none
GPO to kill disconnected and idle RDP connections RRS feed

  • Întrebare

  • Hello

    I'm looking for a way to Kill RDP connection with idle & disconnected state. the server's owners usually connect to the servers from their PCs to the servers using the Remote Desktop Connection and they forget to disconnect properly. some left disconnected connections cause an issue later for those user where their AD accounts get locked out due to reset their password.

    now I want to apply a group policy on all servers in the domain to do:

    • kill disconnected connection after 1 hour.
    • kill idle connection after 4 hours.

    our domain is windows 2008 R2 (native) and the we have a mix of OS running on the member servers. we have a few windows server 2003 R2 and the majority is windows server 2008 and windows server 2008 R2.

    any idea is highly appreciated....


    Systems Specialist

    marți, 3 iulie 2012 07:07

Răspunsuri

  • Hi

    Actually in Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2, both set time limit for disconnect session and set time limit for active but idle RDP session group policy are in different location.

    In Windows Server 2003 -> Computer Configuraiton\Administrative Templates\Windows Components\Terminal Services\Sessions

    In Windows Server 2008 -> Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits

    In Windows Server 2008 R2 -> Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remtoe Desktop Session Host\Session Time limits.

    Generally, there are three ways to achieve that "kill disconnected connection after 1 hour, kill idle connection after 4 hours

    "

    a. Edit it via GUI.

    b. Edit it via Group policy.

    c. Edit it via registry.

    Using the Group policy is the recommended way, if both  set time limit for disconnect session and set time limit for active but idle RDP session group policy have been applied successfully on the TS servers/RDS servers, then the registry

    MaxDisconnectionTime=128238540 and MaxIdleTime=1282031640 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services will be added.

    So currently please check whether above registried have been written on these servers that you said didn't work.

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marcat ca răspuns de 朱鸿文 marți, 24 iulie 2012 01:38
    miercuri, 11 iulie 2012 08:49
  •  
    > I checked one of the servers that I applied the policy on, and the
    > above registery value is not as specified above. the server is windows
    > 2008 R2 and the value of the registery is:
     You applied the policy, but: Did the server agree with you and picked it up?
     
    please run gpresult /h report.html from an elevated commandline, examine
    report.html and check whether
    a) your policy is applied
    b) the setting in your policy is not overwritten by another policy
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Marcat ca răspuns de 朱鸿文 marți, 24 iulie 2012 01:38
    miercuri, 18 iulie 2012 19:55
  •  
    > is this the normal behaivor to restart all server or there is
    > something wrong?
     
    Depends on the actual GPO setting... In this case, maybe restarting
    terminal services would have been sufficcient, but who knows ;-))
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Marcat ca răspuns de 朱鸿文 marți, 24 iulie 2012 01:38
    luni, 23 iulie 2012 12:20

Toate mesajele

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    We can check the article below:

    Configure Timeout and Reconnection Settings for Remote Desktop Services Sessions

    http://technet.microsoft.com/en-us/library/cc754272

    And here is another thread for your reference:

    RDP session idle 10min for users group

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/c047f704-af6d-4151-b368-a117451ca9d3/

    Regards

    Kevin

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    miercuri, 4 iulie 2012 02:31
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Have a great day!

    Regards

    Kevin

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

      
    vineri, 6 iulie 2012 03:50
  • hello K_evin Zhu

    i tried that and unfortunatly it didn't work. I configured a gpo on the domain controller to kill disconnected & idle session but nothing happened. still I can see some diconnected sessions on some servers not killed.

    the gpo setting is as follow

    Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

    set time limit for disconnect session after 1 hour

    set time limit for active but idle RDP session = 3 hours

    any idea.


    Systems Specialist

    sâmbătă, 7 iulie 2012 06:36
  • Hi,

    Thank you for clarifying the issue for us.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Regards

    Kevin

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

     
    luni, 9 iulie 2012 04:44
  • Hi

    Actually in Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2, both set time limit for disconnect session and set time limit for active but idle RDP session group policy are in different location.

    In Windows Server 2003 -> Computer Configuraiton\Administrative Templates\Windows Components\Terminal Services\Sessions

    In Windows Server 2008 -> Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits

    In Windows Server 2008 R2 -> Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remtoe Desktop Session Host\Session Time limits.

    Generally, there are three ways to achieve that "kill disconnected connection after 1 hour, kill idle connection after 4 hours

    "

    a. Edit it via GUI.

    b. Edit it via Group policy.

    c. Edit it via registry.

    Using the Group policy is the recommended way, if both  set time limit for disconnect session and set time limit for active but idle RDP session group policy have been applied successfully on the TS servers/RDS servers, then the registry

    MaxDisconnectionTime=128238540 and MaxIdleTime=1282031640 under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services will be added.

    So currently please check whether above registried have been written on these servers that you said didn't work.

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marcat ca răspuns de 朱鸿文 marți, 24 iulie 2012 01:38
    miercuri, 11 iulie 2012 08:49
  • Hi,

    We have not heard you for a couple of days, could you let us know how is the issue going on?

    Thanks and we look forward to your update.

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    luni, 16 iulie 2012 09:24
  • sorry for the late response...

    I really appreciated your feedback...

    I checked one of the servers that I applied the policy on, and the above registery value is not as specified above. the server is windows 2008 R2 and the value of the registery is:

    MaxDisconnectionTime= 0x0036ee80(3600000)
    MaxIdleTime= 0x00a4cb80(10800000)

    any idea...


    Systems Specialist

    miercuri, 18 iulie 2012 12:55
  •  
    > I checked one of the servers that I applied the policy on, and the
    > above registery value is not as specified above. the server is windows
    > 2008 R2 and the value of the registery is:
     You applied the policy, but: Did the server agree with you and picked it up?
     
    please run gpresult /h report.html from an elevated commandline, examine
    report.html and check whether
    a) your policy is applied
    b) the setting in your policy is not overwritten by another policy
     
    regards, Martin
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Marcat ca răspuns de 朱鸿文 marți, 24 iulie 2012 01:38
    miercuri, 18 iulie 2012 19:55
  • Hi,

    Could you please try Martin's suggestion and check whether the issue can be resolved?

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    vineri, 20 iulie 2012 10:00
  • Hello

    I ran that command and I can see that the policy is applied on all server but the policy didn't work as expected. what I did is restart all servers and the policy worked perfectly.

    is this the normal behaivor to restart all server or there is something wrong?


    Systems Specialist


    luni, 23 iulie 2012 11:55
  •  
    > is this the normal behaivor to restart all server or there is
    > something wrong?
     
    Depends on the actual GPO setting... In this case, maybe restarting
    terminal services would have been sufficcient, but who knows ;-))
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    • Marcat ca răspuns de 朱鸿文 marți, 24 iulie 2012 01:38
    luni, 23 iulie 2012 12:20
  • We have problem when connect to active remote desktop session from terminal server or task manager(shadowing) , and after this we disconnect with "CTRL+*" from this user we disconnect and active user session, on sever 2008 r2. We have and server 2003 but there when disconnect from session,she keep active and working ... How i can fix this...TY
    • Editat de sys_Nikolay vineri, 19 octombrie 2012 11:39
    vineri, 19 octombrie 2012 10:28
  • Dear all,

    i have one query , can we give  kill disconnected connection value in minutes???



    marți, 4 decembrie 2012 13:07
  •  
    > i have one query , can we give  kill disconnected connection value in
    > minutes???
     No, but in Milliseconds...
     

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    Wenn meine Antwort hilfreich war, freue ich mich über eine Bewertung! If my answer was helpful, I'm glad about a rating!
    marți, 4 decembrie 2012 20:19
  • Hello, I'm having the same issue (GPO policy isn't working), I checked the regedit and the MaxIdleTime/MaxDisconnectionTime/fResetBroken values are there, I also restarted the Terminal Services but the existing Disconnected Sessions remains on the server. 

    Do you have an idea how can I get this policy working without restart the server, that's because I have +300 Servers and restart those are not a viable solution.

    Thanks in advice.



    Edilberto Martinez

    marți, 11 februarie 2014 23:08
  • I realise this is an old thread, but it came up in a google search as one of the most relevant to the issue I was facing here.

    It appears the policy only applies to sessions that connected after the policy is created.  I left a session running and it was disconnected after the appropriate time. 5 or 6 disconnected sessions that were on the server before I applied the GPO remained until manually logged off.

    vineri, 8 aprilie 2016 05:41
  • So this policy, will it kill of logoff these disconnected sessions?  

    I need something like this, but also need to make sure that everything is logged off the right way in stead of simply dropping connections. I've had issues before where some files were suddenly locked on the fileserver causing a problem where users cannot log in again after being auto-disconnected because some files in their roaming profiles remained locked.

    marți, 1 noiembrie 2016 14:39
  • sâmbătă, 10 iunie 2017 20:27
  • Is there a way of targeting this towards specific users?

    I have a situation where I could do with logging a particular account out, as it causes issues if it is left logged in.

    Thanks

    vineri, 2 martie 2018 12:10
  • Is there a way of targeting this towards specific users?

    I have a situation where I could do with logging a particular account out, as it causes issues if it is left logged in.

    Thanks

    Well, isn't it the purpose of Active Directory / Organizational Unit / GPO... to be able to apply different policies granularly?

    Either place these users/machines (you segment your stuff the way you want) in a particular OU and then assign that policy to that OU? Or associate the GPO to your particular group of users...
    joi, 8 noiembrie 2018 20:28