
We've built a rather large RemoteApp environment on 2012 R2, fully patched. Everything is working fine, so now comes the time to offshore and delegate tasks to the first line team.

We would like to be able to have our first line guys manage the sessions. If, for example, a session would hang (lost connection to the profile drive). They should be able to log off the session.

I've tried setting permissions like this on all servers:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "ADMIN\MyGroupWithPeopleManagingTheTS",2

But to no avail, they can't open Server Manager > Remote Desktop Services, because they can't connect to the RD Connection Brokers.

If they open up task manager and try logging off users there, they don't have the appropriate rights. This option is also not the best because it would require them to go and look on each server if the user is logged on there (auto load balanced across multiple servers and regions).

So, basically: How can members of a certain group log users off, without giving them admin permissions on the machine?

This is how I would do it on 2008, but the tools are no longer available: https://technet.microsoft.com/en-us/library/cc753032.aspx

Bart De Vos
    I'll be watching this as we never could figure it out. Giving users/groups permissions to remote-control/logoff/reset works fine on a per-server basis, but we could never get them to retrieve from broker. – pauska Jun 15 '15 at 10:06
  • This might be mad rumblings, but could you use something along these lines? http://blogs.technet.com/b/askds/archive/2012/08/02/windows-powershell-remoting-and-delegating-user-credentials.aspx and then use Get-RDUserSession -ConnectionBroker, and then use Invoke-RDUserLogoff once you have the details from the first command. – Drifter104 Jun 19 '15 at 16:55

2 Answers


Just an idea that needs more work:

What if you use a (power)shell script, run every n minutes as a scheduled task with admin privileges, to which you pass (for example using a text file put in a protected folder) the users to disconnect?

Or, more in general, a process, run with elevated privileges, with the only purpose of logging users off, which receives the users to disconnect as a parameter AND a way for members of a selected group to pass those parameter.

Silvio Massina

So, I actually got someone from MS involved with this. This was the response they gave me.

Hi Bart – the most probable way to support this scenario is to build PowerShell over the TS Cmdline tools and provide fine-grained access to log off sessions etc. using WMI.

  1. For a specific list of Cmdline tools that can be used, see here: https://technet.microsoft.com/en-us/library/cc753032.aspx
  2. For using WMI to grant permissions, see here: https://msdn.microsoft.com/en-us/library/aa383773(v=vs.85).aspx

So basically, it's not possible, run your own.

If I ever get round to finishing this, I'll update here.

Bart De Vos
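Putting Silvio's drop-folder idea together with the Get-RDUserSession / Invoke-RDUserLogoff route from the comments, here is an added example that is not from the question or either answer. The broker name, folder paths and ACL arrangement are assumptions: the first-line group only gets create/write rights on the drop folder, and the script runs as a scheduled task under an account that holds RDS administration rights, so nobody on first line needs admin on any session host.

```powershell
# Added example (not from the question or the answers): an elevated process
# whose only purpose is logging users off, driven by request files.
# Assumptions (hypothetical names): broker FQDN, folder paths and the audit
# log location are placeholders. First line can create files in $DropDir and
# nothing else; $AuditLog lives where only the task account can write.
Import-Module RemoteDesktop

$Broker      = 'rdcb01.corp.example'        # placeholder connection broker
$DropDir     = 'D:\LogoffRequests'          # first-line group: create/write only
$AuditLog    = 'D:\LogoffAudit\audit.log'   # task account only
$NamePattern = '^[A-Za-z0-9._-]{1,64}$'     # plain sAMAccountName, nothing else

function Write-Audit([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $AuditLog
}

# Each *.req file holds one user name per line; the file owner tells us who asked.
foreach ($request in Get-ChildItem -Path $DropDir -Filter '*.req' -File) {
    $requester = (Get-Acl -Path $request.FullName).Owner
    foreach ($line in Get-Content -Path $request.FullName) {
        $user = $line.Trim()
        if ($user -notmatch $NamePattern) {
            # Reject anything that is not a bare account name (no paths, no wildcards)
            Write-Audit "REJECT requester=$requester input='$user' (bad name)"
            continue
        }
        # Ask the broker, so the session is found whichever host it landed on
        $sessions = Get-RDUserSession -ConnectionBroker $Broker |
            Where-Object { $_.UserName -ieq $user }
        if (-not $sessions) {
            Write-Audit "NOSESSION requester=$requester user=$user"
            continue
        }
        foreach ($s in $sessions) {
            try {
                Invoke-RDUserLogoff -HostServer $s.HostServer `
                    -UnifiedSessionID $s.UnifiedSessionId -Force
                Write-Audit "LOGOFF requester=$requester user=$user host=$($s.HostServer) id=$($s.UnifiedSessionId)"
            } catch {
                Write-Audit "ERROR requester=$requester user=$user host=$($s.HostServer) $($_.Exception.Message)"
            }
        }
    }
    Remove-Item -Path $request.FullName -Force   # consume the request
}
```

Run it as a scheduled task every few minutes; the audit log is what you review, since the requester never touches the session hosts directly.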