Delegate permissions Server 2012 R2 RDS environment RRS feed

  • Question

  • Fellow IT Pro's

    I've been asked to give a certain user permissions to logoff sessions on the session host server, and I'm unable to find the procedure of delegating this (these) permission(s) to this user (group).

    I can't imagine this not being able to configure, but I just can't find it.

    Thanks in advance.

    Ronald van Ackooij

    Monday, May 5, 2014 10:59 PM


All replies

  • Hi Ronald,

    Thank you for posting in Windows Server Forum.

    You can configure the permission for Remote Desktop Users group, add the user in that and then assign appropriate permission to logoff or perform any other activity by users.

    You can provide Full access control to that group and they will get rights to perform the task you want. Please check below link for more information.
    Configure Permissions for Remote Desktop Services Connections (For reference)

    Hope it helps!


    Dharmesh Solanki

    Thursday, May 8, 2014 2:07 AM
  • Sorry for the late reply.

    I do not get the solution you are providing here. I'm specifically talking about a 2012 R2 server and I can't find the solution you are providing here. Even the Link you are providing is for 2008 R2 and the changes between the two platforms are huge.

    Please help me out some more detailed please.



    Monday, May 19, 2014 2:40 PM
  • since 2012 doesn't have that MMC console, this article is proposing to do it via WMI permission changes through Powershell:

    note that the article is for different permissions but the same concept applies for Logoff

    unfortunately there doesn't seem to be native Powershell commands for this which is odd, they all seem to be for collections

    we're all really missing that snap-in console...

    Tuesday, May 20, 2014 8:28 PM
  • Hi,

    You may use the below command in an administrator command prompt to grant a group full control (includes logoff) permissions to the RDP-Tcp listener:

    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName ="RDP-Tcp") CALL AddAccount "domain\group",2

    After making the above change you must log off / log on any target sessions that you wish the new permissions to apply to.  For example, if there are 10 users logged on when you make the change, only administrators will be able to log off the existing sessions.  Any new sessions that are created after making the change will be able to be logged off by the non-admin group you granted the rights to.


    Tuesday, May 20, 2014 8:39 PM
  • Hi Ronald,

    Any further update after TP and armin reply? 


    Dharmesh Solanki

    Wednesday, May 21, 2014 3:23 AM
  • I am looking for the same functionality.  The ability to delegate administrative tasks like Shadow, Log Off Sessions, Create Desktop Collections, Add Desktops to Collections.   I do not see this functionality.  Am I missing something?
    Thursday, May 29, 2014 2:40 PM