For all you Terminal Server, Remote Desktop Services, or RDP geeks out there, let me spend a minute to clarify a call driver that continues to be popular.
The scenario is deploying Remote Desktop Services in a workgroup. Call this a corner case, or call it what you will. This is a popular support call because two articles are needed to complete the setup.
Oh sure, Microsoft does tell you to add a policy after your setup, but they specify that you use GPEDIT. Not much help there… until today!
First you need to deploy the roles correctly. The specific KB I chose for this article is the one you would use for the simplest setup, one that keeps you clear of the very common missteps of walking through the setup in Server Manager. If you did your deployment correctly, you didn’t even need Server Manager.
So begin by reading this:
Guidelines for installing the Remote Desktop Session Host role service on a computer running Windows Server 2012 without the Remote Desktop Connection Broker role service
To be clear about this deployment:
- No Domain Controller
- No Hyper-V
- Install Remote Desktop Services.
- You won’t get to select more until the end. You may install the following:
  - Remote Desktop Licensing
  - Remote Desktop Session Host
  - RD Gateway
- For a workgroup you do not have to add the Terminal Server to the Terminal Server License server group. Why? With no DC, you don’t have to report to anyone.
- Activate the Terminal Server using one of the three methods. This is most common
- Activate your RD CAL licenses with KB2833839 or cc725890
So far, so good. Now this is where we start to diverge from some existing documentation.
- If you are in a work-group, go to “edit local users and groups”
- Find the group folder and create a group for your RDP users and add your users to this group.
- Alternatively, you may add your users to the RDP users group already there
- Remember the group you are using. It becomes important
- Now you are going to edit the Local Policy by doing the following:
- Start and Run GPEDIT.MSC
- Navigate to the following:
Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Licensing
You will now see the two LSOs (Local Security Objects) you will be enabling.
- Use the Specified Remote Desktop License Servers. Value: IP address of the RD License Server.
- Set the Remote Desktop Licensing Mode. Value: 2 or 4. 2 is for Device CAL and 4 is for User CAL.
Now there is another policy to set. For this, just go back to the top. Start out at the Local Security Policy like before (GPEDIT.MSC). See figure 3.
Expand Computer Configuration -> expand Windows Settings -> expand Security Settings -> expand Local Policies, and then click User Rights Assignment.
Enable this policy and add the group you used earlier. It is highlighted in this article above. In addition, add the Remote Desktop Users group to this policy if desired. Don’t add your administrator name here. The admin already has access. If you add your admin name, it will lock you out. So it is best to stick to adding the Remote Desktop Users group.
Notice it says Administrators (plural). That is fine, but the single administrator should not be in this list; there is a well-known break here if you do that. When you are finished, you just need to add the users you want to give access to the group we just added to the policy (likely the Remote Desktop Users group).
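To confirm the result of the User Rights Assignment step, the following read-only check lists which accounts hold the right. It is an added example, not part of the original article or of any Microsoft KB. It assumes the policy in question is "Allow log on through Remote Desktop Services" (exported by secedit as SeRemoteInteractiveLogonRight) and that `$RdpGroup` is the group you chose earlier.

```powershell
# Added example: run from an elevated prompt on the RD Session Host. Read-only.
# Assumption: the policy is "Allow log on through Remote Desktop Services",
# which secedit exports under the name SeRemoteInteractiveLogonRight.
$RdpGroup = 'Remote Desktop Users'   # placeholder: the group you used earlier

# Export only the user-rights area of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

$line = Select-String -Path $cfg -Pattern '^SeRemoteInteractiveLogonRight\s*=\s*(.*)$'
Remove-Item $cfg

# If nobody holds the right, secedit omits the line entirely.
if (-not $line) { throw 'No account holds SeRemoteInteractiveLogonRight.' }

$holders = $line.Matches[0].Groups[1].Value -split ',' | ForEach-Object {
    $entry = $_.Trim()
    if ($entry.StartsWith('*')) {
        # secedit writes SIDs with a leading '*'; translate them to account names.
        $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $entry }            # unresolvable SID: show it as exported
    } else {
        $entry                      # already an account name
    }
}

'Accounts holding the RDP logon right:'
$holders

# Names come back as BUILTIN\<group> or <machine>\<group>.
if (-not ($holders | Where-Object { $_ -like "*\$RdpGroup" -or $_ -eq $RdpGroup })) {
    Write-Warning "'$RdpGroup' is not in the list; membership in it alone will not grant RDP logon."
}
```

Review the list for individual user accounts as well as groups, so that access stays controlled through group membership as the article recommends.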
Step 8 comes right out of KB2833839.
- Open an elevated Windows PowerShell prompt
- Type the following command on the PS prompt and press Enter:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
- Run the following command to set the licensing mode:
Note: Value = 2 for Per device, Value = 4 for Per User
- Run the following command to replace the machine name with License Server:
- Run the following command to verify the settings that are configured using above mentioned steps:
You should see the server name in the output.
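The steps above, put together as one script. This is an added example, not text from KB2833839 or the original post; the license server address is a constructed placeholder, and the methods called are those of the Win32_TerminalServiceSetting WMI class.

```powershell
# Added example: run from an elevated Windows PowerShell prompt on the RD Session Host.
# $LicenseServer is a constructed placeholder; replace it with your RD License Server.
$LicenseServer = '192.0.2.10'
$Mode          = 4     # 2 = Per Device, 4 = Per User (values from the article)

if ($Mode -ne 2 -and $Mode -ne 4) {
    throw 'Licensing mode must be 2 (Per Device) or 4 (Per User).'
}

# Get the session host settings object, as in the first command of the step.
$obj = Get-WmiObject -Namespace 'Root/CIMV2/TerminalServices' -Class Win32_TerminalServiceSetting
if (-not $obj) {
    throw 'Win32_TerminalServiceSetting not found. Is the RD Session Host role installed?'
}

# Set the licensing mode.
$result = $obj.ChangeMode($Mode)
if ($result.ReturnValue -ne 0) {
    throw "ChangeMode returned $($result.ReturnValue)."
}

# Point the session host at the license server.
$result = $obj.SetSpecifiedLicenseServerList($LicenseServer)
if ($result.ReturnValue -ne 0) {
    throw "SetSpecifiedLicenseServerList returned $($result.ReturnValue)."
}

# Verify: the server should appear in the returned list.
$configured = $obj.GetSpecifiedLicenseServerList().SpecifiedLSList
if ($configured -contains $LicenseServer) {
    "License server list: $($configured -join ', ')"
} else {
    Write-Warning "Expected $LicenseServer, but the list is: $($configured -join ', ')"
}
```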
You have now covered all your bases, and your RDP should be happy!! It will be happy because you paid attention to all the right things!
Now, I did find an interesting article that I can’t really comment on. However, it is an interesting article. It deals with some issues you could run across.
Based on a comment to this article, I want to address this KB “Best practices for setting up Remote Desktop Licensing (Terminal Server Licensing) across Active Directory Domains/Forests or Work group”
This is where it tells you not to use a workgroup server. So please consider this against this KB:
One article says don’t use a workgroup. The other says “This server can be part of a work-group or may be configured as a DC.” Which do you believe? They are both true. Microsoft does not want you to use it in a workgroup, but you can, because they provided a way for you to do it. The cost? Printer redirection issues and a few other small things, but you can do it if you need to. Bottom line: install your Terminal Server in a domain. But if you have no other choice, then use a workgroup.
Well, that is it. I hope this has been helpful for workgroups or non-workgroups. This basically can be set up on either.