RDC disconnects with Windows 7 and CIS baseline
I have been searching for a solution for being disconnected on a Windows 7 to Windows 7 Remote Desktop Connection with Center for Internet Security (CIS) compliant machines. We have used the CIS baseline for our Windows 7 machines and when connecting to another Windows 7 machine I am getting session disconnects without warning and I am not sure why. I have machine A and machine B which are both compliant and at random times I will be disconnected so I have to open the session again. When I open the session on the remote machine after a disconnect everything is exactly as I left it so I am just being disconnected. As a test I left machine A in the CIS OU and I took my remote machine B and put this into a regular OU and did a gpupdate /force and then I get no disconnects. If I connect from machine B back to machine A leaving the settings as they were in the first test I get disconnected at random times. This seems to be an issue with the CIS baseline and I was hoping someone has seen this problem and can help me solve it. We are deploying more and more Windows 7 machines and this is starting to become an issue so hopefully someone has run across this before. Thanks, Dennis
October 18th, 2011 4:46pm

Hi, This may be because some software conflicts with the CIS baseline. We could test if this issue still occurs in Clean Boot mode. Meanwhile, check if you can find any useful information in Event Viewer. Alex Zhao TechNet Subscriber Support in forum If you have any feedback on our support, please contact tnmff@microsoft.com. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
October 18th, 2011 11:48pm

Hi Alex, Thanks for the input, I have set the machine up as requested and I will let you know. My test machine has been good so far, as soon as I moved it to the CIS OU and did a gpupdate /force it kicked me out. I logged back on and it has been good so far so this is a good sign. We did have a number of issues with some of our software when installing with the CIS settings before Windows 7 SP1 was released. As soon as we upgraded to SP1 on our test machines this install issue went away but it looks like this one may be lingering. If this does correct the issue then the hard part will be figuring out which one is causing the problem. Thanks for your help with this issue, Dennis
October 19th, 2011 4:42pm

So I had another disconnect after about 2 hours so it is looking less like a software issue if the Clean Boot worked. Here are the only things I could find from the logs when this happened.
From the System log:
    The Group Policy settings for the computer were processed successfully. New settings from 8 Group Policy objects were detected and applied.
From the Application Log:
    Security policies were propagated with warning. 0x534 : No mapping between account names and security IDs was done.
    Advanced help for this problem is available on http://support.microsoft.com. Query for "troubleshooting 1202 events".
    Error 0x534 occurs when a user account in one or more Group Policy objects (GPOs) could not be resolved to a SID. This error is possibly caused by a mistyped or deleted user account referenced in either the User Rights or Restricted Groups branch of a GPO. To resolve this event, contact an administrator in the domain to perform the following actions:
    1. Identify accounts that could not be resolved to a SID:
       From the command prompt, type: FIND /I "Cannot find" %SYSTEMROOT%\Security\Logs\winlogon.log
       The string following "Cannot find" in the FIND output identifies the problem account names.
       Example: Cannot find JohnDough.
       In this case, the SID for username "JohnDough" could not be determined. This most likely occurs because the account was deleted, renamed, or is spelled differently (e.g. "JohnDoe").
    2. Use RSoP to identify the specific User Rights, Restricted Groups, and Source GPOs that contain the problem accounts:
       a. Start -> Run -> RSoP.msc
       b. Review the results for Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment and Computer Configuration\Windows Settings\Security Settings\Local Policies\Restricted Groups for any errors flagged with a red X.
       c. For any User Right or Restricted Group marked with a red X, the corresponding GPO that contains the problem policy setting is listed under the column entitled "Source GPO". Note the specific User Rights, Restricted Groups and containing Source GPOs that are generating errors.
    3. Remove unresolved accounts from Group Policy
       a. Start -> Run -> MMC.EXE
       b. From the File menu select "Add/Remove Snap-in..."
       c. From the "Add/Remove Snap-in" dialog box select "Add..."
       d. In the "Add Standalone Snap-in" dialog box select "Group Policy" and click "Add"
       e. In the "Select Group Policy Object" dialog box click the "Browse" button.
       f. On the "Browse for a Group Policy Object" dialog box choose the "All" tab
       g. For each source GPO identified in step 2, correct the specific User Rights or Restricted Groups that were flagged with a red X in step 2. These User Rights or Restricted Groups can be corrected by removing or correcting any references to the problem accounts that were identified in step 1.
October 19th, 2011 6:26pm
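
Step 1 of the event 1202 procedure quoted in the post above, extended to test whether each reported name resolves to a SID now. This is an added example, not code from the thread; the function name Get-UnresolvedGpoAccount is hypothetical, and the log line format is assumed to match the sample in the event text ("Cannot find JohnDough.").

```powershell
# Added example (not from the thread). Extracts the names that follow
# "Cannot find" in winlogon.log and retries the name-to-SID lookup for each.
function Get-UnresolvedGpoAccount {
    param([string[]]$Lines)

    # Assumed line format, taken from the event text: "Cannot find <name>."
    $names = foreach ($line in $Lines) {
        if ($line -match 'Cannot find\s+(.+?)\.?\s*$') { $Matches[1].Trim() }
    }

    $names | Where-Object { $_ } | Sort-Object -Unique | ForEach-Object {
        $name = $_
        $sid  = $null
        try {
            $acct = New-Object System.Security.Principal.NTAccount($name)
            $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            # Lookup failed; most often the same "no mapping" condition
            # that event 1202 reports as 0x534.
        }
        New-Object PSObject -Property @{
            Account  = $name
            Sid      = $sid
            Resolves = [bool]$sid
        }
    }
}

$log = "$env:SystemRoot\Security\Logs\winlogon.log"
$lines = if (Test-Path $log) {
    Get-Content $log
} else {
    # Constructed sample lines, used only when the real log is not present
    'Cannot find JohnDough.', 'unrelated line (constructed)', 'Cannot find JohnDough.'
}

Get-UnresolvedGpoAccount -Lines $lines | Format-Table Account, Resolves, Sid -AutoSize
```

Names that still show Resolves = False are the ones to look for under User Rights Assignment and Restricted Groups in RSoP.msc (step 2).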

Hi, I would like to confirm if you have tried the solutions above; if so, what is the result? Just as a test, please check if you have installed the following hotfix: A user is added to the wrong group on a client computer that is running Windows 7 or Windows Server 2008 R2 Alex Zhao TechNet Subscriber Support in forum
October 20th, 2011 4:06am

Thanks again for the help, I have not applied any Microsoft hotfixes to this machine other than Microsoft Update released patches. I did find one account that was misspelled in the GPO so I will have our GPO guy correct this and I will test it again and report back. Dennis
October 20th, 2011 12:19pm

So the misspelled account name has been corrected and this error no longer appears when the GPO is updated but the remote session is still being disconnected when the GPO is updated. Any ideas where I should look now? I have gone through the CIS GPO settings we use and I don't see anything obvious that would cause this issue. Currently we are testing with the default Windows 7 security settings and then applying the CIS settings through GPO.
October 20th, 2011 3:38pm

Thanks for the help Alex, the problem is now solved and it was a problem relating to enforcing RDC through GPO. This problem seems to happen with Server 2008 as well as Windows 7 and when the GPO policies are updated it can cause any active RDC sessions to be disconnected. This link goes over the problem/solution and it has been working all night. I will report back if this didn't work but in the past it would have been disconnected already so it looks good. http://setspn.blogspot.com/2010/12/remote-desktop-session-disconnection.html
October 20th, 2011 10:37pm
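
A way to confirm the pattern this thread arrives at (sessions dropping when Group Policy is refreshed) from the event logs of the remote machine. This is an added example, not part of the original posts; the event IDs are assumptions not stated in the thread: 1502 from Microsoft-Windows-GroupPolicy in the System log (the "New settings from N Group Policy objects were detected and applied" message quoted earlier) and 24 in the TerminalServices-LocalSessionManager operational log (session disconnected).

```powershell
# Added example (not from the thread). Pairs each RDP disconnect with the
# nearest Group Policy refresh and flags those that fall within $windowSec.
$since     = (Get-Date).AddDays(-2)
$windowSec = 120   # assumed tolerance between refresh and disconnect

# Assumption: event 1502 = computer policy processed and new settings applied
$gpo = Get-WinEvent -FilterHashtable @{
    LogName      = 'System'
    ProviderName = 'Microsoft-Windows-GroupPolicy'
    Id           = 1502
    StartTime    = $since
} -ErrorAction SilentlyContinue

# Assumption: event 24 = Remote Desktop Services session disconnected
$rdp = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id        = 24
    StartTime = $since
} -ErrorAction SilentlyContinue

$report = foreach ($d in $rdp) {
    # Closest policy refresh to this disconnect, if any were logged
    $nearest = $gpo | Where-Object { $_ } |
        Sort-Object { [math]::Abs(($d.TimeCreated - $_.TimeCreated).TotalSeconds) } |
        Select-Object -First 1

    $gap = $null
    if ($nearest) {
        $gap = [math]::Round(($d.TimeCreated - $nearest.TimeCreated).TotalSeconds)
    }

    New-Object PSObject -Property @{
        Disconnect       = $d.TimeCreated
        NearestGpoUpdate = if ($nearest) { $nearest.TimeCreated } else { $null }
        GapSeconds       = $gap
        LikelyGpoRelated = ($gap -ne $null -and [math]::Abs($gap) -le $windowSec)
    }
}

$report | Sort-Object Disconnect |
    Format-Table Disconnect, NearestGpoUpdate, GapSeconds, LikelyGpoRelated -AutoSize
```

Run it from an elevated prompt on the machine that hosts the session; disconnects that consistently sit within a couple of minutes of a refresh point at policy processing rather than at the network or installed software.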

This topic is archived. No further replies will be accepted.
