GPO refresh (without /force) kicks users off RDSH

  • Question

  • Hi All,

     

    I’m currently running two RDSH farms with 4 servers in each farm. I’m using loopback process on the GPOs to apply user-specific settings.

     

    I’ve had reports of users being disconnected from their session but we all know how reliable that information can be so I took it with a pinch!

    In an effort to discover what’s 'really' going on I created a PowerShell script which gets the connection information from the RDS Session brokers of each farm. I then looked for disconnects and found that I did indeed have a problem and it happens on all of the RDSH servers at different times with no real pattern ... or so I thought ;o)

     

    I referenced the time of the disconnects with other events on the RDSH servers and noticed they seemed to occur at the same time as a Group Policy refresh. We had a Citrix/Terminal Services expert in recently and I thought that he may have heard of similar issues but he dismissed that as a possibility so I assumed I was barking up the wrong tree.

    I’ve just created a PowerShell script which runs a gpupdate (without /force) on all RDSH to roll out some changes I’ve been testing and it just disconnected all the users from the RDSH servers, just call me Mr Popular!

     

    (The command I run via Invoke-WmiMethod is "gpupdate /target:Computer /wait:0")

     

    So main questions are …

    A: Should a gpupdate (not force) disconnect users from an RDSH? (Perhaps loopback is giving me an issue while using policy side extension?)

    B: Is there any way of stopping an RDSH from refreshing Group Policy during a time period, i.e. 08:00 until 22:00?

     

    Any/All help would be much appreciated :o)

     

    Kind Regards,

     

    John

    • Moved by Kaushal Mehta [MSFT] Wednesday, September 29, 2010 4:10 PM Question related to gpupdate (From:Remote Desktop Services (Terminal Services))
    Wednesday, September 29, 2010 4:08 PM
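
The correlation described in the question, as an added example that is not part of the original post: it flags session disconnects that fall within a short window after a Group Policy refresh started on the same server. The function name, window size, server names and sample timestamps are constructed; the log names and event IDs in the comments are assumptions about where the live data would come from.

```powershell
# Added example (not the poster's script). Correlates RDSH session disconnects
# with Group Policy refresh start times on the same server.
function Find-DisconnectNearRefresh {
    param(
        [object[]] $Disconnects,      # objects with Server, User, Time
        [object[]] $Refreshes,        # objects with Server, Time
        [int]      $WindowSeconds = 120
    )
    foreach ($d in $Disconnects) {
        # Most recent refresh on the same server that started at or before
        # the disconnect and no more than $WindowSeconds earlier.
        $hit = $Refreshes | Where-Object {
            $delta = ($d.Time - $_.Time).TotalSeconds
            $_.Server -eq $d.Server -and $delta -ge 0 -and $delta -le $WindowSeconds
        } | Sort-Object Time -Descending | Select-Object -First 1

        [pscustomobject]@{
            Server       = $d.Server
            User         = $d.User
            Disconnect   = $d.Time
            RefreshStart = if ($hit) { $hit.Time } else { $null }
            NearRefresh  = [bool]$hit
        }
    }
}

# Constructed sample data so the function can be tried offline.
$refreshes = @(
    [pscustomobject]@{ Server = 'RDSH01'; Time = [datetime]'2010-09-29T10:02:10' }
    [pscustomobject]@{ Server = 'RDSH02'; Time = [datetime]'2010-09-29T11:37:45' }
)
$disconnects = @(
    [pscustomobject]@{ Server = 'RDSH01'; User = 'alice'; Time = [datetime]'2010-09-29T10:02:25' }
    [pscustomobject]@{ Server = 'RDSH01'; User = 'bob';   Time = [datetime]'2010-09-29T13:15:00' }
    [pscustomobject]@{ Server = 'RDSH02'; User = 'carol'; Time = [datetime]'2010-09-29T11:38:01' }
)
Find-DisconnectNearRefresh -Disconnects $disconnects -Refreshes $refreshes |
    Format-Table -AutoSize

# Live data (assumed sources), mapped to the same Server/User/Time shape:
#   Get-WinEvent -ComputerName $server -FilterHashtable @{
#       LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
#       Id = 24 }                              # session disconnected
#   Get-WinEvent -ComputerName $server -FilterHashtable @{
#       LogName = 'Microsoft-Windows-GroupPolicy/Operational'
#       Id = 4004, 4005, 4006, 4007 }          # manual/periodic processing started
```

With the sample data, the disconnects for alice and carol are flagged as near a refresh and bob's is not.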

Answers

  • Hi,

    I've disabled background refreshing of group policy and I no longer get the error. Group policy still applies at login and I've got a scheduled reboot of the farm every night to clear the system and read new GPO settings at boot up.

    maniatwork : - Could you set up another mandatory GPO which adjusts the refresh to greater than 24 hours and then set up a similar reboot?

    J

    • Marked as answer by John Grenfell Thursday, December 2, 2010 6:27 PM
    Thursday, December 2, 2010 6:26 PM

All replies


  • There was a similar problem, and a community member provided a possible solution:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
    "fDenyTSConnections"=dword:00000000

    For more information, please refer to the following article:
    Group Policy and Windows Advanced Firewall network blip
    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/cd94ea99-a843-4781-bbcf-7538182511c9

    We can modify the Group Policy refresh interval so that it will not refresh during 8 to 22. For your reference:

    How to modify the default Group Policy refresh interval
    http://support.microsoft.com/kb/203607

    Thanks.


    Friday, October 1, 2010 10:18 AM
  • Hi, I can't use the registry setting as my servers are Remote Desktop Session Hosts and need RDP enabled. I have adjusted the refresh rate of group policies but there doesn't seem to be a way to set a specific time range. I guess I'll have to set up a scheduled reboot at night to ensure the server doesn't refresh during the day :o( J
    Tuesday, October 5, 2010 7:18 PM
  • Hello all,

     

    I have the same problem with many Vista clients I am connected to with Microsoft RDP.

    The solution described here

    http://support.microsoft.com/kb/2083411/en-us/

    does not work for my clients. The group policy refresh interval cannot be changed, because it is a mandatory GPO for my customers.

    Any ideas for me?


    ml
    Monday, October 25, 2010 10:31 PM
  • For anyone else stumbling on this problem, as a possible alternative solution, check:

    http://setspn.blogspot.com/2010/12/remote-desktop-session-disconnection.html

    and

    http://support.microsoft.com/kb/2083411

    for an official explanation.

    P.S. As stated by Mervyn, "fDenyTSConnections"=dword:00000000 actually enables RDP. "DenyTSconnections = 1" would disable it...


    http://setspn.blogspot.com
    Tuesday, December 21, 2010 7:26 PM