Remote Desktop Services troubleshooting

Group Policies - GPOs

When configuring a Remote Desktop Services environment, Group Policies should be your first choice, rather than using the Terminal Services Configuration tool. The main advantage is that the settings will be applied to all servers in your farm, ensuring identical settings on all servers.

A crucial option in any TS-related GPO is loopback processing. This setting allows you to define a set of user settings, which will only be applied to users when they log on to the Terminal Server, without affecting them when they log on to their workstation.
 

The basic steps to use a GPO to configure a Terminal Server:

1. place the Terminal Server (not the users!) in a separate OU
2. create a TS-specific GPO
3. configure the GPO to use "loopback processing" with the "Replace" option (see KB 231287)
4. link the GPO to the OU which contains the Terminal Server machine account
5. add the Terminal Server machine account to the security list of the GPO
6. add a User group to the security list of the GPO (or keep the default entry for "Authenticated Users" if you want the settings in the GPO to apply to all users)
7. modify the rights for Administrators on the GPO: select "Deny" for the right to "Apply this policy" (see KB 816100)

How-To's, White papers

Windows Server 2008 / Vista

• Windows Server 2008 TechCenter: Group Policy
• Advanced Group Policy Management 3.0
• 973072 - Advanced Group Policy Management (AGPM) takes more than 60 seconds to load Group Policy object (GPO)
• AGPM (Advanced Group Policy Management) 3.0 Screencast Series - by Kurt Roggen
• Download the Planning and Deploying Group Policy guide
• Download the Managing Group Policy ADMX Files Step-by-Step Guide
• Download the ADMX Migrator - utility to convert your existing Group Policy ADM Templates to the new ADMX format
• 929841 - How to create a Central Store for Group Policy Administrative Templates in Window Vista
• 321476 - How to change the default permissions on GPOs in Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, and Windows 2000 Server
• Download the Group Policy Settings Reference for Windows Server 2008
• Group Policy Settings for Terminal Services in Windows Server 2008
• User Profile Policies in Windows Server 2008 and Windows Vista

• Group Policy Preferences FAQ
• 943729 - Information about new Group Policy preferences in Windows Server 2008
• 959963 - Description of Group Policy Preference Migration Tool (GPPMIG)
• 954372 - After you download the Group Policy preference client-side extensions on a Windows Vista-based or a Windows XP-based computer, nothing is present under Computer Configuration\Policies\Administrative Templates\System\Group Policy
• 2414013 - Group Policy preferences client-side extension hotfix rollup for Windows Server 2008
• Download the Group Policy Preferences overview
• Download the Group Policy ADMX and Group Policy preferences ADML files for 2008

Windows Server 2008 R2 / Windows 7

• Windows 7 and Windows Server 2008 R2 Group Policy – New features - by Michael Pietroforte

Citrix XenApp 6 for Windows Server 2008 R2

• Group Policy integration in XenApp for 2008 R2
• CTX126864 - How to Integrate XenApp 6 Policies into Active Directory
• XenApp for 2008 R2 Policies Deep-dive
• CTX125141 - Citrix Policies in XenApp version 6.0 or later Cannot be Configured Using ADM Templates
• CTX134961 - XenApp Policies Are Not Applying Correctly On XenApp 6.0 Or 6.5

Windows Server 2003

• Step-by-Step Guide for Configuring Group Policy for Terminal Services
• Download the Windows Server 2003 Group Policy Infrastructure White Paper
• Download the Group Policy Settings Reference for Windows 2003
• Download the Group Policy Management Console
• Download the Group Policy ADM Files for each OS / SP combination of W2K, XP and 2003
• 260370 - How to Apply Group Policy Objects to Terminal Services Servers
• 231287 - Loopback Processing of Group Policy
• 816100 - How To Prevent Domain Group Policies from Applying to Administrator Accounts and Selected Users in Windows Server 2003
• How can I lock down my standalone TS with a local policy without locking down the Administrator account?
• Download the Using Administrative Template Files with Registry-Based Group Policy White Paper
• 910203 - How to implement system policies for Windows XP-based, Windows 2000-based, and Windows Server 2003-based client computers in non-Active Directory environments
• 816662 - Recommendations for managing Group Policy administrative template (.adm) files

Known problems and troubleshooting tools

• 250842 - Troubleshooting Group Policy Application Problems
• Download Group Policy Log View - a utility you use to export Group Policy event data from the system and operational log into a text, HTML, or XML file
• 940122 - How to use the Microsoft Group Policy Diagnostic Best Practice Analyzer (GPDBPA) tool to collect and to analyze data
• Troubleshooting Group Policy Using Event Logs
• 910206 - How to troubleshoot Group Policy object processing failures that occur across multiple forests

Windows 2008 / Vista specific

• 2672601 - Terminal Services service crashes when Group Policy settings are refreshed in Windows Server 2008
• 2384558 - Inheritance of ownership in Group Policy Management Console does not work as expected
• 950876 - Group Policy settings are not applied on member computers that are running Windows Server 2008 or Windows Vista SP1 when certain SMB signing policies are enabled
• 953768 - A Windows Vista-based or Windows Server 2008-based computer needs at least the Read permission for Group Policy Objects in Active Directory Domain Services if the computer is configured for loopback processing
• 949528 - On a computer that is running Windows Vista or Windows Server 2008, a mandatory user profile is not deleted when the "Delete cached copies of roaming profiles" Group Policy setting is enabled
• 957802 - The "Slow network connection time-out for user profiles" Group Policy setting does not work for a Windows Vista Service Pack 1-based or a Windows Server 2008-based client computer
• 977755 - Error message when a Group Policy client-side extension cannot log RSOP Data:"0x80041002"

Windows 2003 / XP specific

• 887303 - Applying Group Policy causes Userenv errors and events to occur on your computers that are running Windows Server 2003, Windows XP, or Windows 2000
• 971243 - Gpresult.exe terminates unexpectedly displaying security options when using the "/v" flag on Windows Sever 2003 x64
• 932460 - Error message when a domain administrator or a local administrator uses the GPResult.exe tool or runs an RSoP query in Windows Server 2003: “Access denied”
• 896669 - When use the Group Policy Object Editor on a computer that is running Windows Server 2003 or Windows XP to change GPOs on a remote domain controller, the changes do not take affect for a long time
• 951059 - On a Windows Server 2003-based computer, registry-based policy settings are unexpectedly removed after a user logs on to the computer
• 555218 - Some Group Policy areas are missing from the Group Policy Editor unregistered MMC snapin dll's
• 950085 - The Group Policy Object Editor MMC snap-in displays a Group Policy setting as "Not configured" in Windows Server 2003 when the value of the setting is longer than 1,024 characters
• 977629 - Terminal Services Group Policies may not take effect in Windows Server 2003 after a terminal server restart replaces KB 970870

RDS related GPO issues

Folder Redirection

• 274443 - How to dynamically create security-enhanced redirected folders by using folder redirection in Windows 2000 and in Windows Server 2003
• 888203 - How to stop Folder Redirection in Windows Server 2003 and in Windows 2000 Server
• 938380 - After you apply a GPO to redirect a folder to a network share on Windows XP-based or on Windows Server 2003-based client computers, the redirected folder is empty
• 949143 - Windows Vista-specific folder redirection policies are removed from a GPO when you connect to an AGPM server component that is installed on a Windows Server 2003-based member server
• 978098 - Errors when you have a large "Folder Redirection" policy settings file in Windows Vista, in Windows 7, in Windows Server 2008, or in Windows Server 2008 R2
• CTX124389 - How to Configure Client to Server Content Redirection with Folder Redirection

Misc. policy settings

• 231289 - Using Group Policy Objects to hide specified drives
• 818465 - HOW TO: Use Group Policy to Permit Users to Redirect and Play Audio in a Remote Desktop Session to Terminal Services in Windows Server 2003
• 324807 - How To Use Group Policy to Configure Automatic Logon in Windows Server 2003 Terminal Services
• 890864 - Some idle session Group Policy settings do not work if you try to use them on a Microsoft Windows XP Professional-based computer that is in a domain environment
• 839918 - Hotfix that lets you control whether a user can save a password for Remote Desktop Connection sessions to a terminal server in Windows XP or in Windows 2000