Seen a similar question in the forum and I have also tried a few other settings with no luck yet.
We are trying to configure idle session timeouts for our external user group.
I have disabled the Horizon Global Settings for idle session timeout.
Internally we would utilize the Imprivata SSO policies to disconnect idle users based on the computer SSO policies.
When a user that had a previous session internally disconnects, and now connects to that session at home (externally), ADMX-based settings get refreshed and a policy is applied for idle session timeout to be set to 15 minutes.
I can see the regkey get set on the user, however I can't get the policy to actually run until the user disconnects and reconnects again.
I see the same issue when I first connect from home (Externally) and then reconnect to my session internally (the external idle session timeout is still in play).
Because the regkey is under HKCU\SOFTWARE\Policies I can't use a config file with pre-defined settings unfortunately.
Thanks to anyone who can provide some input.
Running Horizon 7.12 and DEM 9.11
Hi, maybe this Computer Policy (GPO) will help you? (German version):
Hi @simpss,
It's often the case that changes to configuration settings aren't picked up dynamically, but only at certain points in time. I can imagine that a session idle timeout setting will be read before logon and reconnect, so that a change after reconnect won't be picked up until the next disconnect/reconnect. ProcMon might shed some more light on this timing.
As for "Because the regkey is under HKCU\SOFTWARE\Policies I can't use a config file with pre-defined settings unfortunately.": an ADMX-based setting should have the same effect as such a predefined setting – what exactly would you like to do here?
Hi @DEMdev,
It seems to be the case for such. For testing purposes I have two ADMX based settings configured.
Internal - The idle session timeout is set to 1 minute
External - The Idle session timeout is set to 5 minutes
1. I logon internally (new logon, not reconnect), and after 1 minute I get a session idle message - which works as planned.
2. I reconnect to my session externally and have a triggered task to refresh ADMX based settings at reconnect.
3. I can see the ADMX settings get refreshed and the MaxIdleTime key under "HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" gets changed to 5 minutes.
4. Even though the regkey is changed and the ADMX-based settings were refreshed, I still receive the 1 minute idle session.
5. If I disconnect and reconnect to that session again, the new settings start to work.
"As for 'Because the regkey is under HKCU\SOFTWARE\Policies I can't use a config file with pre-defined settings unfortunately.': an ADMX-based setting should have the same effect as such a predefined setting – what exactly would you like to do here?"
I noticed in another thread, you mentioned creating a config file and having pre-defined settings with a triggered task at reconnect. With the Config File and pre-defined settings, I don't see the regkey get created at all.
Our end goal is to attempt to configure different idle session timeouts for external users and internal users. But we have users that would start their day externally and come in the office later in the day and vice versa.
Thanks @burgerking68.
I can't use the computer policy in this scenario because it's an RDSH published apps environment.
Hi @simpss,
Yeah, I'm afraid that that MaxIdleTime setting is read early during session setup (at logon and reconnect), and DEM's refresh only gets to run later. Not much later, but too late.
(Thank you for clarifying the predefined settings bit. Even if that were able to import settings into the Policies key, it would not help as it would be too late as well.)
It's a bit (well, a lot...) of a hack, but maybe you can run tsdiscon.exe at reconnect for internal/external (and vice versa) switches, to force the "disconnect and reconnect to that session again" so the new MaxIdleTime will be picked up?
Appreciate the assistance...
Only problem I see with this would be if user was internal and decided to login from another workstation (IP Address change) which would trigger the reconnection task to run when it technically wasn't required.
No way I can get around that possibility right?
Hi @simpss,
I suppose you currently have a few ADMX-based settings that configure different idle timeouts, using conditions to target internal/external connections, and then perform an ADMX-based settings refresh using a triggered task at reconnect?
If that's a correct assumption, the following would do the trick:
It's important that this is robust as you don't want to be disconnecting sessions that shouldn't be disconnected :), but I think the above should work.
@DEMdev ,
That is correct, exactly how I have things setup.
I will try your suggestion to see if this will work.
Thanks again!
Hi @simpss,
Something like this might serve as a starting point:
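@ECHO OFF
SETLOCAL
SETLOCAL ENABLEEXTENSIONS
REM Policy value that holds the idle session timeout for the current user
SET Key=HKCU\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
SET Value=MaxIdleTime
REM Read the value before the ADMX-based settings refresh
CALL :SetEnvVarFromRegistry RegValue.Before "%Key%" "%Value%"
ECHO.
ECHO Pretending to perform an ADMX-based settings refresh here
PAUSE
REM Read the value again after the refresh
CALL :SetEnvVarFromRegistry RegValue.After "%Key%" "%Value%"
REM Only disconnect when the refresh actually changed the timeout
IF NOT [%RegValue.Before%]==[%RegValue.After%] ECHO Pretending to run "%WINDIR%\System32\tsdiscon.exe"
GOTO :EOF
REM Subroutine: %1 = variable to set, %2 = registry key, %3 = value name
REM The variable is left empty when the key or value does not exist
:SetEnvVarFromRegistry
SET %~1=
SET TEMPFILE="%TEMP%\EnvVarFromRegistry-%RANDOM%-%RANDOM%.tmp"
"%WINDIR%\System32\REG.exe" QUERY "%~2" /v "%~3" >%TEMPFILE% 2>NUL
IF NOT ERRORLEVEL 1 FOR /F "usebackq skip=2 tokens=2,*" %%A IN (%TEMPFILE%) DO SET %~1=%%B
DEL 2>NUL %TEMPFILE%
GOTO :EOF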
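The before/after comparison from the script above, walked through the connection switches discussed in this thread, including the internal user who only changes workstation. This is an added example, not part of the original posts: the `reg query` outputs are constructed, the function names are hypothetical, and it assumes MaxIdleTime is a REG_DWORD holding milliseconds.

```python
import re

# Registry key from the thread, as `reg query` prints it.
KEY = r"HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"

# Matches the value line of `reg query ... /v MaxIdleTime` output.
VALUE_RE = re.compile(r"^\s+MaxIdleTime\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$", re.M)


def sample(ms):
    """Build constructed `reg query` output; ms=None models a missing value."""
    if ms is None:
        return ""  # no value line came back from the query
    return f"\n{KEY}\n    MaxIdleTime    REG_DWORD    {hex(ms)}\n\n"


def parse_max_idle_ms(reg_output):
    """Return the timeout in milliseconds, or None when the value is absent."""
    match = VALUE_RE.search(reg_output)
    return int(match.group(1), 16) if match else None


def _fmt(ms):
    return "not set" if ms is None else f"{ms / 60000:g} min"


def decide(before_output, after_output):
    """Compare the value read before and after the settings refresh.

    Returns (disconnect_needed, description). Only a real change of the
    timeout justifies forcing the disconnect/reconnect.
    """
    before = parse_max_idle_ms(before_output)
    after = parse_max_idle_ms(after_output)
    return before != after, f"{_fmt(before)} -> {_fmt(after)}"


# Constructed scenarios using the test timeouts from the thread (1 and 5 min).
SCENARIOS = {
    "internal -> external": (sample(60_000), sample(300_000)),
    "internal -> internal, other workstation": (sample(60_000), sample(60_000)),
    "no policy -> external": (sample(None), sample(300_000)),
}

if __name__ == "__main__":
    for name, (before, after) in SCENARIOS.items():
        disconnect, detail = decide(before, after)
        action = "disconnect" if disconnect else "keep session"
        print(f"{name}: {detail}: {action}")
```
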
Hi @DEMdev,
I think I may have this working with another solution. Can you tell me if any of the -UEMrefresh triggers would refresh files and folders at reconnect? Or is this only done at logon?
Thanks again!
Hi @simpss,
Sorry, Files and Folders settings are not refreshable. Depending on what you're trying to do here you might be able to individually import one (or a few) via "manual" FlexEngine.exe invocations, though...
Hi @simpss,
Maybe I misunderstood (as I'm not sure how a Files and Folders setting would allow you to remove a file), but an alternative to refreshing files and folders at reconnect to get one of those settings to apply would be the following:
If I did misunderstand, and you're not looking to import settings but run a task, tweak the above as follows:
If I still misunderstood, please elaborate 🙂
I ran into a similar issue with screensavers. We did not want a screensaver on our virtual desktops; however, we need to have it enabled for remote users so we can implement the screensaver timeout policy to lock the desktop. After months of scratching our heads, it was evidently clear that was not possible for roaming sessions. The reason it was not doable is simply because the setting applies only during logon. Even though the policy changes if the user originally connected internally, disconnects, and reconnects from home, it would not take effect. Security team simply had to write an exception for that and accept it as is.