Using Remote Desktop CHAPTER 27
1353
When enabling Remote Desktop on a computer, you must also authorize which users will
be allowed to remotely connect to that computer using RDC. By default, only administrators
are authorized to remotely connect to the host computer. Authorize additional users by
following these steps:
1. Click the Select Users button to open the Remote Desktop Users dialog box.
2. Click Add and then either specify or find user accounts in AD DS (or on the local
   computer on stand-alone host computers) and add them to the list of Remote Desktop
   Users authorized to access the host computer using Remote Desktop. This adds the
   selected users to the Remote Desktop Users local group on the host computer.
Enabling Remote Desktop Using Group Policy
You can also use Group Policy to enable Remote Desktop on host computers. To enable
Remote Desktop on all computers in a specified organizational unit (OU), open the Group
Policy object (GPO) linked to the OU using Group Policy Object Editor, enable the following
policy setting and add users to the Remote Desktop Users group:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Allow Users To Connect Remotely Using Remote Desktop Services
Enabling Remote Desktop on computers using Group Policy also enables the Allow
Connections From Computers Running Any Version Of Remote Desktop (Less Secure) option on
the computers targeted by the GPO. To enable Remote Desktop using the Allow Connections
Only From Computers Running Remote Desktop With Network Level Authentication (More
Secure) option instead, you must enable the following policy setting in addition to the
preceding one:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\Require User Authentication For Remote Connections By Using Network Level Authentication
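Whether a host received only the first policy (Less Secure) or both policies (Network Level Authentication required) can be checked offline from a registry export. The following Python is an added example, not from the original chapter; the policy registry key and the value names fDenyTSConnections, UserAuthentication and MinEncryptionLevel are not given in the text and are assumptions, and the sample exports are constructed.

```python
import re

# Assumed policy key and value names (not given in the chapter).
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
ENCRYPTION = {1: "Low (56-bit)", 2: "Client Compatible", 3: "High (128-bit)"}
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_policy(reg_text, key=POLICY_KEY):
    """Collect the DWORD values stored under `key` in the text of a .reg export."""
    values, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]          # start of a new key section
        elif current is not None and current.lower() == key.lower():
            match = _DWORD.match(line)
            if match:
                values[match.group(1).lower()] = int(match.group(2), 16)
    return values


def assess(values):
    """Return (summary, findings) for the Remote Desktop policy values."""
    enabled = values.get("fdenytsconnections") == 0
    nla = values.get("userauthentication") == 1
    # Not Configured means Client Compatible, per the chapter's policy table.
    level = values.get("minencryptionlevel", 2)
    summary = {
        "enabled_by_policy": enabled,
        "nla_required": nla,
        "encryption": ENCRYPTION.get(level, f"unrecognized ({level})"),
    }
    findings = []
    if enabled and not nla:
        findings.append("Remote Desktop enabled without the NLA policy (Less Secure option)")
    if level == 1:
        findings.append("encryption level forced to Low (56-bit)")
    return summary, findings


# Constructed sample exports, not taken from a real host.
WEAK = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDenyTSConnections"=dword:00000000
"MinEncryptionLevel"=dword:00000001
'''
HARDENED = WEAK.replace(
    '"MinEncryptionLevel"=dword:00000001',
    '"MinEncryptionLevel"=dword:00000003\n"UserAuthentication"=dword:00000001',
)

if __name__ == "__main__":
    for name, export in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, *assess(parse_policy(export)))
```
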
note
den and displayed.
Table 27-9 summarizes the configuration options available on the different tabs of the
Remote Desktop Connection client UI.
TABLE 27-9 Configuration Options for Remote Desktop Connection Client
| TAB | SETTING | NOTES |
| General | Logon Settings: Computer | Specifies the FQDN or IP address (can be IPv4 or IPv6) of the host computer. |
| | Logon Settings: User Name | Specifies the user account to be used to establish the Remote Desktop session. This is displayed only when credentials from previous Remote Desktop sessions have been saved. |
| | Logon Settings: Always Ask For Credentials | Select this check box to require the user to always supply credentials. This is displayed only when credentials from previous Remote Desktop sessions have been saved. |
| | Connection Settings | Saves the current configuration of RDC client as an *.rdp file or opens a previously saved *.rdp file. |
| Display | Display Configuration | Changes the size of your remote desktop. |
| | Use All My Monitors For The Remote Session | Configures the Remote Desktop session monitor layout to match the current client-side configuration. |
cameras.
CHAPTER 27 Connecting Remote Users and Networks
| Programs | Start A Program | Specifies a program that should automatically start when your Remote Desktop session is established. |
| Experience | Performance: Choose Your Connection Speed To Optimize Performance | Specifies the connection speed closest to actual available network bandwidth to obtain the optimal mix of functionality and performance for your Remote Desktop session. |
| | Desktop Background; Font Smoothing; Desktop Composition; Show Window Contents While Dragging; Menu And Window Animation; Visual Styles; Persistent Bitmap Caching | Enables or disables each desktop user interface feature that is indicated. |
| | Reconnect If Connection Is Dropped | Specifies that the RDC client should attempt to re-establish a connection with the remote |
your connection, click the Advanced tab, and click Settings. Then select one of the
following three options:
• Connect And Don’t Warn Me (Least Secure): Lets you connect even if RDC can’t verify the identity of the remote computer.
• Warn Me (More Secure): Lets you choose whether to continue with the connection when RDC can’t verify the identity of the remote computer.
• Do Not Connect (Most Secure): Prevents you from connecting to the remote computer when RDC can’t verify the remote computer’s identity.
The default setting for Server Authentication is Warn Me.
Configuring Remote Desktop Connection from the Command Line
To use the RDC client from the command line or custom shortcut, type mstsc followed by the
appropriate command-line switches. For example, to initiate a Remote Desktop session using
a custom display resolution of 1680 × 1050, type mstsc /w:1680 /h:1050 at a command
prompt.
You can use the /span switch to initiate a Remote Desktop session that spans across
multiple monitors. Note that when both the /span and /h: /w: switches are present, the /span
switch takes precedence. In addition, when the /span option is selected, the slider for
adjusting remote desktop size is unavailable on the Display tab so that users cannot change
their initial settings, which can cause confusion.
New in Windows 7 is the /multimon switch, which configures the Remote Desktop session
monitor layout to match the current client-side configuration.
Using the /public switch runs Remote Desktop in public mode. When an RDC client is
running in public mode, it does not persist any private user data (such as user name, password,
domain, and so on) either to disk or to the registry on the computer on which the client is
running, nor does the client make use of any saved private data that may exist on the
computer (a trusted sites list, the persistent bitmap cache, and so on). This means that the client
essentially functions as if there were no registry or secondary storage present for storing pri-
reconnect to the existing session on the physical console. (The blog post referenced
at the end of this sidebar includes details on console behavior differences.)
Third, in Windows Server 2003, the /console option was used for administering the
Remote Desktop Session Host remotely without consuming a client access license
(CAL). In Windows Server 2008, the /admin option serves this purpose.
Thus, you do not need the /console option while connecting to Windows Vista or
Windows Server 2008, and you can now use the /admin switch to connect to the
physical console of Windows Vista or Windows Server 2003.
For more information, see the following post on the Remote Desktop Services
Team Blog:
administration-in-windows-server-2008.aspx.
Configuring Remote Desktop Connection Using Notepad
You can also configure a saved RDC client by opening its *.rdp file in Notepad and editing it.
For example, to configure a saved RDC client to use a custom display resolution of 1680 ×
1050, change the lines specifying screen resolution to read as follows.
desktopwidth:i:1680
desktopheight:i:1050
As a second example, to configure a saved RDC client to span a Remote Desktop session
across multiple monitors, add or change the following line:
span:i:0
to
span:i:1
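Because a saved *.rdp file is plain name:type:value text, it can be reviewed before use as well as edited. The following Python is an added example, not from the original chapter: it parses a saved file and reports the Server Authentication choice and any password stored in the file. The setting names "authentication level" and "password 51" and their values are not given in the chapter and are assumptions; the sample file contents are constructed.

```python
import codecs

# Assumed .rdp setting name and values for the Server Authentication options
# (the chapter names the three options but not the setting that stores them).
AUTH_LEVELS = {
    0: "Connect And Don't Warn Me (Least Secure)",
    1: "Do Not Connect (Most Secure)",
    2: "Warn Me (More Secure)",
}


def decode_rdp(data):
    """Decode .rdp bytes: UTF-16 when a BOM is present, otherwise UTF-8/ASCII."""
    if data[:2] in (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE):
        return data.decode("utf-16")
    return data.decode("utf-8-sig")


def parse_rdp(text):
    """Parse name:type:value lines; type i is an integer, s a string, b a binary blob."""
    settings = {}
    for raw in text.splitlines():
        if not raw.strip():
            continue
        parts = raw.strip().split(":", 2)  # the value itself may contain ':' (host:port)
        if len(parts) != 3 or parts[1] not in ("i", "s", "b"):
            raise ValueError(f"malformed .rdp line: {raw!r}")
        name, kind, value = parts
        settings[name.lower()] = int(value) if kind == "i" else value
    return settings


def audit_rdp(settings):
    """Return findings for weak server authentication or a password saved in the file."""
    findings = []
    level = settings.get("authentication level")
    if level == 0:
        findings.append("server authentication: " + AUTH_LEVELS[0])
    elif level is not None and level not in AUTH_LEVELS:
        findings.append(f"server authentication: level {level} is not one of the three options")
    if any(name.startswith("password ") for name in settings):
        findings.append("saved password blob stored in the file")
    return findings


# Constructed sample file contents (host name and password blob are made up).
SAMPLE = (
    "full address:s:host01.example.test:3389\r\n"
    "desktopwidth:i:1680\r\n"
    "desktopheight:i:1050\r\n"
    "span:i:1\r\n"
    "authentication level:i:0\r\n"
    "password 51:b:0102ABCD\r\n"
).encode("utf-16")

if __name__ == "__main__":
    parsed = parse_rdp(decode_rdp(SAMPLE))
    print(parsed["desktopwidth"], parsed["desktopheight"], audit_rdp(parsed))
```
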
Configuring Remote Desktop Using Group Policy
You can also use Group Policy to manage some aspects of how Remote Desktop works. You
can find the policy settings for managing Remote Desktop in two locations:
• Per-computer policy settings can be found under Computer Configuration\Policies
| | Do Not Allow Passwords To Be Saved | Prevents users from saving their credentials in the RDC client. Windows Vista saves the password using Credential Manager instead of saving it within the *.rdp file as in earlier versions of Windows. |
| Remote Desktop Session Host\Connections | Automatic Reconnection | Enables RDC clients to attempt to automatically reconnect when underlying network connectivity is lost. |
| | Allow Users To Connect Remotely Using Remote Desktop Services | Enables Remote Desktop on the targeted computer. |
| | Deny Logoff Of An Administrator Logged In To The Console Session | Prevents an administrator on the client computer from bumping an administrator off of the host computer. |
| Remote Desktop | Do Not Allow LPT Port Redirection | Prevents redirection of parallel port devices. |
| | *Do Not Allow Supported Plug And Play Device Redirection | Prevents redirection of supported PnP media players and digital cameras. |
| FOLDER | POLICY SETTING | NOTES |
| | Do Not Allow Smart Card Device Redirection | Prevents redirection of smart card readers. |
| Remote Desktop Session Host\Printer Redirection | Do Not Set Default Client Printer To Be Default Printer In A Session | Prevents users from redirecting print jobs from the remote computer to a printer attached to their local (client) computer. |
| | Do Not Allow Client Printer Redirection | Prevents the client default printer from the Remote Desktop session. |
| | Remove “Disconnect” Option From Shut Down Dialog | Removes the Disconnect button from the Start menu but doesn’t prevent the remote user from disconnecting the session using other methods. |
| Remote Desktop Session Host\Security | Set Client Connection Encryption Level | Specifies the level of encryption used to protect RDP traffic between the client and host computers. The options available are High (128-bit), Low (56-bit), and Client Compatible (highest encryption level supported by the client). When this policy setting is Not Configured, the default encryption level used is Client Compatible. |
| | Always Prompt For Password Upon Connection | Requires remote users to always enter a password to establish a Remote Desktop session with the targeted computer. |
| | | Requires client computers to be running Windows Vista or Windows XP SP2 with the downloadable RDC 6.0 client installed. (This policy was named Require User Authentication Using RDP 6.0 For Remote Connections in Windows Vista and earlier versions.) |
| | *Server Authentication Certificate Template | Lets you specify a certificate template to be used for authenticating the host computer. |
| Remote Desktop Session Host\Session Time Limits | Terminate Session When Time Limits Are Reached | Forcibly logs the remote user off of the Remote Desktop session when the session time limit has been reached. |
| | Set Time Limit For Disconnected Sessions | Forcibly logs the remote user off of the Remote Desktop session when the session time limit for disconnected sessions has been reached. |
• Double-click the desired *.rdp file (or a shortcut to this file) and (if required) click Yes. Then specify your credentials for connecting to the host computer (if required).
• Open a command prompt and type mstsc rdp_file, where rdp_file is the name of the desired *.rdp file (specifying the path may be required) and (if required) click Yes. Then specify your credentials for connecting to the host computer, if required.
When a Remote Desktop session has been established, the client can end the session in
two ways:
• By disconnecting: This ends the Remote Desktop experience on the client computer but leaves the session running on the host computer so that the client can reconnect later if desired. Any applications running in the session on the host continue to run until this session is terminated, either by the user on the client (who must reconnect and then log off) or by a user logging on interactively to the host.
• By logging off: This ends the Remote Desktop experience on the client computer and terminates the session on the host computer as well.
Note: You can also remotely shut down the host computer to which you are remotely
connected, or you can put it into Sleep mode. To do this from within a Remote Desktop
session, click the taskbar, press Alt+F4, and then choose the option you want to select. You
can also open a command prompt in your Remote Desktop session and type
shutdown -s -t 0 to immediately shut down the host computer or shutdown -r -t 0 to
immediately restart it. (Be sure to save any open files first.)
Improving Remote Desktop Performance
If available network bandwidth between a client computer and the remote host computer is
limited, you can improve a Remote Desktop experience by reducing the color depth on the
late bandwidth allocation based on pre-compression bytes (if the value is 0) or post-
compression bytes (if the value is 1). The default value for this setting is 0.
By default, the ratio of FlowControlDisplayBandwidth to FlowControlChannelBandwidth is
70 to 30 or 70:30. This means that 70 percent of available bandwidth is reserved for display
and input traffic, and the remaining 30 percent will be used for other types of traffic. If
your Remote Desktop experience is being degraded during large file transfers and other
bandwidth-intensive activity, you might change FlowControlDisplayBandwidth to 85 and
FlowControlChannelBandwidth to 15, which allocates 85 percent of available bandwidth for
display and input traffic while reserving only 15 percent for other traffic.
Note: You must reboot your host computer for these registry changes to take effect.
Troubleshooting Remote Desktop Sessions
If you have trouble establishing a Remote Desktop session with the host computer, do the
following:
• Verify that Remote Desktop has been enabled on the host computer.
• Verify that you are using credentials that have been authorized for remotely connecting to the host computer.
• Verify that you have the correct FQDN or IP address of the remote computer.
• Verify network connectivity with the remote computer by using the ping command.
If you are missing expected functionality during a Remote Desktop session, do the
following:
• Check whether the host computer is running an older version of Windows such as
Using RemoteApp and Desktop Connection Step-by-Step Guide” found at
You will also need to import the
SSL certificate for the Remote Desktop Web Access server to your client computers before the
users of these computers can use RemoteApp and Desktop Connection. For information on
how to import certificates, see step 3 of the above guide.
After you have configured your servers and have installed certificates on your clients, you
can configure RemoteApp and Desktop Connection on the client side by following these
steps:
1. Open RemoteApp and Desktop Connection from Control Panel.
2. Click Set Up A New Connection With RemoteApp And Desktop Connections to launch
   the New Connection wizard.
3. Type the URL to the Remote Desktop Web Access server in the Connection URL box:
4. Click Next to add connection resources for the RemoteApp And Desktop Connection
   (be sure to enter your credentials if prompted to do so). When the connection resources
   have been added, the details of the RemoteApp And Desktop Connection will be
   displayed.
5. Click Finish to complete the wizard.
6. To view all RemoteApp And Desktop Connections that have been added to the client,
   open RemoteApp And Desktop Connections again from Control Panel.
7. You can now access your RemoteApp programs from the RemoteApp and Desktop
For more information on RemoteApp and Desktop Connection, see the Remote
Desktop Services section of Microsoft TechNet at
/cc770412.aspx.
Summary
Windows 7 includes new remote connectivity technologies, such as VPN Reconnect,
DirectAccess, and BranchCache. These technologies and others, such as Remote Desktop,
have been enhanced in Windows 7 to make them more reliable, more secure, and easier to
use and manage.
Additional Resources
These resources contain additional information and tools related to this chapter.
Related Information
• General information concerning virtual private networks on Microsoft platforms can be found at />
• General information concerning DirectAccess can be found at /directaccess/.
• General information concerning BranchCache can be found at />
• General information concerning Remote Desktop Services in Windows Server 2008 R2 and Windows 7 can be found at /cc770412.aspx.
• The white paper, “Networking Enhancements for Enterprises,” at />b083-3334ddd1ef86&DisplayLang=en.
• The Routing and Remote Access Blog can be found at /rrasblog/.
outlines how to migrate the IPv4 network infrastructure of your enterprise to IPv6 using
IPv6 transition technologies, such as Intra-Site Automatic Tunnel Addressing Protocol
(ISATAP). Finally, the chapter describes how to configure and manage IPv6 settings in
Windows 7 and how to troubleshoot IPv6 networking problems.
Understanding IPv6
The need for migrating enterprise networks from IPv4 to IPv6 is driven by a number of
different technological, business, and social factors. The most important of these are:
• The exponential growth of the Internet is rapidly exhausting the existing IPv4 public address space. A temporary solution to this problem has been found in Network Address Translation (NAT), a technology that maps multiple private (intranet) addresses to a (usually) single, public (Internet) address. Unfortunately, using NAT-enabled routers can introduce additional problems, such as breaking end-to-end connectivity and security for some network applications. In addition, the rapid proliferation of mobile IP devices is accelerating the depletion of the IPv4 public address space.
CHAPTER 28 Deploying IPv6
• The growing use of real-time communications (RTC) on the Internet, such as Voice over IP (VoIP) telephony, instant messaging (IM), and audio/video conferencing, exposes the limited support for Quality of Service (QoS) currently provided in IPv4. These new RTC technologies need improved QoS on IP networks to ensure reliable end-to-end communications. The design of IPv4 limits possible improvements.
• The growing threats faced by hosts on IPv4 networks connected to the Internet can be mitigated considerably by deploying Internet Protocol security (IPsec), both on private intranets and on tunneled connections across the public Internet. However, IPsec was designed as an afterthought to IPv4 and is complex and difficult to implement in many
white paper titled “Introduction to IP Version 6” at
/details.aspx?FamilyID=CBC0B8A3-B6A4-4952-BBE6-D976624C257C&displaylang=en.
Another good reference for learning IPv6 is the book, Understanding IPv6, 2nd Edition, by
Joseph Davies (Microsoft Press, 2008).
Understanding IPv6 Terminology
The following terminology is used to define IPv6 concepts and describe IPv6 features: