Remote Desktop Services Restrict Single Session

oORomanOo used Ask the Experts™

I deployed an RDS farm with 3 servers (2012R2) where multiple users use RemoteApps, web apps and Remote Desktop to connect to the RDS farm.
And there we have a strange issue with the single session restriction.

I created a GPO for the servers with the policy "Restrict Remote Desktop Services users to a single Remote Desktop Services session", which I have enabled to force a single session per user.

If a user now connects over RemoteApp, he will connect to (for example) session 1 on server 1. Okay, now if the same user connects over web apps, he will be connected to the same session. But if the user connects over Remote Desktop (RDP), he will be connected to another session on another server, and there is the problem: if he connects with another session on another server, he will use temp. profiles.

I would like to force a single session for the users, no matter which connection method they use.

Maybe someone knows how I could do this.

Thanks in advance for all help.
Infrastructure Manager
The RemoteApp server creates a headless session for that user which you can't connect to outside of the presented remote app. You still have an open session to interact with other applications, but this is different than a remote desktop session.


The behavior you are seeing is expected and cannot be changed. What you can do is configure your server so that disconnected RemoteApp sessions are ended automatically using the group policy setting "Set time limit for logoff of RemoteApp sessions".
Distinguished Expert 2018
Unfortunately you can't do what you want the way you are trying to do it.  If you allow users to connect directly using RDC then the policy you are setting is only getting enforced by that server. It has no way to check and see if the user has already logged on with another server, so you can't do a global policy like that.  

In 2012, Microsoft has really gone away from even having users fire up RDC at all though. The "apps" in the various app stores (Google Play, Apple store, etc.) as well as the Win8/10 app, as well as the RDWeb interface for older clients (XP-Win7) all rely on connecting to the RD Connection Broker first. This ensures session affinity and resolves all of your problems in one fell swoop. The RDCB will redirect to the existing session and that machine will enforce the policy. This is the modern architecture and Microsoft has orchestrated *everything* around it.

So short answer? Don't deploy files that use RDC directly. Don't give out information with machine name so users can do it manually. Have them use the modern apps (which pull the XML data from RDWeb) or have them use RDWeb. Then they will always be going through RDCB as intended.
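
A check for the symptom discussed in this thread, as an added example that is not part of the original question or answers: it flags accounts that hold sessions on more than one session host, which is what happens when someone connects to a server directly instead of through the RD Connection Broker. The function name `Find-SplitRdsSession`, the sample rows, and the broker and collection names are assumptions; the property names are those of `Get-RDUserSession` output.

```powershell
# Added example. Property names follow Get-RDUserSession output
# (RemoteDesktop module); all host, domain and user names below are constructed.
function Find-SplitRdsSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [object[]]$Session
    )
    begin { $all = New-Object 'System.Collections.Generic.List[object]' }
    process { foreach ($s in $Session) { $all.Add($s) } }
    end {
        # Group by DOMAIN\user; Group-Object compares case-insensitively.
        $all | Group-Object { '{0}\{1}' -f $_.DomainName, $_.UserName } |
            ForEach-Object {
                $hosts = @($_.Group | ForEach-Object { $_.HostServer } | Sort-Object -Unique)
                if ($hosts.Count -gt 1) {
                    # Same account on more than one session host: the per-server
                    # single-session policy could not see the other session.
                    [pscustomobject]@{
                        User   = $_.Name
                        Hosts  = $hosts -join ', '
                        Detail = ($_.Group | ForEach-Object {
                            '{0}={1}' -f $_.HostServer, $_.SessionState }) -join '; '
                    }
                }
            }
    }
}

# Constructed sample rows standing in for live broker output.
$sample = @(
    [pscustomobject]@{ DomainName = 'EXAMPLE'; UserName = 'alice'; HostServer = 'rdsh01.example.test'; SessionState = 'STATE_ACTIVE' }
    [pscustomobject]@{ DomainName = 'EXAMPLE'; UserName = 'alice'; HostServer = 'rdsh03.example.test'; SessionState = 'STATE_DISCONNECTED' }
    [pscustomobject]@{ DomainName = 'EXAMPLE'; UserName = 'bob';   HostServer = 'rdsh02.example.test'; SessionState = 'STATE_ACTIVE' }
    [pscustomobject]@{ DomainName = 'EXAMPLE'; UserName = 'bob';   HostServer = 'rdsh02.example.test'; SessionState = 'STATE_DISCONNECTED' }
)
# Only EXAMPLE\alice is reported; bob's two sessions are on the same host.
$sample | Find-SplitRdsSession | Format-List

# Against a live deployment (broker and collection names are placeholders):
# Get-RDUserSession -ConnectionBroker 'broker.example.test' -CollectionName 'Farm' |
#     Find-SplitRdsSession
```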
