GPO - Session Time Limits - Remote Desktop Session Host - No time out For Administrator group and Time out for a Specific Security Group

    Question

  • Hello,

    I am using a Server 2012 R2 with Remote Desktop session enabled on this server. I have two security groups: one for administrators, TS-MAINTENANCE, and one for my regular users, TS-RDSERVER.

    I would like to apply (Set time limit for disconnected session) to NEVER and also (Set time limit for active but idle Remote Desktop Service session) to NEVER to the specific TS-MAINTENANCE group.

    And for security group TS-RDSERVER, apply (Set time limit for disconnected session) to 3 hours and also (Set time limit for active but idle Remote Desktop Service session) to 3 hours.

    I configured it as in a previous post and the GPO is applied to both groups. Can anyone help me?

    

    Wednesday, January 25, 2017 8:38 PM

Answers

  • HI,

    >>I configured it as in a previous post and the GPO is applied to both groups. Can anyone help me?

    You could configure two different GPOs for these two user groups, putting the two groups into two different OUs, then apply a dedicated GPO to each.

    For GPO related settings, you only need to configure user settings and enable block inheritance for these OUs, in case the default domain policy will affect them.

    Best regards,

    Andy



    Thursday, January 26, 2017 3:52 AM
    Moderator
  • Create two GPOs

    GPO#1, is for your scenario : Security Group = TS-MAINTENANCE (your administrators)
    Set the session settings in \User Configuration\, as you desire, for TS-MAINTENANCE group members.
    Set the Security Filtering on GPO#1 : Authenticated Users = Read GPO, and, TS-MAINTENANCE = Read GPO + Apply GPO
    Link this GPO to the OU where the RDS server object resides.
    Test for correct operations (only TS-MAINTENANCE group members should have the desired session settings)

    GPO#2, is for your scenario : Security Group = TS-RDSERVER (your users)
    Set the session settings in \User Configuration\, as you desire, for TS-RDSERVER group members.
    Set the Security Filtering on GPO#1 : Authenticated Users = Read GPO, and, TS-RDSERVER = Read GPO + Apply GPO
    Link this GPO to the OU where the RDS server object resides.
    Test for correct operations (only TS-RDSERVER group members should have the desired session settings), and, TS-MAINTENANCE group members should retain their desired session settings.

    The OU where the AD groups (TS-MAINTENANCE & TS-RDSERVER) are located, is irrelevant.

    NB: Ensure that you are configuring \User Configuration\, else this approach will fail.
    Ensure that Group Policy Loopback Processing, is *not* enabled in *any* GPO linked or inherited to your RDS server object.
    ....Because Loopback Processing will introduce unnecessary/conflicting logic.

    https://technet.microsoft.com/en-us/library/cc754272(v=ws.11).aspx

    https://technet.microsoft.com/en-us/library/ee791886(v=ws.10).aspx

    http://www.it.ltsoy.com/windows/lock-down-remote-desktop-services-server-2012/


    Don [doesn't work for MSFT, and they're probably glad about that ;]


    • Edited by DonPick Thursday, January 26, 2017 6:19 AM
    • Marked as answer by J.Silver_Neotech Thursday, January 26, 2017 3:14 PM
    Thursday, January 26, 2017 6:18 AM
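
The two-GPO setup described in the answer above, scripted with the GroupPolicy PowerShell module as an added example (not part of the original post). The GPO names, the OU path and the `example.com` domain are placeholders; `MaxDisconnectionTime` and `MaxIdleTime` are the registry values behind the two session time limit policies, stored in milliseconds, with 0 meaning Never.

```powershell
# Added example: GPO names and the OU path below are placeholders, adjust to your domain.
Import-Module GroupPolicy

$rdsOu        = 'OU=RDS Servers,DC=example,DC=com'   # placeholder: OU holding the RDS server object
$tsKey        = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
$threeHoursMs = 3 * 60 * 60 * 1000                   # limits are stored in milliseconds

# One entry per GPO: the group it is filtered to and the limit it sets (0 = Never).
$plan = @(
    @{ Gpo = 'RDS Session Limits - TS-MAINTENANCE'; Group = 'TS-MAINTENANCE'; LimitMs = 0 },
    @{ Gpo = 'RDS Session Limits - TS-RDSERVER';    Group = 'TS-RDSERVER';    LimitMs = $threeHoursMs }
)

foreach ($p in $plan) {
    New-GPO -Name $p.Gpo | Out-Null

    # User Configuration values for the disconnected-session and idle-session limits.
    foreach ($valueName in 'MaxDisconnectionTime', 'MaxIdleTime') {
        Set-GPRegistryValue -Name $p.Gpo -Key $tsKey -ValueName $valueName `
            -Type DWord -Value $p.LimitMs | Out-Null
    }

    # Security filtering: a new GPO grants Authenticated Users Read + Apply by default.
    # -Replace lowers that to Read only; the target group then gets Read + Apply.
    Set-GPPermission -Name $p.Gpo -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel GpoRead -Replace | Out-Null
    Set-GPPermission -Name $p.Gpo -TargetName $p.Group -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # Link the GPO to the OU where the RDS server object resides.
    New-GPLink -Name $p.Gpo -Target $rdsOu | Out-Null

    # Print the resulting filter so it can be reviewed before testing.
    Get-GPPermission -Name $p.Gpo -All |
        Select-Object @{ n = 'Gpo'; e = { $p.Gpo } },
                      @{ n = 'Trustee'; e = { $_.Trustee.Name } },
                      Permission
}
```

To test, sign in to the RDS server as a member of each group and run `gpresult /r /scope user` to see which of the two GPOs was applied to that session.
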
  • Thanks for the help DonPick. 

    I am trying it at the moment.

    Thursday, January 26, 2017 3:15 PM

  • Thanks, it worked like a charm.

    Friday, January 27, 2017 8:24 PM