When I started out with Terminal Services on Windows 2000, I used as a guide a book from Todd Mathers called Windows NT/2000 Thin Client Solutions and have been using his recommendations ever since. We are not planning to go to Windows 2008 and I thought it might be a good time to review our methodology and have a second pair of eyes/experience look it over. I'm not sure if anybody responding will be familiar with the book, but here are the steps recommended in the book that we have implemented:
1) Create a separate Terminal Services OU in the domain
2) Under the TS OU create two OUs - Terminal Servers and Terminal Server User Groups
3) Create 3 GPOs and apply to the Terminal Servers OU
a) TSServers
Enable Block Policy inheritance
Disable User Configuration Settings
Permission: Authenticated Users System TS-Admins
Full Control
Read Allow Allow Allow
Write Allow Allow
Create Child Objects Allow Allow
Delete Child Objects Allow Allow
Apply Group Policy Allow
Loopback Policy - replace mode
Delete Cached Copies of Roaming Profiles
b) AllTSUsers Policy (Includes Admin)
Disable Computer Configuration Settings
Permission: Authenticated Users System TS-Admins
Full Control Allow
Read Allow Allow Allow
Write Allow Allow
Create Child Objects Allow Allow
Delete Child Objects Allow Allow
Apply Group Policy Allow Allow
Enable: Do Not Track Shell Shortcuts During Roaming
Enable: Disable UI to Change Menu Animation Settings
Enable: Add Logoff to the Start Menu
Enable: Disable and Remove the Shut Down Command
Enable: Do Not Use the Search-based Method When Resolving Shell Shortcuts
Enable: No Screen Saver
Enable: Group Policy Refresh Interval - 1440 (24 hours)
c) RegularTSUSERS (not including Admins)
Disable Computer Configuration Settings
Permission: Authenticated Users System TS-Admins
Full Control
Read Allow Allow Allow
Write Allow Allow
Create Child Objects Allow Allow
Delete Child Objects Allow Allow
Apply Group Policy Allow Deny
Windows Settings\Folder Redirection - I redirect My Documents and Application Data to a network share
Administrative Templates\Windows Components\Windows Explorer
Enable: Removes the Folder Options Menu From the Tools Menu
Enable: Hide Hardware Tab
Administrative Templates\Start Menu & Taskbar
Enable: Disable and Remove Links to Windows Update
Enable: Remove Network & Dial-up
Enable: Disable Changes to Taskbar and Start Menu Settings
Administrative Templates\Desktop
Enable: Prohibit User From Changing My Documents Path
Administrative Templates\Control Panel
Enable: Disable Control Panel
Administrative Templates\Systems
Enable: Disable Registry Editing Options
I would appreciate it if somebody could critique the above for our present 2000 environment - how we might do things differently and better - we are still going to be running 2000 for another year - and also offer some guidance as to how we should modify the above for 2008 R2.
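The OU and GPO layout from steps 1 to 3 above, scripted as an added example that is not part of the original post or the book. It assumes a Windows Server 2008 R2 domain with the ActiveDirectory and GroupPolicy PowerShell modules; the domain DN `DC=example,DC=com` is a placeholder and `TS-Admins` is taken to be an existing group.

```powershell
# Added example, not from the original post. Run as a domain admin on 2008 R2.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn  = 'DC=example,DC=com'                 # placeholder domain (assumption)
$tsOu      = "OU=Terminal Services,$domainDn"
$serversOu = "OU=Terminal Servers,$tsOu"

# Steps 1-2: the Terminal Services OU and its two child OUs
New-ADOrganizationalUnit -Name 'Terminal Services'           -Path $domainDn
New-ADOrganizationalUnit -Name 'Terminal Servers'            -Path $tsOu
New-ADOrganizationalUnit -Name 'Terminal Server User Groups' -Path $tsOu

# Step 3a: block inheritance so only the GPOs linked here reach the servers
Set-GPInheritance -Target $serversOu -IsBlocked Yes

# TSServers: computer-side GPO, user half disabled
$ts = New-GPO -Name 'TSServers'
$ts.GpoStatus = 'UserSettingsDisabled'
$sysKey = 'HKLM\Software\Policies\Microsoft\Windows\System'
# Loopback processing: UserPolicyMode 2 = replace mode (1 would be merge)
Set-GPRegistryValue -Name 'TSServers' -Key $sysKey -ValueName 'UserPolicyMode' `
    -Type DWord -Value 2 | Out-Null
# Delete cached copies of roaming profiles at logoff
Set-GPRegistryValue -Name 'TSServers' -Key $sysKey -ValueName 'DeleteRoamingCache' `
    -Type DWord -Value 1 | Out-Null
New-GPLink -Name 'TSServers' -Target $serversOu | Out-Null

# Steps 3b/3c: user-side GPOs, computer half disabled. With loopback replace
# they are linked to the servers' OU, not to the OU holding the user accounts.
foreach ($name in 'AllTSUsers', 'RegularTSUSERS') {
    $gpo = New-GPO -Name $name
    $gpo.GpoStatus = 'ComputerSettingsDisabled'
    New-GPLink -Name $name -Target $serversOu | Out-Null
    # Delegate management of the GPO to TS-Admins
    Set-GPPermissions -Name $name -TargetName 'TS-Admins' -TargetType Group `
        -PermissionLevel GpoEditDeleteModifySecurity | Out-Null
}

# Set-GPPermissions can only grant. The Deny on "Apply Group Policy" for
# TS-Admins on RegularTSUSERS is not set here and still has to be added in
# the GPO's security (ACL) editor.

# Review what now applies to the OU, including the inheritance block
Get-GPInheritance -Target $serversOu |
    Select-Object Path, GpoInheritanceBlocked, GpoLinks
```

The individual Administrative Templates settings listed in the post are left to the GPO editor; only the structure, loopback mode and profile-cache setting are scripted here.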