User cannot change an expired user account password in a remote desktop session that connects to a Windows Server 2008 R2-based RD Session Host server in a VDI environment
https://support.microsoft.com/en-us/kb/2648402
- Open the following file: %systemDrive%\windows\web\rdweb\pages\web.config
- Change value="false" to value="true" in the following entry: <!-- PasswordChangeEnabled: Provides password change page for users. Value must be "true" or "false" --> <add key="PasswordChangeEnabled" value="false" />
Disable IE security in a GPO using reg change
Set Trust sites
http://deployhappiness.com/managing-internet-explorer-trusted-sites-with-group-policy/
Setup SSO & disable remote app prompt
Deploying RD Session Host Servers or Farms
How to Remove the Access Messages and Enable the Single Sign On for RemoteApps
Deploy Certificates by Using Group Policy
Enable RDC Client Single Sign-On for Remote Desktop Services
https://technet.microsoft.com/en-us/library/cc742808.aspx
How to resolve the issue: “A website wants to start a remote connection. The publisher of this remote connection cannot be identified.”
Do you trust the publisher of this RemoteApp Program? prompt even though the Publisher is trusted?
Create a Self-Signed Server Certificate in IIS 7
https://technet.microsoft.com/en-us/library/cc753127(v=ws.10).aspx
IT: How To Create a Self Signed Security (SSL) Certificate and Deploy it to Client Machines
Makecert.exe (Certificate Creation Tool)
https://msdn.microsoft.com/en-us/library/bfsktky3(v=vs.110).aspx
Tested example (sets the start date to 30.6.15; the end date is 20yrs+ later):
makecert.exe -r -pe -n "CN=rdscluster.test.world.com" -eku 1.3.6.1.5.5.7.3.1 -b 06/30/2015 -ss my -sr localmachine -sky exchange -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "E:\Media\Cert\rdscluster.test.world.com.cer"
About Digitally Signing RemoteApp Programs
https://technet.microsoft.com/en-gb/library/cc754499.aspx
Create RDS Farm – Check list
https://technet.microsoft.com/en-us/library/cc753891.aspx
Install the RD Connection Broker Role Service
https://technet.microsoft.com/en-us/library/cc732076.aspx
Add Each RD Session Host Server in the Farm to the Session Broker Computers Local Group
https://technet.microsoft.com/en-us/library/cc753630.aspx
Configure an RD Session Host Server to Join a Farm in RD Connection Broker
https://technet.microsoft.com/en-us/library/cc771383.aspx
Configure DNS for RD Connection Broker Load Balancing
https://technet.microsoft.com/en-us/library/cc772506.aspx
Limit Profile Size
http://www.techrepublic.com/blog/the-enterprise-cloud/limit-profile-size-with-group-policy/
Note: Files deleted from a network share do not go to the recycle bin. They are deleted permanently.
Empty recycle bin at log off (GPO logoff script):
User Configuration – Policies – Windows Settings – Scripts – Logon/Logoff
Add the empty recycle bin batch file
http://www.cryer.co.uk/brian/windows/batch_files/how_to_empty_recycle_bin.htm
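rem Empty the recycle bin on E:. Stop if the folder is missing so del never runs in another directory.
cd /d E:\$RECYCLE.BIN || exit /b 1
del /s /q .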
Types of profiles
User Configuration – Administrative Templates – System – Logon/Logoff
SHOW and HIDE ALL DRIVES
- Create one policy for admins with show all drives https://support.microsoft.com/en-us/kb/231289
- Create a second policy for all users with hide all drives and a deny apply policy for admins https://support.microsoft.com/en-us/kb/816100
- Third policy has all the terminal server config details
Temporary Profiles Loading