Windows Remote Desktop research, windows Desktop

Source: Internet
Author: User
Tags windows remote desktop mstsc


Recently, because of a monitoring-related project, I studied Windows Remote Desktop thoroughly.

1. How to make a user who closes the Remote Desktop Connection immediately log off the corresponding session on Windows Server

When logging on to Windows Server with mstsc.exe, 99.99% of users simply close the mstsc.exe window without exiting through the Start menu. From the user's point of view they have already logged out. However, when you query the user and query the session, that user is still shown in the Active/running state on the Windows server. This occupies a session's resources for nothing and may cause an error similar to "exceeding the number of people" when others log on.

Solution:

In the registry key [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp], modify

MaxDisconnectionTime

Change this value to 0x3e8 (1000), that is, 1000 milliseconds (1 second), and restart the system.

 

Next, look at the following keys in the registry:

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\Console

&

HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Look for:

fInheritResetBroken (make dword 0): do not inherit the client setting

fInheritReconnectSame (make dword 0): do not inherit the client setting for connecting to the previous session

fReconnectSame (make dword 0): whether to reconnect to the same previous session

fResetBroken (make dword 1): whether to reset the session after the connection is broken, initializing a new session even if the previous session is not used

If all those values are OK, then look at the MaxDisconnectionTime values under the Terminal Server key. You'll need to expand each subkey and look for these two entries in EVERY key; they exist multiple times.

fInheritMaxDisconnectionTime (make this dword 0, Disable Inherit): do not inherit the client setting

&

MaxDisconnectionTime (1000 ms, that is, the RDP session is killed on the Windows server 1 second after the RDP connection is disconnected)

 

2. Restrict a single user to one connection at a time

During monitoring, we need to ensure that one user name can be logged on only once at a time, that is, only one logon session exists for the same user name on Windows Server. Solution:

Set the registry:

Under [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server], set fSingleSessionPerUser to 1 so that each user is allowed only one session.

fSingleSessionPerUser: TRUE indicates each user can have only a single session; FALSE otherwise.

 

3. Limit or lift the limit on the total number of RDP connections

By default, in some versions, only two administrator sessions and one console logon session can run.

To remove this restriction:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MaxInstanceCount

Set it to ffffffff so that no limit is imposed on the number of concurrent RDP sessions.

 

MaxInstanceCount

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services

Description

Stores configuration data for the policy setting Limit number of connections. (Limit the number of RDP connections)

Change Method

To change the value of this entry, use the Group Policy Object Editor (Gpedit.msc). The corresponding policy is located in Administrative Templates\Windows Components\Terminal Services.

https://technet.microsoft.com/en-us/library/cc758332(v=ws.10).aspx
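
An added example (not from the original post): a read-only PowerShell audit that walks every WinStations subkey and compares the values from sections 1 to 3 with the settings recommended above. The helper name Test-RegValue and the report layout are assumptions made for this example.

```powershell
# Read-only audit of the Terminal Server registry values from sections 1-3.
# Expected values are the ones this page recommends; adjust to your own policy.
$ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

# Values that, per the page, must be checked in EVERY WinStations subkey.
$expected = [ordered]@{
    fInheritResetBroken          = 0
    fInheritReconnectSame        = 0
    fReconnectSame               = 0
    fResetBroken                 = 1
    fInheritMaxDisconnectionTime = 0
    MaxDisconnectionTime         = 1000   # milliseconds
}

# Hypothetical helper: compare one registry value with the expected number.
function Test-RegValue {
    param([string]$Path, [string]$Name, [long]$Want)
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    $have = if ($null -ne $item) { $item.$Name } else { $null }
    [pscustomobject]@{
        Key      = Split-Path -Path $Path -Leaf
        Value    = $Name
        Current  = $have          # $null means the value is not present
        Expected = $Want
        Match    = ($null -ne $have) -and ([long]$have -eq $Want)
    }
}

$report = @(
    foreach ($ws in Get-ChildItem -LiteralPath "$ts\WinStations") {
        foreach ($name in $expected.Keys) {
            Test-RegValue -Path $ws.PSPath -Name $name -Want $expected[$name]
        }
    }
    # Section 2: one session per user name.
    Test-RegValue -Path $ts -Name 'fSingleSessionPerUser' -Want 1
)
$report | Format-Table -AutoSize

# Section 3: report the connection cap; DWORD ffffffff may read back as -1.
$rdp = Get-ItemProperty -LiteralPath "$ts\WinStations\RDP-Tcp" -ErrorAction SilentlyContinue
$mic = if ($null -ne $rdp) { $rdp.MaxInstanceCount } else { $null }
if ($null -eq $mic) {
    'MaxInstanceCount: not set'
} elseif (([long]$mic -eq -1) -or ([long]$mic -eq 4294967295)) {
    'MaxInstanceCount: ffffffff (no limit on concurrent RDP sessions)'
} else {
    "MaxInstanceCount: $mic concurrent RDP sessions allowed"
}
```

The script changes nothing; rows with Match = False show where a WinStation differs from the values listed in this post.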

 

References:

1) http://remotedesktoprdp.com/force-single-session-allow-multiple-sessions-per-user

Force a single session or allow multiple Remote Desktop sessions per user

Remote Desktop/Terminal Services has two settings for multiple sessions. You can either allow multiple sessions per user (in which case if you log in twice, you'll get two sessions), or force a single session per user (in which case you can only log in once and subsequent sessions will be redirected to the original session).

To change this setting, you'll need to perform a registry change. The following steps describe the process:

 

2) https://msdn.microsoft.com/en-us/library/cc248610.aspx

For a specific terminal server session, USERCONFIG indicates the user and session configuration.

    typedef struct _USERCONFIG {
      ULONG fInheritAutoLogon : 1;
      ULONG fInheritResetBroken : 1;
      ULONG fInheritReconnectSame : 1;
      ULONG fInheritInitialProgram : 1;
      ULONG fInheritCallback : 1;
      ULONG fInheritCallbackNumber : 1;
      ULONG fInheritShadow : 1;
      ULONG fInheritMaxSessionTime : 1;
      ULONG fInheritMaxDisconnectionTime : 1;
      ULONG fInheritMaxIdleTime : 1;
      ULONG fInheritAutoClient : 1;
      ULONG fInheritSecurity : 1;
      ULONG fPromptForPassword : 1;
      ULONG fResetBroken : 1;
      ULONG fReconnectSame : 1;
      ULONG fLogonDisabled : 1;
      ULONG fWallPaperDisabled : 1;
      ULONG fAutoClientDrives : 1;
      ULONG fAutoClientLpts : 1;
      ULONG fForceClientLptDef : 1;
      ULONG fRequireEncryption : 1;
      ULONG fDisableEncryption : 1;
      ULONG fUnused1 : 1;
      ULONG fHomeDirectoryMapRoot : 1;
      ULONG fUseDefaultGina : 1;
      ULONG fCursorBlinkDisabled : 1;
      ULONG fPublishedApp : 1;
      ULONG fHideTitleBar : 1;
      ULONG fMaximize : 1;
      ULONG fDisableCpm : 1;
      ULONG fDisableCdm : 1;
      ULONG fDisableCcm : 1;
      ULONG fDisableLPT : 1;
      ULONG fDisableClip : 1;
      ULONG fDisableExe : 1;
      ULONG fDisableCam : 1;
      ULONG fDisableAutoReconnect : 1;
      ULONG ColorDepth : 3;
      ULONG fInheritColorDepth : 1;
      ULONG fErrorInvalidProfile : 1;
      ULONG fPasswordIsScPin : 1;
      ULONG fDisablePNPRedir : 1;
      WCHAR UserName[USERNAME_LENGTH + 1];
      WCHAR Domain[DOMAIN_LENGTH + 1];
      WCHAR Password[PASSWORD_LENGTH + 1];
      WCHAR WorkDirectory[DIRECTORY_LENGTH + 1];
      WCHAR InitialProgram[INITIALPROGRAM_LENGTH + 1];
      WCHAR CallbackNumber[CALLBACK_LENGTH + 1];
      CALLBACKCLASS Callback;
      SHADOWCLASS Shadow;
      ULONG MaxConnectionTime;
      ULONG MaxDisconnectionTime;
      ULONG MaxIdleTime;
      ULONG KeyboardLayout;
      BYTE MinEncryptionLevel;
      WCHAR NWLogonServer[NASIFILESERVER_LENGTH + 1];
      APPLICATIONNAME PublishedName;
      WCHAR WFProfilePath[DIRECTORY_LENGTH + 1];
      WCHAR WFHomeDir[DIRECTORY_LENGTH + 1];
      WCHAR WFHomeDirDrive[4];
    } USERCONFIG, *PUSERCONFIG;

fInheritAutoLogon: The prompt for the password setting. TRUE indicates the use of client-specified autologon settings, FALSE specifies the use of machine autologon settings.

fInheritResetBroken: Reset the session when the connection is broken. TRUE indicates the value to use for fResetBroken from the user properties if the machine/user policy is not set, FALSE otherwise.

fInheritReconnectSame: Reconnect from the same client setting. TRUE indicates the value to use for fReconnectSame from the user properties if the machine/user policy is not set, FALSE otherwise.

fInheritInitialProgram: The initial program setting. TRUE indicates the value to use for InitialProgram from the user properties if the machine/user policy is not set, FALSE otherwise.

fInheritCallback: The callback setting. TRUE indicates the value to use for Callback from the user properties if the machine/user policy is not set, FALSE otherwise. <63>

fInheritCallbackNumber: The callback number setting. TRUE indicates the value to use for CallbackNumber from the user properties if the machine/user policy is not set, FALSE otherwise. <64>

fInheritShadow: The shadow setting. TRUE indicates the value to use for Shadow from the user properties if the machine/user policy is not set, FALSE otherwise.

fInheritMaxSessionTime: The maximum allowed session connection time setting. TRUE indicates the value to use for MaxSessionTime from the user properties if the machine/user policy is not set, FALSE otherwise.

fInheritMaxDisconnectionTime: The maximum allowed session disconnect time setting. TRUE indicates the value to use for MaxDisconnectionTime from the user properties if the machine/user policy is not set, FALSE otherwise.

fInheritMaxIdleTime: The maximum allowed session idle time. TRUE indicates the value to use for MaxIdleTime from the user properties if the machine/user policy is not set, FALSE otherwise.

fInheritAutoClient: The auto client setting. TRUE indicates the value to use for fAutoClientDrives and fAutoClientLpts from the user properties if the machine/user policy is not set, FALSE otherwise.

fInheritSecurity: Inherit security setting. TRUE indicates the use of security settings from the user properties if the machine/user policy is not set, FALSE otherwise.

fPromptForPassword: Set to TRUE to ignore the credential sent from the client and always prompt for a password, FALSE otherwise.

fResetBroken: Set to TRUE to log off the session when the idle timers for the session expire. Otherwise, the session will be disconnected when the timer expires.

fReconnectSame: FALSE indicates that the user can reconnect from any client computer to a disconnected session. TRUE indicates that the user must reconnect to a disconnected session from the same client computer that initially established the disconnected session. Logging on from a different client computer will lead to a new terminal server session being created.

fLogonDisabled: TRUE indicates that a user cannot log on to a session remotely, FALSE otherwise. <65>

fWallPaperDisabled: TRUE indicates display of the desktop wallpaper in the session has been disabled, FALSE otherwise.

fAutoClientDrives: TRUE specifies to automatically redirect local drives on the client so they are accessible to the user in the remote terminal server session, FALSE otherwise.

fAutoClientLpts: TRUE specifies to automatically redirect printers on the client so they are accessible to the user in the remote terminal server session, FALSE otherwise.

fForceClientLptDef: TRUE indicates to force the client's redirected printer to be the default printer for the user, FALSE otherwise.

fRequireEncryption: TRUE indicates the connection must be encrypted, FALSE otherwise.

fDisableEncryption: TRUE indicates the connection does not need encryption, FALSE otherwise.

fUnused1: Not used.

fHomeDirectoryMapRoot: Not used.

fUseDefaultGina: TRUE indicates to override a third-party GINA so that only the default GINA is used for the terminal server session, FALSE otherwise. <66>

fCursorBlinkDisabled: TRUE indicates disable the blinking of the mouse cursor, FALSE otherwise. <67>

fPublishedApp: Not used.

fHideTitleBar: Not used.

fMaximize: Not used.

fDisableCpm: TRUE indicates disable client printer redirection, FALSE otherwise.

fDisableCdm: TRUE indicates disable client drive redirection, FALSE otherwise.

fDisableCcm: TRUE indicates disable client COM port redirection, FALSE otherwise.

fDisableLPT: TRUE indicates disable client printer (LPT) port redirection, FALSE otherwise.

fDisableClip: TRUE indicates disable client clipboard redirection, FALSE otherwise.

fDisableExe: TRUE indicates disable .exe file execution, FALSE otherwise.

fDisableCam: TRUE indicates disable client audio redirection, FALSE otherwise.

fDisableAutoReconnect: TRUE indicates disable auto-reconnect functionality, FALSE otherwise. <68>

ColorDepth: The color depth of the session. <69>

fInheritColorDepth: Set to TRUE to inherit color depth from the user or client configuration, FALSE otherwise. <70>

fErrorInvalidProfile: Set to TRUE if WFProfilePath, WFHomeDir, or WFHomeDirDrive is invalid (too long), FALSE otherwise. <71>

fPasswordIsScPin: Set to TRUE if the password field contains a smart card PIN. <72>

fDisablePNPRedir: Set to TRUE if Plug and Play (PnP) redirection is disabled, FALSE otherwise.

UserName: The user name used in autologon scenarios.

Domain: The domain name used in autologon scenarios.

Password: The password used in autologon scenarios.

WorkDirectory: The work directory for the initial program.

InitialProgram: The program to run instead of the default. <73>

CallbackNumber: The telephone number that will be returned by the Terminal Services server to the client when the server is unable to complete the connection request from the client. The user on the client side can use this number to call back for technical support. <74>

Callback: The callback class for callback operations. <75>

Shadow: The shadow setting of the session.

MaxConnectionTime: The maximum allowed session connection time setting of the session in milliseconds. The session will disconnect/logoff once the limit is reached.

MaxDisconnectionTime: The maximum allowed session disconnect time of the session in milliseconds (1‰ of a second). The session will logoff once the limit is reached.

MaxIdleTime: The maximum allowed session idle time setting of the session in milliseconds. The session will disconnect/logoff once the limit is reached. (10 minutes)

KeyboardLayout: The keyboard layout (HKL) of the session.

MinEncryptionLevel: The minimum allowed encryption level. Possible numeric values for this parameter include 1 (Low), 2 (Client Compatible), 3 (High), and 4 (FIPS). A detailed description of these encryption levels is provided in [MS-RDPBCGR] sections 5.3.1 and 5.4.1.

NWLogonServer: The NetWare logon server name. <76>

PublishedName: Not used.

WFProfilePath: The terminal server profile path. Overrides the standard profile path.

WFHomeDir: The terminal server home directory path. Overrides the standard home directory.

WFHomeDirDrive: The terminal server home directory drive. Overrides the standard home directory.

3) https://msdn.microsoft.com/en-us/library/cc248657.aspx

 

Note: There is a lot more material to be found through Google, and it is also authoritative. Without Google, or with poor English reading ability, there will be a huge obstacle.

 

 
