

Checking and enabling Remote Desktop with PowerShell

A couple of posts back I mentioned that I was working on a configuration library for Server 2008 R2 Core and Hyper-V Server R2 and this includes checking and setting the configuration for remote desktop.

It turns out that this is controlled by just 2 registry entries, hence it is controlled by the SCRegEdit script. One is fDenyTSConnections under 'HKLM:\System\CurrentControlSet\Control\Terminal Server' and the other is UserAuthentication under 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'. If the values exist they appear as item properties in PowerShell and can be set; otherwise they can be created. I've found the safest way is to try to set the value, trap the error which occurs if it doesn't exist, and then create it, specifying that it is a DWORD. So my function enables Remote Desktop UNLESS -Disable is specified, and -LowSecurity is a boolean which tells it whether to demand stronger user authentication.

 

 Function Set-RemoteDesktopConfig
{Param ([switch]$LowSecurity, [switch]$Disable)
 # Each value is set first; if that fails because the value does not exist, it is created as a DWORD.
 if ($Disable) {
       # fDenyTSConnections = 1 refuses Remote Desktop connections
       set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
                        -name "fDenyTSConnections" -Value 1 -erroraction silentlycontinue
       if (-not $?) {new-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
                                      -name "fDenyTSConnections" -Value 1 -PropertyType dword }
       set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                        -name "UserAuthentication" -Value 1 -erroraction silentlycontinue
       if (-not $?) {new-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                                      -name "UserAuthentication" -Value 1 -PropertyType dword }
     }
 else {
       # fDenyTSConnections = 0 allows Remote Desktop connections
       set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
                        -name "fDenyTSConnections" -Value 0 -erroraction silentlycontinue
       if (-not $?) {new-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server' `
                                      -name "fDenyTSConnections" -Value 0 -PropertyType dword }
       # UserAuthentication: 0 with -LowSecurity, otherwise 1 so that stronger authentication is demanded
       if ($LowSecurity) {$auth = 0} else {$auth = 1}
       set-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                        -name "UserAuthentication" -Value $auth -erroraction silentlycontinue
       if (-not $?) {new-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                                      -name "UserAuthentication" -Value $auth -PropertyType dword }
     }
}

Finding out what the settings are is even easier.

 Function Get-RemoteDesktopConfig
{# fDenyTSConnections = 1: connections refused. Otherwise UserAuthentication = 1: stronger authentication demanded.
 if ((Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server').fDenyTSConnections -eq 1)
          {"Connections not allowed"}
 elseif ((Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').UserAuthentication -eq 1)
          {"Only Secure Connections allowed"}
 else     {"All Connections allowed"}
}
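An audit-oriented variant of the check above, added here as an example and not part of the original post: it returns an object rather than a string, distinguishes a missing value from 0, and marks Remote Desktop enabled without the stronger authentication for review. The function names Get-RegistryDword and Test-RemoteDesktopConfig and the output property names are hypothetical, and `[pscustomobject]` assumes PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Function and property names are hypothetical.
$tsKey  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$rdpKey = 'HKLM:\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RegistryDword {
    # Returns the value data, or $null when the key or the value does not exist.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function Test-RemoteDesktopConfig {
    $deny = Get-RegistryDword -Path $tsKey  -Name 'fDenyTSConnections'
    $auth = Get-RegistryDword -Path $rdpKey -Name 'UserAuthentication'

    # Same decision order as Get-RemoteDesktopConfig, plus an explicit "missing" case.
    if ($null -eq $deny) {
        $state   = 'Unknown'
        $finding = 'fDenyTSConnections is missing; state cannot be read from the registry'
    }
    elseif ($deny -eq 1) {
        $state   = 'Disabled'
        $finding = 'Connections not allowed'
    }
    elseif ($auth -eq 1) {
        $state   = 'Enabled'
        $finding = 'Only secure connections allowed'
    }
    else {
        $state   = 'Enabled'
        $finding = 'All connections allowed (UserAuthentication is 0 or missing)'
    }

    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        State              = $state
        fDenyTSConnections = $deny
        UserAuthentication = $auth
        NeedsReview        = ($state -eq 'Enabled' -and $auth -ne 1)
        Finding            = $finding
    }
}

Test-RemoteDesktopConfig
```

Because the result is an object, it can be filtered with `Where-Object { $_.NeedsReview }` or written out with `Export-Csv`.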

The next part of the configurator to share will be for checking and setting firewall rules.

Comments

  • Anonymous
    January 01, 2003
    Thanks, I'll go and have another look at it.

  • Anonymous
    January 01, 2003
    Hi Marty. Actually I stole these from ScRegedit on server core, they take immediate effect (no reboot) and win32_terminalServiceSetting is only for machines running full terminal services (not remote desktop) - it's not present otherwise.

  • Anonymous
    January 01, 2003
    OK, so you can test the state
    (Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace root\cimv2\terminalservices).AllowTsConnections
    and set it
    (Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace root\cimv2\terminalservices).SetAllowTsConnections(1)
    For authentication
    (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired
    and
    (Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SetUserAuthenticationRequired(1)
    0 or 1 in the Set turns it on and off.

  • Anonymous
    February 11, 2009
    Instead of changing the registry I suggest using the documented and supported interface that Microsoft has provided :)  It's WMI class "Win32_TerminalServiceSetting".  Also, changes made via WMI take effect without requiring a reboot. http://www.google.com/search?q=Win32_TerminalServiceSetting

  • Anonymous
    February 13, 2009
    Win32_TerminalServiceSetting is not just for terminal server, it's also present for remote desktop, both servers and workstations.  Maybe you missed it because the WMI namespace is different depending on OS version:
    Windows Vista and Windows Server 2008: root\CIMV2\TerminalServices
    Windows XP and Windows Server 2003: root\CIMV2