Solved

Allow non-admin user to log off terminal sessions

Posted on 2014-10-10
Last Modified: 2014-10-13
Hi,

I have a 2008 environment and I want to give some users rights to log off users from the terminal servers without giving them admin rights.

I found an article that stated the following solutions:
"To grant the user right to finish sessions for terminal server. You have to open Terminal Server configurations - Connections - Select RDP-TCP - Right Click - Properties - Security and modify the security as you require."

I can't seem to find this setting, nor do I know if this is an actual solution to my problem.

Any way to do this from group policy?
Question by:intuitivesolutions
19 Comments
 
LVL 13

Expert Comment

by:Rizzle
ID: 40373851
Hi,

There sounds like a risk involved with this. If a user genuinely is working and then a user remotes on and then chooses to log them off whilst working, that shows a potential risk. Also, why do you want to implement this?
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374032
If you want to implement this due to the lack of TS CAL licenses you have available, I would strongly recommend a purchase of licenses rather than implementing something like this, as this is not best practice in any environment.
0
 

Author Comment

by:intuitivesolutions
ID: 40374084
Roshan, sorry I don't think you understand my questions.  

It's not a security issue, because I want certain users to have the ability to log off users for technical purposes.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374100
If it's for technical purposes then that's fine. Does this help at all?
http://technet.microsoft.com/en-us/library/cc755252.aspx
0
 

Author Comment

by:intuitivesolutions
ID: 40374119
Roshan,

Sorry, but that doesn't help. Please read my question again. I'm not asking how to log off a user, I'm asking how to give non-admin users RIGHTS to log off users.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374135
Right okay got it now.

You can use the commands query session and logoff to finish sessions from the command line.

As you said above:
"To grant the user right to finish sessions for terminal server. You have to open Terminal Server configurations - Connections - Select RDP-TCP - Right Click - Properties - Security and modify the security as you require."

You can only give the user the right to log off sessions via the Advanced button.

I believe Terminal Server configurations means Remote Desktop Session Manager.

To grant a group Full Control to the RDP-Tcp listener on a Server 2012 RDSH server you may open an administrator command prompt and enter the following command:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2

Alternatively, if you have a Server 2008 R2 server you may use RD Session Host Configuration (tsconfig.msc) to connect to your Server 2012 RDSH server and modify the RDP-Tcp listener permissions that way.

After making a permission change you should log off any users that will be the target of a log off so that the change will take effect.  I have not tested to make sure that a non-admin user with Full Control still has the ability to log off other users under Server 2012 like they could under Server 2008 R2 and earlier.

Currently replicating this in my test lab now to ensure the correct result. Could you try it for me in the meantime?
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40374188
Right,

Attached is the screenshot of the above solution in my environment.

You open RDS Host Config, then right-click on RDP-TCP and you will get the box below. You then click Security and then the Advanced tab as stated above, then you set the respective permissions in there.
[Screenshot: RDSLab]
0
 

Author Comment

by:intuitivesolutions
ID: 40377152
Hi Roshan,

Thank you for that screenshot. I got to that screen and added my user and gave them full permissions. When that user logs in and tries to log off another user it still says 'Access Denied.'
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377175
Can you post a screenshot of that permissions screen for me? Have you verified the permissions were whilst being logged in as a Domain Admin?
0
 

Author Comment

by:intuitivesolutions
ID: 40377194
Attached the screenshot
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377250
Where is the screenshot?
0
 

Author Comment

by:intuitivesolutions
ID: 40377258
0
 

Author Comment

by:intuitivesolutions
ID: 40377537
Roshan, did you get my attachment?
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40377712
Yes, got it now. The user you're trying to log off, is it an admin? Also, is the user HD1 the one who needs to be able to log off sessions?
0
 

Author Comment

by:intuitivesolutions
ID: 40377716
HD1 is just a test user I created and I was trying to log off a non-admin user.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40378041
Try giving HD1 just log off permissions.
0
 
LVL 13

Accepted Solution

by:
Rizzle earned 500 total points
ID: 40378134
One thing I've found is that once you applied the permissions to the test account HD1, sessions created after that should be able to be logged off by HD1.

For example, you apply the log off/full control permission to HD1 via the RDP-TCP listener, you then log onto the server as HD2 and HD4, and once HD1 attempts the connection HD1 should be able to log off one of those sessions.

This link should be able to explain in detail: https://social.technet.microsoft.com/Forums/windowsserver/en-US/c5b57372-c815-4423-91ed-769261058326/logoff-other-tsusers-without-being-an-admin-in-w2k8-r2?forum=winserverTS
0
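The listener change discussed in this thread, scripted so that the delegated group receives the "User Access" preset plus the single Logoff right instead of Full Control. This is an added example, not code from the thread or from Microsoft. The group name CONTOSO\HelpDesk-TS is a placeholder, and the numeric permission index is taken from Microsoft's Win32_TSAccount reference as noted in the comments. The thread only suggested trying Logoff on its own, so confirm the result in a lab, and remember that the change applies to sessions created after it is made.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the RD Session Host.
# 'CONTOSO\HelpDesk-TS' is a placeholder group name (assumption, not from the thread).
$ns       = 'root\CIMV2\TerminalServices'
$listener = 'RDP-Tcp'
$group    = 'CONTOSO\HelpDesk-TS'

function Get-ListenerAccount {
    # One Win32_TSAccount instance exists per account entry on each listener's ACL.
    Get-WmiObject -Namespace $ns -Class Win32_TSAccount |
        Where-Object { $_.TerminalName -eq $listener }
}

# 1. Record who already holds rights on the listener before changing anything.
Get-ListenerAccount |
    Select-Object AccountName,
        @{ n = 'Allowed'; e = { '0x{0:X}' -f $_.PermissionsAllowed } },
        @{ n = 'Denied';  e = { '0x{0:X}' -f $_.PermissionsDenied } } |
    Format-Table -AutoSize

# 2. Add the group with the "User Access" preset (1) rather than Full Control (2),
#    which is what the wmic command in the thread grants.
$entry = Get-ListenerAccount | Where-Object { $_.AccountName -eq $group }
if (-not $entry) {
    $perm = Get-WmiObject -Namespace $ns -Class Win32_TSPermissionsSetting |
        Where-Object { $_.TerminalName -eq $listener }
    $result = $perm.AddAccount($group, 1)
    if ($result.ReturnValue -ne 0) { throw "AddAccount failed: $($result.ReturnValue)" }
    $entry = Get-ListenerAccount | Where-Object { $_.AccountName -eq $group }
}

# 3. Allow only the Logoff right on top of the preset. Parameters are set by name
#    so the call does not depend on positional argument order.
#    Index 2 is listed as WINSTATION_LOGOFF in the Win32_TSAccount.ModifyPermissions
#    reference; check that reference for your OS version before relying on it.
$in = $entry.psbase.GetMethodParameters('ModifyPermissions')
$in.PermissionMask = 2
$in.Allow          = $true
$out = $entry.psbase.InvokeMethod('ModifyPermissions', $in, $null)
if ($out.ReturnValue -ne 0) { throw "ModifyPermissions failed: $($out.ReturnValue)" }

# 4. Read the entry back so the resulting mask can be reviewed and kept as a record.
Get-ListenerAccount | Where-Object { $_.AccountName -eq $group } |
    Select-Object AccountName, PermissionsAllowed, PermissionsDenied
```

Granting the right to a dedicated group rather than to individual users keeps the delegation reviewable through group membership.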
 

Author Comment

by:intuitivesolutions
ID: 40378228
That worked, I guess it only applies to new users.

Thank you so much for all the info.
0
 
LVL 13

Expert Comment

by:Rizzle
ID: 40378233
No problem my friend :)
0
