The following is a collection of expert responses to reader questions by Christa Anderson.
How can a Windows 2000 service access the mapped drive? I need to read a file located there.
Christa Anderson: You've got two problems here: making the drive accessible to the service and granting that service permission to use it. I'll assume that you're running Win2K3 terminal services since you have drive redirection. You'll need to get that mapped drive a drive letter. The simplest way to do this is to share the drive from the client PC, grant that service's account permission to read it, and use net use to connect to it.
In our current network configuration, we have a Windows 2000 Server that was our PDC. We have demoted this box to a member server but are still using it as a terminal server. Since we demoted it, the TS licensing was removed. Now users are having issues connecting to it. We have a new domain controller running 2003 and we are hoping to use this new server as our TS license server for the 2000 box only.
Are there any issues that will arise with using our new Windows 2003 Server as our only license server? Are these Terminal Services Client Access Licenses (TS Cals) transferable to a different license server if we no longer use the old server as a license server?
C.A.: From your description you have taken down the license server but not yet reinstated it fully with the license packs installed.
As for particular issues with locating a Win2K3 license server, there aren't any that should be impacting you while the license server is located on a domain controller, so as long as the terminal server and license server are in the same site. A Windows Server 2003 license server can issue Windows 2000 TSCALs.
I need to change one user's display setting. I know it is buried in there profile but I can not find a way to change this. Please explain how I go about doing this.
C.A.: I'm not sure which display setting you're talking about so I'm going to answer with two possibilities.
One set of display settings is within the user profile; since you've only got to do this for one user, the simplest way is to log on as that user, change the setting and log out. That will save the setting to their user profile.
The other possibility is that you're talking about their terminal services display settings, which aren't in their profile. You change this from the RDP file they use to log on. For example, if you're using Remote Desktop Connection then change the display settings by opening Remote Desktop Connection, clicking on the "Options" button, and changing settings on the "Display Tab'. Save these settings and distribute the resulting RDP file to the user.
After bringing 2003 DC into a Windows 2000 network, we noticed that our network admins were not able to connect to the 2003 boxes using Terminal Services in Remote Admin mode. They are able to connect to 2000 boxes but not 2003.
As a domain admin I don't have a problem "TS'ing" to the Windows 2003 boxes but those of lower permissions cannot. I want to say that it has to do with the Group Policy difference between Windows 2000 and 2003 but I can't say for sure.
Any suggestions on what to try or look at?
C.A.: Remote Administration connections are by default restricted to domain administrator accounts. To let Joe User (JoeU) log on, you'll need to follow these steps:
1. Add JoeU to the Remote Desktop Users group by opening his user account and moving to the Member Of.
2. Grant JoeU (or the Remote Desktop Users group) the right to log onto the server in question. This policy is located in Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Allow Log On Through Terminal Services.
Notice that this will not work unless you complete both steps. By default, the RDU group does not have permission to log onto a domain controller. You do not have to configure the "Allow users to connect remotely using Terminal Services" group policy to allow JoeU to log on.
A user can run MS Word in an RDC session on a Windows 2003 Server (set up in Remote administrator mode) only as an administrator, and not as a user. How can he run it as a user?
C.A.: Remote Administration mode is an administrative convenience, not a way of supporting remote applications. So, by default, ordinary users can't log onto a server in Remote Administration mode -- just like they can't log onto the console. Therefore, to allow this person to run Word, you'll need to edit the permissions to allow him or her to run the session. I've documented the procedure here.
That said, I don't recommend letting users log onto production servers not dedicated to serving applications. This goes double if the server is a domain controller. It leaves a big security hole and also exposes the server to faulty applications that could crash the server or require reboots.
Christa Anderson, a columnist for Windows and .NET Magazine, is an internationally-known speaker and writer about server-based computing. Her books include Windows Terminal Services (Sybex, 2002), The Definitive Guide To MetaFrame XP (available from www.realtimepublishers.com) and co-authorship of the best-selling Mastering Windows Server 2003 (Sybex, 2003). You can sign up for her free e-mail newsletter at her server-based computing site: www.termservhub.com.
This was first published in October 2005