30 May 2022

Enable/Disable Multiple RDP Sessions

So the caveat to this article is that this is specifically for Windows Servers. If you’re trying to enable multiple RDP sessions on Windows 10 or 11, you’ll need to do some further googling to find out how to do that – as this alone won’t be enough.

Enable Multiple RDP Sessions

  1. Log into the server you are trying to enable multiple Remote Desktop sessions on.
  2. Click on the start menu button, type “gpedit.msc” and open it.
  3. Navigate to ‘Computer Configuration’ -> ‘Administrative Templates’ -> ‘Windows Components’ -> ‘Remote Desktop Services’ -> ‘Remote Desktop Session Host’ -> ‘Connections’.
  4. Set “Restrict Remote Desktop Services user to a single Remote Desktop Services session” to ‘Disabled’.
  5. Double-click on “Limit number of connections” and set the value of the RD Maximum Connections allowed to ‘999999’.

Disable Multiple RDP Sessions

  1. Log into the server that allows multiple Remote Desktop sessions.
  2. Click on the start menu button, type “gpedit.msc” and open it.
  3. Navigate to ‘Computer Configuration’ -> ‘Administrative Templates’ -> ‘Windows Components’ -> ‘Remote Desktop Services’ -> ‘Remote Desktop Session Host’ -> ‘Connections’.
  4. Set “Restrict Remote Desktop Services user to a single Remote Desktop Services session” to ‘Enabled’.
17 April 2020

RDS customizations

This is a bit of a long post, so I apologize in advance… Sorry, but not sorry. There are a lot of things that you can customize in a RDS / RD Web Access deployment.

I’m doing these edits, or customizations on a Windows Server 2019 deployment, they should [in theory] work though on RDS deployments as far back as Windows Server 2012/R2, though your mileage may vary – see disclaimer below.

Standard disclaimer… Make sure to backup folders and files before you start making changes. I’m not responsible for anything you break, you’ve been warned.


Eliminate “/RDWeb” from the RDS URL

When adding the RD Web Access role on your remote desktop gateway or broker, it will auto-magically create the RDWeb website in IIS for you.

RDS sets up the the url for your site in the following format: “rds.playswellwithflavors.com/RDWeb” or “example.com/RDWeb”. However, you likely are not using this IIS host to serve up any other webpages other that RDS Web Access… So you probably want to eliminate the need for user to have to enter that “/RDWeb” at the end of the url. And make it appear as just “rds.playswellwithflavors.com” or “example.com”.

Microsoft makes this very easy to accomplish with a simple redirect in IIS.

  • Open IIS.
  • Click on the ‘Default Web Site’ in the left-side pane.
  • Click on ‘HTTP Redirect’ in right-side pane.
  • Check the box for ‘Redirect requests to this destination’.
    Enter in the field under it: /RDWeb
  • Click ‘Apply’.
  • Restart IIS
  • Test your website to confirm that you can reach it with the base url, without the “/RDWeb” appended at the end.

Password Reset Link

This customization will edit the Web Access Login Page to add a password reset link where users can change their AD passwords from the main login page.

  • Open IIS
  • In the left-hand pane, drill down into “Server”->”Sites”->”Default Site”->”RDWeb”->”Pages”
  • Double-click on “Application Settings” in the right-hand pane.
  • Find the value “PasswordChangeEnabled” and double-click on it. Edit it to ‘True’.
  • Click ‘Ok’.

Now that we edited that value to ‘true’, if the user’s password expires they will be prompted to change their password. That’s handy, right!?
Well, if you liked that, then let me tell you that it is possible to go one step further and make a link on the main page for them to reset their password, anytime.

  • Open the following folder: %windir%\Web\RDWeb\
  • Since we are going to be editing stuff here, make a backup copy of the “Pages” folder.
  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Right-click on the file “login.aspx” and select ‘Edit’.
  • With the file open, press “Ctrl+F” and then search for “userpass”.
  • Scroll down under the table that “userpass” is in. This is where we want to add our password reset link. Copy the code below and paste it into your file, then save and close it.
<tr>
<td align="right">
Click <a href="password.aspx" target="_blank">here</a> to reset your password.
</td>
</tr>
  • Reload the page in your browser to view the password reset link.

Change “Domain\user name” to “Email”

At the Web Access login page, I like to change the prompt for “Domain\user name” to “Email Address”. Call me cynical, but I find that users can remember their email address, but will almost always call and ask what to put as the domain. I like to just change this to what the user will understand and prevent them from needing to call me.

  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “login.aspx” and select ‘Edit’.
  • Look for “L_DomainUserNameLabel_Text” on line 21.
  • Change the value “Domain\\user name:” to “Email Address:”.
  • Look for “L_DomainNameMissingLabel_Text” on line 30.
  • Change the value “You must enter a valid domain name.” to “You must enter a valid email address.”
  • Save and close the file.
  • Reload the page in your browser to view the change.

Change the “Work Resources” text on the Login page

This will let you customize the text displayed with your logo in the upper left corner of the RDWeb login page.

  • Open an administrator PowerShell window on the RD Connection Broker.
  • Enter the following command: Set-RDWorkspace -Name "<YourBrandingHere>"
  • Reload the page in your browser to view the change.

Changing the RD Logos

You can brand your RD Web Access page with your company logo. There are two logos you can change. One is in the upper left corner, and the other one is smaller and in the upper right corner.

  • Take your logo image and resize it into two .png files with the names and dimensions specified below;
    • logo_01.png – 16pixels x 16pixels
    • logo_02.png – 48pixels x 48pixels
  • Now open the folder: %windir%\Web\RDWeb\Pages\images\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Copy and paste the your logo image files into this folder.
  • Open IIS and restart the service.
  • Reload the page in your browser to view the change.
  • The “logo_01.png” file will replace the icon in the upper right corner.
  • The “logo_02.png” file will replace the icon in the upper left corner.

Change the “To protect against” message

This is the message on the login page that is beneath the “Sign In” button. You can customize it to your own message.

  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “login.aspx” and select ‘Edit’.
  • Look for “L_TSWATimeoutLabel_Text” on line 43.
  • Modify that value there to include your custom message.
  • Save and close the file.
  • Reload the page in your browser to view the change.

Change the RD Workspace name and other text

You can customize other text displayed on your RDWeb login page. Things like the page title and other small branding type changes…

  • Now open the folder: %windir%\Web\RDWeb\Pages\en-US\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “RDWAStrings.xml” and select ‘Edit’.
  • Make changes as desired to reflect what you want displayed;
    • PageTitle, line 3
    • HeadingRDWA, line 10
    • HeadingApplicationName, line 11
    • Help, line 12
  • Reload the page in your browser to view the change.
    • Note: Chrome based browsers like to cache these… Use a private browsing tab, or flush your browser cache if the changes are not appearing after reloading the page.

Remove ‘Help’ Link

This will remove the ‘Help’ link on the RDWeb login page that links to this MS documentation.

  • Now open the folder: %windir%\Web\RDWeb\Pages\
  • Make sure that you have already made a backup copy of the “Pages” folder.
  • Right-click on the file “site.xsl” and select ‘Edit’.
  • Press ‘Ctrl+G’ and enter 150, to go to line 150
  • Select and then delete lines 150-158.
  • Open IIS and restart the service.
  • Reload the page in your browser to view the change.

Change the Server Logo on Login Page

You can remove the “Server 2012” or “Server 2016” or “Server 2019” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It won’t do much overall… But perhaps it’ll make a malicious person have to work a tad bit harder to determine what you’re OS you are on.

  • Replace the following image: %windir%\web\rdweb\pages\images\WS_h_c.png

Change the Microsoft Logo on Login Page

You can remove the “Microsoft” logo that is on the login page. I like to replace it with a 1px-by-1px transparent image. It doesn’t hurt anything being there, but if you’re cleaning up and editing the branding of your site, why would you leave this logo on it?

  • Replace the following image: %windir%\web\rdweb\pages\images\mslogo_black.png

If I come across other customization tips I’ll add them here…

27 February 2020

Server Manager – Orphaned RDS

So I’ve seen this a couple times and I always forget how to handle it, so hopefully writing this down will help me remember for next time…

You are replacing some Remote Desktop Session Host (RDSH) with a newer server, and everything looks good-to-go. Back on your Remote Desktop Connection Broker (RDCB), you have Server Manager open, and you proceed to remove the old RDSH servers. Easy. You then go back to edit other properties in in your RDS deployment and – BAM – you get an error message that states:

The following servers in this deployment are not part of the server pool:
1. <Old.RDSH.ServerName>
The servers must be added to the server pool

Powershell to our rescue! On your RDCB, open up a PowerShell window as an Administrator. Run the command below.

PS C:\> Get-RDServer

This will return a list of all the Remote Desktop servers you have in RDCB as well as their installed roles. You should see your old, unwanted, RDSH server in that list. Next, we can enter the command below to remove our orphaned RDSH server.

PS C:\> Remove-RDServer Old.RDSH.ServerName RDS-RD-SERVER

This will remove the ‘RDS-RD-SERVER’ role. Now if you go back to your RDCB, and back to your deployment, everything should be back to normal. It is no longer expecting the “Old.RDSH.Server” to be a server that Server Manger manages. In fact, at this point you should be able to remove it as a managed server.

Note: RDS is a complicated beast. The above mentioned trick utilizing PowerShell has worked for me the couple times I’ve needed in my scenario. However, your mileage may vary depending on your environment.

27 November 2019

My users rebooted the RDSH!

So when using RDS in Windows Server 2016 there is a funny issue that arises… Users can actually reboot your Remote Desktop Session Host (RDSH). Yes, you read that right! Your users have the rights/permissions to reboot your host. If your like the dozens of forum posts i discovered, they will probably/definitely do it during production hours.

I know what you’re probably thinking… I had set up my GPOs and it was working before when we were on Windows Server 2012 or 2012 R2.

Well folks, 2012 R2 is where the support for that GPO ended. It is not supported on 2016 or higher. Stupid, right?!? Why would they take away that setting? Or better yet, why would users need to restart a server, that’s an administrator’s role? To be honest I don’t know.

The setting you used to use was “Allow non-administrators to receive update notifications”. It is found under “Computer Configuration\Administrative Templates\Windows Components\Windows Update\”. (Full description here – https://gpsearch.azurewebsites.net/#2794)

It seems like the only viable, and IMHO equally dumb option, to prevent users from applying updates and restarting your server is to completely disable windows updates.

That setting, if you choose to go that route, is “Turn off access to all Windows Update features”. It is found under “Computer Configuration\Administrative Templates\System\Internet Communication Management\Internet Communication settings\”. (Full description here – https://gpsearch.azurewebsites.net/#4728)

Hopefully Microsoft fixes this and administrators are again able to take control back and stop our users applying windows updates and rebooting our machines.