Local security policy remote desktop timeout

I want my sessions to terminate when Remote Desktop disconnects.

Right now I'm doing this manually ala:

Where I'm selecting End session as the option to When a session limit is reached or connection is broken:.

I'd like to do this with a script, and I want to know what the registry key is that I can set to make this the default behavior.

I ran into the same problem, but was unable to access the Group Policy or Registry, due to restricted privileges.

However, I found another solution which uses Windows Script Host to run a piece of JScript which will toggle Scroll Lock every five minutes, for one hour.

Here's the script. Just save it with a .js extension, and run it with "Microsoft Windows Based Script Host".

    var WshShell = WScript.CreateObject("WScript.Shell");
    for (var i = 0; i < 12; i++) { // Loop 12 times
        WshShell.SendKeys('{SCROLLLOCK}');
        WshShell.SendKeys('{SCROLLLOCK}'); // Toggle Scroll Lock
        WScript.Sleep(300000); // Wait 5 minutes
    }

If you want to change the key being pressed, check out this link, and swap out the SendKeys parameter for another character.

The same solution, in PowerShell:

    # Load Windows Forms so that SendKeys is available
    [void] [System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
    $allowCloseAfter = (Get-Date).ToUniversalTime().AddHours(24)
    while ($allowCloseAfter -gt (Get-Date).ToUniversalTime()) {
        # Toggle Scroll Lock on and off again
        [System.Windows.Forms.SendKeys]::SendWait("{SCROLLLOCK}")
        [System.Windows.Forms.SendKeys]::SendWait("{SCROLLLOCK}")
        Write-Host '.' -NoNewline
        Start-Sleep -Seconds 300   # Wait 5 minutes
    }

One of the annoying default settings in Windows 10 is that it will automatically log off idle Remote Desktop sessions (RDS) after a period of inactivity. Luckily, there are a few Group Policy settings that we can change to prevent this.

1. Run gpedit.msc

2. Expand Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Session Time Limits.

3. If any of the listed policies are not Disabled, double-click on them to open the Properties window.

4. Click on the Disabled radio button and click OK.

5. Expand User Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Session Time Limits.

6. If any of the listed policies are not Disabled, double-click on them to open the Properties window, and follow the same instructions as for step #4 above to disable them.

7. Reboot the computer for the changes to take effect.

Your Windows 10 computer should no longer log you off automatically after being idle.

By default, when a user closes the RDP/RDS session window in a terminal client (mstsc.exe, RDCMan or Remote Desktop HTML5 web client) by simply clicking the cross in the top right corner without logging off, his session goes into disconnected mode. In this mode, all apps, open files and windows are still running on a remote desktop server and consuming resources.

By default, a user’s RDP session in Windows may stay in the disconnected state until terminated by the user or administrator, or until the computer is restarted. It is quite convenient, since a user may at any time reconnect to his old remote desktop session and go on working with running programs or open files.

In the following screenshot you can see that the disconnected user sessions on the RDS server running Windows Server 2016 are using about 40% of the server RAM. Also, these sessions may block open files on your file servers and cause data to be saved incorrectly in apps, roaming profile folders or on User Profile Disks.

Using the quser command, you can view when a user RDP session was started, how long it was idle and the current session state.
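The quser output described above can be parsed to list disconnected sessions that have been idle longer than a threshold. This is an added example, not part of the original article; it assumes English-locale quser output, the sample text is constructed, and the function names are hypothetical.

```powershell
# Added example. Assumes English-locale quser output; the sample below is constructed.
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#2           2  Active          .  8/14/2023 9:12 AM
 jsmith                                    3  Disc         4:32  8/14/2023 8:01 AM
 mbrown                                    5  Disc      1+02:15  8/13/2023 5:40 PM
 kwhite                rdp-tcp#7           7  Active         12  8/14/2023 9:30 AM
'@ -split "`r?`n"

# quser prints idle time as '.', 'none', 'M', 'H:MM' or 'D+HH:MM'.
function ConvertTo-IdleMinutes {
    param([string]$Idle)
    if ($Idle -in '.', 'none') { return 0 }
    if ($Idle -match '^(?:(?<d>\d+)\+)?(?:(?<h>\d+):)?(?<m>\d+)$') {
        return [int]$Matches['d'] * 1440 + [int]$Matches['h'] * 60 + [int]$Matches['m']
    }
    throw "Unrecognized idle time '$Idle'"
}

function Get-StaleDisconnectedSession {
    param([string[]]$QuserLines, [int]$MaxIdleMinutes = 480)   # 480 min = 8 hours
    # SESSIONNAME is blank for disconnected sessions, so that column is optional.
    $row = '^[ >](?<user>\S+)\s+(?:(?<session>\S+)\s+)?(?<id>\d+)\s+' +
           '(?<state>\S+)\s+(?<idle>\S+)\s+(?<logon>.+)$'
    foreach ($line in ($QuserLines | Select-Object -Skip 1)) {   # skip the header row
        if ($line -match $row) {
            $user, $id, $state = $Matches['user'], $Matches['id'], $Matches['state']
            $idle = ConvertTo-IdleMinutes $Matches['idle']
            if ($state -eq 'Disc' -and $idle -ge $MaxIdleMinutes) {
                [pscustomobject]@{ User = $user; Id = [int]$id; IdleMinutes = $idle }
            }
        }
    }
}

# With the constructed sample, only mbrown (1 day 2:15 = 1575 minutes) exceeds 8 hours.
Get-StaleDisconnectedSession -QuserLines $sample | Format-Table
# On a live host: Get-StaleDisconnectedSession -QuserLines (quser)
```

The Id column is the session ID that the qwinsta and rwinsta commands work with.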

To automatically terminate disconnected RDP/RDS sessions in a specified period of time, you need to set session limits (timeouts) correctly.

If you use an RDS server, you can configure session timeout parameters in the RDS collection settings on the Session tab.

Specify the time period, after which you want to kill a disconnected remote desktop session, in the End a disconnected session option (by default, a session period is unlimited – Never). You can also set the maximum time of an active session (Active session limit) and end an idle session (Idle session limit). These hard timeouts are applied to all sessions in the RDS collection.

You can also set the limits of an RDP session in the properties of a local (lusrmgr.msc) or domain user (dsa.msc — Active Directory Users and Computers).

In Windows Server 2012 R2/2016/2019, you can set RDP session timeouts using Group Policies. You can do it either in the domain GPO editor (gpmc.msc) or in the Local Group Policy Editor (gpedit.msc) on an RDS server or client (if you are using a desktop Windows edition as a terminal server).

The RDP session timeout settings are located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Session Time Limits. The following Remote Desktop timeout settings are available:

  • Set time limit for disconnected session;
  • Set time limit for active but idle Remote Desktop Services sessions — the policy allows idle RDP sessions to be terminated that have no user input (like moving a mouse or typing something on a keyboard);
  • Set time limit for active Remote Desktop Services sessions — it is the maximum time of any RDP session (even an active one), after which it gets disconnected;
  • End Session when time limits are reached — sets the time, after which an RDP session will be terminated (logoff) instead of disconnecting it;
  • Set time limit for logoff of RemoteApp sessions.

By default, these options are not configured. To automatically terminate disconnected RDP user sessions in 8 hours, enable the Set time limit for disconnected session policy and select 8 hours in the dropdown list.

Save the changes and update the Group Policy settings on your RD host (gpupdate /force). New timeout settings will be applied to new RDP sessions only (you will have to end the current RDS sessions manually).

In Windows Server 2008 R2, you could also set RDP session timeouts using a special console: tsconfig.msc (RD Session Host Configuration). It was enough to open the console and right-click RDP-Tcp -> Properties. The settings of session limits are located on the Sessions tab. However, there is no such console in newer Windows Server versions (although you can manually copy tsadmin.msc and tsconfig.msc files and use these consoles on newer Windows Server versions as well).

In the Run dialog (Windows + R), enter “gpedit.msc”. Press the “OK” button or Enter. In the window that opens, follow the path Computer Configuration → Administrative Templates → Windows Components → Remote Desktop Services → Remote Desktop Session Host → Session Time Limits.

What is RDP timeout?

To automatically terminate disconnected RDP/RDS sessions in a specified period of time, you need to set session limits (timeouts) correctly. If you use an RDS server, you can configure session timeout parameters in the RDS collection settings on the Session tab.

How do you kill a remote desktop session?

Kill a Remote Desktop Session. After you get the full session list from the qwinsta command, you can use the rwinsta command to kill a session on the server. This command enables you to reset (delete) a session on a Remote Desktop Session Host (RD Session Host) server. Before we continue, please remember the “ID” that you get from the qwinsta command.

How do I Disconnect a remote session?

Log on to the remote server if required. The authenticated server will be listed in the left pane. Select the server with the unresponsive Remote Desktop session. In the right pane, go to the Sessions pane. Right-click the session that you want to disconnect and select Disconnect.

How do I create a new Remote Desktop Connection?

To create a new Remote Desktop Connection. On the Start menu, point to Programs or All Programs, click Accessories, and then click Remote Desktop Connection. In Computer, type a computer name or IP address, and then click Connect. In the Windows Security dialog box, type your password, and then click OK.

What is remote desktop session?

Remote Desktop Session Host (RDSH) is a role in Remote Desktop Services (RDS), which was known as Terminal Services prior to Windows Server 2008 R2. RDSH servers host Windows applications or desktops that are accessed by remote users over a network connection.

If you’re a System Administrator and you had to perform a Risk Assessment, Security Assessment, Due Diligence or Compliance Questionnaire at least once, you most likely know that in order to meet the security requirements asked by most modern regulations and standards – such as the ISO/IEC 27001:2013, ISO/IEC 27002:2013, ISO/IEC 20000:2011, NIST CyberSecurity Framework, SSAE/SOC2, ITIL, PCI-DSS and so on – you have to set up your Windows Server environment accordingly. Since I’ve also been working on this, I’ll share some basic knowledge that will most likely be useful for those who need to do that in a series of dedicated posts on this blog.

This is the first one of them, in which we’ll be talking about setting up a Remote Desktop Session Time Limit for active, yet idle connections in Windows Server 2012.

Here’s a common RA requirement that can be met in this way:

IT application and system sign-on mechanisms must be configured to limit the duration of any one sign-on session (session time-out). Session time-out is required for systems with payment card data if idle for more than 15 minutes.

That’s something we can easily expect from a decent Risk Assessment questionnaire. Those who want to PASS this – assuming they’re using Windows-based server machines – will need to adjust the behaviour of the Remote Desktop Session Host, which features no given timeout by default.

To do that, perform the following tasks:

  • Open a command prompt and type gpedit.msc to launch the Local Group Policy Editor snap-in.
  • In the left panel, expand the Computer Configuration node or the User Configuration node, depending on whether you want to change the RDS behaviour on system-scope (recommended for this scenario) or on users-scope (see below for the differences).
  • Navigate to Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.
  • In the right panel, double-click the Set time limit for active but idle Remote Desktop Services sessions policy: in the modal window that will appear, activate it by switching the radio button from Not configured to Enabled, then set the desired amount of time in the drop-down list right below.

That’s it! As soon as you click Apply, the new settings will be saved: from now on, all newly-initialized Remote Desktop sessions will be disconnected after the given amount of time. On top of that, the remote connected users will also have the chance to see the following alert popup, so that they will know what’s about to happen and they’ll have the chance to prevent the disconnection – in case they’re still there:

Now our system is fully compliant with the above requirements.
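The Session Time Limits policies can also be checked from a script, which is useful as evidence for a requirement like the one quoted above. The following is an added example, not code from the original posts: it relies on the fact that these computer policies are stored as DWORD values (times in milliseconds) under the Terminal Services policy key, the value names are not given on the page, the function name is hypothetical, and the sample values are constructed.

```powershell
# Added example; $sample holds constructed values, not output from a real host.
# Computer-scope Session Time Limits policies are stored under this key.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Test-RdsSessionLimit {
    param(
        $Policy,                              # hashtable or Get-ItemProperty result
        [int]$MaxIdleMinutes = 15,            # idle limit from the requirement above
        [int]$MaxDisconnectedMinutes = 480    # assumed 8-hour limit for disconnected sessions
    )
    $required = [ordered]@{
        MaxIdleTime          = $MaxIdleMinutes           # active but idle sessions
        MaxDisconnectionTime = $MaxDisconnectedMinutes   # disconnected sessions
    }
    foreach ($name in $required.Keys) {
        $ms = $Policy.$name                   # milliseconds; $null when not configured
        if ($null -eq $ms) { $status = 'NotConfigured'; $minutes = $null }
        else {
            $minutes = $ms / 60000
            if ($ms -eq 0) { $status = 'Never' }                      # limit disabled
            elseif ($minutes -le $required[$name]) { $status = 'OK' }
            else { $status = 'TooLong' }
        }
        [pscustomobject]@{ Setting = $name; Minutes = $minutes; Status = $status }
    }
    # fResetBroken = 1 corresponds to "End session when time limits are reached".
    $action = 'DisconnectOnly'
    if ($Policy.fResetBroken -eq 1) { $action = 'EndSession' }
    [pscustomobject]@{ Setting = 'fResetBroken'; Minutes = $null; Status = $action }
}

# Constructed sample: 15-minute idle limit, disconnected sessions never ended.
$sample = @{ MaxIdleTime = 900000; MaxDisconnectionTime = 0 }
Test-RdsSessionLimit -Policy $sample | Format-Table
# On a live host:
# Test-RdsSessionLimit -Policy (Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue)
```

With the constructed sample the idle limit reports OK, the disconnected-session limit reports Never, and fResetBroken reports DisconnectOnly, meaning sessions that hit a limit are disconnected rather than logged off.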

Computer Configuration vs User Configuration

For those interested in the Microsoft way of handling global policy, it is worth briefly summarizing the concept of Computer Configuration as opposed to User Configuration. In a given Group Policy context, Computer Configuration is applied to computers, regardless of who logs on to the computers; conversely, User Configuration is applied to users, regardless of which computer they log on to. If settings in Computer Configuration and User Configuration collide with each other in one GPO, the Computer Configuration will override the User Configuration. For details, please refer to the following article.