We've built a rather large RemoteApp environment on 2012 R2, fully patched. Everything is working fine, so now comes the time to offshore and delegate tasks to the first line team.
We would like to be able to have our first line guys manage the sessions. If, for example, a session hangs (lost connection to the profile drive), they should be able to log off the session.
I've tried setting permissions like this on all servers:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "ADMIN\MyGroupWithPeopleManagingTheTS",2
But to no avail: they can't open Server Manager > Remote Desktop Services, because they can't connect to the RD Connection Brokers.
If they open up Task Manager and try logging off users there, they don't have the appropriate rights. This option is also not the best because it would require them to go and check on each server whether the user is logged on there (auto load balanced across multiple servers and regions).
So, basically: How can members of a certain group log users off, without giving them admin permissions on the machine?
This is how I would do it on 2008, but the tools are no longer available: https://technet.microsoft.com/en-us/library/cc753032.aspx
Just an idea that needs more work:
What if you use a (power)shell script, run every n minutes as a scheduled task with admin privileges, to which you pass (for example using a text file put in a protected folder) the users to disconnect?
Or, more generally, a process, run with elevated privileges, whose only purpose is logging users off, which receives the users to disconnect as a parameter AND a way for members of a selected group to pass those parameters.
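One way to flesh that idea out, as an added PowerShell example that is not from this thread: a scheduled-task script that drains a queue file and logs off the listed users through the RD Connection Broker (Get-RDUserSession / Invoke-RDUserLogoff from the RemoteDesktop module), so nobody has to check each session host. The broker name, queue path and audit log path are assumptions; the first line group only needs Modify rights on the queue file, and the task runs under an account that is an administrator on the broker and session hosts.

```powershell
# Added example (not from the thread). Assumed layout:
#   $Broker   - active RD Connection Broker FQDN
#   $Queue    - text file, one DOMAIN\user per line; first line group: Modify
#   $AuditLog - writable by the task's service account only
# Whoever can write to the queue can log off anyone in the deployment, so the
# queue folder ACL and the audit log are the actual access control here.
Import-Module RemoteDesktop

$Broker   = 'rdcb01.corp.example'
$Queue    = 'C:\RDLogoffQueue\queue.txt'
$AuditLog = 'C:\RDLogoffQueue\audit.log'

if (-not (Test-Path $Queue)) { return }

# Read the batch, then clear the file; requests added while we work are
# simply picked up on the next run instead of being lost.
$requests = Get-Content $Queue | Where-Object { $_.Trim() }
Clear-Content $Queue
if (-not $requests) { return }

# One broker query for the whole batch instead of touching every session host.
$sessions = Get-RDUserSession -ConnectionBroker $Broker

foreach ($line in $requests) {
    $stamp = Get-Date -Format o
    # Only DOMAIN\user is accepted; anything else is logged and ignored so a
    # typo or junk in the file never becomes an argument to anything.
    if ($line -match '^(?<dom>[A-Za-z0-9.-]+)\\(?<usr>[A-Za-z0-9._-]+)$') {
        $matching = $sessions | Where-Object {
            $_.DomainName -eq $Matches.dom -and $_.UserName -eq $Matches.usr
        }
    } else {
        Add-Content $AuditLog "$stamp REJECTED malformed request '$line'"
        continue
    }
    if (-not $matching) {
        Add-Content $AuditLog "$stamp NOSESSION $line"
        continue
    }
    foreach ($s in $matching) {
        try {
            # -Force skips the user prompt, which a hung session could never answer.
            Invoke-RDUserLogoff -HostServer $s.HostServer -UnifiedSessionID $s.UnifiedSessionId -Force
            Add-Content $AuditLog "$stamp LOGOFF $line on $($s.HostServer) session $($s.UnifiedSessionId)"
        } catch {
            Add-Content $AuditLog "$stamp FAILED $line on $($s.HostServer): $_"
        }
    }
}
```

Register it with Register-ScheduledTask on a short repetition interval under the service account; the first line team's only interface is appending a line to the queue file.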
So, I actually got someone from MS involved with this. This was the response they gave me.
So basically, it's not possible, run your own.
If I ever get round to finishing this, I'll update here.