Terminal Services Admin only for specific users

Is there a way to allow a user access to tsadmin, but only to remote in on certain users? For example: The user is mgr of our billing department and has 3 team members in remote locations. I would like for her to be able to remote in the team member's sessions but no one else. Is this possible?


Solution 1:

There isn't granularity in the access control system to do what you're looking for in a way that would be configurable very easily.

Permission to perform "Remote Control" is granted based on permissions set on the "RDP Listener" object. You could create an RDP Listener with permissions as you describe (allowing "Remote Control" for certain groups) but, as far as I know, you would need to have one NIC per listener that you create (because multiple listeners can't be bound to the same NIC). It might be possible to have multiple listeners on the same NIC running on different TCP port numbers I'm not seeing a way in the stock user interface to do that.