When do changes to the group policy take affect for remote desktop idle times?

remote-desktop-services group-policy windows-server-2019

[...]If I'm understanding this correctly, they've been idle for a day and 11 hours. Is that correct?

No, because there's a catch... or two...

The Idle Time reported by Remote Desktop Services is misleading because the value is only relevant when the Session State is: Disconnected.

When a user disconnects (for example, by closing the RDP window without logging off), Windows will update the Session State from Active to Disconnected and update the Disconnect Time too. The Idle Time value is simply the difference between "Now" and the Disconnect Time. So far, so good, because a user disconnects, the session state is updated, the Disconnect Time is updated too, and when you open up the Server Manager, the Idle time column shows you the time elasped between the value shown in Disconnect Time and Now.

However, here comes the first catch: When a user Reconnects to their Disconnected session, Windows will update the Session State from Disconnected to Active again, but the Disconnect Time value will not be erased, the Disconnect Time still shows the last time the user disconnected, and the Idle Time value will still happily show you the time elasped between the value shown in Disconnect Time and Now. And because the session is Active, this value is meaningless (the session is idle only when Disconnected, and now the session is Active).

However, the second thing you should be aware of is that there is another "Idle" concept: The time elapsed between the last user input when the session is Active. That's the case when the user is technically connected to the Session Host ("Active") but away from their device, or when the user is not interacting with the RDP window. I call that the "last input time", and Windows will not show you this value.

Now, let's summarize this:

  • We have the "Idle Time" shown in Server Manager => That's the time elapsed between the value shown in "Disconnect Time" and "Now". Forget about this value if the session state is "Active". Let's call this value the "Session Idle Time" for the sake of simplicity.

  • We have the "last input time" too, that's the last time the user did something within their Active session. Windows keeps track of this but will not show you this value.

Now we can talk about managing the timeouts.

First of all, I recommend you to set the policy you configured ("Set time limits for disconnected session") back as "Not Configured" because we should manage this from the Session Collection settings. You can use the group policy if you have special needs that you can't address with Session Collection settings, but please be sure that you are not configuring different values between Session Collection settings and Group Policy, and that you can keep track of your settings.

Here we can see where we can manage the timeouts in the Session Collection settings, I'll explain these settings below:

Session Collection settings

End a disconnected session: Here you can tell Windows when you want to Log Off sessions shown as "Disconnected", that's based on what I call the "Session Idle Time" i.e. the "Idle Time" shown in Server Manager. This settings will have no effect on "Active" sessions.

Active session limit: That's to prevent user from keeping their session Active indefinitely, be careful with this setting because it will disconnect the user even if they are actively working.

Idle session limit: With this setting you can ask Windows to Disconnect an Active session when the time elapsed since the "last input time" exceeds a certain value. i.e: The user is away from their device, and stopped interacting with their Session but the RDP connection is still established. When the Idle Session Limit value is exceeded, Windows will Disconnect the session (now the session shows up as "Disconnected" in your Server Manager and the "End a disconnected session" timer will start counting).

Consider this: if you set the Idle session limit to 1 hour, and the End a disconnected session value to 1 hour too, this means that when a user stops interacting with their RDP window, the system will Disconnect the session after 1 hour (the user can still Reconnect and resume their work) and at this point the second "timer" will kick in and after another hour the End a disconnected session value will Log Off the user session (2 hours after the user stopped interacting with the session).
Of course, if the user closes their RDP client, the session switches immediately in the "Disconnected" state and the "End a disconnected session" value will Log Off this user after 1 Hour ("Idle session limit" is ignored because the session is already Disconnected).

You asked if the setting takes effect immediately: As far as I can tell, the new settings applies only to new sessions established after modifying the settings in the Session Collection, existing sessions should not be affected.

Related

iptables: How to block UDP between devices on LAN-side of gateway (using dd-wrt firmware)
losing line endings using Linux mail sending email to Windows Outlook
How does "DROP all anywhere" in the FORWARD table not render my router useless?
Wireshark find DNS response "Refused"
What does sfdisk do, and how does it compare to fdisk or parted?
How to copy only new files AND only those that are modified after a certain date?
Can I pair multiple hosts to a single Bluetooth headphones device?
No supported authentication methods available in FileZilla
How can I join two simple home networks together using an ethernet cable?
How can I check if a domain uses DNSSEC?
Using Paint or Gimp WHERE is the UNSELECT?
Can I stop windows 7 from fading windows on alt-tab?