Non-Admin Users are unable to manage RDS 2012 R2 sessions

I've been trying to use a great script from the Gallery:
https://gallery.technet.microsoft.com/scriptcenter/Remotely-log-users-off-377c848d

It works great for me but I'm a Domain Admin.  I'm trying to enable my ERP admin as well as our help desk folks to manage user sessions.  We just want them to be able to send a message or log off a user(s).

Server Manager doesn't work because they get Access Denied on all of the hosts.

I understand the security but this defeats the purpose of having help desk staff when sys admins have to manage all facets of the RDS system.

Am I missing a setting or is this just not possible?

November 19th, 2014 9:48pm

I have the same problem..
2012 R2 RDS management is going to make me crazy.

Tech support of the ERP should have the same ability to manage users as with a 2008 R2 server.. That is a brilliant solution, that only admins of the RD farm are able to manage/see user sessions and log them off (again one by one, where you are unable to log off many users at once..)......

Which engineer proposed such a solution to MS?????




November 20th, 2014 8:10am


If you do not find any other solution, I solved such a task in another way:

1) Add the Remote Assistance feature

2) Add the helpdesk support group to Remote Assistants (local group on the RDSH servers)

3) Place a batch file on the helpdesk desktops with such a simple string inside

"msra /offerra ts1.bla.bla"

The only thing that creates a problem is when you have a farm of TS servers.. ) Then you have to add additional scripting, or simply create several batch files, one for every TS server.

For now, as I can see, the only alternative for remote management/connection to user sessions is adding the helpdesk to local admins on the RD Broker servers (by the way, you don't need to give administrator access on the TS servers themselves).

November 20th, 2014 12:50pm

Hi,

Please tell me more about your environment.  For example, some questions:

  • how many RDSH servers
  • how many collections
  • how many users
  • how many support or helpdesk users
  • do you only need support users to be able to log off/send messages, or do you need/want other functions as well

Thanks.

-TP

November 20th, 2014 1:44pm


About my case, planned usage:

5 RDSH + 2 RD HA Broker (including web, TSGW on each server)

up to 300-400 users, near 10 remote techs, 2 admins.

Functions: Log off/Remote control. Send message also preferred but less critical.

One more detail: I planned one collection for now. And as I understand, with one RD Broker (even with HA) there can be only one collection, right? Because for redirection on the broker we have to modify such a string (correct me if I am wrong):

HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\ClusterSettings
DefaultTsvUrl  tsv://VMResource.1.Virtualpool1
November 20th, 2014 3:52pm

Hi vinnikovsa,

The normal methods for connecting to a 2012 R2 RDS environment are to use RD Web Access, or Remote Resources, or RemoteApp and Desktop Connections or any other custom technique that uses the web feed.  This way the users will use rdp files that have the target collection embedded within them, be digitally signed using your certificate, and contain the latest settings you have configured for the deployment and collection.  You could also manually download the .rdp files from RD Web Access using a non-IE browser and distribute them to your users, but then if you make a change you will need to re-distribute the files.

This allows you to have a more dynamic environment whereby you can add/remove collections, publish/unpublish RemoteApps and Desktop as needed, change deployment and collection settings, etc., and the changes will be reflected automatically for your users.  For example, if you publish a new RemoteApp a couple of months from now it will automatically show up on each user's iPad or Mac or Android or Windows PC without additional work from the user.

An alternative to the above is to have users connect manually to the published FQDN for your brokers using Remote Desktop Connection.  To support this case you must have a default collection specified in the registry on each broker (as you referred to).  The downside is there can only be one default collection and it is more work when you want to make changes.

-TP

November 20th, 2014 4:08pm

Hello TP,

thanks for comments, now I think I've got the main idea for future planning.

Sometimes it is just not so easy to use only published applications (when a user requires a set of applications from the RD server). I need to prepare our users/top management for this idea.

Can you please comment on the initial question: how to allow helpdesk users control of remote sessions/logging off other users/sending messages...?


P.S. My method (usage of Remote Assistance) is not the best option, because when you have 5 servers and 300 users, you have to check the servers one by one (because the user is unable to tell you on which server he is working).
November 21st, 2014 7:42am

Hi,

Please tell me more about your environment.  For example, some questions:

  • how many RDSH servers - 23
  • how many collections - 4
  • how many users - 500+
  • how many support or helpdesk users - 5
  • do you only need support users to be able to log off/send messages, or do you need/want other functions as well - Log Off / Send messages

Thanks.

-TP


November 24th, 2014 2:05pm

Love how an answer that has nothing to do with my OP is marked as the answer.  I need to know how to give less privileged accounts access to be able to log off users from 2012 R2 RDS Session Hosts.
December 1st, 2014 12:57pm

I haven't been able to find a way to delegate permissions either. However I'm thinking of doing something similar to the script you posted. I'm planning on building a simple interface for common help desk tasks and have the script run under a privileged service account. So the service account will be a farm administrator and have access to do what needs to be done, but because I'm using a custom interface, only certain helpdesk-centric functions will be exposed to the user. I haven't started yet, but that's the plan.
December 1st, 2014 3:29pm


As we have no other option, we made an executable that does something like RunAs of such a script (under another account that is local admin on the RD Broker and RDSH), which allows any user that has this executable to support our RD farm. We will keep the login/password and the script itself inside the compiled application.

I am not a programmer, so our programmers prepared such a simple application for our helpdesk team.

As this application is useless for others, I can attach only the prepared script with the 4 most used operations in our case (you can add additional choices for other variants); maybe it will be useful for somebody.

Details about usage:

Can be run from any farm member.

Simply type any of your RD brokers when it asks, and it will get and process all necessary information about users from all farm members.

https://www.dropbox.com/s/53fycptn8u6alzz/user-mngmt.ps1?dl=0

.............................

do {
    Write-Host "=================================================="
    Write-Host ""
    Write-Host "        Script for RDS 2012r2 user management     "
    Write-Host ""
    Write-Host "=================================================="
    Write-Host ""
    Write-Host "1. List user sessions"
    Write-Host "2. Log off ALL disconnected users"
    Write-Host "3. Log off selected user"
    Write-Host "4. Remote Control selected user"
    Write-Host "5. Exit"
    $choice = Read-Host "Select option"

    Switch ($choice)
    {
        "1" {
            $brokerID = Read-Host 'Please enter the name of remote RDS server (FQDN please)'
            # The broker knows the sessions of every RDSH in the deployment, so one query covers the farm
            Get-RDUserSession -ConnectionBroker $brokerID
            Read-Host "<<Press any key to continue>>"
        }
        "2" {
            $brokerID = Read-Host 'Please enter the name of remote RDS server (FQDN please)'
            $RDSessions = Get-RDUserSession -ConnectionBroker $brokerID | Where {$_.SessionState -eq "STATE_DISCONNECTED"}

            If(!$RDSessions) {
                Write-Host "No Disconnected users on this farm"
            }
            Else
            { #Start Loop
                Foreach ($RDSession in $RDSessions)
                {
                    Invoke-RDUserLogoff -UnifiedSessionID $RDSession.SessionID -HostServer $RDSession.HostServer -Force
                    Write-Host "The user" $RDSession.UserName "was logged off from" $RDSession.HostServer "server"
                } #End Loop
            } #End if
            Read-Host "<<Press any key to continue>>"
        }
        "3" {
            $brokerID = Read-Host 'Please enter the name of remote RDS server (FQDN please)'
            Get-RDUserSession -ConnectionBroker $brokerID
            $UserName = Read-Host 'Type UserName that you want to logoff'
            $userID_kill = Get-RDUserSession -ConnectionBroker $brokerID | Where {$_.UserName -eq $UserName}
            If(!$userID_kill) {
                Write-Host "No such user on the servers"
            }
            Else
            {
                # A user can have more than one session (e.g. on different hosts); log off each of them
                Foreach ($user in $userID_kill)
                {
                    Invoke-RDUserLogoff -UnifiedSessionID $user.SessionID -HostServer $user.HostServer -Force
                    Write-Host "The user" $user.UserName "was logged off from" $user.HostServer "server"
                }
            }
            Read-Host "<<Press any key to continue>>"
        }
        "4" {
            $brokerID = Read-Host 'Please enter the name of remote RDS server (FQDN please)'
            Get-RDUserSession -ConnectionBroker $brokerID
            $UserName = Read-Host 'Type UserName that you want to CONTROL'
            # Shadowing is one session at a time, so take the first match if the user has several
            $userID_control = Get-RDUserSession -ConnectionBroker $brokerID | Where {$_.UserName -eq $UserName} | Select-Object -First 1
            If(!$userID_control) {
                Write-Host "No such user on the servers"
            }
            Else
            {
                Write-Host "Building remote control connection"
                Write-Host "Server name" $userID_control.HostServer
                Write-Host "UserName" $userID_control.UserName
                Write-Host "SessionID" $userID_control.SessionId
                # /shadow needs the per-host session id of the RDSH named in HostServer
                mstsc "/v:$($userID_control.HostServer)" "/shadow:$($userID_control.SessionId)" /control
            }
            Read-Host "<<Press any key to continue>>"
        }
        "5" {Exit}
    }
    $repeat = Read-Host "Press 1 to repeat and any other key for EXIT"
}
while ($repeat -eq "1")



December 3rd, 2014 3:50pm

Hi,

I have a tool for this currently in development.  If you or anyone else would like to help with testing and provide feedback, please send an email to rdshelpdeskbeta@gmail.com and you will be contacted when the first public build is available.

Thanks.

-TP

December 3rd, 2014 4:04pm




I have an update.

Found another way that works for me:

1) Download this utility (RunAs with encryption)

_ttp://www.robotronic.de/guidance.html

2) Place this utility + PowerShell + the script on some network share where your helpdesk has only RO access.

3) Open the RunAs utility from the network share and create a .spc file with the path to the proposed script and PowerShell (all should be placed on this network share)

4) Create a batch file like this

"path to utility"\runasspc.exe /cryptfile:"path to crypt file" /quiet

and place it on the public desktop or somewhere else on the TS farm members (if you don't limit access to the share to the helpdesk only, then don't forget to set up read permissions on this file for the HELPDESK team only :) )



Don't forget to adjust Set-ExecutionPolicy; as we are running the script from a network share, it will ask more questions.
December 5th, 2014 11:50am

Hi,

I haven't tested it yet, but I assume we should be able to have a Helpdesk group, assign this group on the RDP-Tcp Security tab under the session host RDP-Tcp configuration with the required Logoff and Remote Control rights selected.  Let me know if this works for you!

Regards,

Simon


August 10th, 2015 11:36pm
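The following is an added example, not code from anyone in this thread and not Microsoft's. It implements Simon's proposal in PowerShell, since the 2012 R2 listener has no Security tab any more: the helpdesk group gets an ACE on the RDP-Tcp listener of each RD Session Host through the Win32_TSPermissionsSetting and Win32_TSAccount WMI classes (namespace root\CIMV2\TerminalServices), and the helpdesk then uses the per-host tools (quser, logoff, msg, mstsc /shadow) that honour those rights. Those tools talk to each RDSH directly and never to the Connection Broker, so they also answer the earlier complaint about not knowing which of the five servers a user is on. It does not make Get-RDUserSession or Invoke-RDUserLogoff work for non-admins; those still need admin on the RDCB. The group name CONTOSO\RDS-Helpdesk and the host names rdsh01/rdsh02 are assumptions, as is the exact set of WINSTATION_* rights granted; the Grant-* function must be run once by an administrator of the session hosts, because remote WMI needs admin.

```powershell
# Added example (not from the thread). Grants a helpdesk group per-host RDP-Tcp listener rights
# on each RD Session Host, then shows the helpdesk-side commands that work with those rights.
# Assumptions (not from the original post): group CONTOSO\RDS-Helpdesk, hosts rdsh01/rdsh02.

$HelpdeskGroup = 'CONTOSO\RDS-Helpdesk'                      # assumption
$SessionHosts  = 'rdsh01.contoso.com', 'rdsh02.contoso.com'  # assumption

# Win32_TSAccount.ModifyPermissions PermissionMask values (WINSTATION_* rights on the listener)
$Right = @{ Query = 0; Set = 1; Reset = 2; VirtualChannels = 3; RemoteControl = 4;
            Logon = 5; Logoff = 6; Message = 7; Connect = 8; Disconnect = 9 }

# --- one-time setup, run as an administrator of the session hosts ---
function Grant-RdpTcpHelpdeskRights {
    param([string]$ComputerName, [string]$Account)
    $wmi = @{ ComputerName = $ComputerName; Namespace = 'root\CIMV2\TerminalServices' }

    $listener = Get-WmiObject @wmi -Class Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"
    if (-not $listener) { throw "No RDP-Tcp listener found on $ComputerName" }

    $ace = Get-WmiObject @wmi -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
           Where-Object { $_.AccountName -eq $Account }
    if (-not $ace) {
        # Preset 1 = WINSTATION_USER_ACCESS (query/connect/message); 0 = guest, 2 = full control.
        # Start from the user preset and add only what the helpdesk needs, not full control.
        $r = $listener.AddAccount($Account, 1)
        if ($r.ReturnValue -ne 0) { throw "AddAccount failed on $ComputerName (code $($r.ReturnValue))" }
        $ace = Get-WmiObject @wmi -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'" |
               Where-Object { $_.AccountName -eq $Account }
    }

    # Log off, send message, remote control: what the thread asks for, and nothing else
    foreach ($mask in $Right.Query, $Right.Logoff, $Right.Reset, $Right.Message, $Right.RemoteControl) {
        $r = $ace.ModifyPermissions($mask, $true)
        if ($r.ReturnValue -ne 0) { throw "ModifyPermissions($mask) failed on $ComputerName (code $($r.ReturnValue))" }
    }
    # Return the resulting allow mask so the change can be reviewed per host
    [pscustomobject]@{ Host = $ComputerName; Account = $Account; PermissionsAllowed = $ace.PermissionsAllowed }
}

# --- helpdesk side: no broker involved, only the per-host listener rights granted above ---
function Find-UserSession {
    param([string[]]$Hosts, [string]$UserName)
    foreach ($h in $Hosts) {
        # quser columns: USERNAME SESSIONNAME ID STATE IDLE LOGON. A disconnected session has no
        # SESSIONNAME, so the numeric ID is the 2nd or the 3rd whitespace-separated field.
        $lines = quser "/server:$h" 2>$null | Select-Object -Skip 1
        foreach ($line in $lines) {
            $cols = ($line.Trim() -replace '^>', '') -split '\s+'
            if ($cols[0] -ne $UserName) { continue }
            $id = if ($cols[1] -match '^\d+$') { $cols[1] } else { $cols[2] }
            [pscustomobject]@{ Host = $h; User = $cols[0]; SessionId = [int]$id }
        }
    }
}

function Stop-UserSession    { param($Session) logoff "$($Session.SessionId)" "/server:$($Session.Host)" }
function Send-UserMessage    { param($Session, [string]$Text) msg "$($Session.SessionId)" "/server:$($Session.Host)" $Text }
function Start-SessionShadow { param($Session) mstsc "/v:$($Session.Host)" "/shadow:$($Session.SessionId)" /control }

# Usage (assumed names):
# foreach ($h in $SessionHosts) { Grant-RdpTcpHelpdeskRights -ComputerName $h -Account $HelpdeskGroup }   # once, as admin
# $s = Find-UserSession -Hosts $SessionHosts -UserName 'jdoe'                                              # as helpdesk
# $s | ForEach-Object { Send-UserMessage $_ 'Please save your work, you will be logged off in 5 minutes' }
# $s | ForEach-Object { Stop-UserSession $_ }
```

Two caveats before relying on this. The rights are per host, so the Grant-* step has to be repeated on every RDSH (and after every rebuild); keep the returned PermissionsAllowed values so drift can be spotted. And shadowing on 2012 R2 is also gated by the "Set rules for remote control of Remote Desktop Services user sessions" Group Policy setting, so verify on your own build that a non-admin member of the group can actually shadow before handing this to the helpdesk; logoff and msg are the parts that depend only on the listener ACE.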

Hello S1m0nB

First, in 2012 R2 there is no such tab.. it is possible to work with these settings only via PowerShell.

And second, we tested it: for all our operations it will not help from a management or permission perspective (for example, you have to have ADMIN access on the RDCB)

...

Write-Host "1. List user sessions"
Write-Host "2. Log off ALL disconnected users"
Write-Host "3. Log off selected user"
Write-Host "4. Remote Control selected user"

...

Anyway thanks for proposal, but it will not work.

Regards,

Sergii Vinnikov

August 11th, 2015 2:42am
