Give access to user to logoff other users - Windows server 2008 R2 Terminal Services
Hi,
I have a Windows Server 200 R2 terminal server. I'd like to give access to a user to logoff other users and kill processes of other users without making them an administrator.
I've been having a look everywhere on how to do this but can;t figure it out...
Thanks
I have a Windows Server 200 R2 terminal server. I'd like to give access to a user to logoff other users and kill processes of other users without making them an administrator.
I've been having a look everywhere on how to do this but can;t figure it out...
Thanks
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Muhammad Farjad Arshad
move into Run type "secpol.msc" without quotations and from here move into localpolicies and add the user into allow logon through remote desktop services see if this works for you
ASKER
There is a domain group in there that the user is already a member of. If they weren't then they wouldn't be able to logon to the server, which is not the problem.
I want them to see the running processes on the server for other users and be able to kill other users processes.
I want them to see the running processes on the server for other users and be able to kill other users processes.
Hi I'm not very exactly sure but i can say this to you...
1. In AD Users and Computers, create a global security group for your support users, for example named RDS Support Users. Members of this group will have the ability to log off/remote control/etc. RDS/TS users and grant users the ability to log on to your RDS/TS servers by adding users to a group. Please add the users that you would like to maintain your ts users to this group.
2. In AD Users and Computers, create a global security group for each one of your RDS/TS servers, for example named SERVERNAME Remote Desktop Users or if you do not need granular control create a single global security group that will be used to grant access to all RDS/TS servers. Your support users from step 1 will add users to this group when they want to grant access to your RDS/TS servers.
3. Log on to each RDS/TS server as an admin, open Computer Management, and make the appropriate global group you created in step 2 a member of the local Remote Desktop Users group.
4. In AD Users and Computers, make sure View--Advanced Features is selected. Right-click on each of the groups created in step 2 and choose Properties. On the Security tab, click the Advanced button, click Add, enter the group name from step 1, then on the Properties tab select Allow Write Members and then save the entry.
5. On each RDS/TS, RD Session Host Configuration or Terminal Services Configuration, double-click on RDP-Tcp and grant the group from step 1 Full Control. You said you already did this step but I am including it for completeness.
After finishing all of the above steps please make sure that your support users log off and back on for the changes in group membership to take effect. If your support users will be remote controlling other users please have the target users (the normal users) log off and back on so that the security changes will take effect. They must completely log off of the RDS/TS servers, not just disconnect/reconnect.
Please test that your support users are able to add/remove user accounts to the groups created in step 2 and that they are able to log off sessions, etc.
This is what i tried when i was to work on terminals...
I hope it works fine for you.
1. In AD Users and Computers, create a global security group for your support users, for example named RDS Support Users. Members of this group will have the ability to log off/remote control/etc. RDS/TS users and grant users the ability to log on to your RDS/TS servers by adding users to a group. Please add the users that you would like to maintain your ts users to this group.
2. In AD Users and Computers, create a global security group for each one of your RDS/TS servers, for example named SERVERNAME Remote Desktop Users or if you do not need granular control create a single global security group that will be used to grant access to all RDS/TS servers. Your support users from step 1 will add users to this group when they want to grant access to your RDS/TS servers.
3. Log on to each RDS/TS server as an admin, open Computer Management, and make the appropriate global group you created in step 2 a member of the local Remote Desktop Users group.
4. In AD Users and Computers, make sure View--Advanced Features is selected. Right-click on each of the groups created in step 2 and choose Properties. On the Security tab, click the Advanced button, click Add, enter the group name from step 1, then on the Properties tab select Allow Write Members and then save the entry.
5. On each RDS/TS, RD Session Host Configuration or Terminal Services Configuration, double-click on RDP-Tcp and grant the group from step 1 Full Control. You said you already did this step but I am including it for completeness.
After finishing all of the above steps please make sure that your support users log off and back on for the changes in group membership to take effect. If your support users will be remote controlling other users please have the target users (the normal users) log off and back on so that the security changes will take effect. They must completely log off of the RDS/TS servers, not just disconnect/reconnect.
Please test that your support users are able to add/remove user accounts to the groups created in step 2 and that they are able to log off sessions, etc.
This is what i tried when i was to work on terminals...
I hope it works fine for you.
ASKER
Palicos,
The solution you have provided is a copy and paste direct from another forum (without any reference or credit to the original post).
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/20fbaf7a-d454-4dc0-80fd-eed374b717cf/
I have also already tried this and it didn't provide the access to see other users running processes...
The solution you have provided is a copy and paste direct from another forum (without any reference or credit to the original post).
http://social.technet.microsoft.com/Forums/en-US/winserverTS/thread/20fbaf7a-d454-4dc0-80fd-eed374b717cf/
I have also already tried this and it didn't provide the access to see other users running processes...
As i already mention that I'm not sure as i already google out for you...
So i suppose this is nothing to remind me off..
Well if it helps you its fine else when you get the exact answer you can update back to the community....
So i suppose this is nothing to remind me off..
Well if it helps you its fine else when you get the exact answer you can update back to the community....
ASKER
Thanks for the replies.
Thats link describes the part of the solution that i've already done which is allowing access to disconnect, logoff and remote control other users.
The part i'm missing in the more granular access of of allowing a user to kill a specific process for another user.
The 'power' user can actually launch tsadmin and can see other users sessions (and log them off), but can't see the individual processes.
Thanks anyway...
Thats link describes the part of the solution that i've already done which is allowing access to disconnect, logoff and remote control other users.
The part i'm missing in the more granular access of of allowing a user to kill a specific process for another user.
The 'power' user can actually launch tsadmin and can see other users sessions (and log them off), but can't see the individual processes.
Thanks anyway...
Oh sorry for that actually i forgot to do that , sometimes its like this that you had something on your mind but some or the other way to forgot and then the the mistake occure so its like this only...
Yes would keep that in mind....
And as it is...
Thanks
Lindsay palicos.
Yes would keep that in mind....
And as it is...
Thanks
Lindsay palicos.
ASKER
I haven't been able to get a solution to this problem so i worked around it by giving the user a second 'admin' login
ASKER
Only half of my question was actually answered