Exempt user(s) from Terminal Services policies

Posted on 2012-09-12
Last Modified: 2012-09-13
We have a terminal server that has a license for up to 50 connections at once. Users connect via RDP to run an application on the server, which is quicker than running a thick-client on their desktops (mainly for offsite users). The problem is that there are several admin accounts that need to stay logged in but disconnected due to services that are run specifically under those accounts. I had previously set up disconnect and idle policies under the Terminal Services Configuration that would log off disconnected and idle sessions, but found out the hard way that those previously mentioned admin accounts needed to stay connected after they were bounced by my changes.

Is there a way to set up a GPO or a local policy that will exempt specific users from these policies? I need to keep those two admin accounts active/logged on while all other idle/disconnected sessions need to be logged off. Users, even after repeatedly being told, will not 'log off' but will simply close the RDP box, leaving their session open.
Question by:netfriendsinc

    Accepted Solution

    Go to the Delegation tab of the Group Policy, add these admins, and deny Read (click on the Advanced tab >> highlight the user >> and select Deny Read).

    Author Comment

    OK great, so I've set "Set time limit for disconnected sessions" to 30 min via "Computer Configuration > Policies > Administrative Templates > Windows Components > Remote Desktop Services" in the Group Policy Management Editor on Windows 2008 R2. I went back to the Terminal Services server, ran gpupdate, and verified it had picked up the GPO by using rsop.msc. However, so far it has not logged off any disconnected sessions - they stay disconnected. Any idea why that is the case? I added the two admin accounts to the Delegation tab as instructed and set them to 'deny read'. Thanks for your help thus far!

    Author Comment

    Never mind! It took a little longer than expected - perhaps I didn't figure in propagation - but the GPO is now logging off disconnected sessions. Thanks for the help!
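
Added example, not part of the original thread: a read-only PowerShell check that lists the explicit Deny ACEs on a GPO and reports whether each exempted account carries the Deny Read entry described in the accepted solution. It assumes the GroupPolicy and ActiveDirectory modules (RSAT) are available; the GPO name and account names are placeholders, not values from the thread.

```powershell
# Added example: audit Deny ACEs on a GPO (read-only, changes nothing).
param(
    [string]   $GpoName  = 'RDS Session Limits',          # placeholder GPO name (assumption)
    [string[]] $Accounts = @('svc-admin1', 'svc-admin2')  # placeholder accounts (assumption)
)

Import-Module GroupPolicy, ActiveDirectory

# The GPO object's Path property is the DN of its container in AD.
$gpo = Get-GPO -Name $GpoName -ErrorAction Stop
$acl = Get-Acl -Path ("AD:\" + $gpo.Path)

# Explicit (non-inherited) ACEs, with trustees returned as SIDs.
$sidType = [System.Security.Principal.SecurityIdentifier]
$readBit = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$denyRead = @($acl.GetAccessRules($true, $false, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Deny' -and ($_.ActiveDirectoryRights -band $readBit)
})

# Resolve the accounts that are supposed to be exempt.
$expected = @{}
foreach ($name in $Accounts) {
    $expected[(Get-ADUser -Identity $name).SID.Value] = $name
}

# 1) Does every intended account actually have the Deny Read ACE?
foreach ($sid in $expected.Keys) {
    [pscustomobject]@{
        Account  = $expected[$sid]
        DenyRead = [bool]($denyRead | Where-Object { $_.IdentityReference.Value -eq $sid })
    }
}

# 2) Is anyone else denied Read on this GPO? Those trustees are also
#    excluded from it, so each one should be a known, intended exemption.
$denyRead |
    Where-Object { -not $expected.ContainsKey($_.IdentityReference.Value) } |
    ForEach-Object { Write-Warning "Unexpected Deny Read trustee: $($_.IdentityReference.Value)" }
```

The check matches ACEs set directly on the listed accounts; an account denied through a group membership shows up under the group's SID in the second part.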
