Configuring RDP/RDS Sessions Limits (Timeouts) on Windows

When a user closes the RDP/RDS session window in a terminal client (mstsc.exe, RDCMan or Remote Desktop HTML5 web client) by simply clicking the cross in the top right corner without logging off, his session goes from active to a disconnected mode. In this mode, all apps, open documents, and windows are still running on a Remote Desktop computer and consuming system resources.

By default, a user’s RDP session in Windows may stay in the disconnected state until terminated by the user or administrator, or until the computer is restarted. It is quite convenient, since a user may any time connect to his previous remote desktop session and continue working with running apps and open files.

The following screenshot shows that disconnected user sessions on an RDS server running Windows Server 2019 consume about 40% of the server RAM.

Also, these sessions can block open files on your file servers, cause problems with incorrect saving of data in the apps, roaming profile folders, or on User Profile Disks. Disconnected RDP sessions often cause a domain user account lockout issue after a password change (when the RDS session continues to run under the user’s old password).

Using the qusercommand, you can view when a user RDP session was started, how long it was idle, and the current session state.

You can also display information about the duration of user sessions in the RDS farm using a PowerShell script (specify the FQDN of your RDS Connection Broker server):

$connectionBrocker = “mun-rdscb.woshub.com"
Get-RDUserSession -ConnectionBroker $connectionBrocker |select-object -Property CollectionName, HostServer, DomainName, UserName, ServerIPAddress, CreateTime, DisconnectTime,  SessionState, IdleTime , SessionID , `
@{Name='SessionAge ([days.]hours:minutes)';Expression={ ((get-date ) - $_.CreateTime) } }

You can configure the maximum duration of active, disconnected, and idle (no user activity) sessions for Remote Desktop Services.

Automatically Log off Disconnected and Idle Remote Desktop User Sessions

To automatically end disconnected RDP/RDS sessions in a specified period of time, you need to set session limits (timeouts) correctly.

If you have a Remote Desktop Services farm deployed on Windows Server, you can configure user session timeout settings in the RDS collection settings on the Session tab.

Specify the time period, after which you want to kill a disconnected remote desktop session, at the End a disconnected session option (by default, an RDP session duration is unlimited – Never). You can also set the maximum time of an active user session (Active session limit) and end an idle session (Idle session limit). These hard timeouts are applied to all user sessions in the RDS collection.

In Windows Server 2022/2019/2016/2012R2, you can set RDP session timeouts using Group Policies. You can do it either in the domain GPO editor (gpmc.msc) or in the Local Group Policy Editor (gpedit.msc) on a specific RDS host (or on a desktop version of Windows if you have allowed multiple RDP connections to it).

The settings of RDP session timeouts are located in the following GPO section Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Session Time Limits. The following Remote Desktop timeout settings are available:

• Set time limit for disconnected session;
• Set time limit for active but idle Remote Desktop Services sessions — the policy allows to end idle RDP sessions that have no user input (like moving a mouse or typing something on a keyboard);
• Set time limit for active Remote Desktop Services sessions — it is the maximum time of any RDP session (even an active one), after which it switches to the disconnected state;
• End Session when time limits are reached — sets the time, after which an RDP session will be terminated (logoff) instead of disconnecting it;
• Set time limit for logoff of RemoteApp sessions.

By default, these options are not configured. To automatically end all disconnected RDP user sessions in 8 hours, enable the “Set time limit for disconnected sessions” policy and select 8 hours in the dropdown list.

Save the changes and update the Group Policy settings on your RD host (gpupdate /force). New timeout settings will only be applied to new RDP sessions (you will have to end the current user sessions on RDSH manually ).

GPO settings take precedence over timeout settings in the RDS collection.

You can also set RDP session time limits through the registry. The following DWORD parameters from HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services registry key corresponding to the Group Policy options described above:

• MaxDisconnectionTime
• MaxIdleTime
• MaxConnectionTime
• MaxDisconnectionTime
• RemoteAppLogoffTimeLimit

For example, to set the maximum duration for a disconnected RDP session to 15 minutes (90000 ms), you can change a registry parameter using the following PowerShell command:

Set-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" -Name MaxDisconnectionTime -Type 'DWord' -Value 900000

You can also set the limits of an RDP session on the Settings tab in the properties of a local (lusrmgr.msc) or domain user (dsa.msc — Active Directory Users and Computers console). The following options are available here:

• End a disconnected session;
• Active session limit;
• Idle session limit;
• When a session limit is reached or connection is broken: “Disconnect from session” or “End session”;
• Allow reconnection: “From any Client” or “From originating client only”.

If you have an RD Gateway Server deployed for remote access to RDS hosts, you can configure separate timeouts for users connected via RDGW (open the connection authorization policy and go to the Timeouts tab).

In Windows Server 2008 R2, you could also set RDP session timeouts using a special tsconfig.msc (RD Session Host Configuration) console. It was enough to open the console and right-click RDP-Tcp -> Properties. The session timeout limits are located on the Sessions tab. However, there is no such console in newer Windows Server versions (although you can manually copy tsadmin.msc and tsconfig.msc files and use these consoles on newer Windows Server versions as well).

Remote Desktop Session Has Been Idle Over Its Time Limit

After configuring RDS timeouts users will see the following warning before disconnecting an idle session:

Idle timer expired
Session has been idle over its time limit.
It will be disconnected in 2 minutes.
Press any key to continue the session.

And before the user disconnect, the Event ID 26 is logged in the System Event Viewer.

You can disable this warning by setting the EnableTimeoutWarning = 0 in the WMI class Win32_TSSessionSettings.

Set-WmiInstance -Path "\\localhost\root\CIMV2\TerminalServices:Win32_TSSessionSetting.TerminalName='RDP-Tcp'" -Argument @{EnableTimeoutWarning=0}

Now, when Windows automatically ends idle RDP sessions, the user will receive the following message from the RDP client:

Your Remote Desktop Services session ended because the remote computer didn’t receive any input from you.

In some cases, you may encounter this error in the RDP client:

Your Remote Desktop Services session has ended. Another user connected to the remote computer, so your connection was lost. Try connecting again, or contact your network administrator.

This means that someone else signed into the computer via RDP when the number of simultaneous RDP sessions on the computer is restricted by the Limit number of connections parameter (for example, only one remote session is available on desktop Windows versions). Or you have logged in to the RDP host from a new computer.

You can allow multiple connections under the same user account to the RDP host using the GPO option Restrict Remote Desktop Services users to a single Remote Desktop Services session = Disabled (under Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections).