by lunarg on April 20th 2020, at 09:50

When attempting to add new Remote Desktop Session Hosts (RDSH) to a session host collection, you may run into the following error message:

Error
Unable to retrieve the session collection properties

This error may be accompanied by additional messages.

When checking the logs, you will not find anything apparently wrong with the collections: they show up correctly in Server Manager, and users can still log on to the collection using the existing servers.

Cause

Occasionally the security descriptors of one of the collections become corrupted. When that happens, it is not possible to add a new session host, whether through Server Manager or through PowerShell.

The problematic collection does not have to be the collection to which you are adding the RDSH. If you have multiple collections, the problem can exist in another collection and still block adding the host to a different one.

Solution

First we need to determine which collection has the problem. For that, log on to the broker with PowerShell and follow the steps below.

Start by importing the required cmdlets. The module is present on any server with the broker management tools installed.

Import-Module C:\Windows\System32\ServerManagerInternal\RDManagement\RDManagement.psd1

After that, retrieve a list of all collections with some details, including the security descriptors.

$FormatEnumerationLimit = -1
Get-RDSHPool -ManagementServer BrokerFQDN -Alias *

Note that you can leave out the -ManagementServer parameter if you're running this on the broker itself.

In a normal situation, you should not get any errors here. If you see an error about one of the collections, then that's the collection that's causing the problems:

Error
Get-RDSHPool : Unable to retrieve the session collection properties.
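
The same check, run once per collection so that the failing collection is named explicitly. This is an added example, not part of the original post: the broker FQDN is a placeholder, and it assumes that Get-RDSHPool accepts a single collection alias for -Alias and that the objects returned by Get-RDSessionCollection expose a CollectionAlias property.

```powershell
# Added example: probe every collection separately and report which one fails.
# Assumptions: 'broker.example.internal' is a placeholder for your broker FQDN;
# Get-RDSHPool accepts one collection alias for -Alias.
$Broker = 'broker.example.internal'

Import-Module RemoteDesktop
Import-Module C:\Windows\System32\ServerManagerInternal\RDManagement\RDManagement.psd1

$results = foreach ($collection in Get-RDSessionCollection -ConnectionBroker $Broker) {
    $status = 'OK'
    $detail = ''
    try {
        # -ErrorAction Stop turns the "Unable to retrieve the session collection
        # properties" error into an exception that the catch block can record.
        $null = Get-RDSHPool -ManagementServer $Broker `
                             -Alias $collection.CollectionAlias `
                             -ErrorAction Stop
    }
    catch {
        $status = 'FAILED'
        $detail = $_.Exception.Message
    }

    [pscustomobject]@{
        Collection = $collection.CollectionName
        Alias      = $collection.CollectionAlias
        Status     = $status
        Detail     = $detail
    }
}

$results | Format-Table -AutoSize -Wrap

# Name the collections whose properties could not be read.
$broken = @($results | Where-Object Status -eq 'FAILED')
if ($broken.Count -gt 0) {
    Write-Warning ('Collections to repair: ' + ($broken.Collection -join ', '))
}
else {
    Write-Output 'All collections returned their properties without error.'
}
```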

To resolve the corrupt security descriptors, return to Server Manager, navigate to the collection and open its properties.

Edit the properties and add a different group (e.g. Domain Admins) to the User Groups, then click OK. This should restore the corrupted security descriptors, allowing you to add the RDSH to that (or another) collection. Don't forget to remove the group you just added from the collection that had the corrupted security descriptors, so that it does not keep access to that collection.