I have Remote Desktop Services running on Server 2012 R2. My timeout settings have been set to end a session 60 minutes after disconnection. This is good for all the users except one: that user's session has to be ended as soon as he is disconnected. I can't create another collection because I don't have a second session host.

I decided to create a super simple batch file that will force the user to log off such as this:

@ECHO off
logoff f

This, for some reason requires admin privileges and brings up the elevation prompt. So it's out of question at this point.

Then I created a powershell script such as this:

# Relaunch elevated if the script is not already running as an administrator
If (-NOT ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator"))
{
    $arguments = "& '" + $myinvocation.mycommand.definition + "'"
    Start-Process powershell -Verb runAs -ArgumentList $arguments
    Break
}

Import-Module RemoteDesktop
$name = [Environment]::UserName
# Find the current user's session in the deployment
$session = Get-RDUserSession | Where-Object -FilterScript {$_.UserName -eq $name}
# Invoke-RDUserLogoff expects the deployment-wide UnifiedSessionId, not the per-host SessionId
Invoke-RDUserLogoff -UnifiedSessionID $session.UnifiedSessionId -HostServer $session.HostServer -Force

Again, this requires administrator rights and will not work either. It works for admins but not for regular users.

Does anybody have an idea how I can accomplish this?

Colyn1337
user2629636

2 Answers


It turned out to be a lot simpler than I thought. Simply using and publishing "logoff.exe" under sys32 does the exact same job without the complexity of permissions.

user2629636

Couldn't you add this to the task scheduler with elevated privileges and then execute it when needed? Use an event ID that is triggered when the user disconnects from Terminal Services to run your script. That should execute after they disconnect, and because you can provide admin credentials to the task, it should run without triggering a UAC prompt.

Not sure what that event ID is, but I am sure there is something in the logs that records it, though you might have to enable logging.

MikeAWood
  • Event ID won't be specific to that user. – user2629636 Jan 16 '15 at 15:03
  • Wow, ok downvote awesome. Let me try to explain it again. The user isn't necessarily in the Event Log for my method. Simply filter your Get-RDSession command to filter for the user you want to log off, and for the session to be disconnected {$_.SessionState -eq 'STATE_DISCONNECTED'}. Even if the trigger fires when normal users log off, the PowerShell would ignore active sessions. It is the same script you have now, only add a filter for disconnected so if the user is logged in a second time or if they are connected, it doesn't log the disconnected session off. – MikeAWood Jan 16 '15 at 21:00
  • Sorry I did not want to downvote. I just can't take it back now. Also, running this as a scheduled job is simply a bad idea, sorry. – user2629636 Jan 17 '15 at 19:45
  • Well, it isn't a scheduled task, but rather an event-ID-driven task. Keep in mind the task scheduler can do things that aren't just timed, but rather triggered from other events (like logon, PC startup, events in the event log, etc.). So if you wanted to do something after they are disconnected, you'd need a trigger to do that. This is one way to make that happen. Most people overlook the power of Scheduled Tasks and assume it can only do things based on time. – MikeAWood Jan 18 '15 at 19:59
  • @user2629636 you can take it back. Just click the down vote button again. – Colyn1337 Jan 23 '15 at 21:49
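An added example (not from anyone in the thread) of the event-driven task MikeAWood describes: one script that registers itself as a task triggered by the session-disconnect event and, when the task fires, ends only the named user's disconnected session. Assumptions: the account names and the broker are placeholders, and the event ID (24, "session has been disconnected", in the LocalSessionManager/Operational log) is not stated in the thread but is the standard Windows event for this.

```powershell
# Logoff-Disconnected.ps1 (added example, not the poster's script)
#   Register once from an elevated prompt:
#     .\Logoff-Disconnected.ps1 -Register -TargetUser jdoe -RunAs CONTOSO\rds-task
#   The task then runs this same script as CONTOSO\rds-task, so the RDS user
#   never needs admin rights and never sees a UAC prompt.
param(
    [Parameter(Mandatory)] [string]$TargetUser,   # placeholder SAM name, as Get-RDUserSession reports it
    [string]$Broker = $env:COMPUTERNAME,           # RD Connection Broker FQDN (assumed: this host)
    [switch]$Register,
    [string]$RunAs                                 # admin account the task runs as (used with -Register)
)

if ($Register) {
    # Event ID 24 in this channel is the standard "session disconnected" event;
    # the thread itself does not name it. The XPath does not filter by user,
    # so the script below must do that.
    $channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$PSCommandPath`" " +
           "-TargetUser $TargetUser -Broker $Broker"
    # /RP * prompts for the password; /RL HIGHEST runs with the full admin token.
    schtasks /Create /F /TN "RDS-Logoff-$TargetUser" /SC ONEVENT /EC $channel `
        /MO "*[System[EventID=24]]" /TR $cmd /RU $RunAs /RP '*' /RL HIGHEST
    return
}

Import-Module RemoteDesktop

# Keep only sessions that are BOTH this user's AND disconnected. An active
# session (for example a second logon) is left alone, which is the filter
# the comment thread settles on.
$disconnected = Get-RDUserSession -ConnectionBroker $Broker |
    Where-Object { $_.UserName -eq $TargetUser -and
                   $_.SessionState -eq 'STATE_DISCONNECTED' }

foreach ($s in $disconnected) {
    # Record what is being ended so the task's actions can be audited.
    Write-Output ("{0:s} ending disconnected session {1} for {2} on {3}" -f
        (Get-Date), $s.UnifiedSessionId, $s.UserName, $s.HostServer)
    Invoke-RDUserLogoff -HostServer $s.HostServer -UnifiedSessionID $s.UnifiedSessionId -Force
}
```

Because the trigger fires for every disconnect on the host, the user and state filter is what keeps the task from touching anyone else's session.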