We have a customer with a Windows Server 2008r2 RDS farm consisting of 2 session hosts and a single connection broker. We have a GPO that configures session timeouts both as a computer policy and a user policy with loopback processing (merge) which is linked to the OU containing the Session Hosts. The "Active Session" timeout is set to disabled both on the computer policy setting and the user setting. RSOP confirms the GPO is applied to the hosts, both local group policy and the registry confirm the setting is applied. Active Directory user objects are configured with all session timeouts to "Never".
However, active users are still getting disconnected at exactly 8 hours. They can immediately reconnect to their session with no issues.
The 8 hours is woefully exact, to the second. It occurs for multiple users on the network. There is nothing abnormal in the Connection Broker logs nor in the Session Host logs. It's behaving exactly like an 8 hour active session timeout is configured.
Users are connecting from their personal computers off the network through an RDS Gateway. There are no conflicting GPOs. Settings in local computer group policy are untouched.
Since we have a GPO and since AD user objects are configured, what could possibly be overriding my GPO?
While it's true that the internet only seems to know about the session host time limits, it turns out that there is a TS/RDS gateway time limit as well.
These time limits allow you to configure an idle timeout (in minutes) and an overall session timeout (in minutes). The configuration can be found in the RD Gateway Manger (on Windows Server 2008r2) under the Server > Policies > Connection Authorization Policies. Right click the appropriate policy, select Properties and click on the Timeouts tab.
In my case the Enable session timeout setting was enabled and set to 480 minutes (8 hours) and configured to Disconnect the session.
Note that this is a new setting in Server 2008r2 RDS and that it is not configurable by Group Policy. You can read more about this setting on the "What's new in Remote Desktop Services" page on Technet.
One reason this setting may be hard to find on the internet is the change in vocabulary, specifically the use of the word "timeout" instead of "time limit".