Although hosting providers are generally required to provide the Windows Server operating system license via the SPLA program on hosted servers, very few offer the Remote Desktop Services (previously Terminal Services) user licenses (aka CALs/SALs) to their customers. If you are using the Remote Desktop Services role, you are required to have RDS user licenses for each unique end user that uses RDS. The RDS CALs/SALs are not part of the Windows Server OS licensing and are applied separately. We provide the Remote Desktop Services licenses at $7.75 per user which can be increased in increments of one on a monthly basis. Contact us for additional information.
For remote desktop (terminal server) application hosting where the user is logging into a full desktop session, Mac users should have a good experience, and there are Remote Desktop Connection clients that can be downloaded for Macs, iPhone and iPad. (The Remote Desktop Connection client is preloaded on all Windows machines and doesn’t require a download to use it.) The clients for Macs/Apple can be found here: http://www.RiptideHosting.com/blog/remote-desktop-connection-client-for-macs/
RemoteApp is an optional feature of Remote Desktop Services where users are not provided a desktop session but rather can only open a specified application. This feature doesn’t work well for Mac users in Windows 2008R2 due to the limitations below. It should work better in Windows 2012R2 for Mac users, but only when using the RDweb login option. We have many Mac users using our Remote Desktop hosting, although most are using full desktop sessions instead of RemoteApp. There are other options instead of RemoteApp as described toward the end of this post.
With RemoteApp, you can distribute a RDP file to a user (Windows 2008R2 only – “RDP distributable file” – this option is not available in Windows 2012R2) or you can set it up for users to access the specified program via a URL. The user can open the specified application but does not get a full desktop session to save/share files, etc.
- RD Web URL – When enabled, you can access the RD Web Access website at https://IPaddress/rdweb . In 2008R2, the website requires that the client browser has ActiveX enabled, which basically limits usage to Internet Explorer and therefore excludes Mac users (as noted here: https://technet.microsoft.com/en-us/library/cc731508.aspx). In 2012R2, the RD Web Access website no longer requires ActiveX and is supposed to work with many more browsers. However, Server 2012R2 does require that the Active Directory Domain Controller role be installed to use RemoteApp, whereas it is not required in Windows 2008R2.
- Create an RDP file via the RemoteApp Wizard to distribute to users. The wizard creates the file easily and PC users should be able to open it easily. Mac users generally have issues opening the file because their system doesn’t recognize it. Note: Windows Server 2012R2 no longer has the option to create the RemoteApp distributable file.
If you are going to use RemoteApp in 2008R2, contact us for additional instructions and tips that we can provide.
- Launch a program automatically upon login. You can specify a program to run automatically upon login. You can do this by individual user (profile/properties tab), for all users in RD Session Host configuration and in Group Policy. See our post here: http://www.RiptideHosting.com/blog/how-to-launch-a-program-automatically-when-logging-into-remote-desktop-server/
- Use full desktop sessions but configure group policies to limit access to certain things, remove icons, prevent access to drives, etc.
You can create local group policies that affect non-administrators only (or even specific users). This can be useful to keep non administrator users from doing things such as:
- Power off the server
- See or access certain files
- Run or not run certain programs
- See icons
- Hide or Disable control panel items
- And much more….
Modifying group policies via gpedit.msc affects all users, including the administrator, so don’t apply restrictive policies that way: you can lock out every account, including the administrator, and that can’t be reversed (restoring from backup is the only solution then). To create an individual group policy that applies to a specific user or group, such as all non-administrators, use mmc.exe as follows:
Create a group policy that affects only certain users (don’t change policies via gpedit.msc, which applies to all users, including administrators):
- Run mmc.exe when logged in as the administrator
- It will open screen below and then click File -> “Add/Remove Snap-In”
- Select “Group Policy Object Editor” under the Available Snap-Ins column, and click Add
- Then click Browse and select the Non-Administrators group on the Users tab. Make sure to click Browse and change the target from just “Local Computer” to the specific group or users. This creates a Group Policy Object called “Local Computer\Non-Administrators”. Then click Finish.
- Click OK on the “Add or Remove Snap-ins” window
- Then expand the Local Computer\Non-Administrators Policy header and go to User Configuration to make changes that will apply only to non-administrators. See below for some examples of group policies you could use; there are a lot of them and this is just a sample.
- When finished, go to File -> Save As and name it. You can open this group policy from File -> Open in the future, or save it in a location you will remember, such as the desktop, and double-click the saved .MSC file to open it, if you need to continue making modifications for this group later (open this file instead of creating a new one).
Example of some group policies to consider
Many of these group policies hide an icon or remove access to a program through one method but not necessarily through all methods. Enabling group policies is a good way to limit users’ ability to perform undesired actions but doesn’t result in a complete lockdown. You should always test the actions modified via group policy to verify that the desired result has been obtained. [If you don’t want to provide a desktop session to users (and don’t need shared folders between users), you could look at having your application start automatically upon login (http://www.RiptideHosting.com/blog/how-to-launch-a-program-automatically-when-logging-into-remote-desktop-server/) (this doesn’t work the same way in Server 2016 as in 2012R2) or at RemoteApp / RDWeb. Note: RemoteApp requires the server to be joined to a domain.] Group policies vary between Windows Server editions, so you may not see all of these. This is just a small sample of the many group policies available; there are usually several methods and policies that could be enabled to get the result you want, so do some research and try various methods.
- User Configuration\Administrative Templates\Control Panel\Hide specified control panel items – hides items in the Control Panel window. Use canonical names such as Microsoft.WindowsFirewall. Here is a list of canonical names for 2008 R2, which should be similar in 2012 R2: https://msdn.microsoft.com/en-us/library/windows/desktop/ee330741(v=vs.85).aspx
- User Configuration\Administrative Templates\Control Panel\Prohibit access to control panel and PC settings – user can’t open control panel from start button
- User Configuration\Administrative Templates\Windows Components\File Explorer\Hide these specified drives in my computer – hides drives in My Computer and File Explorer. As with many other policies, this hides the drives but doesn’t restrict access to them; see the next policy for that.
- User Configuration\Administrative Templates\Windows Components\File Explorer\Prevent access to drives from my computer – the drives are still shown, but access is blocked when the user double-clicks the C: drive or the other drive(s) specified.
- User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restrict users to the explicitly permitted list of snap-ins – enable to prohibit snap-ins
- User Configuration\Administrative Templates\System\Prevent access to registry editing tools – removes access to regedit.exe (windows registry editor)
- User Configuration\Administrative Templates\System\Prevent access to the command prompt – removes access to the command prompt
- User Configuration\Administrative Templates\System\Don’t run specified Windows applications – to specify programs that can’t be run – for example, if you don’t want Internet Explorer to run, you can type in iexplore.exe in the field.
- User Configuration\Administrative Templates\Windows Components\Windows Installer – prevent users from using Windows Installer to install updates and upgrades
- User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the action center icon – will remove the action center icon. There are many other polices listed in this same area to remove various icons, etc. that you can review.
- User Configuration\Administrative Templates\Windows Components\Windows Updates\Remove access to use all Windows Update features – removes access to Windows Update. You will want to confirm that the Administrator account still has access to Windows Updates and that automatic settings are still enabled and working.
- User Configuration\Administrative Templates\Start Menu and Taskbar\Remove pinned programs from the taskbar – Hides icons for Server Manager, Powershell and File Explorer
- Although not a group policy, you may want to modify Task Scheduler to disable the Server Manager pop-up at logon. Open Task Scheduler, navigate to Task Scheduler Library\Microsoft\Windows\ServerManager and disable the task there.
- There are also items in gpedit.msc under Computer Configuration (unlike the User Configuration items listed above) that you may want to enable and that affect all users, such as Remote Desktop Session Time Limits, especially the limit for disconnected sessions, which prevents disconnected sessions from consuming server resources: http://www.RiptideHosting.com/blog/how-to-set-time-limit-for-disconnected-sessions-windows-server-2012r2/
- Under gpedit.msc, under Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host…there are many policies you can review. These would affect all users including the administrator user. Under Device & Resource Redirection, you can change settings on audio/video playback, clipboard redirection, drive redirection, port redirection, etc.
If you want to remove the shortcuts/icons available to a particular user when they right click on the start button, you can remove them by going to c:\users\[username]\appdata\local\microsoft\windows\winx and deleting the shortcuts showing for that particular user. See link here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/a6bfa211-f5fe-461d-8e09-f6ef3adb8b17/remove-right-click-option-in-ts-2012-r2-start-button?forum=winserverTS
Make sure to test your changes to verify that actual results are what you intended!
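One way to do that testing, as an added PowerShell example that is not part of the original post: signed in as one of the restricted users, this reads the HKCU registry values behind the User Configuration policies listed above and reports which restrictions actually reached that account. It requires PowerShell 3.0 or later, and the policy-to-registry-value mapping is the example’s own, so validate it against your server edition.

```powershell
# Added example (not from the original post): run while signed in as a restricted (non-administrator)
# user to confirm which of the User Configuration policies listed above took effect for that account.
# It reads the HKCU registry values those policies set and decodes them. Requires PowerShell 3.0+.
$Explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$System   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$CmdKey   = 'HKCU:\Software\Policies\Microsoft\Windows\System'
$MmcKey   = 'HKCU:\Software\Policies\Microsoft\MMC'
$WuKey    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate'

function Get-PolicyValue {
    param([string]$Key, [string]$Name)
    if (-not (Test-Path $Key)) { return $null }
    (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
}

# "Hide these specified drives" (NoDrives) and "Prevent access to drives" (NoViewOnDrive) are
# bitmasks: bit 0 = A:, bit 1 = B:, ... bit 25 = Z:
function ConvertFrom-DriveMask {
    param([int]$Mask)
    $letters = foreach ($i in 0..25) {
        if ($Mask -band (1 -shl $i)) { '{0}:' -f [char](65 + $i) }
    }
    if ($letters) { $letters -join ',' } else { '(none)' }
}

# List-type policies ("Don't run specified Windows applications", "Hide specified control panel
# items") keep their entries as values 1, 2, ... in a subkey named after the policy
function Get-PolicyList {
    param([string]$Key)
    if (-not (Test-Path $Key)) { return @() }
    $item = Get-Item -Path $Key
    foreach ($name in $item.GetValueNames()) { $item.GetValue($name) }
}

function Get-EffectiveUserRestrictions {
    [pscustomobject]@{
        ControlPanelBlocked     = (Get-PolicyValue $Explorer 'NoControlPanel') -eq 1
        HiddenControlPanelItems = @(Get-PolicyList "$Explorer\DisallowCpl") -join ','
        HiddenDrives            = ConvertFrom-DriveMask ([int](Get-PolicyValue $Explorer 'NoDrives'))
        BlockedDrives           = ConvertFrom-DriveMask ([int](Get-PolicyValue $Explorer 'NoViewOnDrive'))
        RegeditBlocked          = (Get-PolicyValue $System 'DisableRegistryTools') -in @(1, 2)
        CmdBlocked              = (Get-PolicyValue $CmdKey 'DisableCMD') -in @(1, 2)
        BlockedPrograms         = @(Get-PolicyList "$Explorer\DisallowRun") -join ','
        SnapInsRestricted       = (Get-PolicyValue $MmcKey 'RestrictToPermittedSnapins') -eq 1
        WindowsUpdateBlocked    = (Get-PolicyValue $WuKey 'DisableWindowsUpdateAccess') -eq 1
    }
}

# The registry shows what policy was delivered; still exercise each action (open cmd, regedit,
# double-click C:) as that user, since several of these hide an entry point without blocking every path.
Get-EffectiveUserRestrictions | Format-List
```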
We have had issues where RDP users haven’t been able to log in to a remote desktop terminal server when the “user must change password at next logon” box has been checked in user properties – see screenshot #1 below. Various comments and posts online indicate that changes in the Windows authentication process in recent OS versions don’t allow this change if Network Level Authentication (NLA) or the Credential Security Support Provider (CredSSP) is enabled. This is only an issue when trying to force users to change their password over an RDP session; it works fine from a console session if you are local to the machine. Here is a workaround as well as alternatives you may consider:
- Don’t use this option to force users to change their password. Instead, have them manually change it upon logon by pressing control-alt-end and following the change password prompts. Another option is to create a complex, strong password for them without having them change it upon first logon (may be safest route in certain situations) or have them select their own password but enter it with the Administrator while on the admin session and not select the change at next logon option.
- NOT RECOMMENDED IN GENERAL – If you still want to use this option to force a password change, you could turn off NLA and change the RDP security layer to the native RDP security layer. See screenshot #2 below on turning off NLA. See screenshot #3 below on enabling the group policy that selects the RDP security layer instead of Negotiate (typically the default) or SSL/TLS. Using NLA and the higher security layers is usually recommended on your server for security reasons.
- Note: if you are having issues logging in to the server over RDP and getting errors about domain validation (when in workgroup mode and there is no domain), often from the Mac remote desktop client, make sure you are logging in with the full name, which is “machinename\username” instead of just the username. Machinename is the name given to the server, which you can see under computer properties.
This post is about how to shadow a session if the server is not connected to a domain. If the server is connected to a domain, you can go to server manager, RDS Manager, and right click on current sessions to shadow and connect. When the server is in Workgroup mode (not connected to domain) the Remote Desktop Services Manager page is not accessible in Server Manager. To shadow another user’s sessions in Windows Server 2012 R2 in Workgroup mode, use the following steps:
1) Open command window by clicking start, CMD. You must be using an account with administrative privileges. If you are using an account with administrative privileges that isn’t the named Administrator account, you must run in administrator mode (right click on cmd and click run as administrator)
2) Type quser.exe to determine the session number of the user session you want to shadow.
C:\Users\administrator.computer>quser.exe
USERNAME        SESSIONNAME   ID  STATE
administrator   rdp-tcp#0      1  Active
user1           rdp-tcp#1      3  Active
(Note: typing qwinsta without .exe shows similar information.)
3) In this example, the Administrator is going to shadow the user1 session which is session 3. You need to know the session number (“3”) for the next step.
4) Start shadow session by typing “mstsc /shadow:# /control” where # is the session number to shadow and /control allows you to control the session.
C:\Users\administrator.computer>mstsc /shadow:3 /control
5) The other user (user1 in this example) will get a popup called “remote control request” and must press Yes before shadow session will open.
6) The shadow session will open and you’ll be able to view the user1 session desktop screen.
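The same steps scripted, as an added PowerShell example that is not part of the original post: it parses the quser output to find the session ID for a user name and then launches mstsc with the /shadow and /control switches; the user still has to accept the remote control request. It assumes PowerShell 3.0 or later and an elevated window, and the quser output embedded at the end is constructed for trying the parser offline.

```powershell
# Added example (not from the original post): find a signed-in user's session ID from quser output and
# start the shadow session the steps above describe. Run from an elevated PowerShell window.
# quser columns: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME. The SESSIONNAME column is empty
# for disconnected sessions and the current session is prefixed with ">", so a fixed split breaks;
# the regex below makes the session name optional and tolerates the ">" marker.
$SessionLine = '^\s*>?(?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)'

function ConvertFrom-QuserOutput {
    param([string[]]$Lines)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if ($line -match $SessionLine) {
            [pscustomobject]@{
                UserName    = $Matches['user']
                SessionName = $Matches['session']
                Id          = [int]$Matches['id']
                State       = $Matches['state']
            }
        }
    }
}

function Get-RdsSessionId {
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string[]]$QuserOutput = (& quser.exe 2>$null)   # live output unless sample lines are passed in
    )
    $session = @(ConvertFrom-QuserOutput $QuserOutput |
        Where-Object { $_.UserName -eq $UserName -and $_.State -eq 'Active' })
    if ($session.Count -eq 0) { throw "No active session found for user '$UserName'." }
    $session[0].Id
}

function Start-SessionShadow {
    param([Parameter(Mandatory)][string]$UserName, [switch]$ViewOnly)
    $id = Get-RdsSessionId -UserName $UserName
    # /control lets you drive the session; without it you only watch. Either way the user must click
    # Yes on the "remote control request" prompt before the shadow window opens.
    $mstscArgs = @("/shadow:$id")
    if (-not $ViewOnly) { $mstscArgs += '/control' }
    Start-Process -FilePath mstsc.exe -ArgumentList $mstscArgs
}

# Constructed sample output in the shape shown above (not captured from a real server)
$Sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>administrator         rdp-tcp#0           1  Active          .  9/4/2015 8:02 AM',
    ' user1                 rdp-tcp#1           3  Active          5  9/4/2015 8:10 AM',
    ' user2                                     4  Disc         1:12  9/4/2015 7:55 AM'
)
Get-RdsSessionId -UserName 'user1' -QuserOutput $Sample   # 3, matching the walkthrough above
# Start-SessionShadow -UserName 'user1'                    # live: runs mstsc /shadow:3 /control
```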
Windows Server 2012 or 2012 R2 reboots after installing Windows Updates during inconvenient times that don’t make sense and you would like to modify settings in a more similar way as with Windows Server 2008 R2. Windows 2012 by default restarts 3 days after the installation of Windows Updates instead of 15 minutes which was used in 2008 R2, BUT the restart counter only begins counting down when a user can see it (see Microsoft Technet link below). In addition, it appears that in some situations the restart counter is temporarily disabled when you logoff/disconnect. According to the MSDN blog post below, if after 3 days it is detected that critical applications are open or running in the background or the PC is locked, etc., Windows Update will wait to automatically restart the next time a user logs on with a warning that the machine will be rebooted within 15 minutes.
Although these changes are meant to minimize data loss by providing additional time and warnings prior to reboots, this change in logic can cause confusing timing of reboots of the server and you may wish to have more control over the timing.
If using Windows 2012, make sure KB2885694 (included in update rollup KB2883201 which is what you will see in installed updates) is installed on your server which should already be there since it was released in year 2013. Windows 2012 R2 already includes these new group policy settings.
Modify the group policy settings located here. Open Local Group Policy Editor by typing Gpedit.msc. Go to: Computer Configuration / Administrative Templates / Windows Components / Windows Update.
1. Enable the “Configure Automatic Updates” group policy. Use value of 4. If you want to select a schedule day & time, do NOT check the automatic maintenance box.
2. Enable the “Always automatically restart at the scheduled time” group policy. This allows reboots/restarts approximately 15 minutes after the updates are installed instead of 3 days later. The restart timer can’t be postponed once started, and a restart will occur even if users are signed on.
These changes should make automatic updates act similar to the behavior experienced in Windows Server 2008.
Force updates and restarts at a specific time. For example:
Use the Configure Automatic Updates policy:
Use the Always automatically restart at the scheduled time policy:
See links below from Microsoft for information that was used in the above post:
By default, Remote Desktop Services allows users to disconnect from a remote session without logging off the server and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. A disconnected session continues to consume server resources and we recommend that you set policies to end disconnected session after a period of time. Sessions are ended/closed out if the user Logs Off from the server (start -> logoff) but are not ended if the user simply clicks the X in the upper corner to close the RDP window.
You can limit the amount of time that active, disconnected, and idle sessions remain on the server. Two methods are described below:
#1 — User Properties to set session time limits per user:
In each user’s properties window, under sessions tab, you can change the default of “end a disconnected session” from NEVER to X hours/days as well as change the other settings.
#2 — Group Policy to set session time limits for all users:
- Cmd prompt, gpedit.msc
- Computer Configuration, Admin Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Session Time Limits
- Enable appropriate group policies and modify as needed
- We recommend setting this one because it prevents disconnected sessions from consuming server resources — “Set time limit for disconnected sessions”
- After modifying group policies, you can force an update without rebooting by typing “gpupdate /force” at cmd prompt
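As an added example that is not from the original post, the PowerShell below applies the two Windows Update settings from the previous section (Configure Automatic Updates with value 4, and Always automatically restart at the scheduled time) together with the disconnected-session limit from method #2, by writing the registry values behind those Group Policy entries and then reading them back to verify. The Saturday 03:00 install slot, the 15-minute restart countdown and the 60-minute disconnect limit are the example’s own choices.

```powershell
# Added example (not from the original post): apply the update-restart policies and the
# disconnected-session limit via their registry-backed values, then verify. Run as Administrator.
# Caveat: gpedit.msc reads registry.pol, not the live registry, so it will still show these as
# "Not Configured"; the values below are nevertheless what Windows Update and RDS consult.
$AuKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$RdsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-PolicyDword {
    param([string]$Key, [string]$Name, [int]$Value)
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

function Set-UpdateRestartPolicy {
    # Saturday at 03:00 with a 15-minute countdown are this example's choices
    param([int]$InstallDay = 7, [int]$InstallHour = 3, [int]$RestartDelayMinutes = 15)
    # "Configure Automatic Updates" = Enabled, option 4 (auto download and schedule the install).
    # The automatic-maintenance value is deliberately left unset, i.e. that checkbox stays unchecked,
    # so the scheduled day and time are what apply.
    Set-PolicyDword $AuKey 'NoAutoUpdate' 0
    Set-PolicyDword $AuKey 'AUOptions' 4
    Set-PolicyDword $AuKey 'ScheduledInstallDay' $InstallDay    # 0 = every day, 1 = Sunday ... 7 = Saturday
    Set-PolicyDword $AuKey 'ScheduledInstallTime' $InstallHour  # hour of day, 0-23
    # "Always automatically restart at the scheduled time" = Enabled, countdown in minutes (15-180)
    Set-PolicyDword $AuKey 'AlwaysAutoRebootAtScheduledTime' 1
    Set-PolicyDword $AuKey 'AlwaysAutoRebootAtScheduledTimeMinutes' $RestartDelayMinutes
}

function Set-DisconnectedSessionLimit {
    param([int]$Minutes = 60)   # one hour is this example's choice; the policy stores milliseconds
    # "Set time limit for disconnected sessions" = Enabled
    Set-PolicyDword $RdsKey 'MaxDisconnectionTime' ($Minutes * 60 * 1000)
}

function Test-RestartAndSessionPolicy {
    param([int]$ExpectedDisconnectMinutes = 60)
    $expected = @(
        @{ Key = $AuKey;  Name = 'AUOptions';                       Value = 4 },
        @{ Key = $AuKey;  Name = 'AlwaysAutoRebootAtScheduledTime'; Value = 1 },
        @{ Key = $RdsKey; Name = 'MaxDisconnectionTime';            Value = $ExpectedDisconnectMinutes * 60 * 1000 }
    )
    $allOk = $true
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $ok = ($actual -eq $e.Value)
        if (-not $ok) { $allOk = $false }
        [pscustomobject]@{ Setting = $e.Name; Expected = $e.Value; Actual = $actual; Ok = $ok } | Out-Host
    }
    $allOk
}

Set-UpdateRestartPolicy
Set-DisconnectedSessionLimit -Minutes 60
Test-RestartAndSessionPolicy -ExpectedDisconnectMinutes 60   # True once all three values are in place
```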
#3 — If Windows Server 2008R2, you can modify these settings in RD Session Host Configuration too
To configure session settings on a windows 2008R2 server with Remote Desktop Services role installed, go to start -> administrative tools -> remote desktop services -> RD Session Host Configuration. Then right click RDP-Tcp properties, Sessions tab, and enter value to end a disconnect session after a specific period of time, end an idle session, etc. (tsconfig.msc also opens the RD Session Host Configuration window). More details can be found here: http://technet.microsoft.com/en-us/library/cc754272.aspx
There are Remote Desktop Client apps for a variety of devices. The Remote Desktop Connection client is built into Windows PCs, and you can download the client app for Macs, iPhones, iPads, Android devices, etc.
Below is the link (as of September 4, 2015) for the Microsoft Remote Desktop Client for Android:
This post covers automatically launching a program or application upon login to a Remote Desktop session. See below for methods, including the “start program at login” setting, which can be configured per user. Another method to limit a user to specific programs is RemoteApp. We have several other posts regarding RemoteApp, how to set it up and its limitations (RemoteApp setup is easier in 2008R2, where it works in Workgroup mode, than in 2012R2, but in 2008R2 RDweb requires ActiveX (so IE only) and doesn’t work for Mac users, while RemoteApp in 2012R2 requires joining a domain).
1) USING ENVIRONMENT TAB OF EACH USER’S PROPERTIES ON SERVER: If you want a program to automatically start when a user logs on to the RDP server instead of showing a full desktop session, you can configure this in the Environment tab of the Properties window for each particular user.
After you have made the changes, you should test that it works properly for your users by logging into the server using the accounts you changed/created including testing it with simultaneous sessions and to verify the sessions close properly when the application is closed.
We highly recommend enabling policy to log off disconnected sessions:
- Enable the policy to log off disconnected sessions immediately or within a few minutes, so a blank screen isn’t left behind if users don’t properly exit the program. Exiting the program (instead of clicking the X in the upper right corner of the program) properly logs off the session, but enabling this policy ensures that an improperly disconnected session is automatically logged off. See the blog post here for instructions on how to enable this policy on both 2012R2 and 2008R2: http://www.riptidehosting.com/blog/how-to-set-time-limit-for-disconnected-sessions-windows-server-2012r2/
2) USING PROGRAMS TAB ON REMOTE DESKTOP CLIENT – Another method is to use the programs tab on your local remote desktop client prior to logging in to the server. On the programs tab, you can enter the path for program to start upon login. You can also create a RDP shortcut with this information saved on to your desktop. We have a video on our website on creating RDP shortcuts – https://youtu.be/iLKSMcIrfqE . A disadvantage to this method versus the first method above is that each user can edit the shortcut and change the settings. Your IT person can create these shortcuts and provide them to each user.
If you use this method on Windows 2008R2, you may have to change settings in RemoteApp under RDP Settings Change and allow access to unlisted programs.
3) USING GROUP POLICY – Another method to configure this is to configure programs to automatically start in the RD Session Host Configuration settings and in Group Policy, although then the logon settings could be applied universally to all users, including the Administrator (which means Administrator may not be able to access the desktop, start button, etc.) whereas the method above allows configuration by User. You could also create a separate group policy that would be applicable for a specific group, such as non-administrators, so the group policy change wouldn’t affect all users.
4) REMOTEAPP – Another method is to configure the RemoteApp feature in Remote Desktop Services (RDS). In 2008R2, this feature works great (either the RemoteApp distributable file or RD Web) for PC users but not for Mac users. In 2012R2, the RemoteApp feature requires the Active Directory / Domain Controller service to be installed on the server before RemoteApp can be used.
Many people want to use a domain name instead of the IP address of their remote desktop terminal server to login via the Remote Desktop Connection Client (RDC) on their local machine. A domain name is more professional and easier to remember. For example, if you already own the domain www.Denver-Colocation.com and it points to your website then you can create an Alias/Sub-Domain such as RDP.Denver-Colocation.com that points to the IP address of the remote desktop terminal server and use RDP.Denver-Colocation.com to login via the RDC client instead of the IP address.
You create this record and point it to the IP of your RDP server in the DNS Manager settings where your domain is registered. For example, at Go Daddy, you would do the following:
- Login to GoDaddy and click on the domain name you wish to create the record for
- Then go to the second tab which is labeled “DNS Zone File”
- Under the Zone File section, click on “add record”.
- Select record type “A (Host)”
- In the popup window, enter Host Field as “RDP” or whatever you are using but not the full subdomain which would be in this example “RDP.Denver-Colocation.com”
- In the popup window, enter the Points To field as the IP address of your server XXX.XXX.XXX.XXXX and TTL as 1 hour or whatever is default
- Click OK
- Make sure to SAVE RECORD. In our experience, it only takes 5 or 10 minutes to take effect. Once you can ping RDP.Denver-Colocation.com then you can login with the domain name instead of the IP address.
- Test it by logging into your server using RDP.Denver-Colocation.com instead of IP address
A client of ours running a Windows 2012 R2 remote desktop terminal server was having an issue where text typed on their local keyboard showed up on the server as alternating capital and lowercase letters, like this: “RiPtIdE hOsTiNg”.
SOLUTION is to change the RDP settings on the client
The solution in his case was to modify the following setting on the remote desktop connection client prior to logging in. Open Remote Desktop Connection on your local machine. Click more and go to the Local Resources tab. Under Keyboard, Apply Windows key combinations, select in the dropdown “on local machine / on this machine”. You can save this setting to be permanent by going back to the General tab and doing “save” or “save as”.
When a user with a Windows 8.1 computer would login to a Windows 2012 R2 Remote Desktop Server any text they typed would show up as a capital letter followed by a lower case letter. Example “CaMeL cAsE tExT”. This every other character being a capital letter occurred when using multiple keyboards including local and USB keyboards. It happened whether they were typing in an application or a browser and was occurring without pressing the shift key. It also occurred on two different Windows 2012 R2 RDP virtual servers running on VMware.
We tried many solutions such as turning off Sticky Key and disabling redirection of various devices.
REDIRECTION OF PRINTERS / HARD DRIVES / CLIPBOARD FROM YOUR LAPTOP OR DESKTOP
On client laptop/desktop prior to connecting to server:
Local Printing (and redirection of the DVD drive, local hard drive, copy and paste between client and server, etc.) — When you open the Remote Desktop Connection program on your local laptop/desktop, before pressing “Connect”, click on “Show Options” in the lower left corner. Then go to the Local Resources tab and make sure that Printers is selected (this is also where you can click “More” and share your hard drive so you can easily move files between your PC and the server). Then, once you connect and open a document, go to File -> Print and you will see your printer with a label like this: redirected printer #.
You can check “Clipboard” and “Drives” (under More), which allow you to cut and paste from your local desktop to the server (Clipboard) or see the redirected drives in Windows Explorer (Drives) to move files onto the server.
Use the steps below to schedule a task which can automatically reboot your Windows 2008 R2 server on a recurring basis. Please beware that users that are logged on will be kicked off when the server reboots.
- Go to administrative tools, task scheduler.
- Then right click on Task Scheduler and select Create Task
- Name the task, possibly something like “Reboot Weekly Saturday midnight”
- Change settings to run whether user is logged in or not. Change User/Group and type in SYSTEM.
- On the Triggers tab, select New and fill in your schedule and make sure to check Enabled at bottom of screen
- On the Actions tab, select New, Start a program, browse to “c:\windows\system32\shutdown.exe” and add “/r” in the arguments box
If users are logged on when the server is about to reboot, it will show a message “you are about to be logged off, windows will shut down in less than a minute”. It reboots in about 30 seconds from our experience. If you do this, you’ll want to schedule this when users are not in the server so unsaved data is not lost.
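The same task created from the command line, as an added example that is not from the original post: schtasks.exe exists on 2008 R2 as well as later versions, so the steps above can be scripted and then checked. The task name, the Saturday midnight schedule and the 60-second countdown are the example’s choices; run it from an elevated prompt.

```powershell
# Added example (not from the original post): register the weekly reboot task from the steps above
# with schtasks.exe and confirm it exists. The /t countdown is this example's addition so that anyone
# still signed in gets a short warning before the restart; the original steps pass only "/r".
function New-WeeklyRebootTask {
    param(
        [string]$TaskName = 'Reboot Weekly Saturday midnight',
        [string]$Day = 'SAT',          # schtasks day code: MON, TUE, ... SUN
        [string]$StartTime = '00:00',  # 24-hour HH:mm
        [int]$CountdownSeconds = 60
    )
    $action = "C:\Windows\System32\shutdown.exe /r /t $CountdownSeconds"
    # /RU SYSTEM runs the task whether or not a user is logged on, as the steps above specify;
    # /F overwrites a task of the same name so the function can be re-run after edits
    & schtasks.exe /Create /F /TN $TaskName /TR $action /SC WEEKLY /D $Day /ST $StartTime /RU SYSTEM
    if ($LASTEXITCODE -ne 0) { throw "schtasks failed with exit code $LASTEXITCODE" }
}

function Test-RebootTaskRegistered {
    param([string]$TaskName = 'Reboot Weekly Saturday midnight')
    $info = & schtasks.exe /Query /TN $TaskName /FO LIST /V 2>$null
    if ($LASTEXITCODE -ne 0) { return $false }
    # the verbose listing includes the "Task To Run" and "Run As User" lines set above
    [bool]($info -match 'shutdown\.exe') -and [bool]($info -match 'Run As User:\s+SYSTEM')
}

New-WeeklyRebootTask
Test-RebootTaskRegistered   # True when the task exists and runs shutdown.exe as SYSTEM
```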
We had a user who was having issues sending email in an older version of outlook on their remote desktop terminal server hosted with Riptide Hosting. The error message upon pressing the send button in Outlook was errors have been detected in the user’s outlook.pst file. This issue was only affecting one user on the terminal server. We ran the Inbox repair tool (scanpst.exe) which took almost 30 minutes to run the scan, after which we pressed repair (which also took a long time and sometimes said “not responding” but eventually completed with the message “Repair Complete”). This repair tool fixed the issue but also erased the smtp account settings in outlook which then needed to be re-entered prior to being able to send/receive email.
Generally we don’t recommend installing FTP on a server unless it is necessary. In some cases, it can be easier to transfer files through RDP. If you install FTP on a remote desktop terminal server and after installation it still seems to be blocked even though the ports are open on the Windows firewall, try restarting the FTP service. Restarting the FTP service solved this issue for us. If you are having a similar situation, check that the FTP service is started/running and try restarting it. Also check that the required ports are open on any firewalls used, whether internal or external to the server.
If you are using a remote desktop terminal server, you can transfer files through RDP, by redirecting your local hard drive or via clipboard (cut & paste from local machine to server) without having to install FTP, etc.