none
Automatically log out idle and disconnected users

    Question

  • Hi,

    Windows Server 2008 R2 Domain.

    Im trying to have users that are connected with RDP to other servers and clients to automatically log out if there are idle og disconnected for more than 30 minutes. Im able to get it working if i use computer configuration, but I want this to work under user configuration, so im not sure what I am doing wrong.

    I have configured the following. Created a single GPO on the root of the domain, and put a desktop 7 client in this container. Then i have configured a GPO with the following settings: User Configuration>Policies>Administrative Templates>Windows Components>Remote Desktop Services>Session Time Limits: Here I have enabled "Set time limit for disconncted sessions", "Set time limit for active but idle...." and "End session when time...."

    If i check the GPO, under security filtering i have Authenticated Users, and they have read and apply, and it is linked to the correct OU.

    If I now log in to my client and do a gpupdate /force log out and in again, I can see the GPO is not applied correct. The strange thing is that is named under Computer Settings> The following GPOs were not applied because they are filtered out.. here is my GPO and reason is "Not applied (Empty). Under User settings there is no such GPO applied...

    I thought that it should have been under user settings .... if i configure the GPO as a computer settings it works.... but should not this also work for users ?


    /Regards Andreas

    Tuesday, January 06, 2015 11:58 AM

Answers

  • http://technet.microsoft.com/en-in/library/cc758177%28v=ws.10%29.aspx

    This article says this must be a computer configuration.  Can you visit?

    • Marked as answer by Andreas2012 Tuesday, January 06, 2015 12:45 PM
    Tuesday, January 06, 2015 12:01 PM

All replies

  • http://technet.microsoft.com/en-in/library/cc758177%28v=ws.10%29.aspx

    This article says this must be a computer configuration.  Can you visit?

    • Marked as answer by Andreas2012 Tuesday, January 06, 2015 12:45 PM
    Tuesday, January 06, 2015 12:01 PM
  • Hi,

    Thanks for information. Ok I see, i must just use the computer configuration.

    I want this policy to be deploy at the top level, but there are some computers and users that should not be part of this policy. What is the best way to do this ? Should i for example just create a group and add all the users / groups that should be part of this policy to this group. Then within the GPO under security filtering remove Authenticated users and just add the group i created ?


    /Regards Andreas

    Tuesday, January 06, 2015 12:39 PM
  • Correct ... You should go with security filtering.
    • Proposed as answer by Prabhu Mallick Tuesday, January 06, 2015 12:43 PM
    Tuesday, January 06, 2015 12:42 PM
  • Ok.

    But one other thing, these time limits are only for RDP session.

    Where could I configure the same if the users log on the console ? Is there any gpo for that, I have only seen 2 parts screen savers and programs.


    /Regards Andreas

    Tuesday, January 06, 2015 12:46 PM
  • It will come at : User Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits

    Refer below link

    http://technet.microsoft.com/en-us/library/cc753112%28v=ws.10%29.aspx

    Tuesday, January 06, 2015 1:09 PM
  • What do you mean it will come ? isnt that link only for terminal services ?

    Another thing i have tried with security filtering, and it works with the default Authenticated Users and if i add the computer account name. But if I add a user account, or a user group the policy fails with the reason "unknown". Should I not be able to add directly users or groups with users ?

    Thanks for fast reply :)


    /Regards Andreas

    Tuesday, January 06, 2015 1:15 PM
  • It will come at : User Configuration\Policies\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits

    Refer below link

    http://technet.microsoft.com/en-us/library/cc753112%28v=ws.10%29.aspx

    It will come means, you will find the settings at the mentioned path. That's for terminal session can be applied on servers not necessarily only for Terminal servers.

    Best practice is to add security group in the security filter. But yes if you have less number of users, you can add them directly.

    Wednesday, January 07, 2015 5:58 AM
  • Hi,

    Thanks for clearing that regarding terminal server.

    But when it comes to just add users or security groups if does not work. Like I said it works for authenticated users and if i add the computer account, but not for security groups or users directly, and the policy fails with the reason "unknown". I should be able to add these right? or must i use authenticated users or computer account since this is a computer setting ?

    Sorry not to familiar with GPOs...


    /Regards Andreas

    Wednesday, January 07, 2015 8:48 AM
  • Since this is a user based setting, you must add the security group containing users only. Secondly if you want it for all keep authenticated users group (which is default), else remove that group and add your newly created security group at the security filtering option.

    Regards Prabhu

    Wednesday, January 07, 2015 8:52 AM
  • Hm, I may misunderstand her.

    If we concentrate on the users should automatically log out after 30 min when they use RDP, then I have to configure this under COMPUTER SETTINGS since USER SETTINGS are not working here, am I right ?

    If im right, then im not able to add user groups to this policy since this is a computer setting, because if i try to add a user group it want apply the policy, but if i apply a computer account it apply.

    Am i missing somethings here?


    /Regards Andreas

    Friday, January 09, 2015 6:59 PM