Solved

Allow non-admin user to log off terminal sessions

Posted on 2014-10-10
19
596 Views
Last Modified: 2014-10-13
Hi,

I have a 2008 environment and I want to give some users rights to log of users from the terminal servers without giving them admin rights.

I found an article that stated the following solutions:
"To grant the user right to finish sessions for terminal server. You have to open Terminal Server configurations - Connections - Select RSP-TCP - Rigth Click - Properties - Security and modify the security as you require."

I can't seem to find this setting, nor do i know if this is an actual solution to my problem.

Any way to do this from group policy?
0
Comment
Question by:intuitivesolutions
  • 11
  • 8
19 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40373851
Hi,

There sounds like a risk involved with this, if a user genuinely is working and then a user remotes on and then choses to log them off whilst working that shows a potential risk. Also why do you want to implement this?
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374032
If you want to implement this due to the lack of TS Cal licenses you have available I would strongly recommend a purchase of licenses rather than implement something like this as this is not best practice in any environment.
0
 

Author Comment

by:intuitivesolutions
ID: 40374084
Roshan, sorry I don't think you understand my questions.  

Its not a security issue, because I want certain users to have the ability to log off users for technical purposes.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374100
If its for Technical Purposes then thats fine. Does this help at all?  
http://technet.microsoft.com/en-us/library/cc755252.aspx
0
 

Author Comment

by:intuitivesolutions
ID: 40374119
Roshan,

Sorry, but that doesn't help. Please ready my question again. I'm not asking how to log off a users, I'm asking how to give non-admin users RIGHTS to log off users.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374135
Right okay got it now.

You can use the commands Query session y logoff to finish sessions in command line.

As you said above:
"To grant the user right to finish sessions for terminal server. You have to open Terminal Server configurations - Connections - Select RSP-TCP - RightClick - Properties - Security and modify the security as you require."

You can only give the user the right to log off sessions in advanced button.

I believe Terminal Server configurations means Remote Desktop Session Manager.

To grant a group Full Control to the RDP-Tcp listener on a Server 2012 RDSH server you may open an administrator command prompt and enter the following command:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2
Alternatively if you have a Server 2008 R2 server you may use RD Session Host Configuration (tsconfig.msc) to connect to your Server 2012 RDSH server and modify the RDP-Tcp listener permissions that way.

After making a permission change you should log off any users that will be the target of a log off so that the change will take effect.  I have not tested to make sure that a non-admin user with Full Control still has the ability to log off other users under Server 2012 like they could under Server 2008 R2 and earlier.

Currently replicating this in my test lab now to ensure the correct result. Could you try it for me in the meantime?
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374188
Right,

attached is the screenshot of the above solution in my environment.

you open RDS Host Config then right click on RDP-TCP and you will get the below box you then click Security and then the advanced tab as stated above then you set the respective permissions in there.
RDSLab
0
 

Author Comment

by:intuitivesolutions
ID: 40377152
Hi Roshan,

Thank You for that screen shot. I got to that screen and added my user and gave them full permissions. When that user logs in and tries to log of another user it still says 'Access Denied.'
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377175
Can you post a screenshot of that permissions screen for me? Have you verified the permissions were whilst being logged in as a Domain Admin?
0
IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:intuitivesolutions
ID: 40377194
Attached the screenshot
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377250
Where is the screenshot?
0
 

Author Comment

by:intuitivesolutions
ID: 40377258
0
 

Author Comment

by:intuitivesolutions
ID: 40377537
Roshan, did you get my attachment?
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377712
Yes got it now, the user you;re trying to log off is it an admin? also is the user HD1 who needs to be able to log off sessions?
0
 

Author Comment

by:intuitivesolutions
ID: 40377716
HD1 is just a test user i created and I was trying to log of a non admin user.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40378041
Try giving HD1 just log off permissions.
0
 
LVL 13

Accepted Solution

by:
Rizzle earned 500 total points
ID: 40378134
One thing i've found is once you applied the permissions to the test account HD1, sessions created after that should be able to be logged by HD1

For example you apply the log off/full control permission to HD1 via the RDP-TCP Listener, you then log onto the server as HD2 and HD4, once HD1 attempts the connection HD1 should be able to log off one of those sessions.

this link should be able to explain in detail: https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5b57372-c815-4423-91ed-769261058326/logoff-other-tsusers-without-being-an-admin-in-w2k8-r2?forum=winserverTS
0
 

Author Comment

by:intuitivesolutions
ID: 40378228
That work, I guess it only applies to new users.

Thank You soo much for all the info
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40378233
No problem my friend :)
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
A safe way to clean winsxs folder from your windows server 2008 R2 editions
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will give a short introduction and overview of Backup Exec 2012 and how to navigate and perform basic functions. Click on the Backup Exec button in the upper left corner. From here, are global settings for the application such as conne…

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

21 Experts available now in Live!

Get 1:1 Help Now