diff --git a/modules/rdp.nix b/modules/rdp.nix
index cd83008..8ba2c36 100755
--- a/modules/rdp.nix
+++ b/modules/rdp.nix
@@ -13,6 +13,11 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
 # Enable the GNOME Remote Desktop service at the system level
 services.gnome.gnome-remote-desktop.enable = true;
+ # Prevent the system-level service from auto-starting via GDM's target ordering.
+ # This avoids the "Session Already Running" GDM dialog when free is auto-logged-in.
+ # We start the service explicitly from the setup script after configuration is complete.
+ systemd.services."gnome-remote-desktop".wantedBy = lib.mkForce [];
+
 # Open RDP port in the firewall
 networking.firewall.allowedTCPPorts = [ 3389 ];
@@ -39,6 +44,7 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
 pkgs.openssl
 pkgs.hostname
 pkgs.gawk
+ pkgs.systemd
 ];
 script = ''
 # Ensure directory structure exists
@@ -82,16 +88,14 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
 if [ ! -f /var/lib/gnome-remote-desktop/rdp-password ]; then
 PASSWORD=$(openssl rand -base64 16)
 echo "$PASSWORD" > /var/lib/gnome-remote-desktop/rdp-password
+ chmod 600 /var/lib/gnome-remote-desktop/rdp-password
 else
 PASSWORD=$(cat /var/lib/gnome-remote-desktop/rdp-password)
 fi
- chown root:gnome-remote-desktop /var/lib/gnome-remote-desktop/rdp-password
- chmod 640 /var/lib/gnome-remote-desktop/rdp-password
 # Write username to a separate file for the hub
 echo "sovran" > /var/lib/gnome-remote-desktop/rdp-username
- chown root:gnome-remote-desktop /var/lib/gnome-remote-desktop/rdp-username
- chmod 640 /var/lib/gnome-remote-desktop/rdp-username
+ chmod 600 /var/lib/gnome-remote-desktop/rdp-username
 # Get current IP address
 LOCAL_IP=$(hostname -I | awk '{print $1}')
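Review bot: Forcing `wantedBy = []` means the only thing that ever starts `gnome-remote-desktop.service` is the single `systemctl start` in the setup script, so if the daemon exits or is stopped later nothing brings it back until that setup unit runs again; unless the upstream unit already sets `Restart=` (not visible here), consider adding `systemd.services."gnome-remote-desktop".serviceConfig.Restart = "on-failure";` beside the `mkForce` line. The new comment would also be easier to follow if it named where the explicit start happens, e.g. `# Started explicitly by the RDP setup service defined below, after credentials and TLS are in place.` The enclosing `lib.mkIf` block starts and ends outside this hunk.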
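Review bot: In the third hunk the new `chmod 600` on rdp-password runs only inside the creation branch, so a password file left behind by the previous version of this module (created `640 root:gnome-remote-desktop`, now that the `chown`/`chmod 640` lines are removed) keeps its group-readable mode on every later run; both files are also written with `echo … >` before any chmod, so they are first created with whatever mode the process umask gives. Add `umask 077` at the top of the script and move `chmod 600 /var/lib/gnome-remote-desktop/rdp-password` below the `fi` so the mode is enforced on existing files too. If the "hub" mentioned in the username comment reads these files as a non-root user, root-owned 600 files will break it — that reader's identity is not visible in the hunk. The script body continues past the end of the hunk.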
@@ -113,56 +117,16 @@ lib.mkIf config.sovran_systemsOS.features.rdp {
 chmod 600 "$CRED_FILE"
+ grdctl --system rdp enable
+ grdctl --system rdp set-credentials sovran "$PASSWORD"
+ grdctl --system rdp disable-view-only || true
+
+ # Start the service now that everything is configured.
+ # The service won't auto-start (wantedBy is empty), so we start it explicitly
+ # after TLS certs and credentials are fully configured.
+ systemctl start gnome-remote-desktop.service || true
+
 echo "GNOME Remote Desktop RDP configured successfully"
 '';
 };
-
- # User-level service that enables RDP screen sharing within the free user's graphical session.
- # This avoids the GDM "Session Already Running" conflict caused by the system-level RDP endpoint.
- systemd.user.services.gnome-remote-desktop-session = {
- description = "Enable GNOME Remote Desktop screen sharing for user session";
- wantedBy = [ "graphical-session.target" ];
- after = [ "graphical-session.target" ];
- serviceConfig = {
- Type = "oneshot";
- RemainAfterExit = true;
- };
- path = [
- pkgs.gnome-remote-desktop
- ];
- script = ''
- # Read the password generated by the system-level setup service.
- # Wait for the password file to be available (system service may still be running).
- for i in $(seq 1 30); do
- [ -f /var/lib/gnome-remote-desktop/rdp-password ] && break
- sleep 1
- done
-
- if [ ! -f /var/lib/gnome-remote-desktop/rdp-password ]; then
- echo "ERROR: Timed out waiting for RDP password file"
- exit 1
- fi
-
- PASSWORD=$(cat /var/lib/gnome-remote-desktop/rdp-password 2>/dev/null || echo "")
- if [ -z "$PASSWORD" ]; then
- echo "ERROR: RDP password file is empty"
- exit 1
- fi
-
- # Enable RDP in the user session (screen sharing mode — takes over existing desktop)
- grdctl rdp enable
- grdctl rdp set-credentials sovran "$PASSWORD"
- grdctl rdp disable-view-only || true
-
- echo "GNOME Remote Desktop user-session screen sharing enabled"
- '';
- };
-
- # Add free user to gnome-remote-desktop group so the user-level service can read credential files
- users.users.free.extraGroups = [ "gnome-remote-desktop" ];
-
- # Prevent the system-level RDP service from starting — we use user-session sharing instead.
- # We keep services.gnome.gnome-remote-desktop.enable = true for the grdctl binary,
- # but prevent the system service from auto-starting (which causes the GDM "Session Already Running" conflict).
- systemd.services."gnome-remote-desktop".wantedBy = lib.mkForce [];
 }
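Review bot: `systemctl start gnome-remote-desktop.service || true` swallows a failed start, yet the next line still prints "configured successfully" and, with `wantedBy` now empty, nothing else will ever start the daemon; replace it with `systemctl start gnome-remote-desktop.service || { echo "ERROR: failed to start gnome-remote-desktop.service"; exit 1; }` or at least gate the success message on `systemctl is-active --quiet gnome-remote-desktop.service`. The three `grdctl --system` calls run before the daemon is started, so they rely on the system-bus configuration service being reachable on its own; if that activation is not guaranteed in this deployment the calls should be ordered after the start or given their own error reporting — I cannot confirm either way from the hunk. Passing the password as a `set-credentials` argument makes it visible in the process list for the lifetime of that short-lived process, which is tolerable on a single-user host but deserves a one-line comment if grdctl offers no stdin or file form. The enclosing `lib.mkIf` block and the setup service's script start before this hunk.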