Wednesday, April 1, 2009

[THIN] Re: XA 4.5 ICA permissions windows 2003

Hi Doug,

 

I tested it again today and it worked like a charm. Maybe there were some odd characters copied from the e-mail, so I’ve posted it here : http://www.jhouseconsulting.com/downloads/ModifyListenerPerms.txt

 

Cheers,

Jeremy.

 

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Stratton, Doug ISMC:EX
Sent: Tuesday, March 31, 2009 5:29 AM
To: thin@freelists.org
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

 

Thank you for taking another stab at it.

 

Unfortuantely I am getting the same results except that it fails.

 

Now I get

line 84

char 8

error Invalid operation

code 80041016

Source SWbemObjectEx

 

Line 84 is this:

 

intQuery = itm.modifypermissions(0,True)

 

I end up with the account added but just guest permissions.

 

Regards,
Doug Stratton, Shared Service BC
Service Desk Email: 77000@gov.bc.ca
Service Desk Tel: (250)387-7000

 

 

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Jeremy Saunders
Sent: March 27, 2009 7:56 PM
To: thin@freelists.org
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

Sorry Doug. It was an extract from a working script, so was missing some bits and pieces. I have now tested the subroutine and got it working nicely for you. All you need to do is set the strDomain and strGroup variables, and away it goes. Just comment out the permissions that you don’t want to add.

 

Cheers,

Jeremy.

 

 

Option Explicit

 

Dim blnDomainAccount, strDomain, wshnetwork, strGroup

 

blnDomainAccount = True

 

If blnDomainAccount Then

  strDomain = "MYDOMAIN"

Else

  Set wshnetwork = WScript.CreateObject("wscript.network")

  strDomain = wshnetwork.ComputerName

  Set wshnetwork = Nothing

End If

 

strGroup = "MyGroup"

 

Call ListenerPerms("ICA-TCP",strDomain,strGroup)

 

wscript.quit(0)

 

Sub ListenerPerms(strListener,strDomain,strGroup)

  Dim strComputer, objWMIService, colitems, i, errResult, objitem, itm, intQuery

  Dim intLogoff, intShadow, intLogon, intMsg, intConnect, intDisconnect, intSet

  Dim intVirtual, intReset

 

  Const GUEST_ACCESS = 0

 

  strDomain = ucase(strDomain)

  strComputer = "."

 

  Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

  set colitems = objwmiservice.execquery("select * from win32_tspermissionssetting where terminalname='" & strListener & "'")

 

' Add the account and give it Guest access by default.

  for each i in colitems

    errResult = i.addaccount(strDomain & "\" & strGroup,GUEST_ACCESS)

  next

 

' Add the required permissions to the account.

  set objitem = objwmiservice.execquery("select * from win32_tsaccount where AccountName ='" & strDomain & "\\" & strGroup & "'")

  for each itm in objitem

       intQuery = itm.modifypermissions(0,True)

'       intSet = itm.modifypermissions(1,True)

       intLogoff = itm.modifypermissions(2,True)

'       intVirtual = itm.modifypermissions(3,True)

       intShadow = itm.modifypermissions(4,True)

       intLogon = itm.modifypermissions(5,True)

'       intReset = itm.modifypermissions(6,True)

       intMsg = itm.modifypermissions(7,True)

       intConnect = itm.modifypermissions(8,True)

       intDisconnect = itm.modifypermissions(9,True)

  next

 

  Set objWMIService = Nothing

  set colitems = Nothing

  set objitem = Nothing

 

End Sub

 

 

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Stratton, Doug ISMC:EX
Sent: Saturday, March 28, 2009 5:38 AM
To: thin@freelists.org
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

 

Thanks for the script.  I am having a bit of a problem with it and was hoping you could help.

 

When I run it it adds the group I identified to the listener but only give it guest rights with logon.  Not of the other settings get set.  (Query, Logoff....)

 

Regards,
Doug Stratton, Shared Service BC
Service Desk Email: 77000@gov.bc.ca
Service Desk Tel: (250)387-7000

 

 

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Jeremy Saunders
Sent: March 26, 2009 7:21 PM
To: thin@freelists.org
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

Yep, me too.

 

With TSConSec the Reset does not show in the GUI. However, if it's not set, then the Logoff permission will not be selected. This can be quite frustrating to work out, so be careful.

 

But you can also use the win32_tspermissionssetting WMI Class…

 

Here is an extract from one of my scripts…

 

-------start of script-------

Call ListenerPerms("ICA-TCP","Shadowers")

 

wscript.quit(0)

 

Sub ListenerPerms(strListener,strGroup)

  Dim wshnetwork, strComputer, objWMIService, colitems, i, errResult, objitem, itm, intQuery, intLogoff, intShadow, intLogon, intMsg, intConnect, intDisconnect

 

  Set wshnetwork = WScript.CreateObject("wscript.network")

  strComputer = wshnetwork.ComputerName

 

  Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")

  set colitems = objwmiservice.execquery("select * from win32_tspermissionssetting where terminalname='" & strListener & "'")

 

  for each i in colitems

    errResult = i.addaccount(lcase(strGroup),0)

  next

 

' Note that we must use the actual computer name and not a "."

  set objitem = objwmiservice.execquery("select * from win32_tsaccount where AccountName ='" & strComputer & "\\" & strGroup & "'")

    for each itm in objitem

     intQuery = itm.modifypermissions(0,True)

     intLogoff = itm.modifypermissions(2,True)

     intShadow = itm.modifypermissions(4,True)

     intLogon = itm.modifypermissions(5,True)

     intMsg = itm.modifypermissions(7,True)

     intConnect = itm.modifypermissions(8,True)

     intDisconnect = itm.modifypermissions(9,True)

  next

 

  Set wshnetwork = Nothing

  Set objWMIService = Nothing

  set colitems = Nothing

  set objitem = Nothing

 

end sub

 

-------end of script-------

 

This runs in my build scripts, but you can run it afterwards using PSEXEC. It will also probably work as a Startup script too.

 

I hope that helps.

 

Cheers,

Jeremy.

 

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Andrew Wood
Sent: Friday, March 27, 2009 8:59 AM
To: thin@freelists.org
Subject: [THIN] Re: XA 4.5 ICA permissions windows 2003

 

I’ve always scripted this as part of the unattended install using tsconsec.exe – I think because the values are stored in a binary key rather than being permission on a registry setting

 

e.g. run tsconsec command on the server as part of the build:

 

TSConSec.exe /t:ica /a:Helpdesk /p:RS /q

 

Would set the helpdesk group to be able to reset and shadow on ica sessions.

 

If you wanted to do a farm download psexec and run a for command

 

Create a list of your servers – put that in servers.txt

 

for /f "skip=3" %i in (servers.txt) do psexec \\% tsconsec.exe /t:ICA  /a:YourGroup /p:Flags /Q

 

http://portal.loginconsultants.nl/forum/attachments/TsConSec1201.zip

 

 

hth

 

From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On Behalf Of Stratton, Doug ISMC:EX
Sent: 26 March 2009 22:19
To: thin@freelists.org
Subject: [THIN] XA 4.5 ICA permissions windows 2003

 

Hi,
Just wondering if anyone knows how to set the sercurity permissions on the ICA-TCP listener with policy (ms gp or citrix).

At this point we have to set it on each server manually and wondering if it can be done otherwise?

We do now have GP Preferences.
Regards,
Doug Stratton, Shared Service BC
Service Desk Email: 77000@gov.bc.ca
Service Desk Tel: (250)387-7000

 

Confidentiality and Privilege Notice
This document is intended solely for the named addressee.  The information contained in the pages is confidential and contains legally privileged information. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone, and you should destroy this message and kindly notify the sender by reply email. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you.

Confidentiality and Privilege Notice
This document is intended solely for the named addressee.  The information contained in the pages is confidential and contains legally privileged information. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone, and you should destroy this message and kindly notify the sender by reply email. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you.
Confidentiality and Privilege Notice
This document is intended solely for the named addressee.  The information contained in the pages is confidential and contains legally privileged information. If you are not the addressee indicated in this message (or responsible for delivery of the message to such person), you may not copy or deliver this message to anyone, and you should destroy this message and kindly notify the sender by reply email. Confidentiality and legal privilege are not waived or lost by reason of mistaken delivery to you.
Posted by thinlist at 7:44 AM

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)