Wednesday, July 6, 2011

GPO "Restrict each user to a single session" set to disabled while using shared domain accounts

As you may know, there is a GPO named "Restrict each user to a single session". In most production environments this GPO setting is enabled on an RD Session Host, because generally you assign each individual person a unique domain account. And in my opinion you should enable it. However, I've seen scenarios where people share a domain account to access a Remote Desktop Services environment, assuming that disabling the above policy will fully meet their needs. What they are usually not aware of is the following:

A first user connects to the RD Session Host using account1 and gets a new session.
While the first user is still active, a second user connects to the RD Session Host using account1. Since the above GPO is disabled, he also receives a new session. So far so good. Both users log off.

Now consider this:

Again, a first user connects to the RD Session Host using account1 and gets a new session. This time the first user disconnects from the RD Session Host (leaving a disconnected session). While the first user's session is disconnected, a second user connects to the RD Session Host using account1. He now does not get a new session but is reconnected to the other user's disconnected session.

This is of course expected behavior and as designed, but it might not be what some people expect. General word of advice: assign each person a unique account. There actually is a ("fast publish") KB about this as well, which was recently updated. See below.

Article ID: 2572658 - Last Review: July 5, 2011 - Revision: 2.0
Remote Desktop users may be connected to a different session than expected if the session is initiated using the same logon credentials.
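As an added example (not part of the original post or the KB), here is a small PowerShell audit for a Session Host: it reads the registry value behind the "Restrict each user to a single session" policy and lists disconnected sessions, which are exactly the sessions a second person logging on with the same shared account would be resumed into. The quser output is a constructed sample; replace it with the live command to audit a real host.

```powershell
function Get-SingleSessionPolicyState {
    # fSingleSessionPerUser is the registry value behind the GPO
    # "Restrict each user to a single session" (1 = enabled, 0 = disabled).
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services',  # GPO-managed value
        'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'           # local setting
    )
    foreach ($p in $paths) {
        $v = Get-ItemProperty -Path $p -Name fSingleSessionPerUser -ErrorAction SilentlyContinue
        if ($null -ne $v) { return [bool]$v.fSingleSessionPerUser }
    }
    return $null   # value not present in either location
}

function Get-DisconnectedSessions {
    param([string[]]$QuserLines)
    # quser prints fixed-width columns: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME.
    # A disconnected session has an empty SESSIONNAME, so the regex allows that column to be blank.
    $QuserLines | Select-Object -Skip 1 | ForEach-Object {
        $line = $_ -replace '^[ >]', ''   # '>' marks the session quser itself runs in
        if ($line -match '^(\S+)\s+(\S*)\s*(\d+)\s+(Active|Disc)\s+(\S+)\s+(.+)$') {
            [pscustomobject]@{
                User      = $Matches[1]
                Id        = [int]$Matches[3]
                State     = $Matches[4]
                LogonTime = $Matches[6].Trim()
            }
        }
    } | Where-Object { $_.State -eq 'Disc' }
}

# Constructed sample of quser output on a host where two people share account1.
$sample = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    '>admin                 rdp-tcp#1           1  Active       .     7/6/2011 8:55 AM',
    ' account1              rdp-tcp#0           2  Active       .     7/6/2011 9:00 AM',
    ' account1                                  3  Disc      1:05     7/6/2011 9:12 AM'
)
# On a live host use:  $sample = quser 2>$null

$policyEnabled = Get-SingleSessionPolicyState
"Restrict each user to a single session: $(if ($null -eq $policyEnabled) { 'not set' } else { $policyEnabled })"
$disc = Get-DisconnectedSessions -QuserLines $sample
if ($disc) {
    "Disconnected sessions (the next logon with the same account resumes one of these):"
    $disc | Format-Table -AutoSize
}
```

Run it as a member of the local Administrators group so both registry paths and all sessions are readable.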
