Ending user processes as a non-admin user

Guest

Hi

For our IT department we would like the helpdesk guy to be able to end processes of users on our terminal servers. This can be done by Terminal Services Manager and by adding the helpdesk account to the domain admins group.

My problem is that the helpdesk guy is not allowed to be a domain admin anymore. Now he is unable to end the processes.

What specific right should I grant the helpdesk account to be able to end the processes again?

I searched on the internet for a solution but I couldn't find one yet; maybe I searched the wrong way. I also posted this question on other newsgroups. Most responses are: "make the user domain admin". Like I said, this is no option.

Help would be great. Maybe somebody knows of relevant documentation on the MS site.

Kind Regards
Wozzi
 
Guest

Hi Vera

Done that already. The helpdesk needs to be able to reset and log off users, and this can be acquired by specifying user rights on the permissions tab of the terminal server configuration. This is what you mean?

This is not a solution for the problem, but thanks anyway; of course I appreciate your reply.

Can you help me further?

Regards
Wozzie
 
Vera Noest [MVP]

Can you explain why this isn't a solution to your problem?
If you give the helpdesk personnel the logoff and reset permission,
doesn't that fix your problem?
 
Guest

Sorry for the late response! I was busy and I actually forgot to check your reply. I hope you take one more look for my response, otherwise I am typing for no cause right now ;)

Before I looked at the possibility to end users' processes, I wanted to make sure the helpdesk was able to log off TS users. This is done by specifying permissions on the TS, like you also said.

I gave the helpdesk full control.

Now when I log on as the helpdesk, through Task Manager there is no way to "show processes of all users", and through Terminal Services Manager I do not see the user processes, only my own and those from the system.

Maybe you know some docs about this subject from Microsoft? I searched on Google etc. but I cannot find the right stuff.

Thanks again for your attention so far.

Greetz
Wozzi
 
Vera Noest [MVP]

No problem about the delay, I'm still here... :)
Yes, you have to be an administrator to see other users' processes
in Task Manager (it might be possible when you are Power User
also, can't check at the moment).
But do you want the helpdesk to kill individual processes that the
users are running within their sessions, or do you want them to
be able to logoff the complete session? Can't they see the user
sessions in TS Manager, and log the sessions off when given Full
Control on the rdp connection? Will check this tomorrow and get
back here if I find something more that must be done.
 
Guest

Thanks for having you back ;)

In Terminal Services Manager, on the right pane of the program window, there are 3 tabs: users, sessions, processes.

I gave the helpdesk account the permissions on the terminal server to: query information, set information, reset, remote control, logon, logoff, message, connect, disconnect, virtual channels.

On the users tab (in Terminal Services Manager) all users logged on the terminal server are visible for the helpdesk account. The helpdesk account is able to log off users, reset, remote control, etc.

However, on the processes tab (in Terminal Services Manager), the running processes of the users are not visible. Only the processes of the helpdesk account itself and the system processes. (The helpdesk account does see the process userinit.exe getting started/killed when a user logs on.)

OK, I could make the helpdesk account administrator but I don't want to. What I want is (are) specific right(s) to let a non-admin user end user processes on a terminal server.

I'll be waiting patiently for your reply.

Greetz
Wozzie
 
Vera Noest [MVP]

I can only confirm your findings. I thought that you wanted the
helpdesk to be able to reset and log off users. To see and kill
individual processes you need to be administrator. You might be able
to give your helpdesk a couple of specific permissions in the local
security policy, but then the effect will be more or less the same as
making them administrators to begin with.
Personally, I find that when a user has such severe problems within
their session that a process needs to be killed, I'd rather have them
restart the whole session (i.e. I log them off or reset their
session). But your environment may differ.
 
