How to Give Users Rights to Log Off Other Users in Terminal Services
A customer asked me today whether it was possible to give a user (who was not an Administrator) permission to send messages to other users and log them off a Terminal Services server, without giving them full administrative rights.
Here’s how I enabled this.
Giving Permission to Send Message and Log Other Users Off A Terminal Services Server
To achieve this within an Active Directory environment (and in this case with a Windows 2003 Terminal Server, although it should work on earlier versions too) first create a new Security Group (imaginatively called “TerminalServicesAdmins” in this case) within the Active Directory Users and Computers Snap-In. Then add the user or users who you want to have the enhanced privileges to this group.
Next, open the Terminal Services Configuration MMC. Select your RDP connection, right-click it, and select Properties. Move to the Permissions tab and select your new Security Group.
Click Advanced to show more detailed Permissions. Select your new Security Group again and click Edit.
Finally, give your group the additional “Logoff”, “Message” and “Disconnect” rights, as shown in the screenshot here.
Be aware that these new permissions only take hold once the currently logged on users log off and back on – that includes users not being given any new rights, but who are trying to be logged off by the new demi-Administrators!
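The same three rights can be granted from a script rather than through the MMC. The PowerShell below is an added example, not part of the original post: it assumes the Terminal Services WMI classes Win32_TSPermissionsSetting and Win32_TSAccount are available in the root\cimv2\TerminalServices namespace, that the listener has the default name RDP-Tcp, and it uses CONTOSO as a placeholder domain.

```powershell
# Added example; every name below is an assumption to adjust for your environment.
$Group    = 'CONTOSO\TerminalServicesAdmins'  # CONTOSO is a placeholder domain
$Listener = 'RDP-Tcp'                         # assumed default RDP listener name
$Ns       = 'root\cimv2\TerminalServices'     # assumed: Server 2008+ (2003 used root\cimv2)

# PermissionMask indexes accepted by Win32_TSAccount.ModifyPermissions
$Rights = @{ Logoff = 2; Message = 7; Disconnect = 9 }

function Get-ListenerAce {
    # Return the listener's permission entry for $Group, or nothing if absent.
    Get-WmiObject -Namespace $Ns -Class Win32_TSAccount -Filter "TerminalName='$Listener'" |
        Where-Object { $_.AccountName -eq $Group }
}

$ace = Get-ListenerAce
if (-not $ace) {
    # No entry yet: add the group with the "user access" preset.
    # PermissionPreSet: 0 = guest, 1 = user, 2 = full control (not wanted here).
    $setting = Get-WmiObject -Namespace $Ns -Class Win32_TSPermissionsSetting `
                             -Filter "TerminalName='$Listener'"
    $result  = $setting.AddAccount($Group, 1)
    if ($result.ReturnValue -ne 0) { throw "AddAccount failed: $($result.ReturnValue)" }
    $ace = Get-ListenerAce
}
if (-not $ace) { throw "No permission entry found for $Group on $Listener" }

foreach ($right in $Rights.GetEnumerator()) {
    # Second argument $true = allow the right for this account.
    $result = $ace.ModifyPermissions([uint32]$right.Value, $true)
    if ($result.ReturnValue -ne 0) {
        throw "Granting $($right.Key) failed: $($result.ReturnValue)"
    }
}

# Review step: list every account on the listener with its allowed/denied masks,
# so unexpected entries or a full-control grant stand out.
Get-WmiObject -Namespace $Ns -Class Win32_TSAccount -Filter "TerminalName='$Listener'" |
    Select-Object AccountName,
        @{ n = 'Allowed'; e = { '0x{0:X}' -f $_.PermissionsAllowed } },
        @{ n = 'Denied';  e = { '0x{0:X}' -f $_.PermissionsDenied } }
```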
Further Reading on RDP Permissions
There’s a good overview of RDP Permissions at Microsoft’s page on Remote Desktop Services Permissions.
Comments
8 thoughts on “How to Give Users Rights to Log Off Other Users in Terminal Services”
MOHIB SHETH
11TH JUNE 2012 06:43:07
Thanks. This tip came in handy today!!
RICHARD TUBB
11TH JUNE 2012 11:54:13
Mohib - you're welcome, thanks for letting me know!
JOAO
5TH APRIL 2015 07:17:55
Hi, I'd like to accomplish this on several machines, so I was wondering how to do it via GPO. Thanks,
RICHARD TUBB
13TH APRIL 2015 15:38:39
Joao - that's a good question. Perhaps one of our readers might suggest an approach to deploying this via GPO?
MINEX PATEL
27TH JULY 2018 10:17:51
That last link for - "There’s a good overview of RDP Permissions at Microsoft’s Help and Support Site here." No longer works, gives error message 'Page not found'
RICHARD TUBB
3RD AUGUST 2018 10:56:45
Minex -- Thanks for the heads-up. I've now fixed that link. I appreciate the feedback!
DAVID P GOLDSTEIN HELPDESK ANALYST
24TH NOVEMBER 2021 16:54:03
How to Giving users rights to log off other users in Terminal Services. Will this work on 2016 or 2019 Terminal Servers? Working the helpdesk, the server Administrator gave me permissions to log out users on our old 2008R2 Terminal Server. He was unable to figure out a way to give the help-desk team the same abilities on our 2016 and our new 2019 Terminal Server.
RICHARD TUBB
4TH DECEMBER 2021 08:16:15
David -- that's a good question. I'm unsure of the answer as I don't have access to a later version of Terminal Services to try this with. Perhaps you could let us know how you get on?