Users can create a shortcut on their desktop to the Remote Desktop Connection Client on their local PC to make it easier to log in to their remote server. The shortcut can include customizations such as enabling printer redirection, enabling clipboard (to copy and paste between the server and local PC), hard drive redirection and more. You can also choose to save your username so you don’t need to enter it each time.
If you are the local IT admin and want to make it easier for your users to log in to their remote desktop session on the remote server, you can create the RDP shortcut for each of them on their local PC or create it on your PC and provide it to them to save on their desktop. This assumes that the users are on the same version of Windows/RDP.
Steps to create a shortcut on your desktop to your local Remote Desktop Connection Client:
On your Windows PC, open your local Remote Desktop Connection client by clicking the Start button and typing mstsc, or by browsing to the program under Start, All Programs, Accessories, Remote Desktop Connection.
Click on “Show Options” to view the settings that can be modified/customized.
On the General Tab, you can enter the IP address of the remote server, or its DNS name if one is set up, in the computer name field. You can also enter the username if you want it to be saved. Do not click “save as” yet, as you will want to make additional selections first and then come back to the General Tab to “save as” the shortcut to the desktop.
On the Display Tab, you probably want to keep it as Full Screen.
On the Local Resources tab, you have several important options, particularly in the “local devices and resources” section. Most users will want to make sure the boxes by both Printers and Clipboard are checked, which will allow you to print to your local printer and copy and paste files between your local PC and the server. Under the “More” settings, you can select whether to redirect your local c: drive, which will then show up in Windows Explorer on the server to make it easy to move files between your PC and server. We typically don’t recommend that you redirect your hard drives by default in the shortcut because it utilizes additional resources and bandwidth (and you can easily move files using clipboard – copy/paste instead); rather, you can redirect your hard drive only when necessary by changing the setting prior to connecting. If you intend to move files between your PC and server frequently, then you may want to redirect your c: drive by default.
After you have made your selections (usually you can leave the defaults on the remaining tabs), go back to the General Tab and click “Save As”, enter a shortcut name of your liking, and make sure to select your Desktop as the destination for the shortcut. (If you select “Save” instead of “Save As”, your choices will overwrite the default remote desktop connection profile on your local PC.) After saving it to your desktop, you should now see the shortcut on your desktop for easy access!
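The saved shortcut is a plain-text .rdp file, so the same choices can be written and checked with a script. The following PowerShell is an added example, not part of the original article: New-RdpShortcut and Get-RdpRedirection are hypothetical helper names, the server and user names are placeholders, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example. Server and user names passed in are placeholders you supply.
function New-RdpShortcut {
    param(
        [Parameter(Mandatory)] [string] $Server,   # IP address or DNS name
        [string] $UserName = '',                   # saved username (optional)
        [switch] $RedirectDrives,                  # off unless you move files often
        [string] $Path = (Join-Path ([Environment]::GetFolderPath('Desktop')) 'Remote Server.rdp')
    )
    $drives = ''                                   # empty = no drive redirection
    if ($RedirectDrives) { $drives = '*' }         # '*' = all local drives
    $lines = @(
        "full address:s:$Server"
        "username:s:$UserName"
        'screen mode id:i:2'                       # 2 = full screen, 1 = windowed
        'redirectprinters:i:1'
        'redirectclipboard:i:1'
        "drivestoredirect:s:$drives"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode
    return $Path
}

function Get-RdpRedirection {
    param([Parameter(Mandatory)] [string] $Path)
    $settings = @{}
    foreach ($line in Get-Content -Path $Path) {
        # Each line is name:type:value; type is i (integer), s (string) or b (binary)
        if ($line -match '^(?<name>[^:]+):(?<type>[isb]):(?<value>.*)$') {
            $settings[$Matches['name'].Trim().ToLower()] = $Matches['value'].Trim()
        }
    }
    [pscustomobject]@{
        File      = Split-Path -Path $Path -Leaf
        Server    = $settings['full address']
        UserName  = $settings['username']
        Printers  = $settings['redirectprinters'] -eq '1'
        Clipboard = $settings['redirectclipboard'] -eq '1'
        Drives    = $settings['drivestoredirect']
    }
}

# Create a shortcut, then list what every .rdp file on the desktop redirects
$rdp = New-RdpShortcut -Server 'server.example.com' -UserName 'exampleuser'
Get-ChildItem -Path (Split-Path -Path $rdp) -Filter '*.rdp' |
    ForEach-Object { Get-RdpRedirection -Path $_.FullName } |
    Format-Table -AutoSize
```

An admin handing out shortcuts can run Get-RdpRedirection over the files first to confirm that none of them redirects local drives by default.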
We also have a video on creating RDP shortcuts that you can review: https://www.youtube.com/watch?v=iLKSMcIrfqE
Adjusting Server Manager settings so it doesn’t automatically start upon login (or turn it back on)
For Windows Server 2012R2: You may want to adjust the settings for Server Manager so that the Server Manager window opens automatically (or doesn’t open automatically) when logging into a Windows Server 2012R2 desktop session via RDP. You may want to turn it off so that it doesn’t consume resources during login or if it isn’t useful to users. You can follow the steps below to turn auto-start on or off.
Open Server Manager by clicking the Server Manager icon on the bottom taskbar right next to the start button
Under the “Manage” drop-down in the upper right corner, select Server Properties, then click the box by “Do Not Start Server Manager Automatically…” (or uncheck it if you want it to start automatically upon login)
You can always open Server Manager by clicking on the icon in the taskbar next to the start button that looks like a toolbox
Users often ask if there is a way to share documents between users on a remote desktop / terminal server running Windows Server 2012 R2. There are multiple methods to accomplish this, and below is one method to consider:
All users (administrators and non-administrators) should have permissions to view the documents in the Public User’s “Public Documents” Folder.
You can navigate to this folder by going to This PC -> Local Disk C: -> Users -> Public User
For easy access to this folder, you can right click on the Public User’s “Public Documents” Folder, click on “create shortcut” and copy the shortcut to your desktop (or pin to start or both)
OR when you right click, select “Include in library” and select “Documents” (or create new library) which will include a shortcut to this folder in your library.
For remote desktop (terminal server) application hosting where the user is logging into a full desktop session, MAC users should have a good experience and there are Remote Desktop Connection Clients that can be downloaded for MACs, iPhone, and iPad. (The Remote Desktop Connection Client is preloaded on all Windows machines and doesn’t require a download to use it). The Clients for MACs/Apple can be found here: http://www.RiptideHosting.com/blog/remote-desktop-connection-client-for-macs/
RemoteApp is an optional feature of Remote Desktop Services where users are not provided a desktop session but rather can only open a specified application. This feature doesn’t work well with MAC users in Windows 2008R2 due to the limitations below. It should work better in Windows 2012R2 for MAC users but only if using the RDweb login option. We have many MAC users using our Remote Desktop hosting although most are using full desktop sessions instead of RemoteApp. There are other options instead of RemoteApp as described toward the end of this post.
With RemoteApp, you can distribute a RDP file to a user (Windows 2008R2 only – “RDP distributable file” – this option is not available in Windows 2012R2) or you can set it up for users to access the specified program via a URL. The user can open the specified application but does not get a full desktop session to save/share files, etc.
RD Web URL – When enabled, you can access the RD Web Access Web site at https://IPaddress/rdweb . In 2008R2, the website requires that the client browser has ActiveX enabled which basically limits usage to Internet Explorer and therefore excludes MAC users. (as noted here — https://technet.microsoft.com/en-us/library/cc731508.aspx). In 2012R2, the RD Web Access website no longer requires ActiveX and is supposed to work with many more browser options. However, Server 2012R2 does require that the Active Directory Domain Controller role be installed to use RemoteApp whereas it is not required in Windows 2008R2.
Create RDP file via the RemoteApp Wizard to distribute to users. This works easily to create the file and other PC users should be able to open it easily. MAC users generally have issues when they try to open the file where the system doesn’t recognize it. Note: Windows Server 2012R2 no longer has this option to create the RemoteApp distributable file.
If you are going to use RemoteApp in 2008R2, contact us for additional instructions and tips that we can provide.
You can create group policies that affect non-administrators only. This can be useful to keep non administrator users from doing things such as:
Power off the server
See or access certain files
Run or not run certain programs
And much more….
Modifying group policies via gpedit.msc will affect all users including the administrator. If you want to create an individual group policy that can be applied to a specific user or group, such as all non-administrators, you can do that via mmc.exe as follows:
Create a group policy that affects only certain users: (don’t change policies via gpedit.msc)
Run mmc.exe when logged in as the administrator
It will open screen below and then click File -> Add/Remove snap-in
Select Group Policy Object Editor and click Add
Then click BROWSE and select the non-administrators group. **** Make sure to click Browse and change it from just “local computer” to list the specific group/users instead. Then click Finish.
Click OK on the Add/Remove Snap-in window
Then you can expand the Local Computer Policy header and go to User Configuration to make changes that should then apply only to non-administrators. – See some examples below of group policies you could use – there are a lot of them and this is just a sample.
When finished, go File -> Save As and name it. You can open this group policy from File -> Open in the future if you need to continue making modifications for this group later (open this file in the future instead of creating a new one)
Example of some group policies to consider
Many of these group policies will hide icons or remove access to a program/icon through one method but not necessarily all methods. Enabling some group policies is a good way to limit users’ ability to perform undesired actions but doesn’t result in complete lockdown. You should always test the actions modified via group policy to verify that the desired result has been obtained. If you don’t want to provide a desktop session to users (and don’t need shared folders between users), you could look at having your application automatically start upon login (http://www.RiptideHosting.com/blog/how-to-launch-a-program-automatically-when-logging-into-remote-desktop-server/) or RemoteApp / RDWeb. Group policies vary between Windows Server editions so you may not see all of these. This is just a small sample of the many group policies available. There are usually many methods and policies available that could be enabled to get the result you are trying to get. You should do some research and try various methods.
User Configuration\Administrative Templates\Control Panel\Prohibit access to control panel and PC settings – user can’t open control panel from start button
User Configuration\Administrative Templates\Windows Components\File Explorer\Hide these specified drives in my computer – hides drives in my computer and file explorer. Remember that similar to many other policies, this hides the drives but doesn’t restrict access to them, but see below.
User Configuration\Administrative Templates\Windows Components\File Explorer\Prevent access to drives from my computer – will still show contents of drives but should prevent access if double click on c: drive or other drive(s) specified.
User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restrict users to the explicitly permitted list of snap-ins – enable to prohibit snap-ins
User Configuration\Administrative Templates\System\Prevent access to registry editing tools – removes access to regedit.exe (windows registry editor)
User Configuration\Administrative Templates\System\Prevent access to the command prompt – removes access to the command prompt
User Configuration\Administrative Templates\System\Don’t run specified Windows applications – to specify programs that can’t be run – for example, if you don’t want Internet Explorer to run, you can type in iexplore.exe in the field.
User Configuration\Administrative Templates\Windows Components\Windows Installer – prevent users from using Windows Installer to install updates and upgrades
User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the action center icon – will remove the action center icon. There are many other policies listed in this same area to remove various icons, etc. that you can review.
User Configuration\Administrative Templates\Windows Components\Windows Updates\Remove access to use all Windows Update features – removes access to Windows Update. You will want to confirm that the Administrator account still has access to Windows Updates and that automatic settings are still enabled and working.
User Configuration\Administrative Templates\Start Menu and Taskbar\Remove pinned programs from the taskbar – Hides icons for Server Manager, Powershell and File Explorer
Although not a group policy, you may want to modify Task Scheduler to disable the Server Manager pop-up at logon. Open Task Scheduler, navigate to the location below and disable the task: Library\Microsoft\Windows\ServerManager
Under gpedit.msc, under Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host…there are many policies you can review. These would affect all users including the administrator user. Under Device & Resource Redirection, you can change settings on audio/video playback, clipboard redirection, drive redirection, port redirection, etc.
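Since these policies hide or block things through one path but not always every path, it helps to confirm what was actually applied to the restricted account. The following PowerShell is an added example, not part of the original article: run it while logged in as the non-administrator user. The function names are hypothetical, the registry locations are the ones these Administrative Templates settings normally write to (confirm against your server), and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example: report which of the listed user policies are in effect
# for the account running the script.
function ConvertFrom-DriveMask {
    param([int] $Mask)
    # NoDrives / NoViewOnDrive are bitmasks: bit 0 = A:, bit 2 = C: ... bit 25 = Z:
    $letters = for ($bit = 0; $bit -lt 26; $bit++) {
        if ($Mask -band (1 -shl $bit)) { [char](65 + $bit) }
    }
    return ($letters -join ',')
}

function Get-UserPolicyValue {
    param([string] $Key, [string] $Name)
    $item = Get-ItemProperty -Path "HKCU:\$Key" -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

$explorer = 'Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'Software\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @(
    @{ Policy = 'Prohibit access to control panel';  Key = $explorer; Name = 'NoControlPanel' }
    @{ Policy = 'Hide these specified drives';       Key = $explorer; Name = 'NoDrives' }
    @{ Policy = 'Prevent access to drives';          Key = $explorer; Name = 'NoViewOnDrive' }
    @{ Policy = 'Do not run specified applications'; Key = $explorer; Name = 'DisallowRun' }
    @{ Policy = 'Prevent registry editing tools';    Key = $system;   Name = 'DisableRegistryTools' }
    @{ Policy = 'Prevent access to command prompt'
       Key = 'Software\Policies\Microsoft\Windows\System'; Name = 'DisableCMD' }
    @{ Policy = 'Restrict to permitted snap-ins'
       Key = 'Software\Policies\Microsoft\MMC'; Name = 'RestrictToPermittedSnapins' }
)

function Test-UserLockdown {
    foreach ($c in $checks) {
        $value  = Get-UserPolicyValue -Key $c.Key -Name $c.Name
        $drives = ''
        if ($null -ne $value -and $c.Name -in 'NoDrives', 'NoViewOnDrive') {
            $drives = ConvertFrom-DriveMask -Mask $value
        }
        [pscustomobject]@{
            Policy  = $c.Policy
            Applied = ($null -ne $value -and $value -ne 0)
            Value   = $value
            Drives  = $drives
        }
    }
}

Test-UserLockdown | Format-Table -AutoSize
```

A row with Applied = False for a policy you enabled means the policy object was not linked to that user or group; a NoDrives row without a matching NoViewOnDrive row means the drive is hidden but still reachable.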
We have had issues where RDP users haven’t been able to log in on a remote desktop terminal server when the “user must change password at next logon” box has been checked in user properties – see screenshot #1 below. Various comments and posts online indicate that changes in the Windows authentication process in recent OS versions don’t allow this change if Network Level Authentication or Credential Security Support Provider (CredSSP) is enabled. This is only an issue when trying to force users to change their password on an RDP session – it works fine from a console session if you are local to the machine. Here is a workaround as well as alternatives you may consider:
Don’t use this option to force users to change their password. Instead, have them manually change it upon logon by pressing control-alt-end and following the change password prompts. Another option is to create a complex, strong password for them without having them change it upon first logon (may be safest route in certain situations) or have them select their own password but enter it with the Administrator while on the admin session and not select the change at next logon option.
NOT RECOMMENDED IN GENERAL – If you still want to use this option to force password change, you could turn off NLA and change the RDP security layer to the RDP native security. See screenshot #2 below on turning off NLA. See screenshot #3 below on enabling a group policy to select the RDP security layer instead of negotiate (typically the default) or SSL/TLS. Using NLA and the higher security layers is usually recommended on your server for security reasons.
Note: if you are having issues logging in to the server from RDP and getting errors about domain validation (when in workgroup mode and there is no domain) and often from the MAC remote desktop client, make sure you are logging in with the full name which is “machinename\username” instead of just username. Machinename is the name given to the server, which you can see under computer properties.
By default, Remote Desktop Services allows users to disconnect from a remote session without logging off the server and ending the session. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected. A disconnected session continues to consume server resources and we recommend that you set policies to end disconnected sessions after a period of time. Sessions are ended/closed out if the user logs off from the server (start -> logoff) but are not ended if the user simply clicks the X in the upper corner to close the RDP window.
You can limit the amount of time that active, disconnected, and idle sessions remain on the server. Two methods are described below:
#1 — User Properties to set session time limits per user:
In each user’s properties window, under sessions tab, you can change the default of “end a disconnected session” from NEVER to X hours/days as well as change the other settings.
#2 — Group Policy to set session time limits for all users:
Open a command prompt and run gpedit.msc
Computer Configuration, Admin Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Session Time Limits
Enable appropriate group policies and modify as needed
We recommend setting this one because it will prevent disconnected sessions from consuming server resources: “Set time limit for disconnected sessions”
After modifying group policies, you can force an update without rebooting by typing “gpupdate /force” at cmd prompt
#3 — If Windows Server 2008R2, you can modify these settings in RD Session Host Configuration too
To configure session settings on a Windows 2008R2 server with the Remote Desktop Services role installed, go to start -> administrative tools -> remote desktop services -> RD Session Host Configuration. Then right click RDP-Tcp properties, Sessions tab, and enter a value to end a disconnected session after a specific period of time, end an idle session, etc. (tsconfig.msc also opens the RD Session Host Configuration window). More details can be found here: http://technet.microsoft.com/en-us/library/cc754272.aspx
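After running gpupdate /force, the server-wide settings can be read back to confirm they took effect. The following PowerShell is an added example, not part of the original articles: it covers both the session time limits from method #2 and the NLA / RDP security layer settings discussed in the password-change workaround above. The function names are hypothetical, the registry locations are where these settings are normally stored (confirm against your server), and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example. Group Policy values override the local RDP-Tcp listener settings.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$localKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegValue {
    param([string] $Key, [string] $Name)
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-EffectiveRdsSetting {
    param([string] $Name)
    $value = Get-RegValue -Key $policyKey -Name $Name
    if ($null -ne $value) {
        return [pscustomobject]@{ Value = $value; Source = 'Group Policy' }
    }
    $value = Get-RegValue -Key $localKey -Name $Name
    return [pscustomobject]@{ Value = $value; Source = 'Local setting' }
}

function Test-RdsSessionHost {
    $nla = Get-EffectiveRdsSetting -Name 'UserAuthentication'   # 1 = NLA required
    [pscustomobject]@{
        Setting = 'Network Level Authentication'; Source = $nla.Source
        Value   = $nla.Value; Weak = ($nla.Value -ne 1)
    }
    $layer = Get-EffectiveRdsSetting -Name 'SecurityLayer'      # 0 = RDP, 1 = Negotiate, 2 = SSL/TLS
    [pscustomobject]@{
        Setting = 'RDP security layer'; Source = $layer.Source
        Value   = $layer.Value; Weak = ($layer.Value -eq 0)
    }
    # Policy time limits are stored in milliseconds; 0 or missing = never
    foreach ($name in 'MaxDisconnectionTime', 'MaxIdleTime', 'MaxConnectionTime') {
        $ms = Get-RegValue -Key $policyKey -Name $name
        $minutes = if ($ms) { $ms / 60000 } else { 'never' }
        [pscustomobject]@{
            Setting = "$name (minutes)"; Source = 'Group Policy'
            Value   = $minutes
            Weak    = ($name -eq 'MaxDisconnectionTime' -and -not $ms)
        }
    }
}

Test-RdsSessionHost | Format-Table -AutoSize
```

Rows with Weak = True are the ones to review: NLA not required, the native RDP security layer selected, or no policy limit on disconnected sessions. Per-user limits set under method #1 are not shown by this check.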
When you add programs on a Terminal Server, you should follow the directions below by going to Control Panel -> Programs -> “Install Application on Remote Desktop…” You can see the Microsoft article on this here: http://technet.microsoft.com/en-us/library/cc742815.aspx (shown for 2008R2, same process in 2012R2)
If you don’t install your application using the special install mode for multi-user environments, some applications will not work properly and you will see permission errors for non-admin users and other errors.
Steps on Remote Desktop Server (Terminal Server) Windows Server 2008 R2 and Windows Server 2012 R2
Login to server as Administrator
Download your application (executable file) to the desktop or other location on the server and make a note of that location (alternatively, you can place media in your local CD/DVD drive if drive redirection is on). If you are downloading your application file from the internet, you may need to turn off “Internet Explorer Enhanced Security Configuration” (IE ESC) if using Internet Explorer (or add URLs to trusted sites) or use a different browser such as Firefox or Chrome.
Open Control Panel, then Programs, then click on “Install Application on Remote Desktop…”
Click ‘next’ and browse to location to where your application file is located