GPO to kill disconnected and idle RDP connections

  • Question

  • Hello

    I'm looking for a way to kill RDP connections in idle and disconnected state. The servers' owners usually connect to the servers from their PCs using Remote Desktop Connection and they forget to disconnect properly. Some leftover disconnected connections cause an issue later for those users, whose AD accounts get locked out due to resetting their password.

    Now I want to apply a group policy on all servers in the domain to do the following:

    • kill disconnected connections after 1 hour.
    • kill idle connections after 4 hours.

    Our domain is Windows 2008 R2 (native) and we have a mix of OSes running on the member servers. We have a few Windows Server 2003 R2 servers and the majority is Windows Server 2008 and Windows Server 2008 R2.

    Any idea is highly appreciated.


    Systems Specialist

    July 3, 2012 7:07

All replies

  • Hi,

    Thanks for posting in Microsoft TechNet forums.

    We can check the article below:

    Configure Timeout and Reconnection Settings for Remote Desktop Services Sessions

    http://technet.microsoft.com/en-us/library/cc754272

    And here is another thread for your reference:

    RDP session idle 10min for users group

    http://social.technet.microsoft.com/Forums/en-US/winserverGP/thread/c047f704-af6d-4151-b368-a117451ca9d3/

    Regards

    Kevin

    TechNet Subscriber Support

    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

    July 4, 2012 2:31
  • Hi,

    Just checking in to see if the information provided was helpful. Please let us know if you would like further assistance.

    Have a great day!

    Regards

    Kevin

    TechNet Subscriber Support

    July 6, 2012 3:50
  • Hello K_evin Zhu

    I tried that and unfortunately it didn't work. I configured a GPO on the domain controller to kill disconnected & idle sessions but nothing happened. I can still see some disconnected sessions on some servers not killed.

    The GPO setting is as follows:

    Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

    set time limit for disconnect session after 1 hour

    set time limit for active but idle RDP session = 3 hours

    Any idea?


    Systems Specialist

    July 7, 2012 6:36
  • Hi,

    Thank you for clarifying the issue for us.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Regards

    Kevin

    TechNet Subscriber Support

    July 9, 2012 4:44
  • Hi

    Actually, in Windows Server 2003, Windows Server 2008 and Windows Server 2008 R2, both the "set time limit for disconnect session" and "set time limit for active but idle RDP session" group policies are in different locations.

    In Windows Server 2003 -> Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Sessions

    In Windows Server 2008 -> Computer Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits

    In Windows Server 2008 R2 -> Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

    Generally, there are three ways to achieve "kill disconnected connection after 1 hour, kill idle connection after 4 hours":

    a. Edit it via GUI.

    b. Edit it via Group Policy.

    c. Edit it via registry.

    Using Group Policy is the recommended way. If both the "set time limit for disconnect session" and "set time limit for active but idle RDP session" group policies have been applied successfully on the TS servers/RDS servers, then the registry values MaxDisconnectionTime=128238540 and MaxIdleTime=1282031640 will be added under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.

    So please check whether the above registry values have been written on the servers that you said didn't work.

    Regards,


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    • Marked as answer by 朱鸿文 July 24, 2012 1:38
    July 11, 2012 8:49
  • Hi,

    We have not heard from you for a couple of days. Could you let us know how the issue is going?

    Thanks and we look forward to your update.

    Regards,


    July 16, 2012 9:24
  • Sorry for the late response...

    I really appreciated your feedback...

    I checked one of the servers that I applied the policy on, and the above registry value is not as specified above. The server is Windows 2008 R2 and the value of the registry is:

    MaxDisconnectionTime= 0x0036ee80(3600000)
    MaxIdleTime= 0x00a4cb80(10800000)

    Any idea...


    Systems Specialist

    July 18, 2012 12:55
  •  
    > I checked one of the servers that I applied the policy on, and the
    > above registry value is not as specified above. The server is Windows
    > 2008 R2 and the value of the registry is:

    You applied the policy, but: Did the server agree with you and pick it up?

    Please run gpresult /h report.html from an elevated command line, examine
    report.html and check whether
    a) your policy is applied
    b) the setting in your policy is not overwritten by another policy

    regards, Martin


    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    If my answer was helpful, I'm glad about a rating!
    • Marked as answer by 朱鸿文 July 24, 2012 1:38
    July 18, 2012 19:55
  • Hi,

    Could you please try Martin's suggestion and check whether the issue can be resolved?

    Regards,


    July 20, 2012 10:00
  • Hello

    I ran that command and I can see that the policy is applied on all servers, but the policy didn't work as expected. What I did was restart all servers, and the policy worked perfectly.

    Is it normal behavior to have to restart all servers, or is there something wrong?


    Systems Specialist


    July 23, 2012 11:55
  •  
    > Is it normal behavior to have to restart all servers, or is there
    > something wrong?

    Depends on the actual GPO setting... In this case, maybe restarting
    terminal services would have been sufficient, but who knows ;-))
     

    • Marked as answer by 朱鸿文 July 24, 2012 1:38
    July 23, 2012 12:20
  • We have a problem when we connect to an active remote desktop session from Terminal Server or Task Manager (shadowing): after we disconnect from this user with "CTRL+*", the active user session is disconnected as well, on Server 2008 R2. We also have Server 2003, but there, when we disconnect from the session, it stays active and working... How can I fix this? TY
    October 19, 2012 10:28
  • Dear all,

    I have one query: can we give the kill disconnected connection value in minutes???

    December 4, 2012 13:07
  •  
    > I have one query: can we give the kill disconnected connection value in
    > minutes???

    No, but in milliseconds...
     

    December 4, 2012 20:19
  • Hello, I'm having the same issue (GPO policy isn't working). I checked regedit and the MaxIdleTime/MaxDisconnectionTime/fResetBroken values are there. I also restarted Terminal Services, but the existing disconnected sessions remain on the server.

    Do you have an idea how I can get this policy working without restarting the server? That's because I have 300+ servers and restarting those is not a viable solution.

    Thanks in advance.


    Edilberto Martinez

    February 11, 2014 23:08
  • I realise this is an old thread, but it came up in a Google search as one of the most relevant to the issue I was facing here.

    It appears the policy only applies to sessions that connected after the policy is created.  I left a session running and it was disconnected after the appropriate time. 5 or 6 disconnected sessions that were on the server before I applied the GPO remained until manually logged off.

    April 8, 2016 5:41
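
Added example, not part of any post in this thread: a PowerShell check that reads the two policy values from the registry key named earlier (they are stored in milliseconds) and lists disconnected sessions that have outlived the limit, such as sessions that existed before the GPO was applied. The function names are hypothetical, the `quser` sample is constructed, English-language `quser` output is assumed, and IDLE TIME is used as an approximation of how long a session has been disconnected.

```powershell
# Added example, not from the thread. Assumes English-language quser output.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Get-SessionLimitPolicy {
    # Both values are DWORDs in milliseconds; absent means the policy is not set on this server.
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($name in 'MaxDisconnectionTime', 'MaxIdleTime') {
        $ms = if ($p) { $p.$name } else { $null }
        $limit = if ($null -ne $ms) { [timespan]::FromMilliseconds($ms) } else { $null }
        New-Object PSObject -Property @{ Name = $name; Milliseconds = $ms; Limit = $limit }
    }
}

function ConvertTo-IdleTimeSpan([string]$Idle) {
    # quser prints '.', 'none', minutes ('42'), h:mm ('1:05') or d+h:mm ('2+03:15').
    if ($Idle -match '^(?:(\d+)\+)?(?:(\d+):)?(\d+)$') {
        return New-TimeSpan -Days ([int]$Matches[1]) -Hours ([int]$Matches[2]) -Minutes ([int]$Matches[3])
    }
    return [timespan]::Zero
}

function Get-StaleDisconnectedSession([string[]]$QuserLines, [timespan]$Limit) {
    # SESSIONNAME is blank for disconnected sessions, so that column is optional.
    $rx = '^[\s>]*(?<user>\S+)\s+(?:(?<name>\S+)\s+)?(?<id>\d+)\s+(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    foreach ($line in $QuserLines) {
        if (-not ($line -match $rx) -or $Matches.state -ne 'Disc') { continue }
        # Copy the captures before the helper runs its own -match.
        $user = $Matches.user; $id = [int]$Matches.id; $logon = $Matches.logon
        $idle = ConvertTo-IdleTimeSpan $Matches.idle
        if ($idle -gt $Limit) {
            New-Object PSObject -Property @{ User = $user; Id = $id; Idle = $idle; Logon = $logon }
        }
    }
}

# Constructed sample; on a real server use: $lines = quser /server:SERVERNAME
$lines = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>admin1                rdp-tcp#0           2  Active          .  7/18/2012 9:00 AM
 svcowner                                  3  Disc      2+03:15  7/16/2012 8:12 AM
 jdoe                                      4  Disc           42  7/18/2012 8:30 AM
'@ -split "`r?`n"

Get-SessionLimitPolicy | Format-Table Name, Milliseconds, Limit -AutoSize
# 3600000 ms = 1 hour, the MaxDisconnectionTime value reported earlier in the thread.
$limit = [timespan]::FromMilliseconds(3600000)
Get-StaleDisconnectedSession $lines $limit | Format-Table User, Id, Idle, Logon -AutoSize
# A flagged session can then be ended with: logoff <Id> /server:SERVERNAME
```
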
  • So this policy, will it kill or log off these disconnected sessions?

    I need something like this, but also need to make sure that everything is logged off the right way instead of simply dropping connections. I've had issues before where some files were suddenly locked on the fileserver, causing a problem where users cannot log in again after being auto-disconnected because some files in their roaming profiles remained locked.

    November 1, 2016 14:39
  • Is there a way of targeting this towards specific users?

    I have a situation where I could do with logging a particular account out, as it causes issues if it is left logged in.

    Thanks

    March 2, 2018 12:10
  •  
    > Is there a way of targeting this towards specific users?
    >
    > I have a situation where I could do with logging a particular account out, as it causes issues if it is left logged in.
    >
    > Thanks

    Well, isn't it the purpose of Active Directory / Organizational Unit / GPO... to be able to apply different policies granularly?

    Either place these users/machines (you segment your stuff the way you want) in a particular OU and then assign that policy to that OU? Or associate the GPO to your particular group of users...
    November 8, 2018 20:28