RDP-TCP Permissions in Server 2012 R2

I know that there is no MMC for RDSH in Server 2012 R2 Standard, and that I can issue permissions for non-admin users in the Help Desk group in the DISNEY domain to log off users from an RDP session by issuing this command on the RD server from an administrative command prompt:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "DISNEY\Help Desk",2


... and then rebooting the server to kill all existing sessions and update the permissions, but it does not work.

Are there any other ways I can get the Help Desk group the ability to end another user's RDP session?

Phil Davidson Commented:
Can you modify the Active Directory OU for the Help Desk group?  Could you set a short timeout for users?  Or does the solution need to be manual by the Help Desk?
highdell (Author) Commented:
Good idea, but no; the Help Desk group must be able to sign a user off his RDS session on demand.

I could modify an OU to delegate the ability for Help Desk users to log people off, yes, but I'm not sure how to do that or if it's even possible. They do have delegated access to reset passwords, but I've not seen logoff as a delegated right.
Phil Davidson Commented:
Can the HelpDesk people use this?

Find the session number with this (where DNSname is the name of the server):
QWINSTA /server:DNSname


Force the user off with this (where sessionID is the number found above):
LOGOFF sessionID /server:DNSname
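
The two steps above combined into one lookup, as an added PowerShell example that is not part of the original thread: it parses QWINSTA output (including disconnected sessions, whose SESSIONNAME column is blank) and emits the matching LOGOFF command. The function names, the sample output and the user names are constructed for illustration, and English column headers are assumed.

```powershell
# Constructed QWINSTA output for illustration (not captured from a real server).
$sample = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
 console                                     1  Conn
>rdp-tcp#0         jsmith                    2  Active
                   mjones                    3  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

# Hypothetical helper: turn QWINSTA text into objects.
function ConvertFrom-Qwinsta {
    param([string[]]$Lines)
    # The USERNAME column offset is read from the header (assumes English headers).
    $userCol = $Lines[0].IndexOf('USERNAME')
    if ($userCol -lt 1) { throw 'Unexpected QWINSTA header' }
    foreach ($line in ($Lines | Select-Object -Skip 1)) {
        # ID and STATE are always present, so anchor on them;
        # whatever sits to their left holds the two name columns.
        if ($line -match '^(?<left>.*?)\s+(?<id>\d+)\s+(?<state>[A-Za-z]+)') {
            $id = [int]$Matches.id
            $state = $Matches.state
            $left = $Matches.left.PadRight($userCol)
            [pscustomobject]@{
                # Index 0 is the '>' marker for the caller's own session, so skip it.
                SessionName = $left.Substring(1, $userCol - 1).Trim()
                UserName    = $left.Substring($userCol).Trim()
                Id          = $id
                State       = $state
            }
        }
    }
}

# Hypothetical helper: emit one LOGOFF command line per session owned by $UserName.
function Get-LogoffCommand {
    param([string[]]$QwinstaOutput, [string]$UserName, [string]$Server)
    $hits = @(ConvertFrom-Qwinsta $QwinstaOutput | Where-Object UserName -eq $UserName)
    if ($hits.Count -eq 0) { throw "No session found for '$UserName' on $Server" }
    $hits | ForEach-Object { "LOGOFF $($_.Id) /server:$Server" }
}

Get-LogoffCommand -QwinstaOutput $sample -UserName 'mjones' -Server 'DNSname'
```

Against a live server, pass the output of `QWINSTA /server:DNSname` instead of `$sample` and run the emitted line from an account that holds the logoff permission on the RD server.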


highdell (Author) Commented:
Well, it's not the best way to do it like you could in Server 2008, but I guess we have Microsoft to thank for that.

I got a little 3-step process down using the logoff command you suggested, which does the job perfectly.