


How To Grant Users Rights To Manage Services In Windows Server 2012

Windows Server 2012 Shadowing – Delegating Rights To Non-Admins

UPDATE: This script is now included in the free Remote Desktop Commander Lite utility. Click here for more details.

Ahh, nothing like the upheaval of how Windows Server 2012 shadowing works to put more grey in every RDS administrator's hair. Read this article on my corporate blog if you want to know all the sordid details, including how RDS shadowing was completely dropped in Windows Server 2012, only to be added back in Windows Server 2012 R2.

Most medium to larger shops running Microsoft Remote Desktop Services want the ability to delegate shadowing permissions to help desk technicians without granting those folks full admin rights. There are two ways (that I know of, at least) to do this:

  1. You can modify a WMI object programmatically on each Remote Desktop Session Host with a PowerShell script
  2. For even more granular adjustments, you can load an old copy of the Remote Desktop Session Host Configuration Tool (tsconfig.msc) on a Windows Server 2008 system joined to the same domain, and then connect to a Windows Server 2012 R2 system running the Remote Desktop Services role.

Approach 1 – Using PowerShell To Delegate Windows Server 2012 Shadowing Rights To Non-Admins

Here's the script I've written to perform this adjustment on Windows Server 2012 R2 Session Hosts. I've seen some examples on other blogs that reference how to do this for a specific domain group on a single session host, but I've expanded that concept so you can now pass a comma-delimited list of computer names (each one being a Server 2012 Session Host), and the script will walk the WMI object on each computer name and set the permissions for either a user account or group account that you supply when the script runs.

Server 2012 R2 Shadow Permissions Script Code

AddShadowingPerms.ps1

    param(
        [string]$RDServers
    )

    # Comma-delimited list of Session Host names
    $RDSArray = $RDServers -split ','
    $AccountToAdd = Read-Host("Please enter the user name or group name who needs permission to shadow users" + "`r`n" + "(Format:  DOMAIN\User or DOMAIN\Group)")

    foreach ($RDS in $RDSArray)
    {
        # Strip any double quotes around the host name
        $TempRDS = $RDS.replace("`"","")
        if($TempRDS)
        {
            # PacketPrivacy encrypts the remote WMI traffic
            $WMIHandles = Get-WmiObject -Class "Win32_TSPermissionsSetting" -Namespace "root\CIMV2\terminalservices" -ComputerName $TempRDS -Authentication PacketPrivacy -Impersonation Impersonate
            foreach($WMIHandle in $WMIHandles)
            {
                if($WMIHandle.TerminalName -eq "RDP-Tcp")
                {
                    # Permission preset 2 = full access on the RDP-Tcp listener
                    $retVal = $WMIHandle.AddAccount($AccountToAdd, 2)
                    $opstatus = "succeeded"
                    if($retVal.ReturnValue -eq 0)
                    {
                        $opstatus = "succeeded"
                    }
                    else
                    {
                        $opstatus = "failed"
                    }
                    Write-Host("The operation to grant shadowing permissions to " + $AccountToAdd + " on " + $TempRDS + " " + $opstatus + "`r`n")
                }
            }
        }
    }

Approach 2 – Using TSConfig.msc To Granularly Delegate Windows Server 2012 Shadowing Rights To Non-Admins

The one downside of using the above script is that it grants the account in question Full rights across all operations on the Remote Desktop Session Host server. This user (or group) can effectively log on, log off, connect, disconnect, send messages, shadow users, query session information on the server, and set/configure RDP information on that server.

However, if we load TSConfig.msc on a Windows Server 2008 system, and then connect to a Windows Server 2012 R2 RDSH box, we can apply a scalpel instead of a butter knife to delegate shadowing and other rights to help desk users. In fact, we can JUST give a user or group the right to shadow a session, with no other powers. Here's a series of screenshots that show how to do this:

1.)  Open up TSConfig.msc on a Windows 2008 server, and connect to your Windows Server 2012 R2 RDSH box.


2.)  Enter in the name of your Windows Server 2012 R2 box, and click 'OK' to connect to it.


3.)  Find the RDP-Tcp entry, right mouse click to show Properties, and then click Properties to bring up all configuration options.


4.)  Click on the Security tab to view the DACL (Discretionary Access Control List) for RDP-Tcp.  Click the Advanced button.


5.)  Add the user/group you want to add granular permissions for.  Click 'Edit' to view the detailed permissions you can grant in the DACL.  For shadowing, only the 'Remote Control' permission is required.


Finally, whether or not you run the PowerShell script or TSConfig.msc to adjust permissions, you may need to restart the Remote Desktop Session Hosts afterwards so that these new permissions will take effect.
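To check what either approach actually left on the RDP-Tcp listener, the following added example (not part of the original article or of Remote Desktop Commander) decodes the PermissionsAllowed mask of Win32_TSAccount entries and flags accounts that hold full control rather than shadowing alone. The function name Get-ShadowGrantReport and the CONTOSO sample rows are assumptions made for illustration; the bit values are the WINSTATION_* access rights from the Windows SDK.

```powershell
# Added example: decode Win32_TSAccount permission masks so over-broad grants stand out.
# Bit values are the WINSTATION_* access rights (Windows SDK, winsta.h).
$WinStationRights = [ordered]@{
    Query      = 0x001
    Set        = 0x002
    Reset      = 0x004
    Virtual    = 0x008
    Shadow     = 0x010   # shown as 'Remote Control' in TSConfig.msc
    Logon      = 0x020
    Logoff     = 0x040
    Message    = 0x080
    Connect    = 0x100
    Disconnect = 0x200
}
$AllAccess = 0xF03FF     # WINSTATION_ALL_ACCESS, the result of AddAccount preset 2

function Get-ShadowGrantReport {   # hypothetical helper name
    param([Parameter(ValueFromPipeline = $true)] $Account)
    process {
        $mask = [uint32]$Account.PermissionsAllowed
        $granted = @(foreach ($name in $WinStationRights.Keys) {
            if ($mask -band $WinStationRights[$name]) { $name }
        })
        $canShadow = [bool]($mask -band $WinStationRights.Shadow)
        if (($mask -band $AllAccess) -eq $AllAccess) { $finding = 'FullControl' }
        elseif (-not $canShadow)                     { $finding = 'NoShadow' }
        elseif ($granted.Count -gt 1)                { $finding = 'ShadowPlusOther' }
        else                                         { $finding = 'ShadowOnly' }
        [pscustomobject]@{
            Account = $Account.AccountName
            Mask    = '0x{0:X}' -f $mask
            Rights  = $granted -join ','
            Finding = $finding
        }
    }
}

# Constructed sample rows shaped like Win32_TSAccount instances (not real output).
$sample = @(
    [pscustomobject]@{ AccountName = 'CONTOSO\HelpDesk';             PermissionsAllowed = 0xF03FF }
    [pscustomobject]@{ AccountName = 'CONTOSO\ShadowOnly';           PermissionsAllowed = 0x10 }
    [pscustomobject]@{ AccountName = 'BUILTIN\Remote Desktop Users'; PermissionsAllowed = 0x121 }
)
$sample | Get-ShadowGrantReport | Format-Table -AutoSize

# Live use against a session host, in the same namespace the script above writes to:
# Get-WmiObject -Class Win32_TSAccount -Namespace 'root\CIMV2\terminalservices' `
#     -Filter "TerminalName='RDP-Tcp'" -ComputerName RDSH01 -Authentication PacketPrivacy |
#     Get-ShadowGrantReport
```

RDSH01 in the commented live query is a placeholder host name; a help desk group reported as FullControl is the expected result of the preset used in Approach 1.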

Andy Milford is the CEO and Founder of RDPSoft, and is a Microsoft MVP in the Enterprise Mobility / Remote Desktop Services area. Prior to starting RDPSoft, Andy was the CEO and Founder of Dorian Software, a log management company acquired by Ipswitch in late 2009. He loves creating easy-to-use yet powerful software solutions for SMBs and emerging enterprise companies.


Source: https://purerds.org/remote-desktop-scripts/granting-shadowing-permissions-non-admins-windows-server-2012-r2/

Posted by: sanchezinviand92.blogspot.com
