I had a server 2016 RDS server using a combination of Terminal Servers and remoteapps, and we had a user that wanted the ability to log users off. The user in question was not a local admin on the server, so I created an AD group, added her and ran the following command from an elevated prompt on the RDS Server:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName=”RDP-Tcp”) CALL AddAccount “anonit\USR-SEC-AllowRDSLogoff”,2
Where anonit\USR-SEC_AllowRDSLogoff is the group that would have permission to logoff users.
This ONLY takes affect once the accounts have logged in. eg: User1 is the kicker and User2 is the kickee. Once I’ve modified the server, User1 doesn’t have permission to log User2 out until User2 has initiated a new logon session.
https://docs.microsoft.com/en-us/windows/win32/termserv/win32-tspermissionssetting-addaccount (explains the magic number 2)