Allow non-admin user to log off terminal sessions

Hi,

I have a 2008 environment and I want to give some users rights to log off users from the terminal servers without giving them admin rights.

I found an article that stated the following solutions:
"To grant the user right to finish sessions for terminal server. You have to open Terminal Server configurations - Connections - Select RDP-TCP - Right Click - Properties - Security and modify the security as you require."

I can't seem to find this setting, nor do I know if this is an actual solution to my problem.

Any way to do this from group policy?
intuitivesolutions Asked:

Rizzle Commented:
Hi,

There sounds like a risk involved with this: if a user is genuinely working and another user remotes on and then chooses to log them off whilst working, that shows a potential risk. Also, why do you want to implement this?
0
Rizzle Commented:
If you want to implement this due to the lack of TS CAL licenses you have available, I would strongly recommend a purchase of licenses rather than implementing something like this, as this is not best practice in any environment.
0
intuitivesolutions Author Commented:
Roshan, sorry, I don't think you understand my questions.

It's not a security issue, because I want certain users to have the ability to log off users for technical purposes.
0
Rizzle Commented:
If it's for technical purposes then that's fine. Does this help at all?
http://technet.microsoft.com/en-us/library/cc755252.aspx
0
intuitivesolutions Author Commented:
Roshan,

Sorry, but that doesn't help. Please read my question again. I'm not asking how to log off a user, I'm asking how to give non-admin users RIGHTS to log off users.
0
Rizzle Commented:
Right, okay, got it now.

You can use the commands query session and logoff to finish sessions on the command line.

As you said above:
"To grant the user right to finish sessions for terminal server. You have to open Terminal Server configurations - Connections - Select RDP-TCP - Right Click - Properties - Security and modify the security as you require."

You can only give the user the right to log off sessions via the Advanced button.

I believe Terminal Server configurations means Remote Desktop Session Manager.

To grant a group Full Control to the RDP-Tcp listener on a Server 2012 RDSH server you may open an administrator command prompt and enter the following command:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2

Alternatively, if you have a Server 2008 R2 server, you may use RD Session Host Configuration (tsconfig.msc) to connect to your Server 2012 RDSH server and modify the RDP-Tcp listener permissions that way.

After making a permission change you should log off any users that will be the target of a log off so that the change will take effect.  I have not tested to make sure that a non-admin user with Full Control still has the ability to log off other users under Server 2012 like they could under Server 2008 R2 and earlier.

Currently replicating this in my test lab now to ensure the correct result. Could you try it for me in the meantime?
0
Rizzle Commented:
Right,

Attached is the screenshot of the above solution in my environment.

You open RDS Host Config, then right-click on RDP-TCP and you will get the box below. You then click Security and then the Advanced tab as stated above, then you set the respective permissions in there.
[Screenshot: RDSLab]
0
intuitivesolutions Author Commented:
Hi Roshan,

Thank you for that screenshot. I got to that screen and added my user and gave them full permissions. When that user logs in and tries to log off another user it still says 'Access Denied.'
0
Rizzle Commented:
Can you post a screenshot of that permissions screen for me? Have you verified the permissions were whilst being logged in as a Domain Admin?
0
intuitivesolutions Author Commented:
Attached the screenshot
0
Rizzle Commented:
Where is the screenshot?
0
intuitivesolutions Author Commented:
0
intuitivesolutions Author Commented:
Roshan, did you get my attachment?
0
Rizzle Commented:
Yes, got it now. Is the user you're trying to log off an admin? Also, is the user HD1 the one who needs to be able to log off sessions?
0
intuitivesolutions Author Commented:
HD1 is just a test user I created and I was trying to log off a non-admin user.
0
Rizzle Commented:
Try giving HD1 just log off permissions.
0
Rizzle Commented:
One thing I've found is that once you have applied the permissions to the test account HD1, sessions created after that should be able to be logged off by HD1.

For example, you apply the log off/full control permission to HD1 via the RDP-TCP listener, you then log onto the server as HD2 and HD4, and once HD1 attempts the connection, HD1 should be able to log off one of those sessions.

This link should be able to explain in detail: https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5b57372-c815-4423-91ed-769261058326/logoff-other-tsusers-without-being-an-admin-in-w2k8-r2?forum=winserverTS
0
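
An added example, not part of any post in this thread: a least-privilege variant of the `wmic ... AddAccount "domain\group",2` command above, which grants a group only the Query Information and Logoff rights on the RDP-Tcp listener instead of the Full Control preset. It uses the same WMI namespace as that command; the group name `DOMAIN\HelpDeskLogoff` is a hypothetical placeholder, and the choice of Query plus Logoff as the rights to grant is an assumption.

```powershell
# Added example (not from the thread): grant a help-desk group only the
# rights it needs on the RDP-Tcp listener, rather than Full Control.
# Run from an elevated PowerShell prompt on the session host.
$Namespace = 'root\CIMV2\TerminalServices'   # namespace from the wmic command in the thread
$Listener  = 'RDP-Tcp'
$Group     = 'DOMAIN\HelpDeskLogoff'         # hypothetical group name

# Permission indexes accepted by Win32_TSAccount.ModifyPermissions:
# 0 = Query Information, 2 = Logoff. Reset (6) is a separate right and is
# deliberately not granted here.
$Rights = @{ Query = 0; Logoff = 2 }

function Get-ListenerAccount {
    # Filter the account name client-side to avoid escaping '\' in WQL.
    Get-WmiObject -Namespace $Namespace -Class Win32_TSAccount `
        -Filter "TerminalName='$Listener'" -Authentication PacketPrivacy |
        Where-Object { $_.AccountName -eq $Group }
}

$account = Get-ListenerAccount
if (-not $account) {
    # Preset 0 (guest access) is the lowest of the three presets
    # (0 = guest, 1 = user, 2 = full control).
    $settings = Get-WmiObject -Namespace $Namespace -Class Win32_TSPermissionsSetting `
        -Filter "TerminalName='$Listener'" -Authentication PacketPrivacy
    $result = $settings.AddAccount($Group, 0)
    if ($result.ReturnValue -ne 0) { throw "AddAccount failed: $($result.ReturnValue)" }
    $account = Get-ListenerAccount
}

foreach ($name in $Rights.Keys) {
    # Second argument $true = allow the right ($false would remove it).
    $result = $account.ModifyPermissions($Rights[$name], $true)
    if ($result.ReturnValue -ne 0) {
        throw "ModifyPermissions($name) failed: $($result.ReturnValue)"
    }
}

# Review every entry on the listener so that unexpected Full Control
# grants left over from earlier testing stand out.
Get-WmiObject -Namespace $Namespace -Class Win32_TSAccount `
    -Filter "TerminalName='$Listener'" -Authentication PacketPrivacy |
    Select-Object AccountName, PermissionsAllowed, PermissionsDenied |
    Format-Table -AutoSize
```

As noted in the thread, the change applies to sessions created after the permission is set.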
intuitivesolutions Author Commented:
That worked, I guess it only applies to new users.

Thank you so much for all the info
0
Rizzle Commented:
No problem my friend :)
0