none
Session Time Limits in GPO are not applying on some RDD Session Hosts RRS feed

  • Pregunta

  • Environment:

    • OU called "RDS Session Hosts" which contains 4 RDS Session Host servers, all running 2012 R2
    • GPO called "RDS Session Time Limits" with User Configuration settings enabled to control Session Time Limits. This is linked to the "RDS Session Hosts" OU
    • Loopback processing is enabled and set to Merge on the "RDS Session Hosts" OU since our users who log on to the RDS Session Hosts are in another OU.

    The issue I am having is the settings configured in the GPO are only applying on 1 of the 4 RDS Session Host servers. When I run a Group Policy RSoP report on all 4 servers, the results are the same and show the policy is being applied successfully.

    I searched the Registry on all 4 servers and found there was a difference in the "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" key, specifically the values of the fResetBroken, MaxConnectionTime, MaxDisconnectionTime, and MaxIdleTime keys (screenshot included below). Based on my tests, these Registry keys are what is controlling the session time limits rather than the GPO. My understanding is that Group Policy with override any settings configured on the RDS collection, so I'm not sure where these settings are being configured. I checked the collections properties for all 4 servers, and none of them have any session time limits configured. Does anyone know where these values in this Registry key location are being configured, and is it okay to manually edit them?

    lunes, 22 de julio de 2019 14:14

Respuestas

Todas las respuestas

  • Hi David,

     

    1. How did you enable the GPO of session time limits? User configuration or Computer configuration?

     

    When choosing Merge of Loopback processing, it is noted that "The user policy settings applied are the combination of those included in both the computer and user GPOs. Where conflicts exist, the computer GPOs take precedence."

     

    Kindly check if there is any conflicts of this GPO.

     

    2. There are four options under session time limit, corresponding to registry value as below:

    Policy Setting Name

    Policy Path

    Registry Information

    End session when time limits are reached

    Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

    HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!fResetBroken

    Set time limit for disconnected sessions

    Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

    HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxDisconnectionTime

    Set time limit for active but idle Remote Desktop Services sessions

    Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

    HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxIdleTime

    Set time limit for active Remote Desktop Services sessions

    Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

    HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services!MaxConnectionTime

     

    From your screenshot, it seemed only 1 session host has no policy or value changed while rest has one or more changes.

     

    Please double confirm whether there is any missing on the GPO.

     

    Thanks,

    Jenny


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    martes, 23 de julio de 2019 5:57
  • Hi Jenny,

    Thanks for your reply. The "RDS Session Time Limits" GPO is only configured with User Configuration policies to control session time limits. There are no Computer Configuration policies in the GPO. This is the only GPO in our domain that is configured to control session time limits.

    The key values in HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT are identical on all 4 servers and configured with the correct session time limits values from the "RDS Session Time Limits" GPO, which would confirm the GPO is working properly.

    The screenshot in my original post is the Registry values for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key which is what seems to be taking precedence and controlling the session time limits for the servers. For example: if I disconnect from the first or second server, I'm logged off after 5 minutes (300000 ms); if I disconnect from the third server, I'm not automatically logged off; if I disconnect from the last server, I'm logged off after 30 minutes (18000000 ms). This key isn't set by Group Policy to my knowledge, so I was hoping someone would be able provide insight into what is controlling these key values. 

    martes, 23 de julio de 2019 12:28
  • Hi David,

     

    Thanks for the update and please expect more time for me to test and search more.

     

    If there is any findings, I will keep you posted.

     

    Thanks,

    Jenny



    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    miércoles, 24 de julio de 2019 9:23
  • Thanks for helping with this, Jenny. I believe I may have found the answer. I am going to be doing some more testing today and will respond with my findings.
    miércoles, 24 de julio de 2019 12:02
  • I have found a solution for this and included links below for the references I used.

    I was able to change the RDP-Tcp settings in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp key without manually modifying the Registry by logging on to a Windows Server 2008 R2 server, opening Remote Desktop Session Host Configuration (tsconfig.msc), and connecting to each of the 3 affected servers from the snap-in. I've included a screenshot below of server #4's settings as an example. After I modified these settings on all 3 servers, their Registry values were what I was hoping to see.

    https://windowsrunbook.blogspot.com/2016/08/rdp-tcp-recreation-on-windows-2012r2.html?showComment=1563900306927#c4198762481959066019

    https://support.microsoft.com/en-us/help/259129/how-to-modify-or-query-the-rdp-connection-permissions-for-terminal-ser

    • Marcado como respuesta David C. Bird miércoles, 24 de julio de 2019 13:39
    miércoles, 24 de julio de 2019 13:39