TS User access to Legacy App?? Permissions??

  • Thread starter Thread starter Guest
  • Start date Start date
G

Guest

I have been using TS for remote admin for several years. Recently I decided
to try TS to improve performance for a Legacy Application (the users have old
PC's and the app runs on a member server w/ lots of power). I purchased the
licenses, and configured the server with TS and License manager. Now I have
a permissions problem?? When I log in as a User from my remote workstation
the app runs fine. When I log into TS from this same remote workstation as
an Administrator, the app runs fine. When I log into TS from this same
remote workstation as User, the login goes just fine and I see the same
Desktop. However now when I try to execute the app shortcut, I get an
immediate Permissions problem. Who do I give What permissions , and Where do
I give them? I have a fair understanding of GPO, but I can find no doc on
Permissions?
 
How did you install this application? Was the TS in "install mode"
during installation? If it wasn't, I would uninstall the
application and re-install it while the server is in "install
mode".
If you *did* install in install mode but still get the permission
problem, then I would download FileMon and RegMon from
http://www.sysinternals.com/. Run them as administrator (when no
user is connected), start a TS session as a normal user and try to
run the application.

FileMon and RegMon will show you all "access denied" errors that
occur, so that you can give your users the necessary permissions on
a file-to file or Registry subkey basis.
 
Vera, Thanks for your prompt reply! I am obviously ignorant on TS because I
was not really aware of "install mode". Since reading your note, I've done
some more study and was able to successfully enter the command "change user
/install" on the Test TS Server. Then I logged into TS from a workstation,
and attempted to install the application. The logon was successful, and has
been working all along. However when I went into the install I received the
message: "Add or Remove Programs has been restricted. Please check with
your administrator." I had previously made this user a member of the Power
Users Group, which I assumed would get around this problem, but alas I still
received this error message. I did discover that when I made this user a
member of the Administrator group, they could perform this operation and run
successfully, but I had hoped that I would not have to make all the remote
users administrators on this server??? This application does allow remote
users to install on their workstations.
 
I do not understand what you are trying to accomplish.
Why would every user need to install the application?
The whole idea with a Terminal Server is that you (as
Administrator) install the application *once*, and the Terminal
Server provides multi-user access.
Or have I misunderstood your post completely? If so, please explain
a bit more about the application and what exactly you are trying to
install where and why.

Note that some applications cannot be installed remotely (from
inside a TS session). I always walk over to the physical console
when I have to put the server into install mode to perform an
installation.
Your post also seems to indicate that you entered the "change user
/install" command at the console, and then installed from within a
TS session. That will not work, even if the application can be
installed from within a TS session.

Here's some useful reading about install mode and what it does:

186498 - Terminal Server Application Integration Information
http://support.microsoft.com/?kbid=186498

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
 
Vera, Let me backup. I have a Legacy App (16 bit) running on SQL2000
installed on a Win2003 Member Server in my NT4 domain. I also have 7 users
who correspond with that app thru clients running on their Win2000
workstations. Because the Server is way over powered, and the client
workstations are way underpowered. I wanted to offer my 2 power users the
option to logon to the server with TS. I need to know how to set up these 2
users to have the option to login using TS. I've tried several techniques
that have allowed them to login, but they cannot get the client to execute
w/o running into a problem. Is there anything that I might read on the
basics of setting up an app.? I thought perhaps that was what Install Mode
was about? Thanks, EPGeek
 
OK, these are the basic steps:

1) log on to the console of the Terminal Server as Administrator
2) put the TS into install mode with "change user /install"
3) install the client application
4) put the TS back into execute mode with "change user /execute
5) log on to the users workstation as Administrator
6) install the Remote Desktop Client
7) start the RDC and configure it to connect to your TS
8) save the configuration in an .rdp file
9) put this rdp file on the users Desktop or Start Menu for easy
access

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
 
Vera, Thanks again for your prompt reply. This is the information I was
looking for! However I have two more "quick" questions. First, this
application uses SQL2000 for its db, which is also installed on this same
server. Does this mean that I must also uninstall/reinstall SQL2000 on the
server in addition to the uninstall/reinstall of the application itself?
Second question, do other minor applications on the server, that will never
be accessed by TS, need to be uninstalled/reinstalled? Thanks, EPGeek
 
Now you open a different can of worms :-)
No, you do not have to uninstall / reinstall SQL server or any
other applications.
BUT: I previously got the impression that only the client
application was installed on the Terminal Server, I didn't
understand that SQL server also runs on the same machine. This is
*not* recommended, for both performance and security reasons.

Remember that a Terminal Server is nothing more or less than a
multi-user workstation. So you will have users logged on to your
SQL server, treating it as their personal workstation. Even if you
try to apply every security trick under the sun, this is still a
big risk to your SQL server. Moreover, many applications need to
have elevated user rights when run on a TS, which makes it still
more dangerous. Ask yourself the question if you would feel
comfortable with those users working on the console of your SQL
server, surfing the internet, playing games, downloading and
installing software, etc. Because that's what they will be doing,
sooner or later. Now you *can* avoid most of this behaviour by
hardening your server with NTFS file system permissions and Group
Policies, but it will never be as secure as a dedicated SQL server
and a dedicated TS.
Also: when you install Terminal Services (implying "Application
Server mode"), the whole server is internally tuned differently, to
provide for the multi-user access. That means that you might see a
drop in performance of your SQL server. These two server roles
simply don't go together.
If you only have 7 users, and the SQL server is only used by this
specific application, you might get away without too much impact on
your SQL server.
But if the SQL server is also used for something else, this could
affect all other users / applications. I would advice against this
configuration.

--
Vera Noest
MCSE, CCEA, Microsoft MVP - Terminal Server
http://hem.fyristorg.com/vera/IT
--- please respond in newsgroup, NOT by private email ---
 
Back
Top