Answered GPO to log off idle terminal server sessions excluding 1 of the terminal servers

  • 28 February 2012 2:25
     
     
    What would be the best route in creating a GPO to log off idle terminal server sessions but exclude one of the terminal server? I was thinking about setting it on the user configurations side and then use the delegation, deny to exclude the 1 terminal server...Will that work?

All replies

  • 28 February 2012 13:04
     
     
    On 28.02.2012 03:25, madbeast wrote:
    > What would be the best route in creating a GPO to log off idle
    > terminal server sessions but exclude one of the terminal server? I was
    > thinking about setting it on the user configurations side and then use
    > the delegation, deny to exclude the 1 terminal server...Will that work?
     
    No, it will not. Servers (Computers) don't care about user GPO settings.
    You need <a
    processing</a> which anyway is best practice for Terminal Servers.
     
     
    sincerely, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
  • 29 February 2012 2:32
     
     
    Would it be better to create an OU for Terminal Servers and configure it on the computer side then? I just need to log off idle terminal sessions after a period of time and exclude 1 of the servers from the GPO.....Also, how would I apply the GPO to multiple domains???
    • Edited by madbeast 29 February 2012 2:35
  • 29 February 2012 8:24
    Moderator
     
     

    Hi,

    Thanks for your posting.

    For your requirement I think you may set idle terminal session time limit through Terminal Services Configuration on some of your Terminal Server not through Group Policy.

    To specify timeout and reconnection settings for a remote session:
    1. Open Terminal Services Configuration. To open Terminal Services Configuration, click Start, point to Administrative Tools, point to Terminal Services, and then click Terminal Services Configuration.

    2. Under Connections, right-click the name of the connection, and then click Properties.

    3. In the Properties dialog box for the connection, click the Sessions tab.

    4. Click OK. Changes to timeout and reconnection settings are not applied to sessions that are connected when the change is made. The changes will take effect the next time the user establishes a new connection to the terminal server.

    You can also configure timeout and reconnection settings by applying group policy settings, and these Group Policy Settings will take precedence over the settings configured in Terminal Services Configuration. So here you need to remove your deployed session timeout limit group policy.

     For more information please refer to following MS articles:

    Configure Timeout and Reconnection Settings for Terminal Services Sessions
    http://technet.microsoft.com/en-us/library/cc754272(v=ws.10).aspx
    Session Time Limits
    http://technet.microsoft.com/en-us/library/cc726057(v=ws.10).aspx


    Lawrence

    TechNet Community Support

  • 29 February 2012 15:47
     
     
    I just wanted to correct myself....I need to create a GPO to log off idle RDP sessions on all of our servers (not just terminal servers) in multiple domains....we have over 500 servers...it would take forever to configure idle terminal session time limit through terminal services config....Thanks.
  • 1 March 2012 6:43
    Moderator
     
     

    Hi,

    Thanks for your posting.

    Since you have so many servers (500+), we have to use Group Policy to configure “Idle session limit” time. These Group Policy settings can be configured by either Computer Configuration or User Configuration. But these group policy settings can’t distinguish terminal server, so we can’t exclude specified terminal server.

    For more information please refer to following MS articles:

    Group Policy Settings for Terminal Services in Windows Server 2008
    http://technet.microsoft.com/en-us/library/cc753697(v=WS.10).aspx
    All Group Policy Settings for Terminal Services in Windows Server 2008
    http://technet.microsoft.com/en-us/library/cc770884(v=ws.10).aspx

    Lawrence

    TechNet Community Support

  • 1 March 2012 16:12
     
     
    Lawrence thanks for the reply....I guess in GPO it is now known as Remote Desktop Services. Anyways, I was thinking about creating the GPO under computer configurations and linking it to the domain level.........so that the GPO will hit all servers but how would I exclude workstations from the GPO?
  • 2 March 2012 2:03
    Moderator
     
     Answer

    Hi,

    Thanks for your posting.

    We can configure Computer Configuration Group Policy for Terminal Services in Windows Server 2008. The following Group Policy nodes are available under the Computer Configuration\Policies\Administrative Templates\Windows Components\Terminal Services node of the Group Policy Management Console.

    If you configure and link the Computer Configuration GPO to your domain level, all computers in the domain will take and apply the GPO as default. But you can use security filtering or delegation to refine which computers will receive and apply the GPO.

    By default, all GPOs have Read and AGP both Allowed for the Authenticated Users group. The Authenticated Users group includes both users and computers. This is how all authenticated users receive the settings of a new GPO when it is applied to an organizational unit, domain or site. However, you can change these permissions to limit the scope to a specific set of users, groups, or computers within the organizational unit, domain, or site.

    Or you can set GPO delegation, set deny access permission for workstations which you don’t want them to apply this GPO.

    For more information please refer to following MS articles:

    Filter using security groups
    http://technet.microsoft.com/en-us/library/cc779291(v=WS.10).aspx
    Security filtering using GPMC
    http://technet.microsoft.com/en-us/library/cc781988(v=WS.10).aspx
    Delegation and policy-related permissions
    http://technet.microsoft.com/en-us/library/cc776858(v=WS.10).aspx


    Lawrence

    TechNet Community Support

  • 2 March 2012 18:33
     
     

    Lawrence,

    Yes, I am thinking about linking the GPO to the domain level. But using delegation in the GPO, is there a way to deny all workstations at once? Or do i need to add each computer account and then deny????

  • 5 March 2012 2:42
    Moderator
     
     Answer

    Hi,

    Thanks for your posting.

    Delegation can be set to any group or user.  You can set a domain local group and add workstations which you don’t want them to apply this GPO to this domain local group. And then set deny read and access permission for the domain local group.

    For more information please refer to following MS articles:

    Delegate policy-related permissions on a domain, OU, or site using GPMC
    http://technet.microsoft.com/en-us/library/cc759064(v=ws.10).aspx


    Lawrence

    TechNet Community Support
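
The scoping discussed in the answers above (a Computer Configuration GPO linked at the domain level and narrowed by security filtering), sketched with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original thread; it uses allow-based filtering (an "apply" group) rather than a deny entry, and the GPO name, group name, domain DN, excluded host name and 30-minute limit are all placeholders.

```powershell
# Added example: every name and value below is a placeholder, not taken from the thread.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName  = 'RDP Idle Session Limit'     # hypothetical GPO name
$domainDn = 'DC=example,DC=com'          # placeholder domain
$applyGrp = 'GPO-RDPIdle-Apply'          # hypothetical group: computers that receive the GPO
$exclude  = 'TS-EXCLUDED'                # placeholder name of the one server to leave out
$key      = 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# 1. Create the GPO and write the computer-side session limit values.
New-GPO -Name $gpoName | Out-Null
# MaxIdleTime is stored in milliseconds; 30 minutes is a constructed sample value.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'MaxIdleTime' `
    -Type DWord -Value (30 * 60 * 1000) | Out-Null
# fResetBroken = 1 ends the session when the limit is reached instead of only disconnecting it.
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'fResetBroken' `
    -Type DWord -Value 1 | Out-Null

# 2. Security filtering: only members of $applyGrp apply the GPO.
#    Authenticated Users keeps Read so computers can still read the GPO, but no longer applies it.
New-ADGroup -Name $applyGrp -GroupScope Global -GroupCategory Security `
    -Path "CN=Users,$domainDn"
Set-GPPermission -Name $gpoName -TargetName $applyGrp -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 3. Populate the group with server-OS computer accounts, skipping the excluded host.
#    Workstations never enter the group, so a domain-level link does not reach them.
Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
    Where-Object { $_.Name -ne $exclude } |
    ForEach-Object { Add-ADGroupMember -Identity $applyGrp -Members $_ }

# 4. Link at the domain level, as proposed in the thread.
New-GPLink -Name $gpoName -Target $domainDn | Out-Null

# 5. Review the resulting permissions before relying on the GPO.
Get-GPPermission -Name $gpoName -All | Select-Object Trustee, Permission
```

A computer picks up new group membership only after it restarts, and a GPO lives in one domain, so the script has to be run once per domain.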