktop environment at the client site, a couple of very important GP settings need to be implemented.

The first, is to remove the Disconnect button from the Start Menu:

This policy setting is implemented in the SBS Client Computer GPO.

In a multi-user scenario, if one user disconnects it leaves the remote desktop machine in a Locked state. If another user tries to log into the machine, they get a message warning them that someone is already logged on even though the previous user already disconnected.

As part of the user training, we let them know that they cannot log on to the remote desktop machine if they get that warning. We also train them to log off the system the same way they would at the end of the day on their laptops.

The second is to only allow the domain admin, and a test account if you use one, to have the ability to remotely shutdown the system.

This policy is implemented in a GPO we create and link at the domain level called, "Default Domain Security Policy" since the settings fall under the Security Options section in the GPO.

It would be very awkward if users who were used to shutting their system down when done did so with the remote desktop server system. Even with the warning that the system would not be available for other users, it would still be turned off accidentally by someone.

This would mean either a trip down to the client's location to fire the remote desktop machine up again, or having someone go into the server closet/room to hit the power button on the unit. Remote power cycling PDUs are not necessarily an option.

This also presents a bit of a predicament because all of our clients with the Remote Desktop setup are locked down with limited access to certain individuals within the company.

Our clients that use this solution are quite happy with it. For those with close to 100% laptop saturation, it presents a viable way to securely access their corporate data, as well as their proprietary network applications simply and conveniently from virtually anywhere.

If you need to provide close to 100% anywhere Internet access to the laptop user, EVDO PCMCIA modems work excellently with this particular setup in North America. EVDO provides great speed and coverage versus the alternatives.

Philip Elder
Microsoft Small Business Specialists

No comments: