User Configuration and Computer Configuration

    Question

  • Hi All, 

    I am not sure how to achieve this. Basically I have a Server OU and a User OU, and what I am trying to do is set session timeouts for remote desktop sessions. I applied a policy at a parent container of these two OUs, which was a user configuration policy that ended RDP sessions after 2 hours of idle time. I have based it on a user configuration because I have a number of users that need to be excluded from the policy, as they are service type accounts which run an interactive app (bad, I know). Now I have a secondary requirement that, depending on the server, the session timeout is different, i.e. the session is terminated after 30 mins. So the same group of users are applied, but the machine dictates the session limits. I have tried to exclude the machines from the default policy but have found that it does not work (probably because it is a user configuration). And if I change it to a computer configuration, the user accounts that should be excluded are also logged off. I was looking at using loopback but not sure if this is the correct practice.

    Any information would be great

    Tuesday, February 17, 2015 12:37 PM

Answers

  • So you want to differentiate the timeout based on computer, but have exceptions for some users?

    First of all, loopback processing will not help you here, as it only allows applying a single set of user policies to the computer/user instead of, or together with, the user policies attached to the user.

    Second, I do not think there is a solution using GPO terminal server settings alone. After all, as documented in the GPO, the computer configuration will always have precedence. So if users should have different settings, all settings should go in the user policies attached to user OUs (which could be a different OU and thus a different GPO for service accounts), which no longer allows you to differentiate the timeout per machine (unless you apply the computer configuration GPO only on computers that do not have to run the awkward console application and accept that the same timeout will apply to all users of that computer).

    Another way might be to simplify the requirements and no longer differentiate for the service accounts. They can run the application in the console session (which has no terminal services timeout) or have a custom application to prevent sessions from going idle (also not a beauty of a solution).


    MCP/MCSA/MCTS/MCITP


    Tuesday, February 17, 2015 12:54 PM
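    The precedence point in this answer is easy to check on the server itself. The script below is an added example, not code from this thread; it assumes (from the explanation text of the policy "Set time limit for active but idle Remote Desktop Services sessions") that the limit is stored as the REG_DWORD MaxIdleTime, in milliseconds with 0 meaning "never", under the Terminal Services policy key of each hive, and that the Computer Configuration copy wins when both exist. Run it inside the RDP session you are worried about, after gpupdate.

```powershell
# Added example, not code from the thread: show which RDS idle-session limit a
# session on this server will get and which hive it comes from.
# Assumptions: the policy "Set time limit for active but idle Remote Desktop
# Services sessions" stores MaxIdleTime (REG_DWORD, milliseconds, 0 = never) under
#   HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services  (Computer Configuration)
#   HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services  (User Configuration)
# and, as the policy text says, the Computer Configuration value wins when both exist.

function Get-RdsIdleLimit {
    param([ValidateSet('HKLM', 'HKCU')][string]$Hive)
    $key  = "${Hive}:\Software\Policies\Microsoft\Windows NT\Terminal Services"
    $item = Get-ItemProperty -Path $key -Name MaxIdleTime -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }        # key or value absent: not configured here
    return [int64]$item.MaxIdleTime             # any realistic limit fits in a signed Int32
}

function Format-IdleLimit {
    param($Milliseconds)
    if ($null -eq $Milliseconds) { return 'not configured' }
    if ($Milliseconds -eq 0)     { return 'never (0)' }
    return ('{0} min ({1} ms)' -f ($Milliseconds / 60000), $Milliseconds)
}

$computerLimit = Get-RdsIdleLimit -Hive HKLM
$userLimit     = Get-RdsIdleLimit -Hive HKCU

"Computer Configuration (HKLM): $(Format-IdleLimit $computerLimit)"
"User Configuration     (HKCU): $(Format-IdleLimit $userLimit)"

if ($null -ne $computerLimit) {
    $effective = $computerLimit
    $source    = 'Computer Configuration'
    if ($null -ne $userLimit -and $userLimit -ne $computerLimit) {
        # This is exactly the trap in the question: a per-user exemption (or a
        # different value) in User Configuration is silently overridden here.
        Write-Warning "User Configuration asks for $(Format-IdleLimit $userLimit), but the computer value takes precedence."
    }
}
elseif ($null -ne $userLimit) {
    $effective = $userLimit
    $source    = 'User Configuration'
}
else {
    $effective = $null
    $source    = 'neither hive; the RD Session Host / collection setting applies'
}

"Effective idle limit for $env:USERNAME on $env:COMPUTERNAME : $(Format-IdleLimit $effective) [$source]"
```

    If the warning fires for one of the service accounts, the exemption in User Configuration cannot work on that server no matter how the user GPO is filtered; the computer-side value has to go.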
  • > Any information would be great

    Basically, all GPO settings are simple registry values. If we look at http://gpsearch.azurewebsites.net/#8099, we have the registry value at hand.

    We then can deploy this value through GPP Registry (instead of ADM templates), and this gives us full control by using Item Level Targeting. Have a look at example.

    If you now combine this method with some "Computer is a member of" or "User is a member of", you can easily achieve your goal :)

    Martin

    Read a GOOD book about GPOs for once?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 23, 2015 5:05 PM
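    The targeting logic Martin describes ("Computer is a member of" for the server tier, "User is a member of" for the exemptions) is decided per session when the GPP Registry item is processed, so it helps to have the same decision written out as a script that can be run on a server to confirm what the item should produce. The following is an added example, not Martin's code: the group names CONTOSO\RDS-Idle-30min and CONTOSO\RDS-Idle-Exempt are placeholders, the registry key and the meaning of MaxIdleTime (milliseconds, 0 = never) are taken from the policy text, the computer-side check reads the computer object's memberOf through ADSI (so it needs a domain-joined machine with a reachable DC and sees direct membership only), and the optional write requires elevation because HKCU\Software\Policies is not writable by a standard user.

```powershell
# Added example, not Martin's own code: the decision that the GPP Registry item's
# Item-Level Targeting would make ("Computer is a member of" for the server tier,
# "User is a member of" for the exemptions), written as a script so the outcome
# can be checked on a server before and after building the GPP item.
# Assumed (placeholder) group names:
#   CONTOSO\RDS-Idle-30min   computer group: servers that get the 30-minute limit
#   CONTOSO\RDS-Idle-Exempt  user group: interactive service accounts, no limit
# Everyone else gets the 2-hour default from the question.
param([switch]$Apply)   # without -Apply the script only reports

$ThirtyMinServers = 'CONTOSO\RDS-Idle-30min'
$ExemptUsers      = 'CONTOSO\RDS-Idle-Exempt'
$DefaultLimitMs   = 2 * 60 * 60 * 1000   # 7200000  (2 h)
$ShortLimitMs     = 30 * 60 * 1000       # 1800000  (30 min)
$UserPolicyKey    = 'HKCU:\Software\Policies\Microsoft\Windows NT\Terminal Services'

# User-side check against the logon token, so nested group membership counts.
function Test-UserInGroup {
    param([string]$Group)
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { continue }                   # SID that no longer resolves
        if ($name -eq $Group) { return $true }
    }
    return $false
}

# Computer-side check via the computer object's memberOf in AD (plain ADSI, no
# RSAT needed). memberOf lists direct membership only; nested groups are not followed.
function Test-ComputerInGroup {
    param([string]$Group)
    $groupSam = ($Group -split '\\')[-1]
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $computer = $searcher.FindOne()
    if ($null -eq $computer) { return $false }
    foreach ($dn in $computer.Properties['memberof']) {
        $cn = (($dn -split ',')[0] -replace '^CN=', '')
        if ($cn -eq $groupSam) { return $true }  # assumes the group's CN equals its sAMAccountName
    }
    return $false
}

function Get-IntendedIdleLimit {
    if (Test-UserInGroup -Group $ExemptUsers)          { return 0 }              # 0 = never
    if (Test-ComputerInGroup -Group $ThirtyMinServers) { return $ShortLimitMs }
    return $DefaultLimitMs
}

$limit = Get-IntendedIdleLimit
"Intended MaxIdleTime for $env:USERNAME on $env:COMPUTERNAME : $limit ms ($($limit / 60000) min; 0 = never)"

if ($Apply) {
    # Same effect as a GPP Registry item with action "Update" in the user hive.
    # HKCU\Software\Policies is not writable by a standard user, so run elevated.
    if (-not (Test-Path $UserPolicyKey)) { New-Item -Path $UserPolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $UserPolicyKey -Name MaxIdleTime -Value ([int]$limit) -Type DWord
}
```

    Note that everything is written to the user hive on purpose: the exemption is expressed as MaxIdleTime = 0 for members of the exempt group, and that can only survive if no Computer Configuration GPO sets MaxIdleTime on the same server, since the computer-side value takes precedence.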

All replies

  • Thanks SenneVL.


    Tuesday, February 17, 2015 1:47 PM
  • I assume a combination of GPO user settings and WMI filtering could not be used
    Tuesday, February 17, 2015 2:02 PM