Solved

Allow non-admin user to log off terminal sessions

Posted on 2014-10-10
Last Modified: 2014-10-13
Hi,

I have a 2008 environment and I want to give some users rights to log off users from the terminal servers without giving them admin rights.

I found an article that stated the following solution:
"To grant the user right to finish sessions for terminal server. You have to open Terminal Server configurations - Connections - Select RDP-Tcp - Right Click - Properties - Security and modify the security as you require."

I can't seem to find this setting, nor do I know if this is an actual solution to my problem.

Any way to do this from group policy?
0
Question by:intuitivesolutions
19 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40373851
Hi,

There sounds like a risk involved with this: if a user genuinely is working and then a user remotes on and then chooses to log them off whilst working, that shows a potential risk. Also, why do you want to implement this?
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374032
If you want to implement this due to the lack of TS CAL licenses you have available, I would strongly recommend a purchase of licenses rather than implementing something like this, as this is not best practice in any environment.
0
 

Author Comment

by:intuitivesolutions
ID: 40374084
Roshan, sorry I don't think you understand my questions.  

It's not a security issue, because I want certain users to have the ability to log off users for technical purposes.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374100
If it's for Technical Purposes then that's fine. Does this help at all?
http://technet.microsoft.com/en-us/library/cc755252.aspx
0
 

Author Comment

by:intuitivesolutions
ID: 40374119
Roshan,

Sorry, but that doesn't help. Please read my question again. I'm not asking how to log off a user, I'm asking how to give non-admin users RIGHTS to log off users.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374135
Right okay got it now.

You can use the commands query session and logoff to finish sessions from the command line.

As you said above:
"To grant the user right to finish sessions for terminal server. You have to open Terminal Server configurations - Connections - Select RDP-Tcp - Right Click - Properties - Security and modify the security as you require."

You can only give the user the right to log off sessions via the Advanced button.

I believe Terminal Server configurations means Remote Desktop Session Manager.

To grant a group Full Control to the RDP-Tcp listener on a Server 2012 RDSH server you may open an administrator command prompt and enter the following command:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2

Alternatively, if you have a Server 2008 R2 server you may use RD Session Host Configuration (tsconfig.msc) to connect to your Server 2012 RDSH server and modify the RDP-Tcp listener permissions that way.

After making a permission change you should log off any users that will be the target of a log off so that the change will take effect.  I have not tested to make sure that a non-admin user with Full Control still has the ability to log off other users under Server 2012 like they could under Server 2008 R2 and earlier.

Currently replicating this in my test lab now to ensure the correct result. Could you try it for me in the meantime?
0
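
A least-privilege variant of the wmic command in the comment above, as an added example that is not part of the original thread: instead of preset 2 (Full Control) it adds the account with the guest preset and then allows only Query Information and Logoff through Win32_TSAccount.ModifyPermissions. The group name DOMAIN\TS-Helpdesk is a placeholder, and whether these two rights are sufficient on a given Windows version is an assumption to verify in a lab.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# session host. $Account is a placeholder; substitute your own group.
$Account  = 'DOMAIN\TS-Helpdesk'
$Listener = 'RDP-Tcp'
$wmi = @{ Namespace = 'root\CIMV2\TerminalServices'; Authentication = 'PacketPrivacy' }

# Rights to allow, keyed by the PermissionMask index that
# Win32_TSAccount.ModifyPermissions expects.
$Rights = @{ 0 = 'Query Information'; 2 = 'Logoff' }

# WQL string literals need the backslash in DOMAIN\name doubled.
$wqlName = $Account.Replace('\', '\\')
$filter  = "TerminalName='$Listener' AND AccountName='$wqlName'"

# 1. Reuse the account's existing entry on the listener, or create one with
#    the lowest preset (0 = guest access; the thread used 2 = full control).
$entry = Get-WmiObject @wmi -Class Win32_TSAccount -Filter $filter
if (-not $entry) {
    $setting = Get-WmiObject @wmi -Class Win32_TSPermissionsSetting `
                   -Filter "TerminalName='$Listener'"
    $result  = $setting.AddAccount($Account, 0)
    if ($result.ReturnValue -ne 0) {
        throw "AddAccount failed with code $($result.ReturnValue)"
    }
    $entry = Get-WmiObject @wmi -Class Win32_TSAccount -Filter $filter
}
if (-not $entry) { throw "No listener entry found for $Account" }

# 2. Allow each right individually (second argument $true = allow).
foreach ($index in ($Rights.Keys | Sort-Object)) {
    $result = $entry.ModifyPermissions([uint32]$index, $true)
    if ($result.ReturnValue -ne 0) {
        throw "Granting '$($Rights[$index])' failed with code $($result.ReturnValue)"
    }
}

# 3. Read the entry back so the resulting ACL can be reviewed and recorded.
#    Per the thread, the change only applies to sessions created afterwards.
Get-WmiObject @wmi -Class Win32_TSAccount -Filter $filter |
    Select-Object TerminalName, AccountName, PermissionsAllowed, PermissionsDenied
```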
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374188
Right,

Attached is the screenshot of the above solution in my environment.

You open RDS Host Config, then right-click on RDP-TCP and you will get the below box. You then click Security and then the Advanced tab as stated above, then you set the respective permissions in there.
[Screenshot: RDSLab]
0
 

Author Comment

by:intuitivesolutions
ID: 40377152
Hi Roshan,

Thank you for that screenshot. I got to that screen and added my user and gave them full permissions. When that user logs in and tries to log off another user it still says 'Access Denied.'
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377175
Can you post a screenshot of that permissions screen for me? Have you verified the permissions were whilst being logged in as a Domain Admin?
0
 

Author Comment

by:intuitivesolutions
ID: 40377194
Attached the screenshot
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377250
Where is the screenshot?
0
 

Author Comment

by:intuitivesolutions
ID: 40377537
Roshan, did you get my attachment?
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377712
Yes, got it now. The user you're trying to log off, is it an admin? Also, is the user HD1 who needs to be able to log off sessions?
0
 

Author Comment

by:intuitivesolutions
ID: 40377716
HD1 is just a test user I created and I was trying to log off a non-admin user.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40378041
Try giving HD1 just log off permissions.
0
 
LVL 13

Accepted Solution

by:
Rizzle earned 2000 total points
ID: 40378134
One thing I've found is once you have applied the permissions to the test account HD1, sessions created after that should be able to be logged off by HD1.

For example, you apply the log off/full control permission to HD1 via the RDP-TCP Listener, you then log onto the server as HD2 and HD4, and once HD1 attempts the connection HD1 should be able to log off one of those sessions.

This link should be able to explain in detail: https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5b57372-c815-4423-91ed-769261058326/logoff-other-tsusers-without-being-an-admin-in-w2k8-r2?forum=winserverTS
0
 

Author Comment

by:intuitivesolutions
ID: 40378228
That worked, I guess it only applies to new users.

Thank you so much for all the info.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40378233
No problem my friend :)
0
