Delegate session management on RemoteApp 2012
We've built a rather large RemoteApp environment on 2012 R2, fully patched. Everything is working fine, so now comes the time to offshore and delegate tasks to the first line team.
We would like to be able to have our first line guys manage the sessions. If, for example, a session would hang (lost connection to the profile drive), they should be able to log off the session.
I've tried setting permissions like this on all servers:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "ADMIN\MyGroupWithPeopleManagingTheTS",2
But to no avail, they can't open Server Manager > Remote Desktop Services, because they can't connect to the RD Connection Brokers.
If they open up task manager and try logging off users there, they don't have the appropriate rights. This option is also not the best because it would require them to go and look on each server if the user is logged on there (auto load balanced across multiple servers and regions).
So, basically: How can members of a certain group log users off, without giving them admin permissions on the machine?
This is how I would do it on 2008, but the tools are no longer available:
https://technet.microsoft.com/en-us/library/cc753032.aspx
remote-desktop windows-server-2012-r2 remoteapp
asked Jun 15 '15 at 10:01
Bart De Vos
2
I'll be watching this as we never could figure it out. Giving users/groups permissions to remote-control/logoff/reset works fine on a per-server basis, but we could never get them to retrieve from broker.
– pauska
Jun 15 '15 at 10:06
This might be mad rumblings. Could you use something along these lines? blogs.technet.com/b/askds/archive/2012/08/02/… and then use the get-rdusersession -connectionbroker and then use Invoke-RDUserLogoff once you have the details from the first command
– Drifter104
Jun 19 '15 at 16:55
2 Answers
Just an idea that needs more work:
What if you use a (power)shell script, run every n minutes as a scheduled task with admin privileges, to which you pass (for example using a text file put in a protected folder) the users to disconnect?
Or, more in general, a process, run with elevated privileges, with the only purpose of logging users off, which receives the users to disconnect as a parameter AND a way for members of a selected group to pass those parameters.
edited Jun 18 '15 at 21:32
answered Jun 18 '15 at 20:05
Silvio Massina
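One way to build the elevated worker this answer proposes, using the Get-RDUserSession and Invoke-RDUserLogoff cmdlets named in the comments above (an added example, not part of the original posts). The broker name, drop folder, protected-account list and event source are hypothetical, and the folder's NTFS ACL is assumed to let only the delegated group create files:

```powershell
#Requires -Modules RemoteDesktop
# Added example. Runs as a scheduled task under an account that may manage the
# RDS deployment. Every name below is a hypothetical placeholder.
$Broker      = 'rdcb01.example.local'   # RD Connection Broker (assumed name)
$DropFolder  = 'D:\LogoffRequests'      # NTFS ACL: only the delegated group may create files
$Protected   = @('Administrator', 'svc_rds')   # accounts never logged off this way
$MaxPerFile  = 10                       # cap per request to prevent mass logoff
$EventSource = 'DelegatedLogoff'        # register once: New-EventLog -LogName Application -Source DelegatedLogoff

function Write-Audit {
    param([string]$Message, [string]$EntryType = 'Information')
    Write-EventLog -LogName Application -Source $EventSource -EventId 1000 `
        -EntryType $EntryType -Message $Message
}

# One broker query per run covers every session host in the deployment.
$sessions = @(Get-RDUserSession -ConnectionBroker $Broker)

foreach ($file in Get-ChildItem -Path $DropFolder -Filter '*.txt' -File) {
    # File owner is recorded for the audit trail; authorization is the folder ACL.
    $requester = (Get-Acl -Path $file.FullName).Owner
    $lines = @(Get-Content -Path $file.FullName -TotalCount ($MaxPerFile + 1))
    Remove-Item -Path $file.FullName -Force    # each request is processed once

    if ($lines.Count -gt $MaxPerFile) {
        Write-Audit ('Rejected {0} from {1}: too many entries' -f $file.Name, $requester) 'Warning'
        continue
    }
    foreach ($line in $lines) {
        $name = $line.Trim()
        if (-not $name) { continue }
        # Treat the file as data only: allow a conservative subset of
        # sAMAccountName characters and never pass the text to Invoke-Expression.
        if ($name -notmatch '\A[A-Za-z0-9._-]{1,20}\z') {
            Write-Audit ('Rejected malformed entry from {0}' -f $requester) 'Warning'
            continue
        }
        if ($Protected -contains $name) {      # -contains ignores case
            Write-Audit ('Refused protected account {0} for {1}' -f $name, $requester) 'Warning'
            continue
        }
        $targets = @($sessions | Where-Object { $_.UserName -eq $name })
        if ($targets.Count -eq 0) { Write-Audit ('No session for {0} (asked by {1})' -f $name, $requester) }
        foreach ($s in $targets) {
            try {
                Invoke-RDUserLogoff -HostServer $s.HostServer `
                    -UnifiedSessionID $s.UnifiedSessionId -Force -ErrorAction Stop
                Write-Audit ('{0} logged off {1} on {2}' -f $requester, $name, $s.HostServer)
            } catch {
                Write-Audit ('Logoff of {0} on {1} failed: {2}' -f $name, $s.HostServer, $_) 'Error'
            }
        }
    }
}
```

Because the task consumes input written by less-privileged users, the allow-list pattern, the protected-account list and the per-file cap are what keep the drop folder from becoming a path to arbitrary actions under the task's account.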
So, I actually got someone from MS involved with this. This was the response they gave me.
Hi Bart – the most probable way to support this scenario is to build
powershell over the TS Cmdline tools and provide fine grained access
to log off sessions etc using WMI.
- For specific list of Cmdline tools that can be used – see here: https://technet.microsoft.com/en-us/library/cc753032.aspx
- For using WMI to grant permissions, see here: https://msdn.microsoft.com/en-us/library/aa383773(v=vs.85).aspx
So basically, it's not possible, run your own.
If I ever get round to finishing this, I'll update here.
answered Sep 12 '15 at 22:07
Bart De Vos