Freigeben über


How to get the Terminal Service Account settings and Client Settings from the Terminal Server

You can use Win32_TSAccount And Win32_TSClientSetting WMI class to get the information but these classes returns some information in bit-wise operator and that needs to be convert in simple terms which are easily understandable to the user. Most of such scripts are used by the administrators in big organization and its really tough for them to interpret the bit-wise operator.

For example if I use Win32_TSAccount WMI class the direct output would be as follows

Terminal name: RDP-Tcp

Account name: BUILTIN\Administrators

Permissions allowed: 983999

I have written the script code to convert the bit-wise operator so that we can easily understand  the output. The output using the script would be as given below. (currently the script will output the same information into a file located on c: drive that takes the form of:
c:\ComputerInformation_23-3-2012-14-40-56.txt

********* Terminal Service Account settings **********

Terminal name: RDP-Tcp
Account name: NT AUTHORITY\SYSTEM
Permissions Mask ( Hexadecimal ): F03BF
Allowed:Full Control

Terminal name: RDP-Tcp
Account name: NT AUTHORITY\LOCAL SERVICE
Permissions Mask ( Hexadecimal ): F0089
Allowed:Virtual Channel + Special Permissions = Query Information + Message

Terminal name: RDP-Tcp
Account name: NT AUTHORITY\NETWORK SERVICE
Permissions Mask ( Hexadecimal ): 81
Allowed:Special Permissions = Query Information + Message

Terminal name: RDP-Tcp
Account name: BR549ROOT\FordP2
Permissions Mask ( Hexadecimal ): F03BF
Allowed:Full Control

Terminal name: RDP-Tcp
Account name: BR549ROOT\QI
Permissions Mask ( Hexadecimal ): 1
Allowed:Special Permissions = Query Information

Terminal name: RDP-Tcp
Account name: BR549ROOT\SI
Permissions Mask ( Hexadecimal ): 2
Allowed:Special Permissions = Set Information

Terminal name: RDP-Tcp
Account name: BR549ROOT\RC
Permissions Mask ( Hexadecimal ): 10
Allowed:Special Permissions = Remote Control

Terminal name: RDP-Tcp
Account name: BR549ROOT\LON
Permissions Mask ( Hexadecimal ): 20
Allowed:Guest Access

Terminal name: RDP-Tcp
Account name: BR549ROOT\LOFF
Permissions Mask ( Hexadecimal ): 4
Allowed:Special Permissions = Logoff

Terminal name: RDP-Tcp
Account name: BR549ROOT\msg
Permissions Mask ( Hexadecimal ): 80
Allowed:Special Permissions = Message

Terminal name: RDP-Tcp
Account name: BR549ROOT\con
Permissions Mask ( Hexadecimal ): 100
Allowed:Special Permissions = Connect

Terminal name: RDP-Tcp
Account name: BR549ROOT\discon
Permissions Mask ( Hexadecimal ): 200
Allowed:Special Permissions = Disconnect

Terminal name: RDP-Tcp
Account name: BR549ROOT\VC
Permissions Mask ( Hexadecimal ): F0008
Allowed:Virtual Channel

Terminal name: RDP-Tcp
Account name: BR549ROOT\useraccess
Permissions Mask ( Hexadecimal ): 121
Allowed:User Access & Guest Access

Terminal name: RDP-Tcp
Account name: BR549ROOT\GuestAccess
Permissions Mask ( Hexadecimal ): 20
Allowed:Guest Access

Terminal name: RDP-Tcp
Account name: BUILTIN\Administrators
Permissions Mask ( Hexadecimal ): F03BF
Allowed:Full Control

Terminal name: RDP-Tcp
Account name: BUILTIN\Remote Desktop Users
Permissions Mask ( Hexadecimal ): 121
Allowed:User Access & Guest Access

Terminal name: RDP-Tcp
Account name: NT AUTHORITY\INTERACTIVE
Permissions Mask ( Hexadecimal ): 1
Allowed:Special Permissions = Query Information

********* Client Settings from the Terminal server*************
0 - Enabled  1 - Disabled
For Default Client Printer 0 -Diabled 1 - Enabled

Drive mapping: 0
Windows printer mapping: 0
LPT port mapping: 0
COM port mapping: 0
Clipboard mapping: 0
Audio mapping: 1
Default to client printer: 1
*********************************

Script.

 '
 ' Permissions Constants
 '
 const FULL_CONTROL = &HF03BF        ' Full Control
 const USER_ACCESS = &H121           ' User Access ( includes Guest Access )
 const GUEST_ACCESS = &H20           ' Guest Access
 const WINSTATION_QUERY = 1          ' Query Informaiton
 const WINSTATION_SET = 2            ' Set Information
 const WINSTATION_LOGOFF = 4         ' Logoff
 const WINSTATION_SHADOW = &H10      ' Remote Control
 const WINSTATION_LOGON = &H20       ' Logon
 const WINSTATION_RESET = &H40       ' Reset, no an individual setting.
 const WINSTATION_MSG = &H80         ' Message
 const WINSTATION_CONNECT = &H100    ' Connect
 const WINSTATION_DISCONNECT = &H200 ' Disconnect
 const WINSTATION_VIRTUAL = &HF0008  ' Virtual Channel -  WINSTATION_VIRTUAL | STANDARD_RIGHTS_REQUIRED
 '==================================================
 ' Main script code.
 ' Helper functions are below
 '
 ' The Perms varialbe will be a dicitionary asscociating the permissions flags
 '  with a human readable string.  LoadPerms initializes the Perms colleciton.
 '
 dim Perms : set Perms = CreateObject("Scripting.Dictionary")
 Dim iOffset        'used for display only (left justifying displayed values)
 iOffset        = 20
 
 Dim fso,oFile,OutputFile,dateTime, objFolder,strFolder  
 Set dateTime = CreateObject("WbemScripting.SWbemDateTime")
 LoadPerms
 '
 ' Create the output file name, put it on drive C:\
 ' with a format simliar to the following path name:
 ' c:\ComputerInformation_23-3-2012-14-40-56.txt
 '
 strFolder="C:\"
 OutputFile="\" & "ComputerInformation_" & Day(Now()) & "-" & Month(Now()) & "-" & Year(Now()) & "-" & Hour(Now()) & "-" & Minute(Now()) & "-" & Second(Now()) & "." & "txt"
 '
 ' Get an FSO object
 '
 Set FSO = CreateObject("Scripting.FileSystemObject")
 Set oFile = FSO.CreateTextFile(strFolder & OutputFile, True)
 
 strComputer = "."
 '
 'For Server 2008 R2 use the following wmi namespace
 ' the namespace is different for 2003
 '
 Set objWMIService = GetObject("winmgmts:{authenticationLevel=pktPrivacy}!Root\CIMv2\TerminalServices")
 '
 'For server 2003
 'Set objWMIService = GetObject("winmgmts:" _
 '    & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
 '   
 Set colItems = objWMIService.ExecQuery("Select * from Win32_TSGeneralSetting")
 oFile.WriteLine("********* Terminal Service Account settings **********")
 oFile.WriteLine("")
 '
 ' Retreive all of the RDP accounts that are either, allowed or 
 ' denied access to this machine
 '
 Set colItems = objWMIService.ExecQuery("Select * from Win32_TSAccount")
 For Each objItem in colItems
    '
    ' Excluse the console sessions
    ' 
    If(objItem.TerminalName<>"Console") Then
      oFile.WriteLine "Terminal name: " & objItem.TerminalName
      ConvertToNTFSPerm objItem.PermissionsAllowed, oFile ,objItem.AccountName, TRUE
      ConvertToNTFSPerm objItem.PermissionsDenied, oFile ,objItem.AccountName, FALSE
    End If 
 Next
 oFile.WriteLine("********* Client Settings from the Terminal server*************")
 oFile.WriteLine ("0 - Enabled  1 - Disabled")
 oFile.WriteLine("For Default Client Printer 0 -Diabled 1 - Enabled")
 oFile.WriteLine("")
 set colItems = objWMIService.ExecQuery("Select * from Win32_TSClientSetting")
 For Each objItem in colItems 
     oFile.WriteLine "Drive mapping: " & objItem.DriveMapping 
     oFile.WriteLine "Windows printer mapping: " & objItem.WindowsPrinterMapping
     oFile.WriteLine "LPT port mapping: " & objItem.LPTPortMapping
     oFile.WriteLine "COM port mapping: " & objItem.COMPortMapping
     oFile.WriteLine "Clipboard mapping: " & objItem.ClipboardMapping
     oFile.WriteLine "Audio mapping: " & objItem.AudioMapping
     oFile.WriteLine "Default to client printer: " & objItem.DefaultToClientPrinter
     oFile.WriteLine("*********************************")    
 Next
 oFile.WriteLine("")
 oFile.Close()
 '
 '------------------------------------------------------------
 ' Function Definitions
 '------------------------------------------------------------
 '
 Function ConvertToNTFSPerm (inputPerm,oFile, AccountName, bAllow)
    strPerm = ""
    if( inputPerm = 0 ) then exit function
    IsSpecailPermission = False
    '
    ' Check for exact match for 
    '    Full Control
    '    User Access
    '    and 
    '    Guest Access
    '
    select case inputperm
      case FULL_CONTROL
         strPerm = "Full Control"
      case USER_ACCESS
         strPerm = "User Access & Guest Access"
      case GUEST_ACCESS
         strPerm = "Guest Access"
      case WINSTATION_VIRTUAL:
         strPerm = "Virtual Channel"
      case else
         strPerm = ""
    end select
    '
    ' If we have a string in strPerm
    ' Then the permissions could be a combination
    ' of User Access and special or Guest Access and special.
    ' First, check for User Access and Special case
    '
    dim strip : strip = 0
    if( strPerm = "" ) then
        if((inputPerm AND WINSTATION_VIRTUAL) = WINSTATION_VIRTUAL) then
           '
           ' Have a matcho for Virtual Channel and other bits
           '
           strip = inputPerm xOR WINSTATION_VIRTUAL
           strPerm = "Virtual Channel + Special Permissions = " & GetPermString( strip )
        end if
        if((strPerm = "") and (( inputPerm and USER_ACCESS ) = USER_ACCESS )) then
           '
           ' Have a match for User Access, lets find out what other bits are present
           '
           strip = inputPerm xor USER_ACCESS 
           strPerm = "User Access + Guest Access + Special Permissions = " + GetPermString( strip )
        end if
        if((strPerm = "" ) and (( inputPerm and GUEST_ACCESS ) = GUEST_ACCESS ) )then
           '
           ' Have a match for User Access, lets find out what other bits are present
           '
           strip = inputPerm xor GUEST_ACCESS 
           strPerm = "Guest Access + Special Permissions = " & GetPermString(strip)
        end if
        '
        ' Nothing matched up so far, this must be some kind of
        ' special permission
        '
        if( strPerm = "" ) then
           strPerm = "Special Permissions = " & GetPermString( inputPerm )
        end if
    end if
    if( strPerm <> "" ) then
        oFile.WriteLine "Account name: " & AccountName
        oFile.WriteLine "Permissions Mask ( Hexidecimal ): " & hex(inputPerm)
        if( bAllow ) then
           oFile.WriteLine "Allowed:" & strPerm
        else
           oFile.WriteLine "Denied: " & strPerm
        end if
        oFile.WriteLine("")
    end if
 End Function
 
 '
 ' LoadPerms - sets up the dictionary with the strings and their
 '    values.
 '
 sub LoadPerms
    Perms.Add WINSTATION_QUERY, "Query Information"
    perms.Add WINSTATION_SET, "Set Information"
    Perms.Add WINSTATION_LOGOFF, "Logoff"
    Perms.Add WINSTATION_SHADOW, "Remote Control"
    Perms.Add WINSTATION_LOGON, "Logon"
    Perms.Add WINSTATION_RESET, "Reset"
    Perms.Add WINSTATION_MSG, "Message"
    Perms.Add WINSTATION_CONNECT, "Connect"
    Perms.Add WINSTATION_DISCONNECT, "Disconnect"
 end sub
 '
 ' GetPermString - builds a string that contains the 
 '    bits strings for the permissions constants using
 '    the dictionary from LoadPerms
 '
 function GetPermString( inVal )
    GetPermString = ""
    dim pkeys : pkeys = Perms.Keys
    dim bFirst : bFirst = true
    for each pk in pkeys
       if(( inVal and pk ) = pk) then
          if( bFirst ) then 
             GetPermString = GetPermsString & Perms.Item(pk)
             bFirst = false
          else
             GetPermString = GetPermString & " + " &  perms.Item(pk)
          end if
 
       end if
    next
 end function

Content developed by: Irfan Ahmed
Content reviewed by: Max Vaughn

Comments

  • Anonymous
    July 30, 2014
    Absolutely great script.  Question.  for remote computers ( strComputer = "ComputerName" ) works on remote 2003 Computers.  I can not get it to connect to 2008 computers properly no matter where I insert strComputer,   Set objWMIService = GetObject("winmgmts:{authenticationLevel=pktPrivacy}!RootCIMv2TerminalServices") Can you advise please and respond via email???  Many thanks for assisting