Starting situation:
Multiple physical Windows PCs on a production line, each served by a system owner and a co-owner, e.g. Alice and Bob work on PC1, Charlie and Dave on PC2, etc. They all use the same local user name, ProdUser, when logging in directly on the console. The computers are connected in an isolated network with no access to the internet or the office LANs, but with access to a server LAN.
Goal:
Now all users are working either from home or from the office and cannot be physically present at the production line. They require IT to give them remote desktop access to the computers while still using the ProdUser account. Furthermore, they require that once one employee has established an active remote desktop session, any subsequent attempt by other user(s) is blocked, ideally with a notification of which user is holding the current active session, i.e. when Alice works on PC1, Bob should not be able to kick her off using the same ProdUser account and should instead receive a notification that Alice is occupying the session.
Already achieved:
An RDGW (Windows Server 2016) is already installed in the server LAN and configured with RD CAP and RD RAP rules for each group, e.g. Alice and Bob (but not ProdUser) are CAP-enabled, and A & B have access only to PC1 via a RAP rule. Also, the .RDP profiles on the clients are preconfigured to authenticate with the real user account against the RDGW (gatewaycredentialssource:i:2), but with ProdUser against the target PC (username:s:ProdUser). This "two-step" authentication is tested successfully and working.
Not working:
When Alice is connected to PC1 and Bob tries to connect to the same PC, Alice gets kicked off. I cannot use the "restrict session number" option on the server, because it applies to all RDGW sessions. Also, even if I programmatically monitor the current active sessions and trigger Set-RDSessionHost -NewConnectionAllowed No (aka drain mode), it once again affects the global RDGW behavior and is not restricted to only the PC1 host. The same goes for a programmatic notification per group of people and device/resource.
Questions:
Is there a way to fine-grain the block/notify settings per device/resource?
Am I using the correct technology here, or are there other technologies which support the described scenario natively?
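The following is an added example and not part of the original question. It illustrates one check that the scenario needs: because every host sees only ProdUser, the host's own session list cannot tell Alice from Bob, so the real identity has to come from the RD Gateway, which authenticated Alice with her AD account and knows which resource she is connected to. The script assumes (not stated in the question) that the gateway exposes its active connections through the WMI class Win32_TSGatewayConnection in the root\CIMV2\TerminalServices namespace, with UserName and ConnectedResource properties; the function names, the sample connection records and the user/host names are constructed for the example.

```powershell
# Added example (not from the original post): decide whether a target host is
# already held by a different real user, as seen from the RD Gateway, and
# return that user's name for the notification.
# Assumption: the gateway's connection table is readable via the WMI class
# Win32_TSGatewayConnection (namespace root\CIMV2\TerminalServices). Run this
# on the RD Gateway host itself.

function Get-GatewayConnections {
    # Live query of the gateway's active connections (assumed class/namespace).
    Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' -ClassName 'Win32_TSGatewayConnection' |
        Select-Object UserName, ConnectedResource, ClientAddress, ConnectedTime
}

function Test-ResourceOccupied {
    param(
        [Parameter(Mandatory)] [string]   $Resource,        # e.g. 'PC1' or 'pc1.prod.local'
        [Parameter(Mandatory)] [string]   $RequestingUser,  # e.g. 'PROD\bob'
        [Parameter(Mandatory)] [object[]] $Connections      # output of Get-GatewayConnections
    )
    # Compare on the host label only, so 'PC1', 'PC1:3389' and 'pc1.prod.local'
    # all refer to the same production PC.
    $target = (($Resource -split '[:.]')[0]).ToLowerInvariant()
    $holders = $Connections |
        Where-Object { (($_.ConnectedResource -split '[:.]')[0]).ToLowerInvariant() -eq $target } |
        Where-Object { $_.UserName -ne $RequestingUser } |   # a user reconnecting to their own session is not a conflict
        Select-Object -ExpandProperty UserName -Unique
    if ($holders) {
        [pscustomobject]@{ Occupied = $true;  HeldBy = ($holders -join ', ') }
    } else {
        [pscustomobject]@{ Occupied = $false; HeldBy = $null }
    }
}

# Constructed sample data (not real gateway output) mirroring the question:
# Alice is connected through the gateway to PC1, Charlie to PC2.
$sample = @(
    [pscustomobject]@{ UserName = 'PROD\alice';   ConnectedResource = 'PC1:3389'; ClientAddress = '10.0.0.10'; ConnectedTime = (Get-Date) },
    [pscustomobject]@{ UserName = 'PROD\charlie'; ConnectedResource = 'PC2:3389'; ClientAddress = '10.0.0.11'; ConnectedTime = (Get-Date) }
)

# Bob asking for PC1 while Alice holds it: Occupied, HeldBy = PROD\alice.
Test-ResourceOccupied -Resource 'PC1' -RequestingUser 'PROD\bob'   -Connections $sample

# Alice asking for PC1 again: not a conflict.
Test-ResourceOccupied -Resource 'PC1' -RequestingUser 'PROD\alice' -Connections $sample

# Against the live gateway, replace $sample with the real table:
#   Test-ResourceOccupied -Resource 'PC1' -RequestingUser 'PROD\bob' -Connections (Get-GatewayConnections)
```

This only answers the "who is holding PC1" half of the requirement. It does not by itself prevent the second RDP logon from replacing the first, since the gateway's CAP/RAP decide whether a user may reach a resource at all, not whether someone else is already on it; any blocking still has to be enforced per host.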
Asked by Bo Solo
- We can start thinking about a solution when each user gets their own AD account. – Swisstone Oct 25 '20 at 22:09
- We have started and completed thinking on this: the prod software is so old that it only runs for a user with local admin permissions and saves its configuration settings (devices and execution sequences) in the user profile. So this is not an option for the endpoints/prod PCs. As mentioned, we are already utilizing AD user authentication in the RD CAPs and RAPs. Other ideas? – Bo Solo Oct 26 '20 at 15:56