Solved

Forceful Session Logoff Windows Server 2008

Posted on 2014-03-04
Last Modified: 2014-03-10
Only two simultaneous sessions are allowed by default in Windows Server 2008. I want that if another user tries to log in, one of the connected users will automatically or forcefully be logged off from the server.
Question by:martincrew

Expert Comment

by:Mysidia
How does this differ from what you are seeing? When you attempt to log the third session in, there should be a prompt to select which user to disconnect and an optional "Force" checkbox.

This is correct. By default, remote desktop on Windows server is configured for "remote admin. mode". Per Microsoft licensing rules, these two connections are permitted to be used exclusively for administering the server: essentially, these connections are only legally allowed to be used for activities such as configuring the server.

Running business applications or other applications ("remote desktop services") on a server legally requires additional licensing, and the purchase of an RDS CAL for each named person--e.g. employee (or named device) authorized to connect -- depending on type of CALs used.

Author Comment

by:martincrew
The user selection prompt comes without the optional "Force" check box, as the user has only "User" privilege; it comes only when the user has "Administrator" privilege.

When the user selects one of the users from the selection prompt, they need to wait for the logged-in user to accept or reject the request. I am attaching a screenshot of it. I want the third user not to need to wait for the current user's response, just select the user and log in directly.

Expert Comment

by:Patricksr1972
On some occasions you get a message displayed "maximum rdp sessions" and the RMD gets terminated.
In that case you could log on to another server and use the quser and logoff commands.

quser /SERVER:<servername>           and remember the logon IDs

next

logoff 2 /SERVER:<servername>         2 if the user you want to log off has ID 2 in the previous command.
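
The quser/logoff sequence above as a script, shown as an added example that is not part of the original post: it parses `quser` output (including disconnected sessions, whose SESSIONNAME column is blank), converts the idle-time column to minutes, and picks the session to log off. It assumes English-locale `quser` output and PowerShell 2.0 or later; the function names, the sample lines, the user names and `SERVER01` are constructed for illustration.

```powershell
# Added example, not from the thread. Assumes English-locale quser output.
function ConvertTo-IdleMinutes([string]$Idle) {
    # quser prints '.', 'none', '7' (minutes), '1:15' (h:mm) or '2+03:10' (days+h:mm)
    if ($Idle -match '^(?:(\d+)\+)?(?:(\d+):)?(\d+)$') {
        return [int]$Matches[1] * 1440 + [int]$Matches[2] * 60 + [int]$Matches[3]
    }
    return 0   # '.' and 'none' mean no measurable idle time
}

function Get-RdpSession([string[]]$QuserLines) {
    # SESSIONNAME is blank for disconnected sessions, so that column is optional.
    $pattern = '^[\s>]*(?<User>\S+)\s+(?:(?<Session>\S+)\s+)?(?<Id>\d+)\s+' +
               '(?<State>\S+)\s+(?<Idle>\S+)\s+(?<Logon>.+)$'
    foreach ($line in $QuserLines) {
        if ($line -match $pattern) {       # the header line has no numeric ID and is skipped
            $m = $Matches                  # keep a reference; the helper runs -match again
            New-Object PSObject -Property @{
                User = $m.User; Session = $m.Session; Id = [int]$m.Id
                State = $m.State; IdleMinutes = (ConvertTo-IdleMinutes $m.Idle)
            }
        }
    }
}

function Select-SessionToLogOff($Sessions, [string]$Requester) {
    # Never pick the requester's own session; prefer disconnected, then longest idle.
    $Sessions | Where-Object { $_.User -ne $Requester } |
        Sort-Object @{ Expression = { $_.State -eq 'Disc' }; Descending = $true },
                    @{ Expression = 'IdleMinutes'; Descending = $true } |
        Select-Object -First 1
}

$Server = 'SERVER01'   # placeholder server name
# Constructed sample output; on a real host use: $lines = quser /SERVER:$Server
$lines = @(
    ' USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME',
    ' administrator         rdp-tcp#1           2  Active          .  3/4/2014 9:01 AM',
    ' jsmith                                    3  Disc      2+03:10  3/1/2014 8:12 AM'
)
$target = Select-SessionToLogOff (Get-RdpSession $lines) 'martin'
if ($target) {
    "Would run: logoff $($target.Id) /SERVER:$Server (user $($target.User), idle $($target.IdleMinutes) min)"
    # logoff $target.Id /SERVER:$Server   # uncomment to act; unsaved work in that session is lost
}
```

As written the script only reports which session it would end; the `logoff` call itself still needs the rights to the target session discussed in the replies below.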

Expert Comment

by:Mysidia
"as user having only "User" privilege , it comes only when user having "Administrator" privilege . "
This is quite right. You can only log off a session with Full Control rights to that session.
Any unsaved changes in that session may be lost.

There are some admin tools that don't cope with this appropriately, and it can cause damage to the server if the session is administrative.

The way to grant the permissions is either:

1.) Add the user to the Local Administrators group on the server in question; or add the user to a group in Active Directory that is listed in the Local Administrators group on the server.

or

2.) Open Administrative Tools > Remote Desktop Services > Remote Desktop Host Configuration
on the server

Right-click the RDP-TCP session, pick Properties, go to the Security tab
Click the "Advanced" button

Click "ADD"; select the desired group, OK

Tick all the Allow boxes.
OK
OK

Now the user should have the Full Control rights to RDP sessions that is required in order to log off another user's Remote Desktop session.

Note this does include the ability to 'Remote control' or take over control of another user's open RDP session.

But according to the applicable Microsoft documentation, Full Control permission is indeed required to disconnect another user, as noted here:
http://technet.microsoft.com/en-us/library/cc755252.aspx

Expert Comment

by:Manjunath Sullad
By default you will get 2 sessions for Windows Server 2008.

If you want one more session, you need to configure Windows Terminal Services on that server,

and you need to procure a TS (RDS) license for accessing multiple users.

Configure TS : http://technet.microsoft.com/en-us/library/cc754288(v=ws.10).aspx

Manage RDS CAL : http://technet.microsoft.com/en-us/library/dd759163.aspx

Author Comment

by:martincrew
Thanks for all replies. I don't want an RDS license.

I just want to know whether there is any possibility or technique by which a third user can log off a session on the selection screen of currently connected users.

Expert Comment

by:Patricksr1972
I gave you the option to, didn't I?

Author Comment

by:martincrew
Sage, thanks for the option, but that doesn't work for me.

Accepted Solution

by:
Mysidia earned 200 total points
As I mentioned above, the only way to log off another user remotely requires the user who wishes to log in to have certain administrative user rights and the security permissions to the terminal server RDP configuration, listed in the above referenced Microsoft document, in order to do so.

This would be by design. You can control which users or groups have administrative rights and which users have special permissions in the Terminal Services config, but if you do not license RDS, you cannot control how the 2 connected session limit is enforced.

Of course, you can also set an idle timeout period with forced automatic logout (or disconnect), which can be established on a per-user basis if necessary.

Terminal Services for administration will not allow the 3rd session to connect, and the 'force disconnect' option is only presented if the user requesting to log in has certain permissions.

This is not a configurable or customizable aspect of remote desktop for administration -- what happens at login for a new session when the limit is already reached and the user identity logging in is a user that lacks the permissions that are necessary in order to disconnect an existing session.