diff --git a/deploy/crds/vms-crd.yaml b/deploy/crds/vms-crd.yaml
index 9d7bbb8..7b46dc7 100644
--- a/deploy/crds/vms-crd.yaml
+++ b/deploy/crds/vms-crd.yaml
@@ -994,6 +994,10 @@ spec:
                   type: array
                   description: >-
                     Defines permissions for accessing and manipulating the VM.
+                    The meaning of most permissions should be obvious. The
+                    difference between "accessConsole" and "takeConsole" is
+                    that "takeConsole" allows the user to take control of
+                    the console even if it is already in use by another user.
                   items:
                     type: object
                     description: >-
@@ -1017,6 +1021,7 @@ spec:
                           - stop
                           - reset
                           - accessConsole
+                          - takeConsole
                           - "*"
                         default: []
                 pools:
diff --git a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
index da639f4..f577d28 100644
--- a/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
+++ b/org.jdrupes.vmoperator.common/src/org/jdrupes/vmoperator/common/VmDefinition.java
@@ -65,7 +65,7 @@ public class VmDefinition {
      */
     public enum Permission {
         START("start"), STOP("stop"), RESET("reset"),
-        ACCESS_CONSOLE("accessConsole");
+        ACCESS_CONSOLE("accessConsole"), TAKE_CONSOLE("takeConsole");
 
         @SuppressWarnings("PMD.UseConcurrentHashMap")
         private static Map<String, Permission> reprs = new HashMap<>();
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
index 6305a4b..8f4051e 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n.properties
@@ -5,4 +5,5 @@ okayLabel = Apply and Close
 confirmResetTitle = Confirm reset
 confirmResetMsg = Resetting the VM may cause loss of data. \
   Please confirm to continue.
+consoleTakenNotification = Console access is locked by another user.
 poolEmptyNotification = No VM available. Please consult your administrator.
diff --git a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
index dbd3b11..e51eb5e 100644
--- a/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
+++ b/org.jdrupes.vmoperator.vmaccess/resources/org/jdrupes/vmoperator/vmaccess/l10n_de.properties
@@ -11,6 +11,7 @@ Open\ console = Konsole anzeigen
 confirmResetTitle = Zurücksetzen bestätigen
 confirmResetMsg = Zurücksetzen der VM kann zu Datenverlust führen. \
   Bitte bestätigen um fortzufahren.
+consoleTakenNotification = Die Konsole wird von einem anderen Benutzer verwendet.
 poolEmptyNotification = Keine VM verfügbar. Wenden Sie sich bitte an den \
   Systemadministrator.
   
\ No newline at end of file
diff --git a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
index 5c72309..5f2d747 100644
--- a/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
+++ b/org.jdrupes.vmoperator.vmaccess/src/org/jdrupes/vmoperator/vmaccess/VmAccess.java
@@ -779,9 +779,19 @@ public class VmAccess extends FreeMarkerConlet<VmAccess.ResourceModel> {
             }
             break;
         case "openConsole":
-            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)) {
-                var user = WebConsoleUtils.userFromSession(channel.session())
-                    .map(ConsoleUser::getName).orElse("");
+            var user = WebConsoleUtils.userFromSession(channel.session())
+                .map(ConsoleUser::getName).orElse("");
+            if (vmDef.conditionStatus("ConsoleConnected").orElse(false)
+                && vmDef.consoleUser().map(cu -> !cu.equals(user)
+                    && !perms.contains(VmDefinition.Permission.TAKE_CONSOLE))
+                    .orElse(false)) {
+                channel.respond(new DisplayNotification(
+                    resourceBundle.getString("consoleTakenNotification"),
+                    Map.of("autoClose", 5_000, "type", "Warning")));
+                return;
+            }
+            if (perms.contains(VmDefinition.Permission.ACCESS_CONSOLE)
+                || perms.contains(VmDefinition.Permission.TAKE_CONSOLE)) {
                 var pwQuery
                     = Event.onCompletion(new GetDisplayPassword(vmDef, user),
                         e -> openConsole(vmDef, channel, model,