[Last Call] Learn how to a build a cloud-first strategyRegister Now


Excempt user(s) from Terminal Services policies

Posted on 2012-09-12
Medium Priority
Last Modified: 2012-09-13
We have a terminal server that has a license for up to 50 connections at once.  Users connect via RDP to run an application on the server which is quicker than running a thick-client on their desktops (mainly for offsite users).  The problem is that there are several admin accounts that need to stay logged in but disconnected due to services that are run specifically under those accounts.  I had previously setup disconnect and idle policies under the Terminal Services Configuration that would log off disconnected and idle sessions, but found out the hard way that those previously mentioned admin accounts needed to stay connected after they were bounced by my changes.

Is there a way to setup a GPO or a local policy that will exempt specific users from these policies?  I need to keep those two admin accounts active/logged on while all other idle/disconnected sessions need to be logged off.  Users, even after repeatedly being told, will not 'log off' but will simply close the RDP box leaving their session open.
Question by:netfriendsinc
  • 2
LVL 47

Accepted Solution

Donald Stewart earned 2000 total points
ID: 38392394
If you go to the Delegation Tab of the Group Policy and add these admins and deny read(click on the advanced tab>>highlight user>>and select deny Read)

Author Comment

ID: 38395795
Ok great, so I've enabled the "Set time limit for disconnected sessions" to 30min via the "Computer configuration > policies > admin templates > windows components > remote desktop services" in the GP management Editor on Windows 2008 R2.  I went back to Terminal services server and ran gpupdate and verified it had picked up the GPO by using rsop.msc  However, so far it has not logged off any disconnected sessions - they stay disconnected.  Any idea why that is the case?  I added the two admin accounts to the delegation tab as instructed and set them to 'deny read'.  Thanks for your help thus far!

Author Comment

ID: 38396155
Nevermind!  It took a little longer than expected - perhaps I didn't figure in propagation - but the gpo is now logging off disconnected sessions.  Thanks for the help!

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip Migration Tip #1 – Source Server Health can be found here: http://www.experts-exchang…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .
We’ve all felt that sense of false security before—locking down external access to a database or component and feeling like we’ve done all we need to do to secure company data. But that feeling is fleeting. Attacks these days can happen in many w…
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question