Managing Users in Microsoft Remote Desktop


Managing Users in Microsoft Remote Desktop

RDP user management is critical if you want to stay clear of the threats that target exposed Remote Desktop services. RDP-related attacks happen on a daily basis, and RDP is one of the most commonly tried ways for attackers to reach the data on your computers. Once in, they can distribute malware and ransomware to the targeted hosts, and nobody notices because nobody prepared for it; by the time it is noticed, the organization is already a victim.

The best way to avoid these types of attacks is to have a clear user hierarchy in your RDP user management. Proper RDP user management determines which parts of your network an intruder can reach and which privileges a compromised account carries. In this article we show how to create user profiles for Windows Terminal Services.


Configure user profiles for Remote Desktop Services

Terminal Services make special demands on the management of user profiles, and at the same time they show the limits of the Windows on-board tools. If you do not use additional products, it is advisable to keep separate profiles for RDS; these can be managed centrally using the established mechanisms.

The specific requirements for user profiles on RD Session Hosts arise mainly from the following characteristics of Terminal Services:

  • A large number of users share a server operating system
  • The graphics performance is usually much weaker than on local PCs
  • Terminal servers are grouped into collections

Avoid local profiles

From these prerequisites it follows that profiles should not be saved locally on the terminal server: otherwise users would receive different settings every time they are assigned to a different host in a farm (collection), and their documents would be scattered across several servers.

In addition, in a multi-user environment the amount of data on the local server drives grows significantly when profiles are stored there.

Finally, on a terminal server you usually want to do without separate settings for graphic effects, for example screen savers or showing window contents while dragging.

Microsoft therefore provides various techniques to manage RDP user profiles separately under such conditions and to avoid undesirable side effects.

The latest feature in this context is User Profile Disks, which mount centrally stored VHDX drives on a session host and write the user data to them. Their main advantage lies in short logon times and their availability for both terminal sessions and virtual desktops.

According to various reports, User Profile Disks still suffer from problems, which manifest as occasional connection problems and users being logged on with a temporary profile.

Define paths for remote desktop profiles

If you only need separate profiles for Terminal Services and not for VDI, you can, for the reasons mentioned, define your own profile paths that point to network shares (see: Setting up authorization for roaming profiles and folder redirection).

In practice, session hosts do not open the user profiles at this central location; instead they copy the settings and files into the server's local profile directory and write the changed data back to the defined network share after logoff. This mechanism is therefore a roaming profile for Remote Desktop.


Define RD profiles via GUI

If you only have a few users to manage, the path for the Remote Desktop profiles can be entered in the user properties in Active Directory Users and Computers. Windows automatically appends the user name to this path for the respective profile.
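Entering the path per user through the GUI does not scale, and it also leaves no easy way to see which accounts still have no RDS profile path (and therefore fall back to a local profile on the session host). The following PowerShell is an added example, not code from the original article: it sets the Remote Desktop Services profile path on a user object through ADSI (the GUI stores this value in the userParameters blob, so it is reached via the TerminalServicesProfilePath property rather than a plain LDAP attribute) and audits an OU for accounts whose path is missing or points somewhere unexpected. The share name and the OU distinguished name are placeholders.

```powershell
# Added example (not from the original article). Requires a domain-joined machine with
# RSAT; the share and OU below are placeholders, replace them with your own values.
$ProfileShare = '\\fs01\rdsprofiles$'                  # placeholder share
$TargetOU     = 'OU=RDS Users,DC=corp,DC=example'     # placeholder OU DN

function Set-RdsProfilePath {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Share
    )
    $user = [ADSI]"LDAP://$DistinguishedName"
    $sam  = $user.sAMAccountName.Value
    # Write the full per-user path explicitly so the result is unambiguous.
    $user.psbase.InvokeSet('TerminalServicesProfilePath', "$Share\$sam")
    $user.SetInfo()
}

function Get-RdsProfilePath {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $user = [ADSI]"LDAP://$DistinguishedName"
    # InvokeGet throws on accounts that never had a userParameters blob; treat that as "not set".
    try   { $user.psbase.InvokeGet('TerminalServicesProfilePath') }
    catch { $null }
}

# Audit: enabled user accounts in the OU (bit 2 of userAccountControl = disabled).
$searcher = [ADSISearcher]'(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher.SearchRoot = [ADSI]"LDAP://$TargetOU"
$searcher.PageSize   = 500

foreach ($result in $searcher.FindAll()) {
    $dn   = $result.Properties['distinguishedname'][0]
    $path = Get-RdsProfilePath -DistinguishedName $dn
    if ([string]::IsNullOrEmpty($path)) {
        Write-Warning "No RDS profile path set (local profile will be used): $dn"
        # Remediate by uncommenting the next line:
        # Set-RdsProfilePath -DistinguishedName $dn -Share $ProfileShare
    }
    elseif (-not $path.StartsWith($ProfileShare, [System.StringComparison]::OrdinalIgnoreCase)) {
        # A path outside the expected share is worth a look: a typo, an old server, or tampering.
        Write-Warning "Unexpected RDS profile path '$path' on $dn"
    }
}
```

Run the audit first with the remediation line commented out; the warnings tell you which accounts would otherwise be silently handled with local profiles on whichever session host they land on.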


Configure directory via GPOs

In larger environments the profile directory is not entered for each user individually in Active Directory Users and Computers; instead this task is done with group policies. The corresponding setting is called Define Path for Roaming Remote Desktop Services User Profile and can be found under:

 Computer Configuration => Policies => Administrative Templates => Windows Components => Remote Desktop Services => Remote Desktop Session Host => Profiles.

As a best practice, Microsoft recommends separate profile directories for each server farm, because write conflicts and data loss can occur if a user is logged on to two hosts at the same time. This case can also occur within a collection, for example if not all applications are installed on all servers.

This branch of the GPO editor contains further settings, among others for the home directory and for the use of mandatory profiles (setting Use mandatory profiles on the remote desktop session host server).
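The same policy can be created from PowerShell with the GroupPolicy module, which is handy when you need one GPO per farm as recommended above, and it gives you a way to verify on a session host that the policy actually arrived. The script below is an added example, not code from the original article. It assumes the GPO name, the share and the OU link target (all placeholders), and it assumes that the two policies in question are written as the registry values WFProfilePath and WFDontAppendUserNameToProfile under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services, which is my understanding of the corresponding ADMX definitions; check the value names in your own ADMX files if your Windows version differs.

```powershell
# Added example (not from the original article). Requires the GroupPolicy module (RSAT).
# GPO name, share and OU are placeholders; the registry value names are my assumption
# about what the "profile path" and "mandatory profiles" policies write.
Import-Module GroupPolicy

$GpoName   = 'RDS Session Host - Profiles Farm1'                     # placeholder
$Share     = '\\fs01\rdsprofiles-farm1$'                             # one share per farm
$LinkOU    = 'OU=Farm1,OU=RDS Hosts,DC=corp,DC=example'              # placeholder OU DN
$PolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName -Comment 'Roaming RDS profile path for farm 1' | Out-Null
}

# Policy: Define Path for Roaming Remote Desktop Services User Profile
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'WFProfilePath' -Type String -Value $Share | Out-Null

# Policy: Use mandatory profiles on the RD Session Host server -> explicitly disabled,
# so Windows keeps appending the user name to the profile path.
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'WFDontAppendUserNameToProfile' -Type DWord -Value 0 | Out-Null

# Link the GPO to the OU that holds this farm's session hosts.
if (-not (Get-GPInheritance -Target $LinkOU).GpoLinks.DisplayName -contains $GpoName) {
    New-GPLink -Name $GpoName -Target $LinkOU | Out-Null
}

# Verification, to be run on a session host after gpupdate: read the effective values.
function Test-RdsProfilePolicy {
    param([Parameter(Mandatory)][string]$ExpectedShare)
    $regPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    $p = Get-ItemProperty -Path $regPath -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        ProfilePath  = $p.WFProfilePath
        Mandatory    = [bool]$p.WFDontAppendUserNameToProfile
        MatchesFarm  = ($p.WFProfilePath -eq $ExpectedShare)
    }
}

Test-RdsProfilePolicy -ExpectedShare $Share
```

MatchesFarm turning up $false on a host is exactly the situation the text warns about: a host that receives a different farm's profile share, or none at all, is where a user can end up with two hosts writing the same profile.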

Remote desktop profiles with folder redirection

If the roaming profiles for Remote Desktop contain the user files in addition to the settings, they can significantly increase logon times. For this reason the profiles remain on the session hosts after logoff. Another GPO setting controls the space used by this cache: Limit the total size of the cache for roaming user profiles.

Since many companies provide applications not only via Terminal Services but also locally on the workstations, separate profiles for session hosts and PCs would mean that the user files are scattered across both locations.

This can be remedied by folder redirection, which lets users access the same document directories from all profiles. It also reduces the amount of data that has to be copied to the session hosts at logon, so logon times are shortened as well.

If you use roaming profiles for client PCs, it is generally advisable to also define a path for Remote Desktop profiles, in order to avoid copying the workstation profiles to the session hosts.
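Two things are worth checking regularly on a session host: which profiles are cached locally (and how large they are, which is what the cache-size policy above limits), and whether any logons fell back to a temporary profile, the symptom mentioned earlier for User Profile Disks and a classic sign that the roaming profile share was unreachable. The following script is an added example, not code from the original article. It assumes it is run locally on a session host with administrative rights, the size threshold is a placeholder, and it assumes that event IDs 1511 ("logged on with a temporary profile") and 1521 ("cannot locate the server copy of your roaming profile") from the User Profiles Service provider are the relevant events, which matches my experience but should be confirmed against your own Application log.

```powershell
# Added example (not from the original article). Run on an RD Session Host as administrator.
# The size threshold is a placeholder; event IDs 1511/1521 are my assumption about which
# User Profiles Service events indicate temporary-profile fallbacks.

function Get-CachedRdsProfile {
    # Lists non-system profiles cached on this host; flags local (non-roaming) ones and
    # any profile above the size threshold, since both defeat the point of central profiles.
    param([int]$MinSizeMB = 500)
    Get-CimInstance -ClassName Win32_UserProfile |
        Where-Object { -not $_.Special } |
        ForEach-Object {
            $bytes = (Get-ChildItem -LiteralPath $_.LocalPath -Recurse -Force -File -ErrorAction SilentlyContinue |
                      Measure-Object -Property Length -Sum).Sum
            [pscustomobject]@{
                LocalPath   = $_.LocalPath
                Roaming     = $_.RoamingConfigured
                RoamingPath = $_.RoamingPath
                Loaded      = $_.Loaded
                LastUse     = $_.LastUseTime
                SizeMB      = [math]::Round(($bytes / 1MB), 1)
            }
        } |
        Where-Object { -not $_.Roaming -or $_.SizeMB -ge $MinSizeMB } |
        Sort-Object SizeMB -Descending
}

function Get-TempProfileLogon {
    # Temporary-profile fallbacks in the last N days, with the SID resolved where possible.
    param([int]$Days = 7)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Microsoft-Windows-User Profiles Service'
        Id           = 1511, 1521
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $account = try { $_.UserId.Translate([System.Security.Principal.NTAccount]).Value }
                   catch { [string]$_.UserId }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            EventId     = $_.Id
            User        = $account
            Message     = ($_.Message -split "`n")[0]
        }
    }
}

Get-CachedRdsProfile   | Format-Table -AutoSize
Get-TempProfileLogon   | Format-Table -AutoSize -Wrap
```

A host that lists many non-roaming profiles, or 1521 events clustered around one point in time, usually points at the profile share or its permissions rather than at the individual users; that is the first place to look before touching any account.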



These were some ways to achieve effective RDP user management in a Windows Server environment. Terminal Services mostly use RDP to connect to the servers that provide the service. The measures described here will make your network easier and more efficient to manage in the future. SunFirewall specializes in RDP-related features. You can see how SunFirewall can help you protect your network from brute force attacks and also ransomware. Be sure to check the other articles that can help you manage your RDP better.

Published by Blogger at 2020 October 05