Hi there,

Our IT department manages an environment with 100s of servers. Now and then the RDP tool we use crashes or people just forget to log off, which results in disconnected domain admin sessions on numerous servers.

Ideally we would like ALL disconnected sessions to auto logoff after 2 hours. I know this can be achieved using a GPO, however as far as I know this only works on terminal servers / remote desktop servers. To make it even more interesting we would like to be able to make exceptions on certain servers occasionally (during migrations for example).

We thought about enabling the GPO locally on each server using PS-remoting and then create a script for admins to run on a local server to temporarily disable the GPO during ‘special occasions’. This would however only work for terminal servers / remote desktop servers.

I’m just curious if there’s some better way to get the result we want. Any tips?

Oh, we use server 2008 and up.

8 Spice ups

You can do it from a domain GPO:

User Configuration\Administrative Templates\Windows Components\Terminal Services\Terminal Server\Session Time Limits

1. Set time for disconnected sessions
2. Terminate sessions when …

On the GPO scope, add the servers.

If you want to do it on the server locally

You can also select individual users in AD; select the Sessions tab.

1 Spice up

Thanks for the quick reply JitenSh!

Any ideas how I would enforce this policy on servers that are not terminal servers / remote desktop servers?

If these are not terminal servers… why are users RDPing into the servers? By default… only admins are supposed to be allowed to RDP into servers. For admins… it is very hard to tell if the admins are active or disconnected (running stuff in the foreground or downloading large files like ISOs such as MS Office or Svr 2016 ISO, which are 4GB to 6GB in size). So it is rather hard to just log off admins from servers…

One idea may be to set a task scheduler to run a task “logoff”, to activate the task even someone logs on and trigger when the machine is idle for 120 min.

Admins are connecting to these servers for local maintenance tasks. Think about application servers, db servers, etc.

I agree. That’s why we need a manual ‘killswitch’ on server level to prevent disconnected sessions from being logged off during ‘special operations’.

@12:08

Solution is good (enough) for me. Thanks for thinking outside-the-box on this one :)

Admins should be connecting to services on a Windows Server by an Admin Master MMC console of RSAT tools. An Admin should RARELY RDP to a server. As for 3rd party applications and SQL, they should provide another method of remote connecting that can be installed on an Admin’s machine for remote Administration.

The bigger picture here is not to look for a disconnected session and log the admin off, but rather think differently and use best practices and manage the servers remotely.

1 Spice up

I got to agree with @overdrive since that’s what we use for all our servers.

https://www.lynda.com/Windows-Server-tutorials/Working-Remote-Server-Administration-Tools-RSAT/194132/374138-4.html

Auto logoff will be something you need to have administration enforce at the company policies (Even for computers).

I agree with both of you. The thing is not all administrative tasks are executed remotely. Sometimes it’s a necessity, other times it’s old habits die hard.

We will focus on both. Thanks guys!
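
An added example, not part of any post in this thread: a PowerShell sketch of the scheduled-task approach with a per-server killswitch, for servers without the Remote Desktop Session Host role. It assumes English `quser` output and treats the IDLE TIME column as a proxy for time since disconnect; the marker file path, parameter names and function names are hypothetical.

```powershell
# Reports (or, with -Enforce, logs off) disconnected sessions idle >= MaxIdleMinutes.
# Intended to run from a scheduled task as SYSTEM or a local administrator.
param(
    [int]$MaxIdleMinutes = 120,
    [string]$ExemptMarker = 'C:\ProgramData\NoAutoLogoff.flag',  # hypothetical killswitch file
    [switch]$Enforce                                             # without this: report only
)

function ConvertTo-IdleMinutes([string]$Idle) {
    # quser idle formats: 'none' or '.', 'm', 'h:mm', 'd+h:mm'
    if ('none', '.' -contains $Idle) { return 0 }
    $days = 0
    if ($Idle -match '^(\d+)\+(.+)$') { $days = [int]$Matches[1]; $Idle = $Matches[2] }
    if ($Idle -match '^(\d+):(\d+)$') {
        return $days * 1440 + [int]$Matches[1] * 60 + [int]$Matches[2]
    }
    return $days * 1440 + [int]$Idle
}

function Get-DisconnectedSession([string[]]$QuserOutput) {
    foreach ($line in ($QuserOutput | Select-Object -Skip 1)) {   # skip the header row
        # Disconnected rows have an empty SESSIONNAME: user, id, 'Disc', idle, logon time
        if ($line -match '^[ >]?(?<user>\S+)\s+(?<id>\d+)\s+Disc\s+(?<idle>\S+)\s') {
            New-Object PSObject -Property @{
                User        = $Matches.user
                Id          = [int]$Matches.id
                IdleMinutes = ConvertTo-IdleMinutes $Matches.idle
            }
        }
    }
}

# Killswitch: an admin creates the marker file before a migration and deletes it afterwards.
if (Test-Path $ExemptMarker) {
    Write-Output "Marker $ExemptMarker present; skipping logoff on $env:COMPUTERNAME."
    return
}

# quser writes to stderr and returns nothing when no sessions exist.
$stale = Get-DisconnectedSession (quser 2>$null) |
    Where-Object { $_.IdleMinutes -ge $MaxIdleMinutes }

foreach ($s in $stale) {
    Write-Output "Disconnected: $($s.User) (session $($s.Id)), idle $($s.IdleMinutes) min"
    if ($Enforce) { logoff $s.Id }
}
```

Run it without `-Enforce` first to review which sessions would be ended, and restrict write access to the marker file's folder so only administrators can set the exemption.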