Tuesday, May 26, 2009

Creating a Group Policy to Log Off Remote Desktop’s ‘Disconnected’ sessions


Large IT infrastructures commonly run into a scenario where server administrators, usually while using the Remote Desktops snap-in in MMC, do not log off their sessions. When they close the MMC, they are disconnected from the servers, not logged off. These sessions occupy valuable connections on the server and prevent other users from connecting. An open session also means that the applications and processes that were running when the user disconnected keep running indefinitely, consuming valuable system resources.

The following steps will log off all such sessions after a specified period of time.

Note: If you want to implement this policy in your organization, make sure you communicate it to your server administrators, because a forced log-off (even of a disconnected session) stops any application or copy job they may have started and left running. Server administrators must be aware of this policy so that they can plan such jobs accordingly. It is also a good idea to set the time-out value fairly high, e.g. 12-24 hours, so that most operations finish within that window.

  1. Open Group Policy Management through gpmc.msc. Create a linked policy either at the domain level (not a good practice) or at the OU level (best practice). Make sure the policy is linked to the OU where all your servers reside.
  2. Enforce the policy. I love this option since it gives you peace of mind that this policy is applied all the way down the OU chain and will always win in case of precedence conflicts with other policies.
  3. Go to Computer Configuration > Administrative Templates > Windows Components > Terminal Services > Sessions.
  4. Select the option ‘Set time limit for disconnected sessions’. Enable it and enter the time limit. ‘Never’ means the session will remain open indefinitely. Usually a time limit of 12 or 24 hours should be good enough.
  5. Please note that this setting only logs off sessions that have been disconnected by the user. It will not log off any active session.

I hope my readers know the difference between Active, Idle and Disconnected sessions. Because if you don’t and you plan to implement a group policy, then God help your organization.

Some Hurdles

Suppose you have put this group policy at the domain or OU level, it is applied on all your servers and things are going hunky dory, and suddenly Aziz from development comes and says that he has written an application which he has to launch from a Remote Desktop session under some freakish service account. After starting it, he disconnects the Remote Desktop session, and the application is supposed to run indefinitely. With the current settings you have messed it all up, because the forced log-off also closes every application running in that session. Now you can either lecture Aziz on best practices for developing and running code, OR you can go into the Group Policy, add this computer account and deny it the Apply Group Policy permission so the policy is not applied to that computer. And as you may know, ‘Deny’ is the mother of all precedence.

Some Alternates & Notes

  1. This setting will not work on connections to Windows XP Professional.
  2. If group policies give you a chill, you can make this setting manually on each server, or perhaps you only want to do it on your mission-critical and resource-hungry servers. Manually, it is done by changing the RDP-Tcp Properties on the server.
  3. You can also put this limit on one or more users by changing their user account properties > Sessions tab.
  4. Since this setting can be made in multiple places, you may wonder which setting takes priority over the other, similar settings. The priority, highest first, is:
    1. Group Policy – Computer Configuration
    2. Group Policy – User Configuration
    3. RDP-Tcp Properties
    4. User Session Properties
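As an added PowerShell example (not from the original post), the script below checks which of the two computer-level locations in the priority list above, the Group Policy key or the RDP-Tcp property, currently carries a disconnected-session limit, lists the sessions a forced log-off would end, and can write the same value the policy setting from the steps above writes into a GPO. It assumes PowerShell 3 or later on a Windows server, an elevated session, English-language quser output, and, for the Set-* helper, the GroupPolicy RSAT module and a GPO name you supply.

```powershell
# Added example (not from the original post). Checks which computer-level
# location carries a disconnected-session limit, lists the sessions a forced
# log-off would end, and can write the same value into a GPO.
# Assumes PowerShell 3+ on Windows Server, run elevated, and English quser output.

# Both the policy and the per-server RDP-Tcp property store the limit in a
# MaxDisconnectionTime DWORD, in milliseconds; 0 means 'Never'.
$Locations = [ordered]@{
    'Group Policy (Computer Configuration)' = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    'RDP-Tcp Properties'                    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
}

function Get-DisconnectTimeout {
    # Listed in precedence order: the policy value, when present, wins.
    foreach ($loc in $Locations.GetEnumerator()) {
        $v = Get-ItemProperty -Path $loc.Value -Name MaxDisconnectionTime -ErrorAction SilentlyContinue
        if ($null -eq $v) { continue }          # not configured at this level
        $ms = [int64]$v.MaxDisconnectionTime
        $limit = if ($ms -eq 0) { 'Never' } else { [TimeSpan]::FromMilliseconds($ms) }
        [pscustomobject]@{ Source = $loc.Key; Limit = $limit }
    }
}

function Get-DisconnectedSession {
    # Disconnected sessions print no SESSIONNAME column, so that field is optional.
    $pattern = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    quser 2>$null | Select-Object -Skip 1 | ForEach-Object {
        if ($_ -match $pattern -and $Matches.State -eq 'Disc') {
            [pscustomobject]@{
                User = $Matches.User; Id = [int]$Matches.Id
                IdleTime = $Matches.Idle; LogonTime = $Matches.Logon.Trim()
            }
        }
    }
}

function Set-DisconnectTimeoutPolicy {
    # Writes what 'Set time limit for disconnected sessions' writes, into the
    # named GPO. Requires the GroupPolicy module (RSAT); $GpoName is yours.
    param([Parameter(Mandatory = $true)][string]$GpoName, [int]$Hours = 12)
    Set-GPRegistryValue -Name $GpoName `
        -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
        -ValueName MaxDisconnectionTime -Type DWord -Value ($Hours * 3600 * 1000)
}

Get-DisconnectTimeout   | Format-Table -AutoSize
Get-DisconnectedSession | Format-Table -AutoSize
```

Run the two Get-* calls on a server before rolling the policy out to see which limit is in effect and which disconnected sessions (and their owners) would be affected.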
