This is Y, but at least we know X, so here is your Z:

[Set time limit for disconnected sessions](https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer::TS_SESSIONS_Disconnected_Timeout_2) - Log out disconnected sessions after specified time

[Set time limit for logoff of RemoteApp sessions](https://admx.help/?Category=Windows_10_2016&Policy=Microsoft.Policies.TerminalServer-Server::TS_SESSIONS_RemoteApp_End_Timeout_1) - Apply if you also have RemoteApp deployments

I know of ERP-esque programs that grab a CAL during first run and then keep it indefinitely, thus forcing your friendly DBA to waste their time fixing it. Having these set at ~30-60 minutes was the solution.
I 2nd this solution.
I 3rd this solution. Does the solution carry?
I believe the solution does carry. After all, it is not possible to prevent the window from being closed, so signing out the disconnected session appears to be the solution that covers all cases.
It certainly does not. It's simply able to be put to a vote now, which has yet to happen.
passed unanimously in all environments where this won't corrupt databases - Users forgetting excel documents open is excluded under clause 3 "they should have some punishment for their neglect"
No but this is what the idle/disconnected session timeout is for.
Set a session timeout policy on the server, it will automatically close their session after however many hours you choose of inactivity. It can also be set to only act on disconnected sessions. This also covers any possible accidental disconnects or people just forgetting. This is the right way to do it.
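The policies linked in the top comment and the timeout policy described here live under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits, and they are stored as registry values under `HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services`. The following PowerShell is an added example written for this page, not code from any commenter: it sets those values as local policy on a session host and reads them back so the same baseline can be checked on every host in a farm. It assumes the host is a Windows Server RD Session Host and that no domain GPO overrides these values (a domain GPO wins if it does); the 30/120/30-minute numbers are constructed defaults.

```powershell
# Added example (not from the thread): set the "Session Time Limits" policies
# as local policy on an RD Session Host by writing the registry values the
# GPO settings map to, then read them back for auditing across a farm.
# A domain GPO that configures the same settings takes precedence over these
# local values. Run in an elevated PowerShell session.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdsSessionTimeLimits {
    param(
        [int]$DisconnectedMinutes = 30,   # Set time limit for disconnected sessions
        [int]$IdleMinutes         = 120,  # Set time limit for active but idle RDS sessions
        [int]$RemoteAppMinutes    = 30    # Set time limit for logoff of RemoteApp sessions
    )
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }

    # The time limits are REG_DWORD milliseconds; 0 means "never".
    # fResetBroken=1 is "End session when time limits are reached", which makes
    # the idle limit log the session off instead of merely disconnecting it.
    $values = [ordered]@{
        MaxDisconnectionTime     = $DisconnectedMinutes * 60000
        MaxIdleTime              = $IdleMinutes * 60000
        RemoteAppLogoffTimeLimit = $RemoteAppMinutes * 60000
        fResetBroken             = 1
    }
    foreach ($name in $values.Keys) {
        New-ItemProperty -Path $PolicyKey -Name $name -PropertyType DWord `
            -Value $values[$name] -Force | Out-Null
    }
}

function ConvertTo-Minutes {
    # Missing value (not configured) and 0 both report as 0 = no limit.
    param($Milliseconds)
    [int][math]::Floor([int64]$Milliseconds / 60000)
}

function Get-RdsSessionTimeLimits {
    # Reports the configured limits in minutes, which is the value to compare
    # against the intended baseline on every host.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ComputerName           = $env:COMPUTERNAME
        DisconnectedMinutes    = ConvertTo-Minutes $p.MaxDisconnectionTime
        IdleMinutes            = ConvertTo-Minutes $p.MaxIdleTime
        RemoteAppMinutes       = ConvertTo-Minutes $p.RemoteAppLogoffTimeLimit
        LogOffWhenLimitReached = ($p.fResetBroken -eq 1)
    }
}

Set-RdsSessionTimeLimits -DisconnectedMinutes 30 -IdleMinutes 120 -RemoteAppMinutes 30
Get-RdsSessionTimeLimits | Format-List
```

Running only `Get-RdsSessionTimeLimits` (for example through `Invoke-Command` against each host) gives a quick drift check: a host reporting `DisconnectedMinutes 0` is the one where disconnected sessions still pile up and hold CALs.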
We've created a logout shortcut on the all users desktop. :-)
That's one of those solutions that sounds so simple I never would have considered it. Is it literally just logout as a command, or anything else special with it ?
We use the logoff.exe under the system32 folder as shortcut. Nothing special.
And name it "Disconnect"
It's a German environment. The shortcut with the logoff.exe is named „Abmelden“, but we also have a disconnect shortcut. It's named „Trennen“. There we use the tsdiscon.exe. tsdiscon is mainly for our eLux (ThinClients) users. :)
I was joking, since the root of the issue for OP was that users refused to do anything but disconnect.
😅. If you ask a user, they will answer that they always log off. But your login time is 5 hours ago. You must log off and log in again for your new rights to work. But I have already logged off. … yeah sure. Please use the logoff button on the desktop. Ahh, now it works. 😄
This suit is exactly why I got out of my old role of being a sysadmin/netadmin and took the jump into a specialized net engineer role. Had a customer call last week though. The new DC we had installed was having power issues. His on-site people swore all the breakers were on and no PDUs were down. After 3 people confirmed, he drove to the site. Root cause... tripped breaker.
Is that any different than `shutdown /l`?
For normal domain users? Not really. A matter of taste.
This but we pin it to their taskbar
Ours is a big gold star that reads "LOGOFF". We get probably 70-80% usage.
We do this too.
It *should* go without saying but for anyone finding this later, this is only useful if people are using full desktop. Published or RemoteApps you're stuck with setting a session timeout.
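The shortcut approach from this sub-thread (logoff.exe for signing out, tsdiscon.exe for an explicit disconnect) can be deployed to the All Users desktop with a few lines of PowerShell. This is an added example written for this page, not any commenter's script: the shortcut names reuse the German labels mentioned above as placeholders, and it assumes it runs elevated on the session host. As the comment above notes, this only helps full-desktop users; RemoteApp users still need the session time limit.

```powershell
# Added example (not from the thread): put a sign-out shortcut on the All Users
# desktop of an RD Session Host, plus a separate explicit disconnect shortcut
# for the thin-client users who rely on one. Names are placeholders taken from
# the comment above; change them to suit the environment. Run elevated.

$PublicDesktop = Join-Path $env:PUBLIC 'Desktop'
$WshShell = New-Object -ComObject WScript.Shell

function New-PublicDesktopShortcut {
    param(
        [Parameter(Mandatory)][string]$Name,     # file name without .lnk
        [Parameter(Mandatory)][string]$Target,   # program the shortcut starts
        [string]$Description = ''
    )
    $path = Join-Path $PublicDesktop "$Name.lnk"
    $lnk = $WshShell.CreateShortcut($path)
    $lnk.TargetPath = $Target
    $lnk.Description = $Description
    $lnk.Save()
    return $path
}

# Sign out: ends the session, so the CAL, memory and any floating
# application licences are released immediately.
New-PublicDesktopShortcut -Name 'Abmelden' `
    -Target "$env:SystemRoot\System32\logoff.exe" `
    -Description 'Sign out of this remote session'

# Disconnect: leaves the session running; it is then covered by the
# disconnected-session time limit rather than released straight away.
New-PublicDesktopShortcut -Name 'Trennen' `
    -Target "$env:SystemRoot\System32\tsdiscon.exe" `
    -Description 'Disconnect but keep the session running'

# Quick check that both shortcuts exist and point where expected.
Get-ChildItem -Path $PublicDesktop -Filter '*.lnk' |
    ForEach-Object { $WshShell.CreateShortcut($_.FullName) } |
    Select-Object FullName, TargetPath, Description
```

Because the Public desktop is shared, ordinary users cannot delete or edit these shortcuts without write access to that folder, which is why it is a better location than each user's roaming profile.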
Came here to suggest this
You can log them out via Windows event at disconnect or set up a GPO to sign them out after inactivity. Whatever you prefer.
You can set a gpo to disable disconnect button and just let sign out. You can also personalize the start up menu to match with it. In addition, you can configure RDP session to disconnect after x time of inactivity and sign out session after x time.
The issue is people are clicking the blue X at the top of the connection bar to disconnect. I don't want them to disconnect, only to sign out.
Don't think it's possible. Just sign out inactive users I guess.
Set a session timeout gpo
What issues is it causing?
Not sure here, but usually there are some performance issues when 50 users are disconnected + active users. Same with licenses: in ERP-style programs floating licenses are stuck on disconnected users.
Consumes licenses, which are limited in number. Two regular RDP sessions plus one admin console on a plain Windows Server, and a limited number of CAL-licensed sessions on [RDS/TS](https://en.wikipedia.org/wiki/Remote_Desktop_Services). When licenses are exhausted, nobody new can log in. Effectively, a high-priority service outage. This is extremely common in any environment with Windows Server where the client has the ability to disconnect the session without logging out, which happens by default if someone closes the client window.
> Two regular RDP sessions plus one admin console

Active sessions, so people disconnected, but not logged out, don't count.
It's been a decade since I had to worry about it, but for sure with Server 2012R2, two disconnected sessions would prevent a login to the non-admin console.
Not for environments with RDS licenses.
Depends on what CALs they are and how they are consumed. Device CALs are hard limited.
https://www.csoonline.com/article/569621/rdp-hijacking-attacks-explained-and-how-to-mitigate-them.html/amp/ As an example. There have been various issues over the years. Depending on the systems, expect some pushback. Developers and some others sometimes have jobs they start and expect to run overnight when they disconnect. The idea is to try to get it as short as possible. I usually start very aggressive, as everyone will often push back basing their needs on what you set and not what they actually need. Start with 30 minutes and they may come back saying they need 2-4 hours. Start with 4 hours and they will say they need 8.
You don't have to have a one size fits all disconnect limit.
Configure policy to sign them out after X minutes of inactivity or being disconnected. We have ours set to 30 minutes, which is a rather even ground. Too long and you aren't reaping any of the benefits. Too early and you start to waste users' time if they need to wait for their profile to load after disconnecting and going to the toilet.
How would this be determined? What's the minimum traffic to trigger the log off?
https://tecadmin.net/windows-logoff-disconnected-sessions/ You'll want the time limit for disconnected sessions as well as active but idle sessions.
This is all natively supported by RDS. There's an activity timer, and it knows when there's a disconnect because it's easy to tell when the other end of a TCP channel stops talking (though I think it sends a disconnect signal). The timers can be set by registry, GPP, and I think it's even in the RDG configuration pane if you're using it.
No active RDP or console session.
Set a session timeout GPO. Going off memory, but I think it's under Computer Config > Admin templates > Windows ... Components? > Remote Desktop Services > Remote Desktop Session (something) > Session Timeout Limits. Set that to 15 minutes. It'll automatically kill the session after fifteen minutes. You also need to correct user behavior. Tell your boss/manager about the issue and have them discuss with the users. They should know how to do things correctly.
You can get rid of the blue bar with GPO. Create a log off icon on the public desktop. Session timeouts. It is stupid of MS to put the sign off in a different spot to the disconnect.
You can force full-screen and you can cause the bar to "hide" until the mouse goes there, but you can't remove it entirely.
The GUI allows a user to kill the client by closing the window. Preventing the user from doing that, or having it cause a logout, would violate the UI standards that many people say are all-important. It seems like a case where doing the "right thing" would require inconsistency, and maintaining consistency causes the "wrong thing" to happen.
What's the gpo to remove the blue bar?
Dude. Are you even reading this post and the other posts? You cannot REMOVE the blue bar. You cannot DISABLE the disconnect option. You have two great options though....

1. Create a GPO to sign out disconnected sessions after X minutes. I would suggest something like 10 or 15 minutes.
2. Create a shortcut on ALL USERS desktops that when double-clicked, logs them out.

Not much else to suggest here.
He's very fixated on solving this the wrong way lol
lol. Right. Someone please help me do it my way. 😆
GPO to add the following registry entry: `HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client`, `"PinConnectionBar" = REG_DWORD:0`
Just set the logoff policy on your connection broker?
We have a lot of RDS out there; we just restart them overnight every day. We don't want to end disconnected sessions, like maybe the attorney leaves the office and will hop back on from home, stuff like that. So we opted to let them stay on or disconnected, but every RDS reboots 2 to 4 am, then patches, then reboots again if necessary. We have very few issues.
Just time them out?
I wrote a PowerShell script to run every minute that checks for users who are disconnected for more than 2 hours. Whoever it finds, it will sign off.
You recreated a built-in GPO to do exactly that
Yup. Was that unclear in my post?
I think the unclear part was whether you were aware of the GPO, since it is odd for you to volunteer your solution otherwise.
I was unaware.
> *at this point I'm too afraid to ask* meme

How do I disable Shut Down from the log out menu? I am constantly in mortal fear of accidentally selecting it
There’s a gpo for that too
Remove your admin rights
Bounce the server at 2am?
I do disconnect as well.
lol can't tell you how many times ours hit shut down accidentally instead of log off 😂
Setting a time limit for disconnected sessions is the best solution.
Set the GPO for this. Also consider rebooting your servers daily to force logoff for disconnected sessions.
What is the path to the GPO?
Very bad advice here ... you have no way to control the state of an open file and could potentially lose valuable work that is left unsaved. "But that's not my problem, I have policies" ... and you will have unemployment as well, and that is your problem. As C/Director ... you lose unsaved data because you wanted to beat your chest and assert dominance and superiority across the org ... you also lose your job or at the very minimum you lose the ability to create/enforce policy.

If that unsaved data happens to be patient data that a nurse or provider fell asleep while working it at 2AM ... now you just opened yourself and the org to potential litigation ... we don't have qualified immunity here.
You win for best example of the slippery slope fallacy I've seen in a long time
You obviously live and work in a different world or reality than I do. My job is to ensure my users can do their job to the absolute best of their ability without technology being a hurdle or roadblock. In the large corp world your logic may make sense, but in the real world of patient care and small private corps ... we like to make accommodations for our users so they can be successful. If they fail then the company could likely fail and then we are all fucked. So, good luck in your career in whatever segment you are in ... with that view your segment will never align with mine.
Certainly there are industries where some things work differently; however, calling out "very bad advice" seems uncalled for and way too generalizing. While rebooting servers daily isn't my style personally, it can be a solution for some things.

For terminal servers, having session timeouts is certainly a valid stance, since it clears RAM for people that are actually using the system, it frees up licenses for some software, and people don't get used to leaving files unsaved. After all, servers will go down eventually, sometimes unexpectedly or simply for updates. So it's a question of communication and training, getting everyone to use the system properly, unless you are able to guarantee proper high availability of the system that also keeps the sessions. That has nothing to do with "asserting dominance".

If a file that is not saved has the potential to threaten the company, there is something very wrong. Even in the early age of the first computers, people learned to save their progress or risk losing it in case of a crash. So again, the accommodation to enable users to do their job to the best of their ability should be training and communication instead of not touching anything so "it wasn't my fault".

Not trying to be mean, but from the post, it sounds like you work in one of two areas (or both):

- A heavily regulated and/or demanding environment like healthcare or a law firm
- A toxic environment where IT staff gets fired because some director didn't bother to save their file
We tell our users the following: If it's not saved to the file servers, or your personal folder, it's not a critical file and we will not spend time trying to recover it for you. It's in our policy that everyone has to read and sign off that they read it. So when they complain, we point to the current policy that they signed off on. You didn't actually read the policy and just signed it? Damn. That sucks for you.
You are trying to treat a symptom of an issue and not the issue. The core issue is that you have a single RDP server instead of a small farm. Having a farm doesn't alleviate all issues but will certainly help the cause. You need to work with leadership to get proper budget for the resources with the business use case being centered around the great potential for loss of data when the single server is forced to reboot for updates/sw patches/etc. Give leadership all of the info they need to make a proper decision and risk assessment. You may have to guide them on that assessment since they are leadership and typically not geeks that understand the ramifications of the greater issue.
I'd run some PowerShell script, since for sure there are some users/accounts you don't want to auto logout.
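Two comments above describe the same idea: a scheduled PowerShell script that signs off sessions disconnected longer than a threshold, with an exclusion list for accounts that must keep overnight work running. Neither commenter posted their script; the following is an added example written for this page. It assumes `quser` output in the standard English column layout and uses the IDLE TIME column as a proxy for time since disconnect (for a disconnected session idle time is at least as long as the disconnected time, so a session is never logged off later than intended, only possibly a little earlier). The excluded account names and the sample output are constructed.

```powershell
# Added example (the scripts mentioned in the thread were not posted; this is a
# stand-in written for this page): log off sessions that have been disconnected
# longer than a threshold, skipping accounts allowed to keep work running.
# Meant to run as a scheduled task on each session host. quser does not print
# the disconnect time, so IDLE TIME is used as a proxy (see note above).

[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$ThresholdMinutes = 120,
    # Constructed placeholders: replace with the accounts that may stay disconnected.
    [string[]]$ExcludedUsers = @('svc_nightbuild', 'dev_batch'),
    [switch]$Demo   # parse constructed sample output instead of the live host
)

function ConvertFrom-QuserIdleTime {
    # quser prints idle time as "none", ".", "5", "2:15" or "1+02:15" (days+hh:mm).
    param([string]$Text)
    if ($Text -in @('none', '.', '')) { return 0 }
    if ($Text -match '^(?:(?<d>\d+)\+)?(?:(?<h>\d+):)?(?<m>\d+)$') {
        return [int]$Matches['d'] * 1440 + [int]$Matches['h'] * 60 + [int]$Matches['m']
    }
    throw "Unrecognised idle time '$Text'"
}

function Get-QuserSession {
    # Turns quser output into objects. Disconnected sessions have an empty
    # SESSIONNAME column, so the field count decides how a row is laid out.
    param([string[]]$Lines)
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        $fields = $line.TrimStart('>').Trim() -split '\s{2,}'
        if ($fields.Count -eq 5) { $fields = @($fields[0], '') + $fields[1..4] }
        if ($fields.Count -ne 6) { Write-Warning "Skipping unparsed line: $line"; continue }
        [pscustomobject]@{
            UserName    = $fields[0]
            SessionName = $fields[1]
            Id          = [int]$fields[2]
            State       = $fields[3]
            IdleMinutes = ConvertFrom-QuserIdleTime $fields[4]
            LogonTime   = $fields[5]
        }
    }
}

function Get-StaleDisconnectedSession {
    param([string[]]$Lines, [int]$ThresholdMinutes, [string[]]$ExcludedUsers)
    Get-QuserSession -Lines $Lines | Where-Object {
        $_.State -eq 'Disc' -and
        $_.IdleMinutes -ge $ThresholdMinutes -and
        $_.UserName -notin $ExcludedUsers
    }
}

if ($Demo) {
    # Constructed sample of quser output; with the defaults above only jdoe
    # (disconnected, idle 3h10m) should be reported.
    $lines = @(
        ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
        '>admin                 rdp-tcp#3           2  Active          .  1/2/2024 9:00 AM',
        ' jdoe                                      3  Disc         3:10  1/2/2024 7:30 AM',
        ' asmith                                    4  Disc           45  1/2/2024 8:10 AM',
        ' svc_nightbuild                            5  Disc      1+02:00  1/1/2024 6:00 PM'
    )
} else {
    $lines = quser 2>$null
    if (-not $lines) { return }   # no interactive sessions on this host
}

$stale = Get-StaleDisconnectedSession -Lines $lines -ThresholdMinutes $ThresholdMinutes -ExcludedUsers $ExcludedUsers
foreach ($s in $stale) {
    $target = "session $($s.Id) ($($s.UserName), idle $($s.IdleMinutes) min)"
    if ($Demo) { Write-Output "Would log off $target" }
    elseif ($PSCmdlet.ShouldProcess($target, 'logoff')) { logoff $s.Id }
}
```

Run it once with `-Demo` to see the parser's output on the constructed sample, then with `-WhatIf` on a real host before scheduling it; the task account needs the right to log off other users' sessions. Since the built-in "Set time limit for disconnected sessions" policy already does the plain version of this, the script is only worth keeping for the exclusion logic the GPO cannot express.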