Configuring RDP/RDS Session Limit (Timeout) on Windows | Ranjan.info

When a user closes the RDP/RDS session window in the terminal client (mstsc.exe, RDCMan, or the Remote Desktop HTML5 Web Client) by clicking the cross in the top right corner instead of logging off, the session changes from active to disconnected. In this mode, all apps, open documents, and windows are still running on the remote desktop computer and consuming system resources.

By default, a user’s RDP session in Windows can remain in a disconnected state until terminated by the user or administrator, or until the computer is restarted. This is quite convenient, as the user can connect to their previous Remote Desktop session at any time and continue working with running apps and open files.

The following screenshot shows that a disconnected user session on an RDS server running Windows Server 2019 consumes about 40% of the server RAM.

Disconnected user session on rds host

Also, these sessions can lock open files on your file servers and cause problems with incorrect saving of data in apps, roaming profile folders, or user profile disks. Disconnected RDP sessions often cause domain user account lockout issues after a password change (when the RDS session continues to run under the user’s old password).

Using the quser command, you can see when the user’s RDP session was started, how long it has been idle, and the current session state.

quser command - list all rds sessions with logon time, idle and status
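To act on the quser output rather than read it by eye, you can parse it into objects and filter on state and idle time. The following is an added example, not code from the original article: the function names, the 8-hour threshold and the sample text are assumptions, and the sample is constructed in the English-locale quser layout.

```powershell
# Constructed sample in the English quser layout; on a real host use: $lines = quser 2>$null
$sample = @'
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
>administrator         rdp-tcp#2           2  Active          .  3/1/2024 9:12 AM
 jsmith                                    3  Disc      1+02:15  2/28/2024 4:40 PM
 mbrown                                    4  Disc           37  3/1/2024 8:05 AM
 akhan                 rdp-tcp#5           5  Active       2:10  3/1/2024 7:30 AM
'@

function ConvertTo-IdleTimeSpan([string]$Idle) {
    # quser idle formats: '.' or 'none' (not idle), 'm', 'h:mm', 'd+h:mm'
    if ($Idle -match '^(?:(?<d>\d+)\+)?(?:(?<h>\d+):)?(?<m>\d+)$') {
        # Groups that did not take part in the match are absent and cast to 0
        return New-TimeSpan -Days ([int]$Matches['d']) -Hours ([int]$Matches['h']) -Minutes ([int]$Matches['m'])
    }
    return [TimeSpan]::Zero
}

function Get-QuserSession([string[]]$Lines) {
    # SESSIONNAME is blank for disconnected sessions, so it is optional in the pattern
    $pattern = '^[ >](?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    foreach ($line in ($Lines | Select-Object -Skip 1)) {   # skip the header row
        if ($line -match $pattern) {
            $m = $Matches.Clone()   # keep this match before the helper runs its own -match
            [pscustomobject]@{
                User    = $m['User']
                Session = $m['Session']
                Id      = [int]$m['Id']
                State   = $m['State']
                Idle    = (ConvertTo-IdleTimeSpan -Idle $m['Idle'])
                Logon   = $m['Logon'].Trim()   # left as text: the date format depends on the locale
            }
        }
    }
}

# Assumed threshold: report disconnected sessions idle for 8 hours or longer
$threshold = New-TimeSpan -Hours 8
Get-QuserSession ($sample -split '\r?\n') |
    Where-Object { $_.State -eq 'Disc' -and $_.Idle -ge $threshold } |
    Format-Table User, Id, State, Idle, Logon
```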

You can also display information about the duration of user sessions in an RDS farm using a PowerShell script (specify the FQDN of your RDS Connection Broker server):

# FQDN of your RDS Connection Broker server
$connectionBrocker = "mun-rdscb.woshub.com"
# List farm sessions and add a calculated SessionAge column (current time minus CreateTime)
Get-RDUserSession -ConnectionBroker $connectionBrocker | Select-Object -Property CollectionName, HostServer, DomainName, UserName, ServerIPAddress, CreateTime, DisconnectTime, SessionState, IdleTime, SessionID, `
@{Name="SessionAge ([days.]hours:minutes)";Expression={ ((Get-Date) - $_.CreateTime) } }

You can configure the maximum duration of active, disconnected, and inactive (no user activity) sessions for Remote Desktop Services.

Automatically log off disconnected and inactive Remote Desktop user sessions

In order to automatically end disconnected RDP/RDS sessions within a specified period of time, you need to set the session limit (timeout) correctly.

If you have a Remote Desktop Services farm deployed on Windows Server, you can configure the user session timeout settings on the Session tab of the RDS collection settings.

Specify the time period after which a disconnected Remote Desktop session should be ended in the End a disconnected session option (by default, the duration of an RDP session is unlimited – Never). You can also set the maximum time of an active user session (Active session limit) and end an inactive session (Idle session limit). These hard timeouts apply to all user sessions in the RDS collection.

In Windows Server 2022/2019/2016/2012R2, you can set RDP session timeout using Group Policies. You can do this either in the Domain GPO Editor (gpmc.msc) or on a specific RDS host in the Local Group Policy Editor (gpedit.msc) (or on the desktop version of Windows if you have allowed multiple RDP connections to it).

The settings for the RDP session timeout are located in the following GPO section: Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Session Time Limits. The following Remote Desktop timeout settings are available:

  • Set time limit for disconnected sessions;
  • Set time limit for active but idle Remote Desktop Services sessions — The policy allows the termination of idle RDP sessions with no user input (such as moving the mouse or typing something on the keyboard);
  • Set time limit for active Remote Desktop Services sessions — This is the maximum time of any RDP session (even an active session), after which it goes into a disconnected state;
  • End session when time limits are reached – sets the time after which the RDP session will be terminated (logoff) instead of disconnected;
  • Set time limit for logoff of RemoteApp sessions.

Configure RDP/RDS session timeout via GPO

By default, these options are not configured. To automatically end all disconnected RDP user sessions in 8 hours, enable the “Set time limit for disconnected sessions” policy and select 8 hours in the drop-down list.

"Set time limit for disconnected session" --group policy parameter to restrict rdp session time

Save the changes and update the Group Policy settings on your RD host (gpupdate /force). The new timeout settings will only apply to new RDP sessions (you must manually end current user sessions on RDSH).

GPO settings take precedence over the timeout settings in the RDS collection.

You can find similar RDP timeout settings in the User GPO section: User Configuration -> Administrative Templates -> Windows Components. Using the policy from the Users section, you can more flexibly configure user groups with different limits on the duration of RDP sessions.

You can also set the time limit of an RDP session through the registry. The following DWORD parameters in the HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services registry key correspond to the Group Policy options described above:

  • MaxDisconnectionTime
  • MaxIdleTime
  • MaxConnectionTime
  • RemoteAppLogoffTimeLimit

For example, to set the maximum duration of a disconnected RDP session to 15 minutes (900000 ms), you can change a registry parameter by using the following PowerShell command:

Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name MaxDisconnectionTime -Type 'DWord' -Value 900000
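The command above fails if the policy key does not exist yet, and the value has to be given in milliseconds. The following wrapper is an added example, not code from the original article: Set-RdpSessionLimit is a hypothetical helper name. It takes the limit as a TimeSpan, creates the key when it is missing, and reads the stored value back.

```powershell
# Added example; run in an elevated PowerShell session on the RDS host.
function Set-RdpSessionLimit {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Value names listed in the article
        [Parameter(Mandatory)]
        [ValidateSet('MaxDisconnectionTime', 'MaxIdleTime', 'MaxConnectionTime', 'RemoteAppLogoffTimeLimit')]
        [string]$Name,

        # Limit as a TimeSpan; the registry value stores milliseconds
        [Parameter(Mandatory)]
        [TimeSpan]$Limit,

        [string]$Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
    )

    # Reject limits that cannot be written as a 32-bit value
    if ($Limit.TotalMilliseconds -lt 0 -or $Limit.TotalMilliseconds -gt [int]::MaxValue) {
        throw "Limit '$Limit' is outside the range this helper writes."
    }
    $ms = [int]$Limit.TotalMilliseconds

    if (-not (Test-Path -Path $Path)) {
        # Set-ItemProperty does not create the key, so create it first
        if ($PSCmdlet.ShouldProcess($Path, 'Create registry key')) {
            New-Item -Path $Path -Force | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess("$Path\$Name", "Set to $ms ms")) {
        Set-ItemProperty -Path $Path -Name $Name -Type DWord -Value $ms
        # Read back what was actually stored
        $stored = (Get-ItemProperty -Path $Path -Name $Name).$Name
        [pscustomobject]@{
            Name         = $Name
            Milliseconds = $stored
            Limit        = [TimeSpan]::FromMilliseconds($stored)
        }
    }
}

# 15 minutes = 900000 ms; remove -WhatIf to apply the change
Set-RdpSessionLimit -Name MaxDisconnectionTime -Limit (New-TimeSpan -Minutes 15) -WhatIf
```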

You can also set RDP session limits on the Sessions tab in the properties of a local (lusrmgr.msc) or domain user (dsa.msc – Active Directory Users and Computers console). The following options are available here:

  • End a disconnected session;
  • Active session limit;
  • Idle session limit;
  • When a session limit is reached or the connection is broken: “Disconnect from session” or “End session”;
  • Allow reconnection: “From any client” or “From originating client only”.

rds session timeout in user properties in Active Directory

You should not make the RDP session timeout too short, otherwise, user sessions will expire almost immediately after being idle.

If you have an RD Gateway server deployed for remote access to RDS hosts, you can configure different timeouts for users connected via RDGW (open the Connection Authorization Policy and go to the Timeouts tab).

Remote Desktop Gateway: Session Timeout Settings

In Windows Server 2008 R2, you could also set an RDP session timeout using the special tsconfig.msc (RD Session Host Configuration) console. It was enough to open the console and right-click on RDP-Tcp -> Properties. The session timeout settings are located on the Sessions tab. However, there is no such console in newer Windows Server versions (although you can manually copy the tsadmin.msc and tsconfig.msc files and use these consoles on newer Windows Server versions as well).

tsconfig.msc session limits on windows server 2008 r2

Remote Desktop session has become inactive beyond its time limit

After configuring RDS timeout, users will see the following warning before disconnecting the idle session:

Idle timer expired
Session has been idle over its time limit.
It will be disconnected in 2 minutes.
Press any key to continue the session.

idle timer expired rdp session message

And before the user disconnects, Event ID 26 is logged in the System Event Viewer.

Event ID 26: Session expired

You can disable this warning by setting EnableTimeoutWarning = 0 in the WMI class Win32_TSSessionSetting:

Set-WmiInstance -Path "\\localhost\root\CIMV2\TerminalServices:Win32_TSSessionSetting.TerminalName='RDP-Tcp'" -Argument @{EnableTimeoutWarning=0}

Now, when Windows automatically ends the idle RDP session, the user will receive the following message from the RDP client:

Your Remote Desktop Services session ended because the remote computer didn’t receive any input from you.

    Remote Desktop Services session terminated - The remote computer did not receive any input from you

In some cases, you may encounter this error in the RDP client:

Your Remote Desktop Services session has ended. Another user connected to the remote computer, so your connection was lost. Try connecting again, or contact your network administrator.

RDP session terminated - Another user connected to the remote computer

This means that someone else has signed in to the computer via RDP while the number of simultaneous RDP sessions on the computer is restricted by the Limit number of connections parameter (for example, only one remote session is available on desktop Windows versions), or that you have logged in to the RDP host from a new computer.

You can allow multiple connections under the same user account to an RDP host by using the GPO option Limit Remote Desktop Services users to a single Remote Desktop Services session = Disabled (under Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections).

GPO: Restrict RDS user to single session
