Tuesday, May 24, 2005

Making Sure Terminal Services on Your Domain Controller Times Out


If you're an avid reader, you know that I manage the dogfood server at Microsoft for the Small Business Server team. If you don't know that, now you do. :)

One of the biggest problems I have is that there are anywhere from 4-10 domain administrators on the box. We have a rotating administration policy (so everyone gets a chance) and also, since we dogfood the product (even the betas!) before the general public, we run into problems from time to time and more people need to be administrators to investigate what the heck is going on.

Well, this causes a headache for remote access. Every time I try to remote desktop into the server I get "Connection Limit Exceeded". Of course the workaround is to TS directly to the console with the ever so handy command:

mstsc /v:{servername} /console

It's still annoying.

So, Group Policy comes in handy here again. I created a policy to automatically remove idle and disconnected sessions. Life is much easier now. Here's how to do it!

  1. Open Server Management and expand Advanced Management, Group Policy Management, Forest: {domain}, Domains, {domain name}.

  2. Right-Click on Domain Controllers and choose Create and Link a GPO Here...

  3. Give your GPO a friendly name so you can recognize it (I named mine Terminal Services Timeout) and choose OK.

  4. Find your Policy Object in the list under Domain Controllers and Right-Click it and choose Edit.

  5. In the Group Policy Object Editor, expand Computer Configuration, Administrative Templates, Windows Components, Terminal Services and click on Sessions.

  6. In the right-hand pane, you have your configuration options. I set:

    • Set time limit for disconnected sessions - to 15 minutes

    • Sets a time limit for active but idle Terminal Services sessions - to 1 hour

    • Terminate session when time limits are reached - to Enabled

    And that's it!



Also, since this policy resides in the Domain Controllers OU, the policy will only affect the SBS box (unless of course you're rich and have backup/replica domain controllers).
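
To confirm the settings actually reached the server, the check below (an added example, not part of the original post) reads the policy registry values after a `gpupdate /force`. It assumes PowerShell is installed on the server and that the three Sessions settings are stored as MaxDisconnectionTime, MaxIdleTime and fResetBroken under the Terminal Services policy key, with the time limits in milliseconds.

```powershell
# Added example: confirm the Terminal Services session limits from the GPO
# reached this server. Run on the domain controller after "gpupdate /force".
# Assumption: the three Sessions settings map to the policy registry values
# named below, and the time limits are stored in milliseconds.
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Values chosen in step 6: 15 minutes, 1 hour, Enabled.
$expected = @(
    @{ Name = 'MaxDisconnectionTime'; Want = 15 * 60 * 1000; Label = 'Disconnected session limit' },
    @{ Name = 'MaxIdleTime';          Want = 60 * 60 * 1000; Label = 'Idle session limit' },
    @{ Name = 'fResetBroken';         Want = 1;              Label = 'Terminate session at limit' }
)

if (-not (Test-Path $key)) {
    Write-Output "FAIL: $key does not exist; the GPO has not applied to this machine."
    exit 1
}

$props  = Get-ItemProperty -Path $key
$failed = 0
foreach ($e in $expected) {
    # A missing value means that setting is "Not Configured" in the applied policy.
    $actual = $props.($e.Name)
    if ($null -eq $actual) {
        Write-Output ("FAIL: {0} ({1}) is not set" -f $e.Label, $e.Name)
        $failed++
    } elseif ($actual -ne $e.Want) {
        Write-Output ("FAIL: {0} ({1}) = {2}, expected {3}" -f $e.Label, $e.Name, $actual, $e.Want)
        $failed++
    } else {
        Write-Output ("OK:   {0} ({1}) = {2}" -f $e.Label, $e.Name, $actual)
    }
}

# Non-zero exit code lets a scheduled task or monitoring job flag the drift.
if ($failed -gt 0) { exit 1 }
```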

Having this policy turned on makes the box *much* easier to manage, as I can always get to it on the first try. Heck, it may even save some resources, but I highly doubt it.
