Tag: Windows Server

Delegate “logoff” permission RDS 2012

Recently I had a challenge with delegating the permission to log off sessions to a group of users on an RDS solution based on 2012 R2, but without giving them local administrator permissions. Microsoft has removed the RDSH console in Windows Server 2012, which means we have no place to set permissions for the sessions on an RDSH based on 2012 or later. After quite a bit of research I found a solution.

Step 1: Assign permissions

Some googling led me here, where I found this command, which does the job if you replace "domain\group" with correct values.

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2

However if you have an existing 2008 R2 server you can install the RSAT for RDSH and connect to the 2012 R2 session host and set the needed permissions there.
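The trailing `2` in the `AddAccount` call is the `PermissionPreSet` value for full access (`WINSTATION_ALL_ACCESS`), so it is worth reading the listener ACL back after the change. The script below is an added example, not part of the original post; `CONTOSO\RDS-Helpdesk` and the `$expected` baseline are placeholder assumptions to replace with your own values.

```powershell
# Added example: read back the RDP-Tcp listener ACL and flag entries outside a baseline.
# Run elevated on the session host. For a remote host, add
#   -ComputerName <host> -Authentication PacketPrivacy
# to the Get-WmiObject call.

$ns = 'root\CIMV2\TerminalServices'

# Assumption: placeholder baseline; list the accounts you expect on the listener.
$expected = @(
    'NT AUTHORITY\SYSTEM',
    'BUILTIN\Administrators',
    'BUILTIN\Remote Desktop Users',
    'CONTOSO\RDS-Helpdesk'          # the delegated group from Step 1
)

# Win32_TSAccount exposes one instance per account on each listener's ACL.
$entries = Get-WmiObject -Namespace $ns -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'"

$report = foreach ($e in $entries) {
    [pscustomobject]@{
        Account    = $e.AccountName
        Allowed    = '0x{0:X}' -f $e.PermissionsAllowed   # raw allow mask
        Denied     = '0x{0:X}' -f $e.PermissionsDenied    # raw deny mask
        InBaseline = $expected -contains $e.AccountName   # case-insensitive match
    }
}

$report | Sort-Object InBaseline, Account | Format-Table -AutoSize

# Anything not in the baseline deserves a look before it is trusted.
$unexpected = @($report | Where-Object { -not $_.InBaseline })
if ($unexpected.Count -gt 0) {
    Write-Warning ('Accounts on the RDP-Tcp ACL outside the baseline: ' +
                   (($unexpected | ForEach-Object { $_.Account }) -join ', '))
}
```

Running it on a schedule and comparing the output over time shows when someone else adds an account to the listener.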


Step 2: Enable logoff

Now that the users have permission to log off sessions, they still can’t use Task Manager because the options there are very limited when you’re not an administrator.

And PowerShell can’t query the RDS deployment without administrator rights, so for once I couldn’t use PowerShell to save the day.

However we have command line tools to get the job done. To make this more user friendly I made a batch-file and put it on the desktop for the delegated users. Here the user can list all sessions on the server and select which one to logoff. It boils down to a combination of “query session” and “logoff” commands. This is the batch file, feel free to use if needed.

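@echo off
REM List sessions and log off users
REM Written by Per-Torben Sørensen
:MENU
ECHO ...........................................
ECHO PRESS 1 or 2 to select your task, or 3 to EXIT.
ECHO ...........................................
ECHO 1 - List current sessions only
ECHO 2 - List and log off a session
SET "T="
SET /P T="Type 1, 2, or 3 then press ENTER: "
IF "%T%"=="1" GOTO LIST
IF "%T%"=="2" GOTO LOGOFF
IF "%T%"=="3" GOTO :EOF
GOTO MENU
:LIST
query session
GOTO MENU
:LOGOFF
query session
SET "ID="
SET /P ID="Type the ID of the session to log off, or C to cancel: "
IF /I "%ID%"=="C" GOTO MENU
IF "%ID%"=="" GOTO MENU
logoff %ID%
GOTO MENU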


IPconfig is blank (Windows IP Configuration)

Recently I found that a server had lost its IP configuration, or so it seemed.

When running the ipconfig command, the only output is this line:
Windows IP Configuration

All info about IP addresses, netmask, gateways, DNS servers and everything else is gone.

I fixed this problem by restarting the TCP/IP Netbios Helper service.

In other blogs I have found that the same problem can be fixed by running the command:
netsh int ip reset
This command had no effect on my problem, but might help others.

Since this problem was recurring on my server, I created a scheduled task for restarting the service once per day. This completely mends the problem (at least so far).

Java security settings

Java 7u51 has been a headache so far with security settings, especially on a terminal server. I needed to adjust the security settings for Java for all users on the terminal server and add a website (example.com) to the exception site list in Java.

The solution was to create 3 text files and place them all in the folder C:\Windows\Sun\Java\Deployment

filename: Deployment.config


filename: deployment.properties


filename: exception.sites


After these 3 text files are created, the new Java settings will take effect at next logon, and you can verify it by looking at the Security tab in the Java Control Panel.
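A script that writes the three files, as an added example: the file contents are not the author's own but use Oracle's documented deployment keys (`deployment.system.config`, `deployment.system.config.mandatory`, `deployment.user.security.exception.sites`), and `https://example.com` stands in for the real site. It only pins the exception site list and leaves the security level untouched.

```powershell
# Added example: create the system-wide Java deployment files (run elevated).
$dir = 'C:\Windows\Sun\Java\Deployment'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# Java properties files escape ':' as '\:' and use forward slashes in paths.
$files = @{
    # Points every JRE on the machine at the system-level deployment.properties.
    # mandatory=true makes Java refuse to start if that file cannot be loaded.
    'deployment.config' = @(
        'deployment.system.config=file\:C\:/Windows/Sun/Java/Deployment/deployment.properties'
        'deployment.system.config.mandatory=true'
    )
    # Redirects the per-user exception site list to one shared file.
    'deployment.properties' = @(
        'deployment.user.security.exception.sites=C\:/Windows/Sun/Java/Deployment/exception.sites'
    )
    # One URL per line, scheme included. Assumption: placeholder site from the post.
    'exception.sites' = @('https://example.com')
}

foreach ($name in $files.Keys) {
    Set-Content -Path (Join-Path $dir $name) -Value $files[$name] -Encoding ASCII
}

# On a terminal server, ordinary users must not be able to edit these files,
# otherwise they can add their own sites. List any non-admin write access.
foreach ($f in Get-ChildItem -Path $dir) {
    (Get-Acl -Path $f.FullName).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'Write|Modify|FullControl' -and
            $_.IdentityReference -notmatch 'Administrators|SYSTEM|TrustedInstaller'
        } |
        Select-Object @{ n = 'File'; e = { $f.Name } }, IdentityReference, FileSystemRights
}
```

No output from the last loop means only administrative principals can change the exception list.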

Delete old files from commandline

To quickly run a command (like delete) on files older than X days from the command prompt:

forfiles /p "C:\folder\Subfolder" /s /m *.* /d (Number of days) /c "cmd /c (command) @path"

Number of days has to be negative for days in the past (for example -30 for 30 days old). Replace “command” with the command you want to run (like del or echo).

Create a custom event with powershell

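To create an event without eventcreate.exe, which is limited to EventID below 1000, you can use PowerShell. { } indicates what you have to customize; then just run everything as admin from PowerShell.

$evt=new-object System.Diagnostics.Eventlog("{Application/System/etc..}")
# Source name shown on the event; it is registered on first use, which needs admin rights
$evt.Source="{source name}"
$evtNumber={EVENT ID}
$evtDescription="{write a description}"
$evt.WriteEntry($evtDescription,[System.Diagnostics.EventLogEntryType]::{Information/Warning/Error},$evtNumber)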



How to find locked out users by using PowerShell

To retrieve a list of locked-out users in Active Directory, use these PowerShell commands:

1. Start PowerShell on one of your domain controllers
2. Import the AD module: “Import-Module ActiveDirectory”
3. Search for locked users: “Search-ADAccount -LockedOut | select name”
4. Unlock users: “Search-ADAccount -LockedOut | Unlock-ADAccount -Confirm”

If step 4 fails, unlock users manually from ADUC.


AD: Get lists of users and computers that are not in use

Here I have listed some PowerShell commands to get lists of users that have never logged in to your domain, and one line to get a list of computers that have not logged in within a time span of 365 days.

I run these PowerShell commands in Windows PowerShell ISE, a nice little program that’s included in Windows Server (add feature). When you use PowerShell ISE you need to import the Active Directory cmdlets by running “Import-Module ActiveDirectory”.

# Import the ActiveDirectory cmdlets
Import-Module ActiveDirectory

# List enabled Active Directory users that have never logged in
# (including built-in users)
get-aduser -f {-not ( lastlogontimestamp -like "*") -and (enabled -eq $true)} | select name

# List Active Directory computers that have not logged in
# within the time span (-TimeSpan 365.00:00:00 is 365 days)
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00 | select name | sort-object name
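An empty `lastLogonTimestamp` also matches accounts created yesterday, and the attribute is only refreshed when the stored value is roughly 9 to 14 days old, so the raw lists need account age and dates beside each name before anyone acts on them. The report below is an added example, not part of the original post; it changes nothing in AD, and the 30-day minimum age and the CSV file names are assumptions.

```powershell
# Added example: review report for unused accounts (read-only, makes no changes).
Import-Module ActiveDirectory

$minAgeDays   = 30     # assumption: ignore accounts younger than this
$inactiveDays = 365    # same window as the computer query above
$createdLimit = (Get-Date).AddDays(-$minAgeDays)

# Enabled users with no lastLogonTimestamp that are old enough to be worth a look.
# PasswordLastSet helps separate "provisioned and forgotten" from service accounts.
$neverUsed = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties lastLogonTimestamp, whenCreated, PasswordLastSet |
    Where-Object { -not $_.lastLogonTimestamp -and $_.whenCreated -lt $createdLimit } |
    Select-Object Name, SamAccountName, whenCreated, PasswordLastSet, DistinguishedName

# Computers with no logon inside the window, with the date shown for review.
$staleComputers = Search-ADAccount -AccountInactive -ComputersOnly `
        -TimeSpan (New-TimeSpan -Days $inactiveDays) |
    Select-Object Name, Enabled, LastLogonDate, DistinguishedName

$neverUsed      | Sort-Object whenCreated   | Export-Csv .\never-logged-on-users.csv -NoTypeInformation
$staleComputers | Sort-Object LastLogonDate | Export-Csv .\inactive-computers.csv    -NoTypeInformation

'{0} users and {1} computers written for review' -f @($neverUsed).Count, @($staleComputers).Count
```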

Resize disk in Windows Server 2003

To extend a disk in Windows 2003, use diskpart.

To use Diskpart.exe, follow these steps:

  1. Open a command prompt by going to Start | Run.
  2. Enter diskpart in the Open text box, and press [Enter].
  3. At the DISKPART prompt, enter list volume. Listing A provides an example of the results.
  4. Enter select volume x, where x is the volume number listed that you want to expand.
  5. Enter extend, and press [Enter].

When you’re finished, use the Disk Management snap-in to check out your new volume. It should now take up the rest of the available space on the device.

Install Nagios NRPE client on Windows

Download the client from http://nsclient.org/nscp/downloads (choose the *.zip file) and extract it to c:\program files\%foldername%

Install the service from cmd:

"c:\program files\nsclient++-0.3.9-x64\nsclient++.exe" /install

Service NSClientpp installed…
NSClient++.cpp(233) Service installed!

then start the service with net start from cmd:

net start nsclientpp

The NSClientpp (Nagios) 2011-07-04 x64 service is starting.
The NSClientpp (Nagios) 2011-07-04 x64 service was started successfully.