Home

Sitemap

Feedback

About...

Print

Custom Search

TS + Citrix Troubleshooting

TS & Citrix FAQ - Server configuration

1. When starting TS Configuration on a W2008 TS, I get an error message: "The settings for this terminal server cannot be retrieved", or "Unable to complete operation: Not found"
2. How do I clear the user name from the logon dialog box?
3. How do I enforce the domain name in the logon dialog box?
4. How can I prevent my users from shutting down the Terminal Server?
5. How can I prevent my users from disconnecting from their session?
6. How can I configure the server to automatically kill disconnected sessions immediately?
7. How can I prevent my users from connecting to the full desktop of the server while deploying my applications through RemoteApp?
8. How can I configure different sets of RemoteApps, based on user group membership?
9. How can I configure different TS desktops, based on user group membership?
10. Can I limit most users to a single session, while allowing other users multiple sessions?
11. How can I enable the clock in the Taskbar for all remote sessions?
12. How can I configure a default wallpaper for my remote users?
13. How can I disable the notification beeps in a TS session?
14. How can I remove icons for Internet Explorer and Outlook Express from all user profiles?
15. How can I lock down my standalone TS with a local policy without locking down the Administrator account?

Other FAQ sections: Installation | Server configuration | Client resources | User issues | Licensing | Printing | Connectivity | Profiles | Performance | Applications | Administration & Monitoring | More FAQS

Q: When starting TS Configuration on a W2008 TS, I get an error message: "The settings for this terminal server cannot be retrieved", or "Unable to complete operation: Not found"
Last modified: December 10, 2008

A: These error messages can be caused by a corrupt WMI repository. Use the winmgmt command to try and solve it:

   winmgmt /salvagerepository
   or
   winmgmt /resetrepository

For more information, check winmgmt on MSDN.

Top of page | FAQ | Home

Q: How do I clear the user name from the logon dialog box?
Last modified: June 17, 2007

A: This can be done with a Group Policy. You will find this setting in:

   Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options    
   "Do not display last user name in logon screen"

Top of page | FAQ | Home

Q: How do I enforce the domain name in the logon dialog box?
Last modified: January 18, 2008

A: By default, the value for Domain/Computer in the logon dialog box is taken from the last logon that was used on the console. You can override this and force the correct domain name in the login box i Terminal Services Configuration:

   Start - Administrative tools - Terminal Services Configuration - right-click RDP-tcp connection - 
   Properties - Logon Settings - select "Always use the following information"

Top of page | FAQ | Home

Q: How can I prevent my users from shutting down the Terminal Server?
Last modified: June 17, 2007

A: If your users can shutdown the Terminal Server, they are members of the Administrator group.
If that's the case, there is no way to prevent them from shutting down the server (and they will be able to do far more serious damage than merely shutting it down!).

You can remove the Shutdown option from the Start Menu with a Group Policy, but this is only a cosmetic change. Normal users will *not* be able to actually shutdown the server, even if they see the option, and Administrators *will* be able to shutdown the server, even if they don't see the option.

Top of page | FAQ | Home

Q: How can I prevent my users from disconnecting from their session?
Last modified: December 11, 2008

A: You cannot completely prevent users from disconnecting their sessions (they can always unplug the network cable or switch off their workstation).
What you can do is this setting a very short time-out limit on disconnected sessions, and configure them to be reset automatically when the time-out limit is exceeded. Note that this will kill the disconnected sessions, and can cause loss of unsaved data in the session. So you should combine this with user education!

Top of page | FAQ | Home

   HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Doubleclick MaxDisconnectionTime value and set it to 1000 decimal. This is the disconnection time-out limit in milliseconds.

Note that such a non-standard value in the registry may be overwritten if you make changes to the connection object properties in the Terminal Services Configuration tool. This would require you to make the registry change again.

Another method is to edit the Group Policy .adm template and create a time-out entry for 1 second. This would enable you to set the 1 second time-out limit in a GPO.

A third method is to use the TS WMI provider, which allows you to set the time limit in miliseconds.
For more info:
How to Configure TS session limit remotely

With all methods, you will have to enable TS Keepalives so that the server will better detect disconnected sessions. This is easiest done with a Group Policy settings:

   Computer Configuration - Administrative templates - Windows Components - Terminal Services
   "Keep-Alive connections"

Top of page | FAQ | Home

Q: How can I prevent my users from connecting to the full desktop of the server while deploying my applications through RemoteApp?
Last modified: October 3, 2008

A: This isn't really possible. If you give users access to RemoteApps, they also have access to the full desktop of the server.
The only work-around would be to set the "Start the following program" setting to logoff.exe. This will affect Remote Desktop connections but not RemoteApps.

Note that even from within a RemoteApp, it's nearly always trivial to get to a full desktop, so you shouldn't regard a "published" application (through RemoteApp) as a safety feature. You will still have to lockdown the server with restrictive policies and NTFS permissions on the file system.

Top of page | FAQ | Home

Q: How can I configure different sets of RemoteApps, based on user group membership?
Last modified: October 12, 2008

A: There is no native way to do this. But there are some freeware extensions to Windows 2008 TS Web Access which let you filter the RemoteApps on your TS Web Access page, based on user's group membership:

• PowerTerm WebConnect - by ERICOM, which is explained in a on-demand TechNet WebCast:
  Extending Windows Server 2008 Terminal Services with Ericom's Free PowerTerm WebConnect Add-On
• RemoteApp Filter - by TSFactory

Top of page | FAQ | Home

Q: How can I configure different TS desktops, based on user group membership?
Last modified: June 17, 2007

A: There are a number of 3rd party add-ons which can do this for you, but it is also possible with native Windows techniques, using Group Policies.

1. Create 3 security groups in your AD and populate them with the user accounts
2. Create 3 different shared folders on a file server and populate the folders with the desktop icons (shortcuts) which you want the user groups to see
3. Create 3 different GPOs, linked to the OU which contains your Terminal Server computer account (but not the user accounts!)
4. In each of the GPOs, configure redirection of the desktop to one of the custom desktop folders which you created in step 2. This is done in User Configuration - Windows Settings - Folder Redirection
5. Configure each of the GPOs with loopback processing of the GPO, with the "Replace" option. You'll find the setting in

      
      Computer Configuration - Administrative Templates - System - Group Policy
      "User Group Policy loopback processing mode"
   

6. Configure the security settings on each of the GPOs so that only the appropriate user group and the TS machine account is allowed to read and apply the GPO

Further reading:

Another way to do this is by using Access Based Enumeration, which is a free add-on to Windows Server 2003.
For a detailed example of using ABE, see:
Build a start menu with ABE

Top of page | FAQ | Home

Q: Can I limit most users to a single session, while allowing other users multiple sessions?
Last modified: September 8, 2007

A: The scope of the "Restrict each user to a single session" setting is server-wide, so you can't configure it differently for different user groups. But there are 2 work arounds:

• allow multiple sessions on the server and use a freeware utility like LockSingleUser to restrict certain users from starting more than one session
• restrict all users to a single session and define a starting application in the AD account properties of the users who should be allowed multiple sessions. Define the starting applications as:

     cmd.exe /c explorer.exe
     

  This will allow the users to start multiple sessions, using the "feature" documented here:
  302883 - "Restrict Each User to One Session" Setting in Tscc.msc Does Not Work

Top of page | FAQ | Home

Q: How can I enable the clock in the Taskbar for all remote sessions?
Last modified: January 26, 2009

A: Before you go ahead and enable the clock, be sure to read this article, which explains why it might not be such a good idea after all:
186505 - Terminal Server Client Taskbar Clock Not Enabled

There's a GPO setting:

   User configuration - Administrative templates - Start Menu and Taskbar
   "Remove Clock from the system notification area"

Windows 2003

Start regedit and go to

   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2

   28 00 00 00 ff ff ff ff 02 00 00 00 03 00 00 00 6d 00 00 00 20 00 00 00 00 00 00 00 e0 03 00 00 00 05 00 00 00 04 00 00

The nineth pair of digits determines the Taskbar properties. Possible values are: Always on top = 0x02 Auto hide = 0x01 Show small icons in Start menu = 0x04 Hide clock = 0x08 Combine the properties you want and set the byte. For example: Always on top + Show small icons + Show clock = 06 Always on top + Show small icons + Hide clock = 0e Note that the changes do not take effect immediately, you have to restart Explorer, or logoff and logon again to see the changes.

If you want to set this for all users, you'll have to export the registry key into a .reg file and import it into the user profile in a logon script. Start the logon script in your GPO to make sure that it runs (and imports the registry file) before Explorer is started.

In stead of importing a .reg file with the above mentioned registry key, you can use Group Policy Preferences:

1. Start the Group Policy Management Console (GPMC) and go to User Configuration - Preferences - Windows Settings - Registry
2. right-click - New - Registry Wizard - select Local Computer - select the registry key
   HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\StuckRects2
3. select the "Settings" value and enter the proper data, using the above mentioned values for the different properties of the taskbar
4. click "Finish"
5. select the "Settings" value - right-click - properties - Common tab
6. select the option "Run in logged-on user's security context (user policy option)"

Recommended reading:
Group Policy Preferences FAQ

Top of page | FAQ | Home

Q: How can I configure a default wallpaper for my remote users?
Last modified: January 5, 2008

A: On Windows 2003, the default configuration is to enforce removal of wallpaper on remote connections. And you might want to think twice before changing it, because enabling wallpaper can have a strong negative effect on performance and bandwidth requirements.

That said, you'll find the Group Policy setting here:

   Computer Configuration - Administrative templates - Windows Components - Terminal Services 
   "Enforce Removal of Remote Desktop Wallpaper" 

   "Specifies whether desktop wallpaper is displayed to remote clients connecting via Terminal Services.
   You can use this setting to enforce the removal of wallpaper during a remote session. By default, 
   Windows XP Professional displays wallpaper to remote clients connecting through Remote Desktop, 
   depending on the client configuration (see the Experience tab in the Remote Desktop Connection options 
   for more information). Servers running Windows Server 2003 do not display wallpaper by default to 
   remote sessions.   
   If the status is set to Enabled, wallpaper never appears to a Terminal Services client. If the status 
   is set to Disabled, wallpaper might appear to a Terminal Services client, depending on the client 
   configuration. If the status is set to Not Configured, the default behavior applies." 

Top of page | FAQ | Home

Q: How can I disable the notification beeps in a TS session?
Last modified: December 29, 2008

A: You can disable the system beep function in client rdp sessions by creating the following registry key on the Terminal Server:

   HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
   "DisableBeep"=DWORD:00000001

The above applies to Windows 2003 SP2 and Windows 2008. If you are running Windows 2003 SP1, you will need a hotfix first:
901115 - A Terminal Services client computer may make beep sounds after you connect to a Windows Server 2003 Service Pack 1-based computer

Top of page | FAQ | Home

Q: How can I remove icons for Internet Explorer and Outlook Express from all user profiles?
Last modified: January 24, 2009

A: This KB article:
250380 - How To Remove Internet Connection Wizard and Outlook Express Icons from the Desktop in Windows 2000
describes which registry key to remove for Outlook Express (applies to Windows 2003 as well), but you might want to delete some more.

Internet Explorer:
   HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}
   StubPath=""
   HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{26923b43-4d38-484f-9b9e-de460746276c}
   StubPath=""

Outlook Express:
   HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}
   StubPath=""

Address Book:
   HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}
   StubPath=""

Top of page | FAQ | Home

Q: How can I lock down my standalone TS with a local policy without locking down the Administrator account?
Last modified: September 9, 2007

A: If your TS is not part of an Active Directory domain, you are limited to using the local policy on the server in stead of a domain GPO. One of the disadvantages is that you can't use security filtering on a local policy, as you can with AD-based Group Policies.
But here's a way around this limitation:

1. Logged on as Administrator, create a local group named "GP Editors" and a local user named "gpeditor". Make gpeditor a member of the GP Editors group
2. Add the GP Editors group to the Security - Advanced - Permissions tab of the folder C:\WINDOWS\system32\GroupPolicy. Check "Full Control - Allow" and "Replace permission entries on all child objects with entries shown here that apply to child objects"
3. On the Security - Advanced - Owner tab, change ownership to the GP Editors group, checking "Replace owner on subcontainers and objects"
4. On the Security tab of the Machine and User subfolders and the gpt.ini file in C:\WINDOWS\system32\GroupPolicy, change the permissions for Administrators to "Full Control - Deny"
5. Create a shortcut on the desktop with the command:
   runas /user:gpeditor "%windir%\system32\mmc gpedit.msc" and name it "Edit Local Policy"

Top of page | FAQ | Home