Microsoft's Windows NT Server 4.0 Terminal Server Edition platform has created quite a stir. Terminal Server is a combination of thin-client-based technology and NT. This technology isn't new. An earlier application of thin-client-based technology is Tektronix' WinDD Server. WinDD—based on Citrix' WinFrame 1.7, a hybrid of NT 3.51—lets UNIX workstation, PC, Macintosh, and other users run NT programs installed on a centralized WinDD server. The thin-client approach offers several advantages, including reduced hardware costs, office infrastructure requirements, and support. In addition, it provides excellent service for low-bandwidth connections and can extend the life of legacy PCs. (For more information about thin-client technology, see "Related Articles in Windows NT Magazine.")
To control the corporate desktop, many WinDD administrators are using mandatory user profiles. (For more information about profiles, see see "Related Articles in Windows NT Magazine.") Mandatory user profiles let you tightly control the look and feel of the desktop over the NT environment and limit what users can access and do. For example, you can restrict the use of screen savers; animated cursors; File, Run commands; and the Office Assistant, because their performance overhead becomes unacceptable in a multiuser system. Mandatory user profiles help reduce troubleshooting and administration costs because users can't easily make undesirable configuration changes, such as inefficient software installs. Surprisingly, users don't usually resist mandatory profiles. Many users appreciate the performance benefits of having servers protected from unauthorized activity.
Although mandatory user profiles can be advantageous, they can also cause problems, especially in a WinDD environment. For example, our large organization recently began migrating to Microsoft Outlook and Microsoft Exchange. When we tested the Outlook client in the WinDD environment, problems started to occur. Outlook stores individual messaging profile information (e.g., mailbox and Exchange server names) in users' individual user profile. This storage method is fine for regular NT users but presents a problem if you want to use WinDD with mandatory user profiles. Mandatory user profiles are read-only; therefore, when users log out of WinDD, they lose any dynamic changes they've made to the Outlook messaging protocol. The only solution to this problem is to develop a way to separate the Outlook user profiles from the mandatory profiles while retaining mandatory user profiles over the WinDD environment.
At first, we thought we would have to remove mandatory user profiles and go back to using roaming personal user profiles. However, we found that with some changes to the current WinDD environment, we could configure a solution: We can keep the current shared mandatory user profiles but create Outlook profiles on the fly each time a user logs on. This scheme lets us separate the Outlook features, including individual views and print settings, from the mandatory profile features.
The following explanation assumes that you have a working knowledge of distributed Windows administration and NT Server 3.51. The principles we describe apply to Terminal Server with the NT 4.0 interface, but we haven't tested this configuration.
Before you install Outlook on a WinDD 3.5 server, load the standard Workstation versions of Microsoft Office 97 and Microsoft Internet Explorer (IE) 3.02. (We haven't tested IE 4 and Outlook 98.) Before you install Outlook 8.03 from the Exchange CD-ROM, use File Manager (in Terminal Server, use NT Explorer) and be sure that the local administrator has at least Change access permission on Microsoft Office\Templates on your WinDD server, as you see in Screen 1. In a multiuser environment, making the Microsoft Office\Templates folder read-only prevents the spread of macro viruses. However, the Outlook installation needs to create Microsoft Office\Templates files, so the administrator needs permission to access the templates.
Configure Outlook to make file and Registry changes. To create separate Outlook files for users, you need to modify the Registry. However, first you need to set up Outlook to make these changes.
- Log on to the WinDD server console as the local administrator.
- At a command prompt, enter install mode:
change user /install
This command ensures that any changes to the local Registry cascade to the users.
- From the Exchange CD-ROM, run the following command:
- Enter your organization's appropriate user and company details, the CD-ROM key provided in the software pack, and the Outlook install destination folder path on the WinDD server.
- Continue with the installation, and at the prompt, choose Custom setup. (We prefer not to run the Office Assistant on multiuser platforms because of the performance overhead.)
- At the prompt for the program group (equivalent to the Start, Programs group in the NT interface), select an appropriate common group so that Outlook appears in the Program Manager for all users.
- At the command prompt, revert to execute mode by entering
change user /execute
- Log off.
- At the WinDD server console, log on as a domain user (who has been set up as an Outlook user) with local administrator rights. Log on to Outlook, then choose File, Exit and Log Off, then log off WinDD. By virtue of this user's local administrator rights, this step lets Outlook make several file and Registry changes before you continue with the setup.
Enter Registry changes. You must change the Outlook section of the Registry to set up Outlook log files and preferences files for Favorites, Views, and Print Settings and to prevent the default Welcome to Microsoft Outlook message from appearing every time a user logs on to WinDD and runs Outlook.
- Log on as the local administrator at the WinDD server console.
- Go into install mode by entering
change user /install
- Add or edit the Registry keys. First, the key values at
HKEY_LOCAL_MACHINE\SOFTWARE\Citrix \Install\Software\MicrosoftOffice\ 8.0\Outlook\Journal
move the locations of the offitems.log and outitems.log files into the user's domain home directory, as Screen 2 shows. These files contain Outlook logging information. In this case, the home directory is drive H, and it contains the WinDD system files. This entry separates the Outlook logging files for each user. Next, at
HKEY_CURRENT_USER\Software\ Microsoft\Office\8.0\Outlook\ Office Explorer
modify the Favorites and Views settings to define local preferences for such things as the Outlook forms, which you see at View, Current View in Outlook. This change, which Screen 3 shows, doesn't change the user's preferred Outlook Bar or Folder List. At
HKEY_CURRENT_USER\Software\ Microsoft\Office\8.0\Outlook\ Printing
add the outlprnt file, as you see in Screen 4, so Outlook will retain users' styles in File, Print, Define Styles.
Now, as Screen 5 shows, set First-Run to False to prevent the default Welcome to Microsoft Outlook message from appearing. Make the entry at
In a single-user environment, this setting toggles from True to False the first time a user runs Outlook. In our NT mandatory user profile, Outlook can't save the toggle change, so we need to force it to False from the start. You can find more information about the Outlook log files and preference files for Favorites, Views, and Print Settings in the Microsoft Knowledge Base article "OL97: Set Up Outlook for Multiple or Roaming Users" (http://support.microsoft.com/support/ kb/articles/q167/3/97.asp).
- Revert back to execute mode by entering
change user /execute
- Confirm that the First-Run Registry change is holding by revisiting the Registry subtree
If the setting isn't holding, reenter this key.
Clean Up Files
To complete the Outlook installation with the modified profiles, you need to clean up several files. On the WinDD server, delete
<install folder>\office\ welcome.msg
to avoid the welcome messages and sample tasks each time a user logs on to Outlook. Delete
because you are providing users with their own .prf profile. Change the permissions on
to give Change access to Everyone. Otherwise, you'll have problems opening attachments. Edit the Outlook program item to make the working directory blank. This action will point Outlook to the user's WinDD folder <domain home>\windows if it wants a working directory.
To put the profile changes into effect, you need to make three changes to the user setup. First, you need to edit the Registry to make the First-Run change for each mandatory profile. Run regedt32 against each of the mandatory profiles at the subtree
as you did during the Outlook installation. Second, all users must have a default.prf file in their <domain home>\windows folder. This file is the standard .prf file that the Outlook installation creates, with the changes that Listing 1 shows. The commands change the profile name, home server, mailbox name, and path to the Personal Address Book (PAB). Finally, call a batch file (e.g., startup.bat) from the Startup group in all the mandatory profiles to execute the following commands at logon. (This post-logon batch file is the most convenient method because this method doesn't use Domain Admin access. Domain Admin access would let you use the logon batch file—domain logon script—directly.) Run the Microsoft NEWPROF utility (available on the Exchange CD-ROM) to create a profile on the fly from the default.prf you created. As Screen 6 shows, make a direct patch to this new profile in the Registry at
HKEY_CURRENT_USER\Software\MicrosoftWindows NT\CurrentVersion\Windows Messaging Subsystem\Profiles<userid>\0a0d 020000000000c000000000000046
to locate the link browser program. This program lets messages containing URLs find IE. Your path to iexplore.exe might be different, and you must substitute the appropriate user ID in each case. We need the script to perform these actions every time a user logs on because NT can't save these changes to the mandatory profile.
Outlook users on WinDD need to be aware of some quirks. Outlook 98 has resolved a few of them, however
- Separation of signature files might not be reliable. Outlook 8.03 doesn't let signature files travel with roaming users. The article "OL97: Set Up Outlook for Multiple or Roaming Users" explains the problem, which Outlook 98 resolves.
- To avoid crashing a session, you need to import Schedule+ data on a PC instead of using WinDD. This problem appears to be an unstable 16-bit application.
- Address lookups refer to the Global Address List (GAL) instead of the PAB, and they might return a large number of matches (e.g., 50 Smiths instead of 5). After you've specified your preference, (e.g., Bill Smith), however, Outlook will return it in the future. This problem might not occur, depending on how you have configured address lists at your site.
- URLs within mail messages fail if you have an IE session open.
- Users might get a Profile dialog box (containing only their messaging profile) when they enter Outlook. They can click OK and disregard the dialog box.
- The Microsoft three-pane extension, which adds a message-preview pane to the Outlook interface, fails in the install script, so do not attempt to load it.
For our large organization, WinDD has an ever-increasing role, and the migration to Outlook, while retaining the original principles of a controlled desktop environment, has been a great success. We have maintained most settings (e.g., views, print views) for each individual. We have locked only the workspace options (e.g., Outlook Bar, Folder List). This article illustrates one technique that can help you satisfactorily run applications in the thin-client Windows environment.