GP Management Editor - what is the right way to apply policies?

Evgeny Shupik 191 Reputation points
2024-01-11T14:32:25.0966667+00:00

Hello everybody! I need some advice about using GPOs. The situation is: we have a terminal server and we should limit RDP session time to 2 hours for each account. It looks like this is not a problem: Group Policy Management Editor -> Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Session Time Limits -> Set time limit for disconnected sessions: 2 hours. Then gpupdate - it applies to Default Domain Policy, it's OK.

But we also need to create an exception for one account, User1 (as an example) - there should be no time limit for this employee. How do I modify group policies to achieve this result? I tried to create an OU named "Test" and moved the account User1 to it. Then I created a new policy "No_limit" and set the parameter "Set time limit for disconnected sessions" to "never". Finally, I linked this new policy to the OU "Test", but if I try to run rsop.msc as User1 on any workstation I see "Set time limit for disconnected sessions: 2 hours". It seems to me there is some problem with policy precedence. What can you advise in this situation? Thank you in advance.


1 answer

  1. Daisy Zhou 29,376 Reputation points Microsoft Vendor
    2024-01-15T07:27:23.1566667+00:00

    Hello Evgeny Shupik,

    Thank you for posting in the Q&A forum. Based on the description, you set the setting (Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Session Time Limits -> Set time limit for disconnected sessions: 2 hours) within the Default Domain Policy, and you want User1 (as an example) not to have this setting applied.

    To meet your needs, here are two options for your reference.

    Method one: You can create one OU, where the computers used by users who need to apply a time limit policy will be moved to this OU. And create one GPO and link this GPO to this OU.

    Because the policy you created is a computer policy, the objects included in the organizational unit should be computers.

    Method two: Create one new GPO (such as GPO1) and link it to the domain. Create one group (such as group1) and put all the domain computers except user1's computer into this group. In this GPO1, add this group1 via Security filtering. Make Authenticated Users have read permission. Make this new group have read and apply group policy permission.

    I hope the information above is helpful. If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    If the Answer is helpful, please click "Accept Answer" and upvote it.  
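
Method two from the answer above, scripted with the GroupPolicy and ActiveDirectory PowerShell modules. This is an added example, not part of the original answer; the computer name `USER1-PC` is a placeholder, and the script assumes the `MaxDisconnectionTime` policy registry value (in milliseconds) is what backs "Set time limit for disconnected sessions".

```powershell
# Added example: requires the GroupPolicy and ActiveDirectory modules (RSAT)
# and rights to create GPOs and groups in the domain.
Import-Module GroupPolicy, ActiveDirectory

$gpoName   = 'GPO1'       # GPO name used in the answer
$groupName = 'group1'     # group name used in the answer
$exempt    = 'USER1-PC'   # placeholder: the computer that must NOT get the limit
$domainDn  = (Get-ADDomain).DistinguishedName

# 1. Create the GPO and link it at the domain root.
New-GPO -Name $gpoName | New-GPLink -Target $domainDn | Out-Null

# 2. Computer-side setting: disconnected sessions end after 2 hours.
#    Assumption: the value is stored in milliseconds (2 h = 7,200,000 ms).
Set-GPRegistryValue -Name $gpoName `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services' `
    -ValueName 'MaxDisconnectionTime' -Type DWord -Value 7200000 | Out-Null

# 3. Security group holding every domain computer except the exempt one.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security
$members = Get-ADComputer -Filter * | Where-Object { $_.Name -ne $exempt }
Add-ADGroupMember -Identity $groupName -Members $members

# 4. Security filtering: Authenticated Users may only read the GPO,
#    group1 gets read + apply. -Replace is needed to lower the default
#    "apply" permission of Authenticated Users to read-only.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' `
    -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName `
    -TargetType Group -PermissionLevel GpoApply | Out-Null

# 5. Review the resulting ACL: only group1 should show GpoApply.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{n = 'Trustee'; e = { $_.Trustee.Name }}, Permission
```

The exception only works if the 2-hour value is no longer set in the Default Domain Policy, since that GPO still applies to every computer. Computers pick up the new group membership after a restart, and `gpresult /r /scope computer` on the target machine shows which GPOs were applied or filtered out.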
