Category: At least Windows Server 2003
Restrict Remote Desktop Services users to a single Remote Desktop Services session
This policy setting allows you to restrict users to a single Remote Desktop Services session. If you enable this policy setting, users who log on remotely by using Remote Desktop Services will be restricted to a single session (either active or disconnected) on that server. If the user leaves the session in a disconnected state, the user automatically reconnects to that session at the next logon. If you disable this policy setting, users are allowed to make unlimited simultaneous remote connections by using Remote Desktop Services. If you do not configure this policy setting, this policy setting is not specified at the Group Policy level.
Start a program on connection
Configures Remote Desktop Services to run a specified program automatically upon connection. You can use this setting to specify a program to run automatically when a user logs on to a remote computer. By default, Remote Desktop Services sessions provide access to the full Windows desktop, unless otherwise specified with this setting, by the server administrator, or by the user in configuring the client connection. Enabling this setting overrides the “Start Program” settings set by the server administrator or user. The Start menu and Windows Desktop are not displayed, and when the user exits the program the session is automatically logged off. To use this setting, in Program path and file name, type the fully qualified path and file name of the executable file to be run when the user logs on. If necessary, in Working Directory, type the fully qualified path to the starting directory for the program. If you leave Working Directory blank, the program runs with its default working directory. If the specified program path, file name, or working directory is not the name of a valid directory, the RD Session Host server connection fails with an error message. If the status is set to Enabled, Remote Desktop Services sessions automatically run the specified program and use the specified Working Directory (or the program default directory, if Working Directory is not specified) as the working directory for the program. If the status is set to Disabled or Not Configured, Remote Desktop Services sessions start with the full desktop, unless the server administrator or user specify otherwise. (See “Computer Configuration -> Administrative Templates -> System -> Logon -> Run these programs at user logon” setting.) Note: This setting appears in both Computer Configuration and User Configuration. If both settings are configured, the Computer Configuration setting overrides.
Do not allow local administrators to customize permissions
This policy setting specifies whether to disable the administrator rights to customize security permissions for the Remote Desktop Session Host server. You can use this setting to prevent administrators from making changes to the user groups allowed to connect remotely to the RD Session Host server. By default, administrators are able to make such changes. If you enable this policy setting, the default security descriptors for existing groups on the RD Session Host server cannot be changed. All the security descriptors are read-only. If you disable or do not configure this policy setting, server administrators have full read/write permissions to the user security descriptors by using the Remote Desktop Session WMI Provider. Note: The preferred method of managing user access is by adding a user to the Remote Desktop Users group.
Set Remote Desktop Services User Home Directory
Specifies whether Remote Desktop Services uses the specified network share or local directory path as the root of the user’s home directory for a Remote Desktop Services session. To use this setting, select the location for the home directory (network or local) from the Location drop-down list. If you choose to place the directory on a network share, type the Home Dir Root Path in the form \\Computername\Sharename, and then select the drive letter to which you want the network share to be mapped. If you choose to keep the home directory on the local computer, type the Home Dir Root Path in the form “Drive:\Path” (without quotes), without environment variables or ellipses. Do not specify a placeholder for user alias, because Remote Desktop Services automatically appends this at logon. Note: The Drive Letter field is ignored if you choose to specify a local path. If you choose to specify a local path but then type the name of a network share in Home Dir Root Path, Remote Desktop Services places user home directories in the network location. If the status is set to Enabled, Remote Desktop Services creates the user’s home directory in the specified location on the local computer or the network. The home directory path for each user is the specified Home Dir Root Path and the user’s alias. If the status is set to Disabled or Not Configured, the user’s home directory is as specified at the server.
Configure keep-alive connection interval
This policy setting allows you to enter a keep-alive interval to ensure that the session state on the RD Session Host server is consistent with the client state. After an RD Session Host server client loses the connection to an RD Session Host server, the session on the RD Session Host server might remain active instead of changing to a disconnected state, even if the client is physically disconnected from the RD Session Host server. If the client logs on to the same RD Session Host server again, a new session might be established (if the RD Session Host server is configured to allow multiple sessions), and the original session might still be active. If you enable this policy setting, you must enter a keep-alive interval. The keep-alive interval determines how often, in minutes, the server checks the session state. The range of values you can enter is 1 to 999999. If you disable or do not configure this policy setting, a keep-alive interval is not set and the server will not check the session state.
Do not display Manage Your Server page at logon
This policy setting allows you to turn off the automatic display of the Manage Your Server page. If you enable this policy setting, the Manage Your Server page is not displayed each time an administrator logs on to the server. If you disable or do not configure this policy setting, the Manage Your Server page is displayed each time an administrator logs on to the server. However, if the administrator has selected the “Don’t display this page at logon” option at the bottom of the Manage Your Server page, the page is not displayed.
Ignore Delegation Failure
This policy setting controls whether the RPC Runtime ignores delegation failures when delegation is requested. The constrained delegation model, introduced in Windows Server 2003, does not report that delegation was enabled on a security context when a client connects to a server. Callers of RPC and COM are encouraged to use the RPC_C_QOS_CAPABILITIES_IGNORE_DELEGATE_FAILURE flag, but some applications written for the traditional delegation model prior to Windows Server 2003 may not use this flag and will encounter RPC_S_SEC_PKG_ERROR when connecting to a server that uses constrained delegation. If you disable this policy setting, the RPC Runtime will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. If you do not configure this policy setting, it remains disabled and will generate RPC_S_SEC_PKG_ERROR errors to applications that ask for delegation and connect to servers using constrained delegation. If you enable this policy setting, then: “Off” directs the RPC Runtime to generate RPC_S_SEC_PKG_ERROR if the client asks for delegation but the created security context does not support delegation. “On” directs the RPC Runtime to accept security contexts that do not support delegation even if delegation was asked for. Note: This policy setting will not be applied until the system is rebooted.
Enable Persistent Time Stamp
This policy setting allows the system to detect the time of unexpected shutdowns by writing the current time to disk on a schedule controlled by the Timestamp Interval. If you enable this policy setting, you are able to specify how often the Persistent System Timestamp is refreshed and subsequently written to the disk. You can specify the Timestamp Interval in seconds. If you disable this policy setting, the Persistent System Timestamp is turned off and the timing of unexpected shutdowns is not recorded. If you do not configure this policy setting, the Persistent System Timestamp is refreshed according to the default, which is every 60 seconds beginning with Windows Server 2003. Note: This feature might interfere with power configuration settings that turn off hard disks after a period of inactivity. These power settings may be accessed in the Power Options Control Panel.
Allow Print Spooler to accept client connections
This policy controls whether the print spooler will accept client connections. When the policy is unconfigured or enabled, the spooler will always accept client connections. When the policy is disabled, the spooler will not accept client connections nor allow users to share printers. All printers currently shared will continue to be shared. The spooler must be restarted for changes to this policy to take effect.