Configuring User Group Policy Settings

Updated: March 28, 2003

Under User Configuration in the Group Policy Object Editor, you can set several Group Policy settings
that are particularly useful for Terminal Server. Use these settings to control the user experience
and prevent access to areas of the terminal server. For more information about each of the settings
listed here, see the Group Policy Explain text associated with each setting. For a job aid to assist
you in recording your Terminal Server Group Policy configuration decisions, see "Group Policy
Configuration Worksheet" (SDCTS_2.xls) on the Windows Server 2003 Deployment Kit companion
CD (or see "Group Policy Configuration Worksheet

" on the Web at

http://www.microsoft.com/reskit).
See the following resources for more specific information about using Group Policy:
For general information about Group Policy, see the Management Services link on the Web Resources page

at

http://www.microsoft.com/windows/reskits/webresources.
For more information about designing a Group Policy infrastructure, see "Designing a Group Policy Infrastructure

" in

Designing a Managed Environment of this kit.

For information about using Group Policy to lock down a Terminal Server session, see article 278295, "How to Lock
Down a Windows 2000 Terminal Server Session" in the Microsoft Knowledge Base. To find this article, see the Microsoft
Knowledge Base link on the Web Resources page
at http://www.microsoft.com/windows/reskits/webresources.
For more information about applying Group Policy to Terminal Server, see article 260370, "How to Apply Group Policy
Objects to Terminal Services Servers." To find this article, see the Microsoft Knowledge Base link on the Web Resources
page
Note

at http://www.microsoft.com/windows/reskits/webresources.

Because these settings apply to the user, and not the computer, they affect the user environment regardless of which
computer the user accesses. When applying settings that you want to apply only when users have a session on the terminal
server (as opposed to their own desktop computer), use computer settings that apply to the terminal server. For more
information, see "Designing Terminal Server Installation and Configuration

Configuring the User Display

" later in this chapter.

A graphic-intensive display can affect performance for users of Terminal Server. To ensure the best
possible performance, you can control what users can put on their desktops by configuring the
Group Policy settings located under User Configuration/Administrative Templates/Control
Panel/Display.

Configuring desktop items

Many organizations permit users to choose their own desktop wallpaper or screen savers. However,
in a Terminal Server environment, these graphics can have an effect on performance. Use the
following Group Policy settings to control users ability to change wallpaper and screen savers.
Screen savers

You can use several Group Policy settings to affect the users screen saver. You can

disable screen savers altogether by disabling the Screen Saver policy. You can also specify the
screen saver by enabling this policy and also by enabling and specifying the screen saver executable
name in the Screen Saver executable name policy. For more information about these Group
Policy settings, see the Explain tab located on the property sheet for each policy.
Wallpaper

By enabling the Prevent changing wallpaper setting you can disable all the options

in the Desktop tab of Display in Control Panel. This includes changing the wallpaper and changing
the appearance of the desktop icons. By not allowing these changes, you can ensure that users do
not choose desktop display items that might affect the performance of the server.

Configuring the desktop theme

If you are hosting the full desktop with Terminal Server, by default the desktop environment
resembles a Windows Classic desktop. By default Windows Server 2003 does not have themes
enabled. You can enable themes by starting the Themes service and configuring it to start
automatically. For more information about starting the Themes service, see "Configure how a
service is started

" in Help and Support Center for Windows Server 2003.

After you have configured the Themes service to start automatically, you can enforce a specific
desktop theme or the Windows XP theme for your Terminal Server users by using the following
procedure. For more information about choosing to use desktop themes with Terminal Server, see
"Hosting Full Desktops with Terminal Server

" earlier in this chapter.

To load a specific theme for the desktop

1.

In the Group Policy Object Editor, navigate to User Configuration/Administrative Templates/Control

2.
3.

Panel/Display/Desktop Themes.
Open the Load a specific visual style file or force Windows Classic setting.
Take one of the following actions, depending on what you are trying to achieve:
To force Windows Classic, enable this setting.
To load the Windows XP theme, enable the setting and type %windir%\resources\Themes\Luna\Luna.msstyles
in the Path to Visual Style dialog box. For information about using the Windows XP theme with Terminal Server,
see "Choosing Applications to Host
" earlier in this chapter.
To load another theme or a custom theme, type the path to that theme in the dialog box.

Restricting Access to Drives on a Terminal Server

You can use Group Policy settings to hide and restrict access to drives on the terminal server. By
enabling these settings you can ensure that users do not inadvertently access data stored on other
drives, or delete or damage program or other critical system files on the C drive. The following
settings are located in the Group Policy Object Editor under User Configuration/Administrative
Templates/Windows Components/Windows Explorer:
Hide these specified drives in My Computer. You can remove the icons for specified drives from a users My Computer
folder by enabling this setting and using the drop-down list to select the drives you would like to hide. However, this
setting does not restrict access to these drives.
Prevent access to drives from My Computer. Enable this setting to prevent users from accessing the chosen combination
of drives. Use this setting to lock down the terminal server for users accessing it for their primary desktop.

Configuring Start Menu and Taskbar Items

You can use Group Policy settings to remove and to restrict access to items from the Start menu for
Terminal Server users. The following settings are located in User Configuration/Administrative
Templates/Start Menu and Taskbar:
Enabling the Remove Run menu from Start Menu setting removes this menu from the Start menu. It also removes the
New Task command from Task Manager and blocks the user from accessing Universal Naming Convention (UNC) paths,
local drives, and local folders from the Internet Explorer address bar. While these are not the only methods for running
applications, enabling this setting makes it difficult for users to access resources on the server or network.
Enabling the Remove Logoff on the Start Menu setting prevents users from logging off the server from the Start menu.
Enabling this setting does not prevent users from logging off using CTRL+ALT+DEL.
Enabling the Remove and Prevent access to the Shut Down command prevents administrators from accidently shutting
down the terminal server.
Enabling the Remove links and access to Windows Update setting prevents users from attempting to download updates
to Windows on to the server.
Enabling the Remove Favorites menu from Start Menu setting reduces confusion for users who do not have access to the
Internet.