 

Configuring different settings for Remote Desktop and RemoteApp users

  • Friday, October 30, 2009 4:47 PM Matthew Theobald
     

    By installing the Remote Desktop Services role, both Remote Desktop and RemoteApp are enabled. Furthermore, the various configurations (access control, inactivity timeout behaviour, etc.) seem to be global to both Remote Desktop and RemoteApp.

    Is it possible to configure different settings for Remote Desktop and RemoteApp users? For example, I want members of the domain AppAdmins group to be able to log in to the desktop with a Remote Desktop connection with no inactivity timeout; but I want members of the domain AppUsers group to be able to start RemoteApp programs with an inactivity timeout of 5 minutes.

All Replies

  • Monday, November 02, 2009 10:26 AM Lionel Chen - MSFT, Moderator
     Answer

    Hello Matthew,

     

    Thanks for posting in our forum.

     

    It is not possible to assign different session timeouts to RemoteApp and Remote Desktop for the same group of computers or the same group of users. However, your example, applying different session timeout configurations based on different user groups, is possible. From my test, I think it can be met by using per-user Group Policy settings via the following steps:

     

    In my test environment, the domain controller (DC) is based on Windows Server 2008 R2. Please note that the locations of the policy settings are somewhat different among versions of Windows Server.

     

    1.     On the Domain Controller, run “gpmc.msc” to start Group Policy Management console.

    2.     Put the users to whom you want to apply different configurations into different OUs. For example, AdminUsers and NormalUsers.

    3.     Create and link a corresponding Group Policy Object to each OU. For example, if you want to apply a timeout setting to normal users, create a GPO for the NormalUsers OU.

    4.     Edit the GPO settings in the following location: User Configuration \ Policies \ Administrative Templates \ Windows Components \ Remote Desktop Services \ Remote Desktop Session Host \ Session Time Limits. For example, set the limit for active Remote Desktop Services sessions and enable automatic termination when time limits are reached.

    5.     Use GPUpdate on both the RDS servers.

     

    By using the steps above, only the normal users OU (NormalUsers) is affected by the timeout settings, while other users are not.

     

    Hope the method above helps in your scenario. Please feel free to let me know if I can provide any further assistance. Thanks and have a nice day.

     

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

  • Tuesday, November 03, 2009 2:47 PM Matthew Theobald
     
    Thank you for the proposed solution.  Unfortunately, my administrative and normal users are in the same OU.  However, I presume that I can accomplish much the same result by using security filtering.  I will create a GPO for the administrative users, filter it by group, override the Session Time Limits, and ensure it has a higher link order (so as to override the settings for normal users).

    Regards,

    Matthew
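
The security-filtering variant described in the post above, scripted with the GroupPolicy module that ships with GPMC on Windows Server 2008 R2. This is an added example, not code posted by anyone in the thread; the OU distinguished name and GPO names are placeholders, the group names come from the original question, and the registry value names are the ones the Session Time Limits user policies write.

```powershell
# Added example, not from the thread. Run where GPMC is installed.
Import-Module GroupPolicy

$ou    = 'OU=RDSUsers,DC=example,DC=com'   # placeholder OU holding both groups
$tsKey = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'

function New-SessionLimitGpo {
    param(
        [string]$Name,           # GPO display name (constructed for this example)
        [string]$Group,          # security group the GPO is filtered to
        [int]$IdleMilliseconds   # 0 = idle sessions never time out
    )
    $gpo = New-GPO -Name $Name
    # Idle limit for active sessions (User Configuration, Session Time Limits)
    Set-GPRegistryValue -Guid $gpo.Id -Key $tsKey -ValueName 'MaxIdleTime' `
        -Type DWord -Value $IdleMilliseconds | Out-Null
    # 1 = end the session when a limit is reached, 0 = disconnect only
    Set-GPRegistryValue -Guid $gpo.Id -Key $tsKey -ValueName 'fResetBroken' `
        -Type DWord -Value ([int]($IdleMilliseconds -gt 0)) | Out-Null
    # Security filtering: only $Group applies the GPO. Authenticated Users
    # keep Read so the GPO can still be evaluated, but lose Apply.
    Set-GPPermissions -Guid $gpo.Id -TargetName $Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null
    Set-GPPermissions -Guid $gpo.Id -TargetName 'Authenticated Users' `
        -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
    return $gpo
}

# 5-minute idle limit for AppUsers, no idle limit for AppAdmins
$users  = New-SessionLimitGpo -Name 'RDS-Limits-AppUsers' `
            -Group 'AppUsers' -IdleMilliseconds 300000
$admins = New-SessionLimitGpo -Name 'RDS-Limits-AppAdmins' `
            -Group 'AppAdmins' -IdleMilliseconds 0

# Link both to the shared OU. Link order 1 is processed last and wins,
# so an account in both groups gets the administrative setting.
New-GPLink -Guid $users.Id  -Target $ou -LinkEnabled Yes | Out-Null
New-GPLink -Guid $admins.Id -Target $ou -LinkEnabled Yes -Order 1 | Out-Null

# Review link order and who can apply each GPO before relying on it
Get-GPInheritance -Target $ou | Select-Object -ExpandProperty GpoLinks
Get-GPPermissions -Guid $users.Id  -All
Get-GPPermissions -Guid $admins.Id -All

# Then, in a test user's session on each RDS server:
#   gpupdate /target:user /force
#   gpresult /scope user /r
```

If the same time limits are also set under Computer Configuration on the RDS servers, the computer setting takes precedence over these per-user values, so check for that when the `gpresult` output shows the GPO applied but the timeout does not change.
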
  • Wednesday, November 04, 2009 2:51 AM j2 Global
     Answer
    You can control which groups the GPO is applied to by going into Delegations -> Advanced.  Select the group you want the GPO to NOT apply to (i.e. domain admins), and on the option "Apply Group Policy" select Deny.  Deny takes precedence over Allow, so whenever Domain Admins log in, the GPO will not be applied to them.

    There's an excellent article about creating a special TS/RDS GPO to control how they act separately from the rest of your domain:
    http://www.dabcc.com/article.aspx?id=10452
  • Wednesday, November 04, 2009 10:02 AM Lionel Chen - MSFT, Moderator
     

    Hello Matthew,

     

    Thanks for your feedback in this thread.

     

    Based on my experience, both the ideas from you and J2 can work in such a scenario. Please choose one and give it a try. Let me know the result if you need any further assistance.

     

    Have a nice day, Matthew and J2.

     

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com

  • Thursday, November 05, 2009 7:20 AM Matthew Theobald
     Answer

    Thank you, I will combine my solution with the suggestion in the article w.r.t. loopback processing.  By doing so, I should be able to control Session Time Limits individually for: 1) normal users in OUs I control; 2) administrative users in OUs I control; and 3) other users in OUs that I don't control.  I had forgotten about the third category.

    Regards,

    Matthew Theobald

  • Thursday, November 05, 2009 8:51 AM Lionel Chen - MSFT, Moderator
     
    Hello Matthew,

    Thanks for letting me know the issue can be resolved by our solutions.

    Please follow up here if you need any further help from me. Thanks and have a nice day.

    Lionel Chen

    TechNet Subscriber Support in forum

    If you have any feedback on our support, please contact tngfd@microsoft.com