[THIN] Re: XA 4.5 ICA permissions windows 2003

  • From: "Jeremy Saunders" <Jeremy.Saunders@xxxxxxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Wed, 1 Apr 2009 22:44:20 +1100

Hi Doug,

 

I tested it again today and it worked like a charm. Maybe there were
some odd characters copied from the e-mail, so I've posted it here:
http://www.jhouseconsulting.com/downloads/ModifyListenerPerms.txt

 

Cheers,

Jeremy.

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Stratton, Doug ISMC:EX
Sent: Tuesday, March 31, 2009 5:29 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

 

Thank you for taking another stab at it.

 

Unfortunately I am getting the same results except that it fails.

 

Now I get

line 84
char 8
error Invalid operation
code 80041016
Source SWbemObjectEx

 

Line 84 is this:

 

intQuery = itm.modifypermissions(0,True)

 

I end up with the account added but just guest permissions.

 

Regards, 
Doug Stratton, Shared Service BC 
Service Desk Email: 77000@xxxxxxxxx 
Service Desk Tel: (250)387-7000 

 

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeremy Saunders
Sent: March 27, 2009 7:56 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

Sorry Doug. It was an extract from a working script, so was missing some
bits and pieces. I have now tested the subroutine and got it working
nicely for you. All you need to do is set the strDomain and strGroup
variables, and away it goes. Just comment out the permissions that you
don't want to add.

 

Cheers,

Jeremy.

 

 

Option Explicit

Dim blnDomainAccount, strDomain, wshnetwork, strGroup

' True = the group is a domain group; False = a local group on this server.
blnDomainAccount = True

If blnDomainAccount Then
  strDomain = "MYDOMAIN"
Else
  Set wshnetwork = WScript.CreateObject("wscript.network")
  strDomain = wshnetwork.ComputerName
  Set wshnetwork = Nothing
End If

strGroup = "MyGroup"

Call ListenerPerms("ICA-TCP",strDomain,strGroup)

wscript.quit(0)

Sub ListenerPerms(strListener,strDomain,strGroup)
  Dim strComputer, objWMIService, colitems, i, errResult, objitem, itm, intQuery
  Dim intLogoff, intShadow, intLogon, intMsg, intConnect, intDisconnect, intSet
  Dim intVirtual, intReset

  Const GUEST_ACCESS = 0

  strDomain = ucase(strDomain)
  strComputer = "."

  ' Each statement must sit on one line; the e-mail wrapping broke these.
  Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  set colitems = objwmiservice.execquery("select * from win32_tspermissionssetting where terminalname='" & strListener & "'")

' Add the account and give it Guest access by default.
  for each i in colitems
    errResult = i.addaccount(strDomain & "\" & strGroup,GUEST_ACCESS)
  next

' Add the required permissions to the account.
' The first argument is the permission index; the variable names show which
' permission each index stands for. Commented-out lines are not granted.
  set objitem = objwmiservice.execquery("select * from win32_tsaccount where AccountName ='" & strDomain & "\\" & strGroup & "'")
  for each itm in objitem
       intQuery = itm.modifypermissions(0,True)
'       intSet = itm.modifypermissions(1,True)
       intLogoff = itm.modifypermissions(2,True)
'       intVirtual = itm.modifypermissions(3,True)
       intShadow = itm.modifypermissions(4,True)
       intLogon = itm.modifypermissions(5,True)
'       intReset = itm.modifypermissions(6,True)
       intMsg = itm.modifypermissions(7,True)
       intConnect = itm.modifypermissions(8,True)
       intDisconnect = itm.modifypermissions(9,True)
  next

  Set objWMIService = Nothing
  set colitems = Nothing
  set objitem = Nothing

End Sub

 

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Stratton, Doug ISMC:EX
Sent: Saturday, March 28, 2009 5:38 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

 

Thanks for the script.  I am having a bit of a problem with it and was
hoping you could help.

 

When I run it, it adds the group I identified to the listener but only
gives it guest rights with logon.  None of the other settings get set.
(Query, Logoff....)

 

Regards, 
Doug Stratton, Shared Service BC 
Service Desk Email: 77000@xxxxxxxxx 
Service Desk Tel: (250)387-7000 

 

 

________________________________

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Jeremy Saunders
Sent: March 26, 2009 7:21 PM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

Yep, me too.

 

With TSConSec the Reset does not show in the GUI. However, if it's not
set, then the Logoff permission will not be selected. This can be quite
frustrating to work out, so be careful.

 

But you can also use the win32_tspermissionssetting WMI Class...

 

Here is an extract from one of my scripts...

 

-------start of script-------

Call ListenerPerms("ICA-TCP","Shadowers")

wscript.quit(0)

Sub ListenerPerms(strListener,strGroup)
  Dim wshnetwork, strComputer, objWMIService, colitems, i, errResult, objitem, itm, intQuery, intLogoff, intShadow, intLogon, intMsg, intConnect, intDisconnect

  Set wshnetwork = WScript.CreateObject("wscript.network")
  strComputer = wshnetwork.ComputerName

  ' Each statement must sit on one line; the e-mail wrapping broke these.
  Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
  set colitems = objwmiservice.execquery("select * from win32_tspermissionssetting where terminalname='" & strListener & "'")

' Add the group to the listener with access level 0.
  for each i in colitems
    errResult = i.addaccount(lcase(strGroup),0)
  next

' Note that we must use the actual computer name and not a "."
  set objitem = objwmiservice.execquery("select * from win32_tsaccount where AccountName ='" & strComputer & "\\" & strGroup & "'")
  for each itm in objitem
     intQuery = itm.modifypermissions(0,True)
     intLogoff = itm.modifypermissions(2,True)
     intShadow = itm.modifypermissions(4,True)
     intLogon = itm.modifypermissions(5,True)
     intMsg = itm.modifypermissions(7,True)
     intConnect = itm.modifypermissions(8,True)
     intDisconnect = itm.modifypermissions(9,True)
  next

  Set wshnetwork = Nothing
  Set objWMIService = Nothing
  set colitems = Nothing
  set objitem = Nothing

end sub

-------end of script-------

 

This runs in my build scripts, but you can run it afterwards using
PSEXEC. It will also probably work as a Startup script too.

 

I hope that helps.

 

Cheers,

Jeremy.

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Andrew Wood
Sent: Friday, March 27, 2009 8:59 AM
To: thin@xxxxxxxxxxxxx
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

 

I've always scripted this as part of the unattended install using
tsconsec.exe - I think because the values are stored in a binary key
rather than being permissions on a registry setting.

 

e.g. run tsconsec command on the server as part of the build:

 

TSConSec.exe /t:ica /a:Helpdesk /p:RS /q

 

Would set the helpdesk group to be able to reset and shadow on ica
sessions. 

 

If you wanted to do a farm, download psexec and run a for command:

 

Create a list of your servers - put that in servers.txt 

 

for /f "skip=3" %i in (servers.txt) do psexec \\%i tsconsec.exe /t:ICA /a:YourGroup /p:Flags /Q

 

http://portal.loginconsultants.nl/forum/attachments/TsConSec1201.zip

 

 

hth

 

From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx] On
Behalf Of Stratton, Doug ISMC:EX
Sent: 26 March 2009 22:19
To: thin@xxxxxxxxxxxxx
Subject: [THIN] XA 4.5 ICA permissions windows 2003

 

Hi, 
Just wondering if anyone knows how to set the security permissions on
the ICA-TCP listener with policy (MS GP or Citrix).

At this point we have to set it on each server manually and are wondering if
it can be done otherwise?

We do now have GP Preferences. 
Regards, 
Doug Stratton, Shared Service BC 
Service Desk Email: 77000@xxxxxxxxx 
Service Desk Tel: (250)387-7000 

 

________________________________

Confidentiality and Privilege Notice 
This document is intended solely for the named addressee.  The
information contained in the pages is confidential and contains legally
privileged information. If you are not the addressee indicated in this
message (or responsible for delivery of the message to such person), you
may not copy or deliver this message to anyone, and you should destroy
this message and kindly notify the sender by reply email.
Confidentiality and legal privilege are not waived or lost by reason of
mistaken delivery to you.

________________________________
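
Added example, not part of the thread and not Jeremy's script: the permission loop from the scripts above with every ModifyPermissions call checked, followed by a read-back of the listener's accounts, so a run that leaves the group with only Guest access is reported instead of passing silently. MYDOMAIN\MyGroup is the placeholder from the thread; the constant and variable names are this example's own, and it assumes the account has already been added to the listener and that the script runs locally with administrative rights.

```vbscript
Option Explicit

Const LISTENER = "ICA-TCP"            ' listener name used in the thread
Const ACCOUNT  = "MYDOMAIN\MyGroup"   ' placeholder account from the thread

Dim objWMI, colAccounts, objAcct, arrMasks, intMask, lngRet, blnFound

' Permission indexes the thread's script enables (1, 3 and 6 stay off).
arrMasks = Array(0, 2, 4, 5, 7, 8, 9)

Set objWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\cimv2")

' Scope the query to one listener so the same account on another
' listener is not changed. WQL needs the backslash doubled.
Set colAccounts = objWMI.ExecQuery( _
  "select * from Win32_TSAccount where TerminalName='" & LISTENER & "'" & _
  " and AccountName='" & Replace(ACCOUNT, "\", "\\") & "'")

blnFound = False
For Each objAcct In colAccounts
  blnFound = True
  For Each intMask In arrMasks
    On Error Resume Next
    lngRet = objAcct.ModifyPermissions(intMask, True)
    If Err.Number <> 0 Then
      ' A raised error such as 80041016 lands here instead of stopping the run.
      WScript.Echo "Index " & intMask & " raised 0x" & Hex(Err.Number) & " " & Err.Description
      Err.Clear
    ElseIf lngRet <> 0 Then
      WScript.Echo "Index " & intMask & " returned " & lngRet
    End If
    On Error GoTo 0
  Next
Next
If Not blnFound Then WScript.Echo "No entry for " & ACCOUNT & " on " & LISTENER

' Re-read every account on the listener and print the resulting masks,
' which also shows any unexpected account that holds rights on it.
Set colAccounts = objWMI.ExecQuery( _
  "select * from Win32_TSAccount where TerminalName='" & LISTENER & "'")
For Each objAcct In colAccounts
  WScript.Echo objAcct.AccountName & "  allowed=0x" & Hex(objAcct.PermissionsAllowed) & _
               "  denied=0x" & Hex(objAcct.PermissionsDenied)
Next
```

Run it with cscript so each line goes to the console; comparing the allowed mask before and after the run shows whether the grants took effect.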
