Best Practice Terminal Server User Setup

Archived from groups: microsoft.public.windowsnt.terminalserver.applications,microsoft.public.windowsnt.terminalserver.setup (More info?)

I have a terminal server hosting a web application accessed by 20 thin
clients. Currently, there is only 1 terminal server user account set up.
Whoever connected to the terminal server will be using the same credential
for authenticating to the TS. Users will then be authenticated to the
application by entering their specific name set up at the application level.

The advantage of this set up is simplicity. I don't have to create new user
name for additional thin clients. No matter there are 20, 30 or even 50
terminals, 1 user account on the server can do the job.

The disadvantage I can see so far is mainly the difficulties in managing the
connected clients. You cannot easily identify them as they are all using
the same user name. Even the IP addresses are dynamically assigned. Also, I
realized that when I logged on to the server console using the shared
account, I found that the performance is much slower than when I logged on
as administrator or another non-generic user. I am worrying about some
specific application data being mixed up as well when having one generic
account with multiplie sessions logged on concurrently.

Now I have to decide should I continue to use one generic account for all
terminal users, or create separate one for each terminal. Can some experts
please shed some light?

Cheers,

Joe
4 answers Last reply
More about best practice terminal server user setup
  1. Archived from groups: microsoft.public.windowsnt.terminalserver.applications,microsoft.public.windowsnt.terminalserver.setup (More info?)

    that throws security and auditing right out the window.

    Rick
  2. Archived from groups: microsoft.public.windowsnt.terminalserver.applications,microsoft.public.windowsnt.terminalserver.setup (More info?)

    > that throws security and auditing right out the window.

    Rick,

    Thanks for your opinion. That's why I said I needed advice from experts.
    But I cannot agree totally that security would be completely neglected. In
    my situation, IE6. would be started automatically when a user connects. I
    have locked down the browser completely and force it to run in kiosk mode.
    The session will be closed when the browser terminates. Second, the
    application will authenticate users when the browser load up the application
    page.

    In the case of Citrix, it generates a lot of anonymous users.
    Administrators still cannot easily determine who is anon001.

    Joe
  3. Archived from groups: microsoft.public.windowsnt.terminalserver.applications,microsoft.public.windowsnt.terminalserver.setup (More info?)

    yours might be a special case

    so you are using TS to serve IE6 to anon users to autheticate via Citrix
    web interface to published apps? When autheticating to the published
    app are they then using a unique username and secure password?

    what are they interfacing to the TS with? I asked b.c. they could run
    their browser locally and attached to the published apps that way and
    save some CPU cycles.

    Rick
  4. Archived from groups: microsoft.public.windowsnt.terminalserver.applications,microsoft.public.windowsnt.terminalserver.setup (More info?)

    Do the applications inherit the Windows Account for authenication?

    If so then any activity logged int hat application will be logged as one
    user - could be problematic if you need to tack user behavoiur metrics in
    that application.

    Security is non-exisitent. Authentication, Access and Auditing are all
    assigned to one user.

    New Moon (Tarantella) Canaveral Allows you to easily set up applications and
    user accounts. Relativiely Cheap compared to Citrix - less complicated to
    manage as administrator. It has built in security model.

    Lindsay


    "JP" <NO_SPAM_PLEASE_pangjo@netzero.com> wrote in message
    news:%23D3EtWqIEHA.3308@tk2msftngp13.phx.gbl...
    > I have a terminal server hosting a web application accessed by 20 thin
    > clients. Currently, there is only 1 terminal server user account set up.
    > Whoever connected to the terminal server will be using the same credential
    > for authenticating to the TS. Users will then be authenticated to the
    > application by entering their specific name set up at the application
    level.
    >
    > The advantage of this set up is simplicity. I don't have to create new
    user
    > name for additional thin clients. No matter there are 20, 30 or even 50
    > terminals, 1 user account on the server can do the job.
    >
    > The disadvantage I can see so far is mainly the difficulties in managing
    the
    > connected clients. You cannot easily identify them as they are all using
    > the same user name. Even the IP addresses are dynamically assigned. Also,
    I
    > realized that when I logged on to the server console using the shared
    > account, I found that the performance is much slower than when I logged on
    > as administrator or another non-generic user. I am worrying about some
    > specific application data being mixed up as well when having one generic
    > account with multiplie sessions logged on concurrently.
    >
    > Now I have to decide should I continue to use one generic account for all
    > terminal users, or create separate one for each terminal. Can some
    experts
    > please shed some light?
    >
    > Cheers,
    >
    > Joe
    >
    >
Ask a new question

Read More

Microsoft Terminal Server Windows