Recently I had a challenge with delegating the permission to log off sessions to a group of users on an RDS solution based on 2012 R2, but without giving them local administrator permissions. Microsoft has removed the RDSH console in Windows Server 2012, which means we have no place to set permissions for the sessions on an RDSH based on 2012 or later. After quite a bit of research I found a solution.
Step 1: Assign permissions
Some googling led me here, where I found this command, which does the job if you replace "domain\group" with the correct values.
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2
Alternatively, if you have an existing 2008 R2 server, you can install the RSAT for RDSH, connect to the 2012 R2 session host and set the needed permissions there.
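To check the result of Step 1, the PowerShell audit below lists every account on the RDP-Tcp listener and flags full-control entries you did not expect. It is an added example, not part of the original post; the value 2 passed to AddAccount is the full-control preset, so the delegated group should show up here. Assumptions: it is run elevated on the session host, BUILTIN\Administrators still has its default full-control entry (used as the reference mask), and the $expectedFullControl list is adjusted to your environment.

```powershell
# Added example: audit the RDP-Tcp listener ACL after Step 1 (run elevated).
# Assumption: BUILTIN\Administrators (S-1-5-32-544) still holds its default
# full-control entry, so its mask is used as the reference for "full control".
$expectedFullControl = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'domain\group'    # placeholder from the post: the group delegated in Step 1
)

# Win32_TSAccount holds one entry per account on each listener's ACL.
$entries = Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' `
    -ClassName Win32_TSAccount -Filter "TerminalName='RDP-Tcp'"

$reference = $entries | Where-Object { $_.SID -eq 'S-1-5-32-544' } |
    Select-Object -First 1
if (-not $reference) {
    throw 'No Administrators entry on RDP-Tcp; cannot determine the full-control mask.'
}

$report = foreach ($e in $entries) {
    # Same allowed mask as Administrators means the account has full control.
    $isFull = ($e.PermissionsAllowed -eq $reference.PermissionsAllowed)
    $known  = ($expectedFullControl -contains $e.SID) -or
              ($expectedFullControl -contains $e.AccountName)
    [pscustomobject]@{
        Account     = $e.AccountName
        SID         = $e.SID
        Allowed     = '0x{0:X}' -f $e.PermissionsAllowed
        Denied      = '0x{0:X}' -f $e.PermissionsDenied
        FullControl = $isFull
        Unexpected  = ($isFull -and -not $known)
    }
}

$report | Sort-Object Unexpected -Descending | Format-Table -AutoSize

if ($report | Where-Object Unexpected) {
    Write-Warning 'Accounts outside the expected list hold full control on RDP-Tcp.'
}
```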
Step 2: Enable logoff
Now that the users have permission to log off sessions, they still can’t use Task Manager, because the options there are very limited when you’re not an administrator.
And PowerShell can’t query the RDS deployment without administrator rights, so for once I couldn’t use PowerShell to save the day.
However, we have command line tools to get the job done. To make this more user friendly I made a batch file and put it on the desktop for the delegated users. Here the user can list all sessions on the server and select which one to log off. It boils down to a combination of “query session” and “logoff” commands. This is the batch file, feel free to use if needed.
@ECHO OFF
REM List sessions and log off users
REM Written by Per-Torben Sørensen
:MENU
ECHO PRESS 1 or 2 to select your task, or 3 to EXIT.
ECHO 1 - List current sessions only
ECHO 2 - List and log off a session
ECHO 3 - EXIT
SET /P "T=Type 1, 2, or 3 then press ENTER: "
IF "%T%"=="1" GOTO LIST
IF "%T%"=="2" GOTO LOGOFF
IF "%T%"=="3" GOTO :EOF
GOTO MENU
:LIST
query session
GOTO MENU
:LOGOFF
query session
SET "ID="
SET /P "ID=Type the ID of the session to log off, or C to cancel: "
IF NOT DEFINED ID GOTO MENU
IF /I "%ID%"=="C" GOTO MENU
logoff %ID%
GOTO MENU