

Limit User Access to Single Session across all Servers

Posted on 2012-08-27
Medium Priority
Last Modified: 2012-09-02
We have 3 RDS Servers set up that staff log into. Each staff member is assigned a server to log into, but occasionally they're asked to change it up, or to move to another if there's an issue on theirs. Also, we have people who connect via Android and iPad; we have one of the 3 servers set up to be accessible to tablet users.

Our issue exists primarily with these tablet users. They're not so great at remembering to log off when they flip to another app on their device and can forget to go back and save & close the document they have open, and when they get back to work and back to their normal server, we're called in to close and save the file and end their session for them.

So what I've been working on is to set up Single Session access, which I have working for me at this stage. Using the following GPO, if I already have a session open on that server and log in again, my first session is taken over by the second.

Computer Configuration>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host>Connections>Restrict Remote Desktop Services users to a single RemoteDesktopServices session>Enabled.

That's cool, but I can still log into another server and my session on the first one remains.

Is there a way to limit my access to one session across all servers?
Question by:bosshognz
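A way to see the cross-server case the question describes, as an added example that is not from the thread: it lists logged-on users on each of the three hosts, flags anyone holding a session on more than one, and confirms the policy value the single-session GPO sets. The hostnames are placeholders; it assumes quser can query each host and that PowerShell remoting is enabled for the policy check.

```powershell
# Added example (not from the thread). Hostnames are placeholders for the three RD Session Hosts.
# Assumes quser can query each host and that PowerShell remoting is enabled for the policy check.
$Servers = @('RDS01', 'RDS02', 'RDS03')

function Get-RdsUserSessions {
    param([string[]]$ComputerName)
    foreach ($server in $ComputerName) {
        # quser prints one row per logged-on user; the first row is the column header.
        $rows = quser /server:$server 2>$null | Select-Object -Skip 1
        foreach ($row in $rows) {
            # A leading '>' marks the caller's own session; SESSIONNAME is blank for
            # disconnected sessions, so locate the numeric ID instead of fixed columns.
            $tokens  = ($row.Trim() -replace '^>', '') -split '\s+'
            $idIndex = -1
            for ($i = 1; $i -lt $tokens.Count; $i++) {
                if ($tokens[$i] -match '^\d+$') { $idIndex = $i; break }
            }
            if ($idIndex -lt 1) { continue }
            [pscustomobject]@{
                Server = $server
                User   = $tokens[0]
                Id     = [int]$tokens[$idIndex]
                State  = $tokens[$idIndex + 1]   # Active or Disc
            }
        }
    }
}

function Find-MultiServerUsers {
    param([object[]]$Sessions)
    # A user seen on two or more distinct hosts is the case the per-server GPO cannot catch.
    $Sessions | Group-Object User |
        Where-Object { ($_.Group | Select-Object -ExpandProperty Server -Unique).Count -gt 1 }
}

function Test-SingleSessionPolicy {
    param([string[]]$ComputerName)
    # The "Restrict ... to a single session" GPO writes fSingleSessionPerUser = 1 under this policy key.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        $val = Get-ItemProperty -Path $key -Name fSingleSessionPerUser -ErrorAction SilentlyContinue
        [pscustomobject]@{ Server = $env:COMPUTERNAME; SingleSessionPerUser = ($val.fSingleSessionPerUser -eq 1) }
    }
}

$sessions = Get-RdsUserSessions -ComputerName $Servers
Find-MultiServerUsers -Sessions $sessions | ForEach-Object {
    $where = ($_.Group | ForEach-Object { "$($_.Server) ($($_.State))" }) -join ', '
    "{0} has sessions on: {1}" -f $_.Name, $where
}
Test-SingleSessionPolicy -ComputerName $Servers | Format-Table Server, SingleSessionPerUser
```

A user reported with a Disc session on the tablet host and an Active one on their usual server is exactly the forgotten-document case; this script only reports it, while a Connection Broker is what redirects the reconnect to the existing session.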
LVL 65

Expert Comment

ID: 38340525
Actually saw another caveat for single session as well...

If a user specifies a different program to start when the user connects to the RD Session Host server, a new session will be created on the RD Session Host server for the user, even if the RD Session Host server is configured to restrict users to a single session. A user can specify a program to start on connection on the Programs tab under Options in Remote Desktop Connection. However, you can prevent a user from starting a program on connection; for more information about preventing a user from starting a program on connection

Can be prevented by GPO

Furthermore, I was thinking that this may help


Allow reconnections, but prevent new logons. If you select this setting, a user who already has a remote session running on the RD Session Host server can reconnect to that session. However, a new user—that is, a user that does not currently have a remote session running on the RD Session Host server—will not be able to connect to the RD Session Host server. If the RD Session Host server is restarted, no users will be able to connect to the RD Session Host server.

Author Comment

ID: 38343049
breadtan, thanks for the response.
All of our users are set by GPO to have Outlook and our CRM login open when they log in. It's the first thing all of them do when they log in, so we automate it for them. Unless there's an absolutely better way to get this going, we won't be changing this.

And we want all of our users to log off when they're finished working so that resources are freed up not only for other users, but for the other processes that happen outside them - eg: SQL DB data transfer, backups, replication etc. It's just messy when people don't log out. We also have a cycle of server restarts to prevent/minimise leaks etc.

Since asking this question I've researched down the line of creating an RDS Farm and serving to users from there.  Will this provide what we want?
LVL 65

Expert Comment

ID: 38343744
Probably you already have a small farm. RDS centralizing users onto thin clients already streamlines the deployment and, importantly, the enforcement checks.


 What I like is the flexibility of powershell to assist for automation from operation perspective though go should be best leveraged first where possible.


But you probably have to review the long-term refresh of highly resilient hardware and an application delivery controller to optimize performance and maintain user experience.

For sensitive and critical services you may want to segregate and not do a big bang until the team is comfortable and high availability is assured.

Author Comment

ID: 38343849
I'm just one in the chain in our IT dept. There is a hardware lifecycle plan in place built with redundancy and DR in mind, but that's not my area of expertise.

I've just been asked to investigate single user session logins and how we might be able to enforce it across multiple devices and multiple servers. With the use of the single session GPO setting I'm able to limit logins on the one server with multiple devices; now it's looking wider to multiple servers.

Upon my further research it looks like farms are the way to go, but I just want to confirm that before I go back to my manager. Is it possible on Farms? Is it something that just happens on a farm, or is there a setting of some description on there too that needs to be set?
LVL 65

Expert Comment

ID: 38343904
Possible, it is just an extension of a bigger server pool. Extracted below:


To track user sessions in a load-balanced RD Session Host server farm, an RD Connection Broker server stores information in its local database for each and every session. This session information includes where the session resides, its state, the session ID, and the username associated with the session. Using this information, the RD Connection Broker redirects users with an already existing session to the correct RD Session Host server or virtual desktop.

With RD Connection Broker Load Balancing, users with existing sessions are still redirected to those sessions if they attempt to reconnect to them. However, for new session connections, the RD Connection Broker will attempt to distribute the session load between more-powerful and less-powerful servers in the farm based on an assigned server weight value and which server has the least load.

To configure RD Connection Broker Load Balancing, an administrator must create an A or AAAA record for each RD Session Host in a farm. The hostname for the record is then set to the farm’s name and the IP address to the RD Session Host server that is being added. The RD Connection Broker then uses round-robin DNS to distribute a user’s initial connection to an RD Session Host server farm. After the user has connected and authenticated to the initial RD Session Host server, that server then queries the RD Connection Broker for where to redirect the user to. The final RD Session Host server that is returned from the RD Connection Broker is based on the following two decisions:

Does the user have an existing session? If so, redirect that user to the RD Session Host server where that session exists.

If the user doesn’t have an existing session, which RD Session Host server has the least load? Redirect that user to the RD Session Host server with the least load.
LVL 65

Expert Comment

ID: 38343915
Adding some more, and a checklist, but more for deployment, which may not be your team's role.


There are two RD Connection Broker components to consider in a load-balanced RD Session Host server farm.

RD Connection Broker server. This is the server that runs the Remote Desktop Connection Broker service and tracks user sessions for one or more load-balanced RD Session Host server farms. RD Connection Broker uses a farm name to determine which servers are in the same RD Session Host server farm.

RD Session Host servers that use RD Connection Broker. These are RD Session Host servers that are members of a farm in RD Connection Broker. To participate in RD Connection Broker, a server must meet the following criteria:

The server must have the RD Session Host role service installed.

The server must be a member of an Active Directory domain.

The server must be a member of the Session Broker Computers local group on the RD Connection Broker server.

The server must be a member of a load-balanced RD Session Host server farm.

If you are using the RD Connection Broker Load Balancing feature, you can configure load-balancing settings together with other RD Connection Broker settings.

Author Comment

ID: 38344033
In layman's terms, rather than a copy and paste from a website (I found all the same stuff in my research, but didn't get the answers out of it I was looking for - too technical for me!)... Is it possible to perform on farms? Is it something that just happens on a farm, or is there a setting of some description on there too that needs to be set?
LVL 65

Expert Comment

ID: 38344380
I don't see anything that is not, even if it is going for a farm as a whole. The GPO still applies; just that the number of servers increased. In short, it should stay as discussed, leaving aside those implementation details of such scaling.

Pardon me, as I thought you needed the technical details to sieve out any compliance or caveat or prerequisites.

Author Comment

ID: 38347653
We're not looking at increasing the number of RDS servers we have, we have 3 at present.  Physical devices - 2 in one blade server and 1 in the other one.  But we provisioned manual load balancing across them - splitting staff up in terms of geographic location, workflow and the hours they work.  So at this stage we don't have a farm as such.

We have the one server available for access via their tablets - which is where the issues occur - with staff who don't use that one server normally.

I just want to know how best we can implement single session use across these 3 servers. If farms are the way to go, then that's what I'll recommend.
LVL 65

Accepted Solution

btan earned 2000 total points
ID: 38348644
I have not tested that before, but in the forums below there are discussions on that using the Farm for this approach. The key component is to have a broker to manage it, which purposely ensures that users reconnect to their existing sessions in a load-balanced RD Session Host server farm. Importantly, this prevents a user with a disconnected session from being connected to a different RD Session Host server in the farm and starting a new session.

There is some sort of persistency to what I see and highly likely the single session can be enforced.
