How can I make sure that users log out of Remote Desktop sessions instead of just closing the RDP window?

87,448

Solution 1

You can use the Remote Desktop Session Host Configuration tools, or (better) Group Policies to define rules around RDP disconnects.

If you use Group Policy and OUs, you will be able to allow some users to stay "disconnected" and force others to log off after disconnect.

Specifically check out these policy branches:

  • Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
  • User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

And policies like these:

End a disconnected session

Specify the maximum amount of time that a disconnected user session is kept active on the RD Session Host server. If you specify "Never," the user's disconnected session is maintained for an unlimited time.

When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected.


When a session limit is reached or connection is broken

Specify whether to disconnect or end the user's Remote Desktop Services session when an active session limit or an idle session limit is reached.

If the user's session is disconnected, the programs that the user is running are kept active even though the user is no longer actively connected.

If the user's session is ended, the user will need to establish a new Remote Desktop Services session with an RD Session Host server.

For more info, check out this page from MS about RDP disconnection policies.
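As an added illustration, not code from this answer, the PowerShell script below reads the registry values that the two policies named above (plus the two active/idle time-limit policies in the same branch) write, so you can verify what a session host will actually enforce before relying on it. The value names are the ones the Remote Desktop Session Host policies store under the Terminal Services policy keys, and the per-listener key is where the Remote Desktop Session Host Configuration tool writes the same settings; the function names are my own.

```powershell
# Added example: report the effective RDP session-limit settings on a Remote Desktop
# Session Host. Computer policy overrides user policy, and either overrides the
# per-listener value written by the RD Session Host Configuration tool.
$MachinePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$UserPolicyKey    = 'HKCU:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$ListenerKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Policy name -> registry value it sets. Time values are milliseconds; 0 means "Never".
$Settings = @(
    @{ Name = 'MaxDisconnectionTime'; Policy = 'End a disconnected session' }
    @{ Name = 'MaxIdleTime';          Policy = 'Set time limit for active but idle sessions' }
    @{ Name = 'MaxConnectionTime';    Policy = 'Set time limit for active sessions' }
    @{ Name = 'fResetBroken';         Policy = 'When session limit is reached or connection is broken' }
)

function Get-RdpLimitValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent (policy "Not configured").
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Format-RdpLimit {
    param([string]$Name, $Value)
    if ($null -eq $Value) { return 'not configured' }
    # fResetBroken is a flag: 1 = end the session, 0 = only disconnect it.
    if ($Name -eq 'fResetBroken') {
        if ($Value -eq 1) { return 'End session' } else { return 'Disconnect' }
    }
    if ($Value -eq 0) { return 'Never' }
    return ('{0} minutes' -f [math]::Round($Value / 60000, 1))
}

function Get-RdpSessionLimits {
    foreach ($s in $Settings) {
        $machine  = Get-RdpLimitValue $MachinePolicyKey $s.Name
        $user     = Get-RdpLimitValue $UserPolicyKey    $s.Name
        $listener = Get-RdpLimitValue $ListenerKey      $s.Name
        $effective = if ($null -ne $machine) { $machine }
                     elseif ($null -ne $user) { $user }
                     else { $listener }
        [pscustomobject]@{
            Policy    = $s.Policy
            Machine   = Format-RdpLimit $s.Name $machine
            User      = Format-RdpLimit $s.Name $user
            Listener  = Format-RdpLimit $s.Name $listener
            Effective = Format-RdpLimit $s.Name $effective
        }
    }
}

Get-RdpSessionLimits | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the session host (HKCU reflects the user running the script, so run it as an affected user to see user-level policy). A host that still shows "Never" or "not configured" for "End a disconnected session" in the Effective column is one where closing the RDP window leaves the session, and its connection slot, occupied indefinitely.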

Solution 2

For a notification system, I guess you would have to develop it, using APIs such as WTSEnumerateSessions.

This means developing something like a Windows service which would regularly query your servers in order to hunt disconnected sessions, and do what you want with them.

This could take you a bunch of days of work to get it right.

Otherwise, I suggest another approach to this trouble:

  • Set up two groups of RDP users on servers: say TrustedDisconnectors and UntrustedDisconnectors.
  • Set up a policy for UntrustedDisconnectors, causing them to have their session logged out on a somewhat short disconnection timeout.
  • Communicate about that change. State that engineers frequently failing to disconnect properly without valid reasons would no longer be allowed to disconnect without being logged off.
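The "hunt disconnected sessions and do what you want with them" loop from this answer, written as an added PowerShell example rather than code from the answer. Instead of calling WTSEnumerateSessions through P/Invoke it parses the output of quser, which exposes the same per-session data (user, session ID, state, idle time) and works against remote hosts. Server names, the threshold, the strike-file path and all function names are assumptions; it only reports by default and logs sessions off when run with -LogOff.

```powershell
# Added example: find disconnected RDP sessions older than a threshold on each server,
# warn the user (msg.exe is the successor of NET SEND), optionally log the session off,
# and keep a per-user strike count so repeat offenders can be reported to an administrator.
param(
    [string[]]$Servers = @('build01', 'build02'),                       # placeholder host names
    [int]$MaxDisconnectedMinutes = 60,                                  # assumed threshold
    [string]$StrikeFile = "$env:ProgramData\RdpSessionWatch\strikes.json",
    [switch]$LogOff                                                     # report only unless set
)

function ConvertTo-Minutes {
    # quser idle time looks like '.', 'none', '43', '1:05' or '2+03:15' (days+hours:minutes).
    param([string]$Idle)
    if ($Idle -eq '.' -or $Idle -eq 'none') { return 0 }
    $days = 0; $rest = $Idle
    if ($Idle -match '^(\d+)\+(.+)$') { $days = [int]$Matches[1]; $rest = $Matches[2] }
    $parts = $rest.Split(':')
    $hours = if ($parts.Count -eq 2) { [int]$parts[0] } else { 0 }
    return ($days * 1440) + ($hours * 60) + [int]$parts[-1]
}

function Get-RdpSessions {
    param([string]$Server)
    # quser prints fixed-width text and leaves SESSIONNAME blank for disconnected sessions,
    # so a column-agnostic regex is used. A leading '>' marks the caller's own session.
    $pattern = '^\s*>?(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>Active|Disc)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    $lines = quser /server:$Server 2>$null | Select-Object -Skip 1   # skip the header row
    foreach ($line in $lines) {
        if ($line -match $pattern) {
            $m = $Matches   # capture before any other -match overwrites the automatic variable
            [pscustomobject]@{
                Server    = $Server
                User      = $m.User
                Id        = [int]$m.Id
                State     = $m.State
                IdleMins  = ConvertTo-Minutes $m.Idle
                LogonTime = $m.Logon.Trim()
            }
        }
    }
}

# Load the strike counts from the previous run, if any.
$strikes = @{}
if (Test-Path $StrikeFile) {
    (Get-Content $StrikeFile -Raw | ConvertFrom-Json).PSObject.Properties |
        ForEach-Object { $strikes[$_.Name] = [int]$_.Value }
}

foreach ($server in $Servers) {
    $stale = Get-RdpSessions -Server $server |
        Where-Object { $_.State -eq 'Disc' -and $_.IdleMins -ge $MaxDisconnectedMinutes }
    foreach ($s in $stale) {
        $prev = if ($strikes.ContainsKey($s.User)) { $strikes[$s.User] } else { 0 }
        $strikes[$s.User] = $prev + 1
        Write-Output ('{0}: {1} disconnected for {2} min since {3} (strike {4})' -f
            $server, $s.User, $s.IdleMins, $s.LogonTime, $strikes[$s.User])
        if ($LogOff) {
            # The message reaches any session the user still has on that host; then the stale
            # session is ended by ID so its running programs do not linger.
            msg $s.User /server:$server "Your disconnected session on $server is being logged off. Please log off instead of closing the RDP window." 2>$null
            logoff $s.Id /server:$server
        }
    }
}

# Persist the strike counts for the next run (and for an administrator's review).
New-Item -ItemType Directory -Force -Path (Split-Path $StrikeFile) | Out-Null
$strikes | ConvertTo-Json | Set-Content $StrikeFile
```

Schedule it with Task Scheduler on a management host whose account is an administrator on the target servers (quser and logoff with /server: use RPC to the remote host). Running it without -LogOff for a week first gives you the list of habitual disconnectors that the two-group approach above needs, without ending anyone's session.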
Author: JackAce

I write a program.

Updated on September 18, 2022

Comments

  • JackAce
    JackAce over 1 year

    We have a bunch of servers that our engineers remote desktop into, but each server has a two connection limit. We will often attempt to RDP into these boxes and we will see the "This machine has exceeded the maximum number of connections" message.

    It's a big pain because we have sent out several email messages to these users, and they never get the point.

    I know how to connect to the root console and boot people, but I'd prefer not to do that. I also know that there are ways of booting inactive sessions after a period of time, and I don't want to do that either.

    I want to force users to learn that they need to log out. This doesn't happen if you log them out manually (plus logging them out manually is a pain). If you just log them out manually, these engineers won't think twice about staying connected in an RDP session because it is convenient for them.

    I would prefer some notification system where the inconsiderate user is notified via email or NET SEND message that their account is being disconnected from machine. That way, they will realize that they are doing something wrong. Even better, if they are in violation several times, I would like their account to be locked until a system administrator unlocks it.

    Is there a way to achieve the goal of having users log out manually? All suggestions are welcome.

    • ganesh
      ganesh over 8 years
      The best practical way I can think of is what you are already doing. Mail them all but add 'user A and user B are actively working on this machine at this time. Can either of you two mail us when you have finished and logged out?'. Goal: Yes, you are waiting. These are the people who forgot to log out, go complain to them. Also, if you regularly need more users then there is a solution: Terminal server. As far as I know that means paying for a license and changing one DLL.
  • JackAce
    JackAce about 12 years
    Doesn't VNC only allow one connection? That might make matters worse (trying to log in when someone is already logged in). Plus VNC makes me nervous because someone may be standing in front of the machine you are controlling watching everything you type without you ever knowing it.
  • JackAce
    JackAce about 12 years
    Plus there are times when you legitimately want to disconnect and let some operation continue running. There are times when I want to disconnect when I leave work and then reconnect from home.
  • Mick
    Mick about 10 years
    Be careful with VNC...if you are using symmetric encryption (aka a single password for all users), it can be easily decrypted: raymond.cc/blog/crack-or-decrypt-vnc-server-encrypted-password
  • Admin
    Admin about 9 years
    Also discussed on ServerFault: serverfault.com/questions/301640/…