I've been scouring the forums and have yet to find a similar problem that I'm seeking an answer for. I'm wondering if there is a way to enforce a timeout on published apps. Essentially, when someone launches a published app and goes idle or leaves the computer for a certain amount of time I want the screen to lock. I work with a client that has sensitive information and occasionally the researchers will forget to log out or lock the computer and thus a subsequent security breech could occur. I have tried to change the the publishing session timeout option under agent settings for our terminal server in the farm, but this doesn't seem to help. Also, I'm pretty sure in the past with a previous version of the server the sessions were able to lock out according to one of our administrators. Ideas? Thanks in advance.
published items are from terminal servers or VDI hosts? also you want to lock user sessions or log users out completely?
Hi there, to set time-out settings for disconnected, active, and idle sessions please refer to the Microsoft Technet article http://technet.microsoft.com/en-us/libr ... 10%29.aspx. In your case I personally would prefer to set a time out that lead into a disconnect for an active session that idle. In this case the user could reconnect to the published applications w/o loosing a part of his work that may be not saved. Another workaround would be to set a screen saver within the user session of the terminal server, but this only works well with a published full desktop in my eyes as well as it can lead into performance issues with the terminal server... Kind Regards,
Thank you both for the replies. In response to the first post, I was hoping to simply lock the researchers out and then allow them to resume their session by entering their password. They are running the 2X apps from terminal servers and not VDIs. As for the second post, the article you linked to is for Server 2003. 2008 has done away with terminal services (I believe it's just called remote desktop services now.) I will look into modifying similar settings in group policy to see if that helps. Otherwise, I'll try to look for a newer technet article. Regards, Justin
this should still be possible in a normal windows environment for users logging into a TS. I am sure there is a GPO to apply to machines which can be used to lock out the user automatically after the session is idle for X amount. Check the following locations when setting a GPO. Seems where timeouts can be set so see what's what : 1) Domain group policy Computer configuration | Administrative templates | Windows components | Terminal Services | Sessions |.... 2) Domain group policy User configuration | Administrative templates | Windows components | Terminal Services | Sessions |.... 3) Local computer policy Computer configuration | Administrative templates | Windows components | Terminal Services | Sessions |.... 4) Local computer policy User configuration | Administrative templates | Windows components | Terminal Services | Sessions |.... 5) User’s profile in Active Directory. See: Active Directory Users and Computers | User profile | Sessions 6) On the terminal server itself, Terminal Services Configuration console | Connections | right click on RDP-Tcp in the right hand window and choose properties | Sessions |….
Hi Justin, you right with the re-naming. That's why I linked to the terminal services article in tech net because I read 'terminal server farm' within your query. I judged that wrong and assumed that you run an OS below the re-naming. The detailed Technet article for the current OS associated to a remote desktop session host (RDSH) farm can be found at http://technet.microsoft.com/en-us/libr ... 54272.aspx All settings (and more) that were possible under terminal services still apply for remote desktop services. Kind Regards,
I was able to resolve the issue by following the suggestions you posted. Thank you all for the help. For anyone who may encounter this issue in the future, the policy that should be modified is under User Configuration -> Policies -> Administrative Templates -> Control Panel -> Personalization. Then enable the screen saver, password protect the screen saver, and choose a timeout. I had this configured all along but I just recently found out a policy above the hierarchy was actually preventing this from applying.
