Limit User Access to Single Session across all Servers

We have 3 RDS Servers set up that staff log into.  Each staff member is assigned a server to log into, but occasionally they're asked to change it up, or to move to another if there's an issue on theirs.  Also, we have people who connect via Android and iPad; we have one of the 3 servers set up to be accessible to tablet users.

Our issue exists primarily with these tablet users.  They're not so great at remembering to log off when they flip to another app on their device, and can forget to go back and save & close the document they have open. When they get back to work and back to their normal server, we're called in to close and save the file and end their session for them.

So what I've been working on is to set up Single Session access.  Which I have working for me at this stage.  Using the following GPO, if I already have a session open on that server and log in again, my first session is taken over by the second.  

Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections > Restrict Remote Desktop Services users to a single Remote Desktop Services session > Enabled.

That's cool, but I can still log into another server and my session on the first one remains.

Is there a way to limit my access to one session across all servers?
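The GPO above only acts within one RD Session Host: it lets a second logon take over the first session on the same box, but no host knows about sessions on the other two. The script below is an added example, not part of the original question, that does the cross-server check by hand for standalone hosts without a broker: it confirms the policy value actually landed on each server, builds a session inventory from `quser`, and logs off every session beyond the user's newest active one. The host names `rds01`..`rds03` are placeholders. Because logging off discards unsaved documents (the very thing stranded tablet sessions hold), it honours `-WhatIf` so you can use it as a report first.

```powershell
# Added example (not from the original post). Enforces one session per user across
# standalone RD Session Host servers that are NOT behind an RD Connection Broker.
# Assumptions: run from a domain admin session with rights on every host; quser.exe
# and logoff.exe are present; 'rds01'..'rds03' are placeholder host names.

$RdsHosts = @('rds01', 'rds02', 'rds03')   # assumption: replace with the real hosts

function Test-SingleSessionPolicy {
    # Confirms the per-host GPO (fSingleSessionPerUser = 1 under the policy key)
    # actually applied on each server before relying on it.
    param([string[]]$Hosts = $RdsHosts)
    Invoke-Command -ComputerName $Hosts -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        $v = (Get-ItemProperty -Path $key -Name fSingleSessionPerUser -ErrorAction SilentlyContinue).fSingleSessionPerUser
        [pscustomobject]@{ Host = $env:COMPUTERNAME; SingleSessionPerUser = ($v -eq 1) }
    }
}

function ConvertFrom-QuserOutput {
    # Parses the fixed-width text 'quser /server:<host>' prints:
    #   USERNAME  SESSIONNAME  ID  STATE  IDLE TIME  LOGON TIME
    # Disconnected sessions have an empty SESSIONNAME, so splitting on 2+ spaces
    # yields 5 fields instead of 6; a leading '>' marks the caller's own session.
    param([string[]]$Lines, [string]$HostName)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.TrimStart('>').Trim() -split '\s{2,}'
        $offset = if ($f.Count -eq 5) { 0 } else { 1 }
        [pscustomobject]@{
            Host      = $HostName
            UserName  = $f[0].ToLowerInvariant()
            SessionId = [int]$f[1 + $offset]
            State     = $f[2 + $offset]
            # quser prints the logon time in the server's locale, so parse with it.
            LogonTime = [datetime]::Parse($f[4 + $offset], [cultureinfo]::CurrentCulture)
        }
    }
}

function Get-RdsSessionInventory {
    param([string[]]$Hosts = $RdsHosts)
    foreach ($h in $Hosts) {
        # quser exits 1 with "No User exists" when a host has no sessions; skip it.
        $raw = & quser.exe "/server:$h" 2>$null
        if ($LASTEXITCODE -ne 0 -or -not $raw) { continue }
        ConvertFrom-QuserOutput -Lines $raw -HostName $h
    }
}

function Get-DuplicateSessions {
    # Users holding sessions on more than one host (or more than one on a host).
    param([object[]]$Sessions)
    $Sessions | Group-Object UserName | Where-Object Count -gt 1
}

function Invoke-SingleSessionEnforcement {
    # Keeps the newest Active session per user and logs off the rest. Logging off
    # discards unsaved documents, so run with -WhatIf first and treat the output
    # as a to-do list before enforcing for real.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Hosts = $RdsHosts)
    $inventory = @(Get-RdsSessionInventory -Hosts $Hosts)
    foreach ($group in Get-DuplicateSessions -Sessions $inventory) {
        $ordered = $group.Group | Sort-Object `
            @{ Expression = { $_.State -eq 'Active' }; Descending = $true },
            @{ Expression = 'LogonTime'; Descending = $true }
        foreach ($s in ($ordered | Select-Object -Skip 1)) {
            $target = "$($s.UserName) session $($s.SessionId) on $($s.Host) ($($s.State))"
            if ($PSCmdlet.ShouldProcess($target, 'logoff')) {
                & logoff.exe $s.SessionId "/server:$($s.Host)"
            }
        }
    }
}

# Constructed sample of quser output to exercise the parser offline.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>jsmith                rdp-tcp#12          2  Active          .  12/05/2019 8:02',
    ' asmith                                    3  Disc         1:20  12/05/2019 7:41'
)
ConvertFrom-QuserOutput -Lines $sample -HostName 'rds03' | Format-Table -AutoSize

# Real run: report first, then enforce.
# Invoke-SingleSessionEnforcement -WhatIf
# Invoke-SingleSessionEnforcement -Verbose
```

Run `Test-SingleSessionPolicy` once after the GPO is pushed: if any host reports `False`, the per-host takeover will not happen there either and the cross-server logoff will be the only control. Scheduling `Invoke-SingleSessionEnforcement` every few minutes on one management box gives the single-session behaviour the question asks for, but it is a logoff, not a session takeover, so the stranded document is lost rather than handed to the new connection.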
btan, Exec Consultant, commented:
I have not tested that before, but in the forums below there is discussion on that using the Farm for this approach. The key component is to have a broker to manage it, which purposely ensures that users reconnect to their existing sessions in a load-balanced RD Session Host server farm. Importantly, this prevents a user with a disconnected session from being connected to a different RD Session Host server in the farm and starting a new session.

There is some sort of persistency to what I see, and it is highly likely the single session can be enforced.
btan, Exec Consultant, commented:
Actually saw another caveat for single session as well...

If a user specifies a different program to start when the user connects to the RD Session Host server, a new session will be created on the RD Session Host server for the user, even if the RD Session Host server is configured to restrict users to a single session. A user can specify a program to start on connection on the Programs tab under Options in Remote Desktop Connection. However, you can prevent a user from starting a program on connection; for more information about preventing a user from starting a program on connection

Can be prevented by GPO

Furthermore, I was thinking that this may help

Allow reconnections, but prevent new logons. If you select this setting, a user who already has a remote session running on the RD Session Host server can reconnect to that session. However, a new user—that is, a user that does not currently have a remote session running on the RD Session Host server—will not be able to connect to the RD Session Host server. If the RD Session Host server is restarted, no users will be able to connect to the RD Session Host server.
bosshognz, Author, commented:
breadtan, thanks for the response.
All of our users are set by GPO to have Outlook and our CRM login open when they log in.  It's the first thing all of them do when they log in, so we automate it for them.  Unless there's an absolutely better way to get this going, we won't be changing this.

And we want all of our users to log off when they're finished working so that resources are freed up, not only for other users but for the other processes that happen outside them, e.g. SQL DB data transfer, backups, replication etc.  It's just messy when people don't log out.  We also have a cycle of server restarts to prevent/minimise leaks etc.

Since asking this question I've researched down the line of creating an RDS Farm and serving to users from there.  Will this provide what we want?

btan, Exec Consultant, commented:
Probably you already have a small farm. RDS centralising users onto thin clients already streamlines the deployment and, importantly, the enforcement checks.

What I like is the flexibility of PowerShell to assist with automation from an operational perspective, though GPO should be leveraged first where possible.

But you probably have to review the long-term refresh of highly resilient hardware and an application delivery controller to optimise performance and maintain user experience.

For sensitive and critical services you may want to segregate and not do a big bang until the team is comfortable and high availability is assured....
bosshognz, Author, commented:
I'm just one in the chain in our IT dept.  There is a hardware lifecycle plan in place built with redundancy and DR in mind, but that's not my area of expertise.

I've just been asked to investigate single user session logins and how we might be able to enforce it across multiple devices and multiple servers.  With the use of the single session GPO setting I'm able to limit logins on the one server with multiple devices; now it's looking wider to multiple servers.

Upon my further research it looks like farms are the way to go, but I just want to confirm that before I go back to my manager.  Is it possible on Farms?  Is it something that just happens on a farm, or is there a setting of some description on there too that needs to be set?
btan, Exec Consultant, commented:
Possible; it is just an extension to a bigger server pool. Extracted below:

To track user sessions in a load-balanced RD Session Host server farm, an RD Connection Broker server stores information in its local database for each and every session. This session information includes where the session resides, its state, the session ID, and the username associated with the session. Using this information, the RD Connection Broker redirects users with an already existing session to the correct RD Session Host server or virtual desktop.

With RD Connection Broker Load Balancing, users with existing sessions are still redirected to those sessions if they attempt to reconnect to them. However, for new session connections, the RD Connection Broker will attempt to distribute the session load between more-powerful and less-powerful servers in the farm based on an assigned server weight value and which server has the least load.

To configure RD Connection Broker Load Balancing, an administrator must create an A or AAAA record for each RD Session Host in a farm. The hostname for the record is then set to the farm’s name and the IP address to the RD Session Host server that is being added. The RD Connection Broker then uses round-robin DNS to distribute a user’s initial connection to an RD Session Host server farm. After the user has connected and authenticated to the initial RD Session Host server, that server then queries the RD Connection Broker for where to redirect the user to. The final RD Session Host server that is returned from the RD Connection Broker is based on the following two decisions:

Does the user have an existing session? If so, redirect that user to the RD Session Host server where that session exists.

If the user doesn’t have an existing session, which RD Session Host server has the least load? Redirect that user to the RD Session Host server with the least load.
btan, Exec Consultant, commented:
Adding some more, and a checklist, but more for deployment, which may not be your team's role.

There are two RD Connection Broker components to consider in a load-balanced RD Session Host server farm.

RD Connection Broker server. This is the server that runs the Remote Desktop Connection Broker service and tracks user sessions for one or more load-balanced RD Session Host server farms. RD Connection Broker uses a farm name to determine which servers are in the same RD Session Host server farm.

RD Session Host servers that use RD Connection Broker. These are RD Session Host servers that are members of a farm in RD Connection Broker. To participate in RD Connection Broker, a server must meet the following criteria:

The server must have the RD Session Host role service installed.

The server must be a member of an Active Directory domain.

The server must be a member of the Session Broker Computers local group on the RD Connection Broker server.

The server must be a member of a load-balanced RD Session Host server farm.

If you are using the RD Connection Broker Load Balancing feature, you can configure load-balancing settings together with other RD Connection Broker settings.
bosshognz, Author, commented:
In layman's terms, rather than a copy and paste from a website (I found all the same stuff in my research, but didn't get the answers out of it I was looking for; too technical for me!)...... Is it possible to perform on farms?  Is it something that just happens on a farm, or is there a setting of some description on there too that needs to be set?
btan, Exec Consultant, commented:
I don't see anything that is not, even if it is going for a farm as a whole. The GPO still applies; it is just that the number of servers has increased. In short, it should stay as discussed, leaving aside those implementation details of such scaling.

Pardon me, as I thought you needed the technical details to sieve out any compliance issues, caveats or prerequisites.
bosshognz, Author, commented:
We're not looking at increasing the number of RDS servers we have; we have 3 at present.  Physical devices: 2 in one blade server and 1 in the other one.  But we provisioned manual load balancing across them, splitting staff up in terms of geographic location, workflow and the hours they work.  So at this stage we don't have a farm as such.

We have the one server available for access via their tablets - which is where the issues occur - with staff who don't use that one server normally.

I just want to know how best we can implement single session use across these 3 servers.  If farms are the way to go, then that's what I'll recommend.