Regards,
Doug Stratton, Shared Service BC
Service Desk Email: 77000@gov.bc.ca
Service Desk Tel: (250)387-7000
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Jeremy Saunders
Sent: March 27, 2009 7:56 PM
To: thin@freelists.org
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003
Sorry Doug. It was an extract from a working script, so was missing some bits and pieces. I have now tested the subroutine and got it working nicely for you. All you need to do is set the strDomain and strGroup variables, and away it goes. Just comment out the permissions that you don’t want to add.
Cheers,
Jeremy.
Option Explicit
Dim blnDomainAccount, strDomain, wshnetwork, strGroup
blnDomainAccount = True
If blnDomainAccount Then
strDomain = "MYDOMAIN"
Else
Set wshnetwork = WScript.CreateObject("wscript.network")
strDomain = wshnetwork.ComputerName
Set wshnetwork = Nothing
End If
strGroup = "MyGroup"
Call ListenerPerms("ICA-TCP",strDomain,strGroup)
wscript.quit(0)
Sub ListenerPerms(strListener,strDomain,strGroup)
Dim strComputer, objWMIService, colitems, i, errResult, objitem, itm, intQuery
Dim intLogoff, intShadow, intLogon, intMsg, intConnect, intDisconnect, intSet
Dim intVirtual, intReset
Const GUEST_ACCESS = 0
strDomain = ucase(strDomain)
strComputer = "."
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_tspermissionssetting where terminalname='" & strListener & "'")
' Add the account and give it Guest access by default.
for each i in colitems
errResult = i.addaccount(strDomain & "\" & strGroup,GUEST_ACCESS)
next
' Add the required permissions to the account.
set objitem = objwmiservice.execquery("select * from win32_tsaccount where AccountName ='" & strDomain & "\\" & strGroup & "'")
for each itm in objitem
intQuery = itm.modifypermissions(0,True)
' intSet = itm.modifypermissions(1,True)
intLogoff = itm.modifypermissions(2,True)
' intVirtual = itm.modifypermissions(3,True)
intShadow = itm.modifypermissions(4,True)
intLogon = itm.modifypermissions(5,True)
' intReset = itm.modifypermissions(6,True)
intMsg = itm.modifypermissions(7,True)
intConnect = itm.modifypermissions(8,True)
intDisconnect = itm.modifypermissions(9,True)
next
Set objWMIService = Nothing
set colitems = Nothing
set objitem = Nothing
End Sub
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Stratton, Doug ISMC:EX
Sent: Saturday, March 28, 2009 5:38 AM
To: thin@freelists.org
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003
Thanks for the script. I am having a bit of a problem with it and was hoping you could help.
When I run it it adds the group I identified to the listener but only give it guest rights with logon. Not of the other settings get set. (Query, Logoff....)
Regards,
Doug Stratton, Shared Service BC
Service Desk Email: 77000@gov.bc.ca
Service Desk Tel: (250)387-7000
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Jeremy Saunders
Sent: March 26, 2009 7:21 PM
To: thin@freelists.org
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003
Yep, me too.
With TSConSec the Reset does not show in the GUI. However, if it's not set, then the Logoff permission will not be selected. This can be quite frustrating to work out, so be careful.
But you can also use the win32_tspermissionssetting WMI Class…
Here is an extract from one of my scripts…
-------start of script-------
Call ListenerPerms("ICA-TCP","Shadowers")
wscript.quit(0)
Sub ListenerPerms(strListener,strGroup)
Dim wshnetwork, strComputer, objWMIService, colitems, i, errResult, objitem, itm, intQuery, intLogoff, intShadow, intLogon, intMsg, intConnect, intDisconnect
Set wshnetwork = WScript.CreateObject("wscript.network")
strComputer = wshnetwork.ComputerName
Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_tspermissionssetting where terminalname='" & strListener & "'")
for each i in colitems
errResult = i.addaccount(lcase(strGroup),0)
next
' Note that we must use the actual computer name and not a "."
set objitem = objwmiservice.execquery("select * from win32_tsaccount where AccountName ='" & strComputer & "\\" & strGroup & "'")
for each itm in objitem
intQuery = itm.modifypermissions(0,True)
intLogoff = itm.modifypermissions(2,True)
intShadow = itm.modifypermissions(4,True)
intLogon = itm.modifypermissions(5,True)
intMsg = itm.modifypermissions(7,True)
intConnect = itm.modifypermissions(8,True)
intDisconnect = itm.modifypermissions(9,True)
next
Set wshnetwork = Nothing
Set objWMIService = Nothing
set colitems = Nothing
set objitem = Nothing
end sub
-------end of script-------
This runs in my build scripts, but you can run it afterwards using PSEXEC. It will also probably work as a Startup script too.
I hope that helps.
Cheers,
Jeremy.
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Andrew Wood
Sent: Friday, March 27, 2009 8:59 AM
To: thin@freelists.org
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003
I’ve always scripted this as part of the unattended install using tsconsec.exe – I think because the values are stored in a binary key rather than being permission on a registry setting
e.g. run tsconsec command on the server as part of the build:
TSConSec.exe /t:ica /a:Helpdesk /p:RS /q
Would set the helpdesk group to be able to reset and shadow on ica sessions.
If you wanted to do a farm download psexec and run a for command
Create a list of your servers – put that in servers.txt
for /f "skip=3" %i in (servers.txt) do psexec \\% tsconsec.exe /t:ICA /a:YourGroup /p:Flags /Q
http://portal.loginconsultants.nl/forum/attachments/TsConSec1201.zip
hth
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Stratton, Doug ISMC:EX
Sent: 26 March 2009 22:19
To: thin@freelists.org
Subject: [THIN] XA 4.5 ICA permissions windows 2003
Hi,
Just wondering if anyone knows how to set the sercurity permissions on the ICA-TCP listener with policy (ms gp or citrix).
At this point we have to set it on each server manually and wondering if it can be done otherwise?
We do now have GP Preferences.
Regards,
Doug Stratton, Shared Service BC
Service Desk Email: 77000@gov.bc.ca
Service Desk Tel: (250)387-7000
Confidentiality and Privilege Notice
This document is intended solely for the named addressee. The information contained in the pages is confidential and contains legally privileged information. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone, and you should destroy this message and kindly notify the sender by reply email. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you.
This document is intended solely for the named addressee. The information contained in the pages is confidential and contains legally privileged information. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone, and you should destroy this message and kindly notify the sender by reply email. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you.
No comments:
Post a Comment