Allow non-admins to manage RDS connection

I had a Server 2016 RDS server using a combination of Terminal Servers and RemoteApps, and we had a user that wanted the ability to log users off. The user in question was not a local admin on the server, so I created an AD group, added her, and ran the following command from an elevated prompt on the RDS server:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "anonit\USR-SEC-AllowRDSLogoff",2

Where anonit\USR-SEC-AllowRDSLogoff is the group that would have permission to log off users.

This ONLY takes effect once the accounts have logged in. E.g.: User1 is the kicker and User2 is the kickee. Once I've modified the server, User1 doesn't have permission to log User2 out until User2 has initiated a new logon session.
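A PowerShell version of the same change that also shows the listener's ACL before and after, so the grant can be verified. This is an added example, not the author's script. Per the AddAccount documentation linked in the references, preset 2 is WINSTATION_ALL_ACCESS, so the group receives full control of the RDP-Tcp listener rather than only the right to log users off. The helper name Get-ListenerAcl is made up for this example, and the comparison assumes Win32_TSAccount reports accounts in DOMAIN\name form.

```powershell
# Added example: run from an elevated PowerShell prompt on the RDS server.
# The group name is the one used in the post.
$Namespace = 'root/CIMV2/TerminalServices'
$Listener  = 'RDP-Tcp'
$Group     = 'anonit\USR-SEC-AllowRDSLogoff'

function Get-ListenerAcl {
    # One Win32_TSAccount instance exists per account on the listener's ACL.
    Get-CimInstance -Namespace $Namespace -ClassName Win32_TSAccount `
        -Filter "TerminalName='$Listener'" |
        Select-Object AccountName,
            @{ n = 'Allowed'; e = { '0x{0:X8}' -f $_.PermissionsAllowed } },
            @{ n = 'Denied';  e = { '0x{0:X8}' -f $_.PermissionsDenied } }
}

Write-Host "ACL on $Listener before the change:"
$before = Get-ListenerAcl
$before | Format-Table -AutoSize | Out-Host

# Assumes AccountName is reported as DOMAIN\name; -contains ignores case.
if ($before.AccountName -contains $Group) {
    Write-Host "$Group is already on the ACL; nothing to add."
} else {
    $setting = Get-CimInstance -Namespace $Namespace `
        -ClassName Win32_TSPermissionsSetting -Filter "TerminalName='$Listener'"
    # PermissionPreSet: 0 = guest access, 1 = user access, 2 = all access.
    $result = Invoke-CimMethod -InputObject $setting -MethodName AddAccount `
        -Arguments @{ AccountName = $Group; PermissionPreSet = [uint32]2 }
    if ($result.ReturnValue -ne 0) {
        throw "AddAccount failed with return value $($result.ReturnValue)"
    }
}

Write-Host "ACL on $Listener after the change:"
Get-ListenerAcl | Format-Table -AutoSize | Out-Host
```

Keep the before/after output with the change record; if the group later needs to be removed, its Win32_TSAccount instance exposes a Delete method.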

 

References:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753032(v=ws.11)?redirectedfrom=MSDN

https://social.technet.microsoft.com/Forums/en-US/0d119172-1100-4f9d-accd-e2504e5f4908/rds-2012-configure-permissions-for-remote-desktop-services-connections?forum=winserverTS

https://docs.microsoft.com/en-us/troubleshoot/windows-server/remote/add-user-services-rdp-permissions

https://docs.microsoft.com/en-us/windows/win32/termserv/win32-tspermissionssetting

https://docs.microsoft.com/en-us/windows/win32/termserv/win32-tspermissionssetting-addaccount (explains the magic number 2)