Best Practices

Best Practices - General
Best Practices - Office and Commercial
Best Practices - Industrial and Manufacturing

Best Practices - General

  • Use a unique login for each user

Each user should use a unique login so that each user's session can be identified. When users resume a session, they will connect to their own session and not another user's session.

  • Use Microsoft Policies to control program access through logins.
  • Use ThinManager to control program access through hardware.

Microsoft Policies are tied to the login. The security policy is based on the user profile and is independent of the hardware.

ThinManager configuration is hardware-based, with each user receiving the same configuration independent of the login.

This allows an administrator to choose whether to apply a function like Initial Program to the user through Microsoft User Policies, or to the device through ThinManager.

  • Use ThinManager Security Groups to control ThinManager access and shadowing

ThinManager Security Groups control access to ThinManager functions like terminal shadowing, rebooting, and configuration change. Members of the Administrator Group or the ThinManager Administrators group have full access, while members of ThinManager Power Users and ThinManager Users are granted less access.

  • Use a network drive for the home drive

Because ThinManager lets a terminal connect to many different terminal servers, it is best to set up the Microsoft user profiles to store the user's data on a mapped network drive on a file server, so that the data is accessible from any terminal server. The applications run on a terminal server; the data is stored on a file server.

  • Remove Shut Down and Restart command with the Microsoft security policy

Because the terminal's session is on the terminal server, the shut down command and restart command will not reboot the terminal hardware, but will shut down or restart the entire terminal server. Removing these commands from the Start Menu and Windows Security window will prevent accidental reboots.

  • Use the Show Network card on toolbar

Each terminal session needs to receive a regular graphic update from the terminal server to help maintain the session status. If the terminal is turned off, the terminal server sends the graphic update, fails to get a response, and marks the session as disconnected.

Adding the network card icon to the taskbar by selecting the Show icon in taskbar when connected checkbox on the Local Area Connection Properties window is a simple method of keeping the flow of data between the terminal server and terminal active.

Note: Administrators will be able to launch the Local Area Connection Status window from the icon, but non-administrators will not.

Without a dynamic graphic like the network card icon or clock, a terminal can be shut off without the terminal server detecting the shutdown, because there is no flow of information from the terminal server to the terminal. The session is left active. When the terminal is turned back on, it will open a new duplicate session because the original session is marked active, not disconnected.

  • Use Kill Disconnected Session after 2 hr to lighten load of unused sessions

Killing disconnected sessions after two hours clears old disconnected sessions off the terminal server, but allows enough time for terminal replacement without loss in case of hardware failure. This can be configured in the RDP-tcp Properties of the Terminal Services Configuration program.
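A check for the two session problems described above (one login holding more than one session, and disconnected sessions left on the server past two hours). This is an added example, not ThinManager or Microsoft code. It assumes the column layout printed by the quser (query user) command on an English-locale terminal server, uses a constructed sample, and treats IDLE TIME as an approximation of how long a session has been disconnected.

```python
import re
from collections import defaultdict

# Constructed sample in the assumed quser layout; not taken from a real server.
SAMPLE = """\
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         console             0  Active      none   9/20/2006 8:01 AM
 operator1                                 3  Disc         2:15  9/20/2006 6:30 AM
 operator1             rdp-tcp#5           4  Active          .  9/20/2006 9:02 AM
 operator2                                 5  Disc           45  9/20/2006 7:10 AM
 operator3                                 6  Disc      1+03:20  9/19/2006 5:55 AM
"""

def idle_minutes(text):
    """Convert an IDLE TIME field ('none', '.', '45', '2:15', '1+03:20') to minutes."""
    if text in ("none", "."):
        return 0
    m = re.fullmatch(r"(?:(\d+)\+)?(?:(\d+):)?(\d+)", text)
    if not m:
        raise ValueError(f"unrecognised idle time: {text!r}")
    days, hours, minutes = (int(g or 0) for g in m.groups())
    return (days * 24 + hours) * 60 + minutes

def parse_sessions(output):
    """Read rows from the right, so a blank SESSIONNAME (disconnected) still parses."""
    sessions = []
    for line in output.splitlines()[1:]:          # skip the header row
        fields = line.lstrip(" >").split()
        if len(fields) < 7:
            continue
        # The last three tokens are the logon date, time and AM/PM.
        idle, state, sid = fields[-4], fields[-5], fields[-6]
        sessions.append({"user": fields[0].lower(), "id": int(sid),
                         "state": state, "idle": idle_minutes(idle)})
    return sessions

def audit(sessions, max_disc_minutes=120):
    """Return (logins holding more than one session, stale disconnected session IDs)."""
    by_user = defaultdict(list)
    for s in sessions:
        by_user[s["user"]].append(s["id"])
    duplicates = {u: ids for u, ids in by_user.items() if len(ids) > 1}
    stale = [s["id"] for s in sessions
             if s["state"] == "Disc" and s["idle"] > max_disc_minutes]
    return duplicates, stale

if __name__ == "__main__":
    dupes, stale = audit(parse_sessions(SAMPLE))
    print("multiple sessions per login:", dupes)
    print("disconnected longer than 2 h:", stale)
```

A login that appears in the first result is either shared between users or has a duplicate session of the kind described above; the second result lists sessions the two-hour limit should already have cleared.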

  • Use a plain desktop

Using a plain desktop uses less bandwidth than desktops with wallpaper or pictures.

  • Use the ThinManager screen saver, not a session screen saver

The Microsoft screen saver within the session uses the resources on the terminal server. The ThinManager Screen Saver module uses the resources of the terminal, freeing resources on the terminal server for other sessions.

  • Organize the terminals in Groups on the ThinManager tree to simplify management.

To simplify the organization of terminals in the ThinManager tree, it is common to place the terminals into groups with departmental or geographic names.

  • Use a terminal naming scheme that links the hardware to a physical location

Using a name that identifies a terminal by location or user will simplify management.

  • Disable Smooth Scrolling in Internet Explorer

Microsoft Internet Explorer displays better on thin clients if the Use smooth scrolling option is unselected on the Internet Options…Advanced tab of Internet Explorer.

  • Use the tsshutdn Command to Shut Down Terminal Servers

Microsoft recommends that terminal servers are shut down using the tsshutdn command. This gives a warning to users and helps to shut down applications politely.


Best Practices - Office and Commercial

  • Use the manual login for security

Leaving the Login Information blank in the Terminal Configuration wizard will require that each user log in to the terminal session with their personal login. This allows each user to receive their specific level of Microsoft security.

  • Don't use Enforce Primary for Failover

When a terminal server fails, the terminal can switch to a backup swiftly, but input entered since the last save to the file server may be lost and need to be re-created. If Enforce Primary is used, the session switches again once the original terminal server is restored. It is better to leave Enforce Primary off and leave the session on the backup until the next terminal reboot.

Best Practices - Industrial and Manufacturing

  • Use Auto-Login and Initial Program to keep the control system software always loaded and running

In an industrial setting, it is normal for operator screens to be logged in and running. Using the auto-login and Initial Program will keep the program loaded and running instead of showing a login screen or desktop.

  • Use Instant Failover to prevent loss of usage in control rooms

Instant Failover logs the terminal into two terminal servers at once and the Initial Program will have the control program loaded in both sessions. If the primary terminal server fails, the terminal switches to the already loaded backup session, eliminating any downtime or wait.

  • Use MultiSession or a batch file to launch multiple apps as initial programs

The Initial Program field will launch a single program instead of a desktop. If this program is closed, the terminal will reconnect to the terminal server and re-launch the program. A batch file will allow several programs to be launched instead of the desktop. Closing any of them won't affect anything, but closing the last program will reconnect to the terminal server and re-launch the programs. MultiSession is even better. Each desired program can have its own session to run in. The operator can toggle between sessions to access all of them.

  • Use the web as a model for graphics

Graphics displayed on a thin client are sent by the terminal server over the Ethernet and drawn by the thin client. Like the web, different graphics have different degrees of display ease. Bitmaps are the most CPU intensive to display and moving bitmaps require even more resources to display, using CPU and bandwidth. Other formats or vector-based drawings are smaller and are drawn quicker.

  • Use RDP Serial Redirection module for serial communications

The easiest way to use a terminal serial port is to use the RDP Serial Redirection module and connect to a Windows 2003 terminal server. This module maps the serial ports so that if you reference COM 1 in the session it will access COM 1 on the client.

  • Use Key Block module to prevent access to CTRL+ALT+DEL Keys

The Key Block module will trap keystrokes like CTRL+ALT+DEL and CTRL+ESC, preventing operators from accessing undesired programs.


(Updated 9/20/2006)