[THIN] Re: Trying to script rdp-tcp permissions

Hi Magnus,

You can use the win32_tspermissionssetting Class to achieve this. Here
is a script I use to set both ICA and RDP permissions.

Cheers,
Jeremy.

----------------Script below-------------------------------------

' This script will set the required ICA and/or RDP listener permissions. If blnDomainAccount
' is set to false, it will create a local Group if one does not already exist.

' Usage Notes:
'        For a Domain set blnDomainAccount to True, strDomain to your domain, and strGroup to
'        the group you wish to add.
'        For a workgroup (non-Domain) set blnDomainAccount to False, strGroup to the group you
'        wish to add, and strGroupDescription to the description of the group.

' Release 2.0 on 1st April 2009
' Written by Jeremy@xxxxxxxxxxxxxxxxxxxx 8th January 2009.

Option Explicit

Dim blnDomainAccount, strDomain, wshnetwork, strGroup, strGroupDescription

blnDomainAccount = True

If blnDomainAccount Then
  strDomain = "MYDOMAIN"
Else
  Set wshnetwork = WScript.CreateObject("wscript.network")
  strDomain = wshnetwork.ComputerName
  Set wshnetwork = Nothing
End If

strGroup = "Shadowers"

If NOT blnDomainAccount Then
  strGroupDescription = "Helpdesk Users"
  Call CreateLocalGroup(strDomain,strGroup,strGroupDescription)
End If

' The listener name is the TerminalName shown in Terminal Services Configuration
' ("ICA-TCP" for the Citrix listener, "RDP-Tcp" for the Microsoft one).
Call ListenerPerms("ICA-TCP",strDomain,strGroup)

wscript.quit(0)

Sub ListenerPerms(strListener,strDomain,strGroup)
  Dim strComputer, objWMIService, colitems, i, errResult, objitem, itm, intQuery
  Dim intLogoff, intShadow, intLogon, intMsg, intConnect, intDisconnect, intSet
  Dim intVirtual, intReset

  Const GUEST_ACCESS = 0

  strDomain = ucase(strDomain)
  strComputer = "."

  Set objWMIService = GetObject("winmgmts:" & _
    "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  set colitems = objwmiservice.execquery("select * from " & _
    "win32_tspermissionssetting where terminalname='" & strListener & "'")

' Add the account and give it Guest access by default.
  for each i in colitems
    on error resume next
    errResult = i.addaccount(strDomain & "\" & strGroup,GUEST_ACCESS)
' Note that if the variables strDomain and/or strGroup are invalid, the subroutine will exit.
    if err.number <> 0 Then
      err.clear
      on error goto 0
      Set objWMIService = Nothing
      set colitems = Nothing
      Exit Sub
    End If
    on error goto 0
  next

' Add the required permissions to the account.
' The backslash is doubled here because it is inside a WQL string literal.
' Note: this query matches the account on every listener it has been added to,
' not only strListener.
  set objitem = objwmiservice.execquery("select * from win32_tsaccount " & _
    "where AccountName ='" & strDomain & "\\" & strGroup & "'")
' ModifyPermissions(index, True) grants one right; commented lines are left ungranted.
  for each itm in objitem
       intQuery = itm.modifypermissions(0,True)
'       intSet = itm.modifypermissions(1,True)
       intLogoff = itm.modifypermissions(2,True)
'       intVirtual = itm.modifypermissions(3,True)
       intShadow = itm.modifypermissions(4,True)
       intLogon = itm.modifypermissions(5,True)
'       intReset = itm.modifypermissions(6,True)
       intMsg = itm.modifypermissions(7,True)
       intConnect = itm.modifypermissions(8,True)
       intDisconnect = itm.modifypermissions(9,True)
  next

  Set objWMIService = Nothing
  set colitems = Nothing
  set objitem = Nothing

End Sub

Sub CreateLocalGroup(strComputer,strGroup,strGroupDescription)
  Dim blnGroupExists, colGroups, objGroup

  blnGroupExists = False
  Set colGroups = GetObject("WinNT://" & strComputer)
  colGroups.Filter = Array("group")
  For Each objGroup In colGroups
    If ucase(objGroup.Name)=ucase(strGroup) Then
      blnGroupExists=True
    End If
  Next

  If blnGroupExists=False Then
   Set objGroup = colGroups.Create("group",strGroup)
  Else
   Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
  End If

  objGroup.Description = strGroupDescription
  objGroup.SetInfo

  Set colGroups = Nothing
  Set objGroup = Nothing
End Sub
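
Jeremy's script writes the listener ACL but nothing in the thread reads it back to confirm who ended up with which rights. The PowerShell below is an added example, not code from the thread: it queries the same Win32_TSAccount class and decodes the permission masks, assuming the property names and the bit layout stated in its comments.

```powershell
# Added example, not from the thread: audit who holds which rights on a listener.
# Assumptions: Win32_TSAccount exposes TerminalName, AccountName, PermissionsAllowed
# and PermissionsDenied, and the two masks use bit n for the ModifyPermissions
# index n that the script above passes (0=Query ... 9=Disconnect).
param(
    [string]$Listener = 'RDP-Tcp',          # 'ICA-TCP' for the Citrix listener
    [string]$ComputerName = '',             # empty = local machine
    [string]$Namespace = 'root/cimv2'       # 2008+ hosts: 'root/cimv2/TerminalServices'
)

# Index -> right, in the order the script above uses with ModifyPermissions.
$permNames = 'Query','Set','Logoff','Virtual','Shadow','Logon','Reset','Message','Connect','Disconnect'

function ConvertFrom-TSPermissionMask {
    param([uint32]$Mask)
    $rights = for ($i = 0; $i -lt $permNames.Count; $i++) {
        if ($Mask -band (1 -shl $i)) { $permNames[$i] }
    }
    if ($rights) { $rights -join ',' } else { '-' }
}

$cimArgs = @{ Namespace = $Namespace; ClassName = 'Win32_TSAccount'
              Filter = "TerminalName='$Listener'" }
if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

$accounts = Get-CimInstance @cimArgs
if (-not $accounts) {
    Write-Warning "No Win32_TSAccount entries for '$Listener' in $Namespace (check listener name and namespace)."
    return
}

$accounts | ForEach-Object {
    [pscustomobject]@{
        Listener  = $_.TerminalName
        Account   = $_.AccountName
        Allowed   = ConvertFrom-TSPermissionMask $_.PermissionsAllowed
        Denied    = ConvertFrom-TSPermissionMask $_.PermissionsDenied
        # Shadow lets the holder view or control other users' sessions; review it separately.
        CanShadow = [bool]($_.PermissionsAllowed -band (1 -shl 4))
    }
} | Format-Table -AutoSize
```

Run it after the VBScript to confirm only the intended group appears on the listener with the rights you expect; any unexpected entry with Logon or Shadow is worth investigating.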


-----Original Message-----
From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Magnus Hjorleifsson
Sent: Thursday, May 28, 2009 6:15 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Trying to script rdp-tcp permissions

Hi all,
I am trying to script permissions to only allow 2 active directory
domain accounts to login via rdp. Does anyone know where this is in
the registry? Or is there an existing policy that does this?

Thank you in advance
Magnus

Sent from my iPhone
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or 
set Digest or Vacation mode use the below link:
http://www.freelists.org/list/thin
Follow ThinList on Twitter
http://twitter.com/thinlist
Thin List discussion is now available in blog format at:
http://thinmaillist.blogspot.com
Thinlist MOBILE Feed
http://thinlist.net/mobile
************************************************