How can I make sure that users log out of Remote Desktop sessions instead of just closing the RDP window?

We have a bunch of servers that our engineers remote desktop into, but each server has a two connection limit. We will often attempt to RDP into these boxes and we will see the "This machine has exceeded the maximum number of connections" message.

It's a big pain because we have sent out several email messages to these users, and they never get the point.

I know how to connect to the root console and boot people, but I'd prefer not to do that. I also know that there are ways of booting inactive sessions after a period of time, and I don't want to do that either.

I want to force users to learn that they need to log out. This doesn't happen if you log them out manually (plus logging them out manually is a pain). If you just log them out manually, these engineers won't think twice about staying connected in an RDP session because it is convenient for them.

I would prefer some notification system where the inconsiderate user is notified via email or NET SEND message that their account is being disconnected from the machine. That way, they will realize that they are doing something wrong. Even better, if they are in violation several times, I would like their account to be locked until a system administrator unlocks it.

Is there a way to achieve the goal of having users log out manually? All suggestions are welcome.


Solution 1:

You can use the Remote Desktop Session Host Configuration tools, or (better) Group Policies to define rules around RDP disconnects.

If you use Group Policy and OUs, you will be able to allow some users to stay "disconnected" and force others to log off after disconnect.

Specifically check out these policy branches:

  • Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits
  • User Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Session Time Limits

And policies like these:

End a disconnected session

Specify the maximum amount of time that a disconnected user session is kept active on the RD Session Host server. If you specify "Never," the user's disconnected session is maintained for an unlimited time.

When a session is in a disconnected state, running programs are kept active even though the user is no longer actively connected.


When a session limit is reached or connection is broken

Specify whether to disconnect or end the user's Remote Desktop Services session when an active session limit or an idle session limit is reached.

If the user's session is disconnected, the programs that the user is running are kept active even though the user is no longer actively connected.

If the user's session is ended, the user will need to establish a new Remote Desktop Services session with an RD Session Host server.

For more info, check out this page from MS about RDP disconnection policies.

Solution 2:

For a notification system, I guess you would have to develop it, using APIs such as WTSEnumerateSessions.

This means developing something like a Windows service which would regularly query your servers in order to hunt disconnected sessions, and do what you want with them.

This could take you a bunch of days of work to get it right.

Otherwise, I suggest another approach to this trouble:

  • Set up two groups of RDP users on the servers: say TrustedDisconnectors and UntrustedDisconnectors.
  • Set up a policy for UntrustedDisconnectors, causing them to have their session logged out after a somewhat short disconnection timeout.
  • Communicate about that change. State that engineers who frequently fail to disconnect properly without valid reasons would no longer be allowed to disconnect without being logged off.
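A lightweight version of the "hunt disconnected sessions" sweep described in Solution 2, written as an added PowerShell example (not code from either answer): it parses `quser` output on each host, records sessions left in the Disc state past a grace period so repeat offenders can be counted, and logs them off. The host names, log path and 30-minute threshold are assumptions.

```powershell
# Added example (not code from the answers above): sweep the RDP hosts for sessions
# left in the Disc(onnected) state longer than a grace period, record the offender,
# and log the session off. Server names, log path and threshold are assumptions.
param(
    [string[]]$Servers = @('RDHOST01', 'RDHOST02'),   # assumption: your RDP hosts
    [int]$MaxDisconnectMinutes = 30,                  # assumption: grace period
    [string]$LogPath = 'C:\Logs\rdp-disconnects.log', # assumption: audit trail
    [switch]$ReportOnly                               # list offenders, do not log off
)

function Get-RdpSession {
    param([string]$Server)
    # quser prints a fixed-width table (USERNAME SESSIONNAME ID STATE IDLE LOGON).
    # Collapse runs of spaces into one delimiter; a disconnected session has an
    # empty SESSIONNAME, yielding 5 fields instead of 6, so re-insert that column.
    $lines = quser /server:$Server 2>$null | Select-Object -Skip 1
    foreach ($line in $lines) {
        $fields = ($line.Trim().TrimStart('>') -replace '\s{2,}', ',') -split ','
        if ($fields.Count -eq 5) { $fields = @($fields[0], '') + $fields[1..4] }
        [pscustomobject]@{
            Server = $Server; UserName = $fields[0]; Id = [int]$fields[2]
            State  = $fields[3]; IdleTime = $fields[4]; LogonTime = $fields[5]
        }
    }
}

function ConvertTo-Minutes {
    # quser idle time is '.', 'none', 'mm', 'h:mm' or 'd+hh:mm'; normalise to minutes.
    param([string]$Idle)
    if ($Idle -eq '.' -or $Idle -eq 'none') { return 0 }
    $days = 0
    if ($Idle -match '^(\d+)\+(.+)$') { $days = [int]$Matches[1]; $Idle = $Matches[2] }
    $parts = $Idle -split ':'
    $mins = if ($parts.Count -eq 1) { [int]$parts[0] } else { [int]$parts[0] * 60 + [int]$parts[1] }
    return $days * 1440 + $mins
}

foreach ($srv in $Servers) {
    Get-RdpSession -Server $srv | Where-Object { $_.State -eq 'Disc' } | ForEach-Object {
        $mins = ConvertTo-Minutes $_.IdleTime
        if ($mins -lt $MaxDisconnectMinutes) { return }   # still inside the grace period
        # One line per offence; count repeats per user here to drive a "lock after N" rule.
        "$(Get-Date -Format s) $($_.Server) $($_.UserName) id=$($_.Id) disconnected ${mins}m" |
            Add-Content -Path $LogPath
        if ($ReportOnly) { return }
        logoff $_.Id /server:$($_.Server)
    }
}
```

Run it from a scheduled task under an account that is an administrator on the hosts; the log file is what a mail or account-lockout step would read, since a message sent to a session that is already disconnected is never seen.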