Configuring user access and client settings for Remote Desktop Services (RDS) on Windows Server 2022 involves several steps to ensure users can securely connect and use the RDS infrastructure. Here's how to configure both:
1. User Access Configuration
Step 1: Add Users to the Remote Desktop Users Group
- Open System Properties:
- Right-click This PC > Select Properties.
- Click Remote Settings in the left-hand menu.
- Add Users:
- Under the Remote Desktop section, click Select Users.
- Click Add, then type the usernames or groups (e.g., Domain Users) you want to grant access.
- Click OK to save changes.
Step 2: Configure RDS User Access in Active Directory
- Access Active Directory Users and Computers:
- Open the Active Directory Users and Computers management console.
- Assign RDS Access:
- Open the user's properties.
- Go to the Member Of tab and ensure they are part of the Remote Desktop Users group or a custom security group configured for RDS access.
Step 3: Configure RDS Session Host Permissions
- Log in to the RD Session Host Server.
- Set Permissions:
- Use Local Security Policy:
- Open the Local Security Policy console (secpol.msc).
- Navigate to Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services.
- Add the appropriate user groups.
Step 4: Assign Permissions to Published Apps or Desktops
- In Server Manager:
- Open the Remote Desktop Services section.
- Configure collections to define which users can access specific remote apps or desktops.
- Edit Collection Properties:
- Select the collection, click Tasks > Edit Properties, and configure user groups.
Step 5: Enable Multi-Factor Authentication (Optional but Recommended)
- Integrate with an RD Gateway and configure multi-factor authentication using Azure AD or third-party solutions for enhanced security.
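To verify what Steps 1, 3 and 4 actually granted, the following added example (not part of the original page) lists every principal that can log on through Remote Desktop Services on a session host and flags broad groups. The function names, the `$BroadPrincipals` list and the `-ConnectionBroker` parameter of `Get-RdsAccessReport` are assumptions made for illustration.

```powershell
# Added example, not from the original page. Run elevated on the RD Session Host.
$BroadPrincipals = 'Domain Users', 'Authenticated Users', 'Everyone', 'Users'  # illustrative list

function New-AccessRow {
    param([string]$Source, [string]$Principal)
    $leaf = ($Principal -split '\\')[-1]    # account part of DOMAIN\Account
    [pscustomobject]@{
        Source    = $Source
        Principal = $Principal
        Broad     = $BroadPrincipals -contains $leaf
    }
}

function Get-RdsAccessReport {
    param([string]$ConnectionBroker)    # hypothetical parameter: FQDN of the RD Connection Broker

    # Step 1: members of the local Remote Desktop Users group
    Get-LocalGroupMember -Group 'Remote Desktop Users' |
        ForEach-Object { New-AccessRow 'Local group: Remote Desktop Users' $_.Name }

    # Step 3: holders of "Allow log on through Remote Desktop Services"
    $inf = Join-Path $env:TEMP 'rds-user-rights.inf'
    secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
    $right = @(Get-Content $inf) -match '^SeRemoteInteractiveLogonRight\s*='
    Remove-Item $inf -ErrorAction SilentlyContinue
    if ($right) {
        foreach ($entry in (($right[0] -split '=', 2)[1] -split ',')) {
            $name = $entry.Trim().TrimStart('*')
            if ($name -like 'S-1-*') {    # resolve SIDs to account names where possible
                try {
                    $sid  = [System.Security.Principal.SecurityIdentifier]$name
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { }               # keep the raw SID if it cannot be resolved
            }
            New-AccessRow 'User right: Allow log on through Remote Desktop Services' $name
        }
    }

    # Step 4: user groups assigned to each session collection
    if ($ConnectionBroker) {
        foreach ($c in Get-RDSessionCollection -ConnectionBroker $ConnectionBroker) {
            $p   = @{ CollectionName = $c.CollectionName; ConnectionBroker = $ConnectionBroker }
            $cfg = Get-RDSessionCollectionConfiguration @p -UserGroup
            foreach ($g in $cfg.UserGroup) { New-AccessRow "Collection: $($c.CollectionName)" $g }
        }
    }
}

Get-RdsAccessReport | Sort-Object Broad -Descending | Format-Table -AutoSize
```

Rows with `Broad` set to `True` are the ones to replace with a dedicated RDS security group. Pass `-ConnectionBroker` to include the collection assignments from Step 4.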
2. Client Settings Configuration
Step 1: Customize RDP Connection Properties
- Open Group Policy Management:
- Run gpmc.msc to manage domain-wide policies or gpedit.msc for local policies.
- Navigate to RDS Client Settings:
- Go to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host.
- Adjust client settings, such as:
- Device and Resource Redirection: Control clipboard, printer, drive, and USB redirection.
- RemoteFX settings: Enable or disable hardware acceleration for graphical performance.
- Apply Changes:
- Set the desired options and enforce the policy.
Step 2: Configure Licensing Mode
- Open Server Manager:
- Navigate to Remote Desktop Services > Overview.
- Set Licensing Mode:
- Select Per User or Per Device licensing mode.
- Add a valid license server under RD Licensing Manager.
Step 3: Customize RDP Files
- Create or Edit RDP Files:
- Use the built-in Remote Desktop Connection (mstsc.exe) tool to customize settings like resolution, redirection, and saved credentials.
- Save settings in .rdp files for distribution to users.
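Before an .rdp file is distributed, it is worth checking which redirection and credential settings it carries. The following added example (not part of the original page) parses the `name:type:value` lines of an .rdp file and reports the settings this step mentions. The function names, the sample content and the file name `app.rdp` are assumptions made for illustration.

```powershell
# Added example, not from the original page. The .rdp content below is constructed;
# the host name and the password blob are placeholders.
$SampleRdp = @'
full address:s:rdsh01.example.test
desktopwidth:i:1920
desktopheight:i:1080
redirectclipboard:i:1
redirectprinters:i:0
drivestoredirect:s:*
authentication level:i:0
password 51:b:PLACEHOLDER-NOT-A-REAL-BLOB
'@

function ConvertFrom-RdpText {
    param([string]$Text)
    $settings = [ordered]@{}
    foreach ($line in ($Text -split '\r?\n')) {
        # Each setting is name:type:value (i = integer, s = string, b = binary)
        if ($line -match '^(?<name>[^:]+):(?<type>[isb]):(?<value>.*)$') {
            $settings[$Matches['name'].Trim().ToLower()] = $Matches['value'].Trim()
        }
    }
    $settings
}

function Get-RdpFinding {
    param([System.Collections.IDictionary]$Settings)
    if ($Settings['drivestoredirect']) {
        "Drive redirection requested: $($Settings['drivestoredirect'])"
    }
    if ($Settings['redirectclipboard'] -eq '1') { 'Clipboard redirection requested' }
    if ($Settings['redirectprinters'] -eq '1')  { 'Printer redirection requested' }
    if ($Settings.Contains('password 51')) {
        'Saved password blob embedded in the file; do not distribute this file'
    }
    if ($Settings['authentication level'] -eq '0') {
        'Server authentication failures are ignored (authentication level 0)'
    }
}

$parsed = ConvertFrom-RdpText $SampleRdp
Get-RdpFinding $parsed
# For a file on disk (hypothetical name): Get-RdpFinding (ConvertFrom-RdpText (Get-Content .\app.rdp -Raw))
```

The file only states what the client requests. The redirection policies set through Group Policy in Step 1 still decide what the session host allows.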
Step 4: Enable Client Experience Features
- Enable Desktop Experience:
- Ensure the Desktop Experience feature is installed on the RDS Session Host server to provide users with a more familiar interface.
- Configure Experience Settings:
- In the Group Policy editor, navigate to:
- Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment.
- Enable or disable features like font smoothing, audio redirection, and video playback.
Step 5: Configure Remote Desktop Gateway Settings (Optional)
- Open the RD Gateway Manager.
- Set policies for client connection authorization and resource authorization.
- Configure SSL/TLS settings for secure connections.
Best Practices
- Use Group Policy to enforce consistent configurations across multiple clients.
- Secure the RDS environment by enabling SSL/TLS encryption for all client connections.
- Regularly review and update access permissions to follow the principle of least privilege.
- Test client configurations in a staging environment before deploying to production users.
In this module, you learned about the Microsoft Terminal Server and Terminal Client. The Terminal Server provides an ideal solution for companies that want to take advantage of the power of Windows 2000 Professional desktop environments, but do not have the resources to upgrade their present hardware. You learned about the hardware and software requirements that must be in place before installing Terminal Server. You also learned how to perform both the Terminal Server and Terminal Client installations. Next, you saw that there are issues that must be considered before installing software for use with the Terminal Clients on the network, and that you may need to use Terminal compatibility scripts to accomplish your goals. Finally, you saw how to optimize security for your Terminal Client/Server solution. Now you should be able to:
- Install Terminal Services
- Configure user access and client settings
- Install Terminal Services Client
- Establish a Terminal session
- Choose installation options
- Describe, run, and configure application compatibility scripts
- Adjust the performance and security settings for remote administration
Here are some terms from the module that may be new to you:
- Terminal Server: A machine that runs software services that allow client applications to be run on a server, so that client computers can function as terminals rather than independent systems. The server provides a multisession environment and runs the Windows-based programs being used on the clients.
- Terminal Client: A machine that runs software that allows it to connect to a terminal server to run applications on the server, rather than locally.
- Remote Display Protocol: The Remote Display Protocol controls the graphics display on the terminal client.
- Multiuser Environment: Terminal Services allows a multiuser environment on a terminal server where each user runs their own applications in their own, dedicated computing environment. This is in contrast to Remote Control programs, which typically allow a single user access to the remote machine.
- Compatibility Scripts: For maximum performance on a Terminal server in application server mode, some applications require minor changes after installation. Scripts are available for these applications and must be run after the application installation is complete. The scripts are located in systemroot in \Application Compatibility Scripts\Install.
In the next module, you will learn to configure Remote Access in Windows 2000.