Windows – Auto logout rdp sessions

group-policy windows windows-server-2012-r2

I have a need to log out certain RDP sessions (superadmin account) after 15 minutes of inactivity. If someone forgets to disconnect a session from one of the Windows servers and a password changes overnight, it won't lock the account. I have found a Group Policy setting for this (End a disconnected session in Remote Desktop Services), but I only want to apply it to the super admin account. Is this possible by just adding the super admin to the GP permission?

Best Answer

You describe the condition as "if someone forgets to disconnect a session", and you are applying the End a disconnected session setting to your Remote Desktop Services sessions. First, you need to understand the difference between the two settings:

End a disconnected session

Specify the maximum amount of time that a disconnected user session is kept active on the RD Session Host server. If you specify "Never," the user's disconnected session is maintained for an unlimited time. When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected.

Idle session limit

Specify the maximum amount of time that an active Remote Desktop Services session can be idle (without user input) before the session is automatically disconnected or ended. The user receives a warning two minutes before the session is disconnected or ended, which allows the user to press a key or move the mouse to keep the session active.

It sounds like you need the latter, instead.

Both of these settings can be set in Computer Configuration or User Configuration. As you want to apply this only to specific user(s), you need to use the settings under User Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits.

As always, you can apply a GPO only to specific users if they are in a separate OU container.
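
The approach in the answer above, scripted with the GroupPolicy PowerShell module as an added example that is not part of the original answer. The GPO name and OU path are placeholders. The script also sets `fResetBroken`, the registry value behind the "End session when time limits are reached" policy in the same folder, which goes beyond the answer: it makes the idle limit end the session rather than only disconnect it.

```powershell
# Added example: run on a machine with RSAT / GPMC installed, as a user
# allowed to create and link GPOs. Names marked "placeholder" are assumptions.
Import-Module GroupPolicy

$GpoName   = 'RDS-IdleLimit-SuperAdmin'             # placeholder GPO name
$TargetOu  = 'OU=SuperAdmins,DC=example,DC=com'     # placeholder OU that holds the account
# User Configuration side of the Session Time Limits policies
$PolicyKey = 'HKCU\Software\Policies\Microsoft\Windows NT\Terminal Services'
$IdleMs    = 15 * 60 * 1000                         # 15 minutes, stored in milliseconds

# Create the GPO only if it does not exist yet, so the script can be re-run.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Idle limit for privileged RDP sessions'
}

# Only user settings are used, so switch off the computer half of the GPO.
$gpo.GpoStatus = 'ComputerSettingsDisabled'

# "Set time limit for active but idle Remote Desktop Services sessions"
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'MaxIdleTime' -Type DWord -Value $IdleMs | Out-Null

# "End session when time limits are reached": log off instead of disconnecting
Set-GPRegistryValue -Name $GpoName -Key $PolicyKey `
    -ValueName 'fResetBroken' -Type DWord -Value 1 | Out-Null

# Link the GPO to the OU unless a link is already present.
$existing = (Get-GPInheritance -Target $TargetOu).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existing) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# Show what was written so the values can be checked before rollout.
Get-GPRegistryValue -Name $GpoName -Key $PolicyKey |
    Select-Object ValueName, Value, Type
```

If the same settings are also configured under Computer Configuration on the session hosts, the Computer Configuration values take precedence over these user-side values.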