Wednesday, May 27, 2009

[THIN] Re: Trying to script rdp-tcp permissions

Hi Magnus,

You can use the Win32_TSPermissionsSetting class to achieve this. Here
is a script I use to set both ICA and RDP permissions.

Cheers,
Jeremy.

----------------Script below-------------------------------------

' This script will set the required ICA and/or RDP listener permissions. If blnDomainAccount
' is set to false, it will create a local Group if one does not already exist.

' Usage Notes:
' For a Domain set blnDomainAccount to True, strDomain to your domain, and strGroup to
' the group you wish to add.
' For a workgroup (non-Domain) set blnDomainAccount to False, strGroup to the group you
' wish to add, and strGroupDescription to the description of the group.

' Release 2.0 on 1st April 2009
' Written by Jeremy@jhouseconsulting.com 8th January 2009.

Option Explicit

Dim blnDomainAccount, strDomain, wshnetwork, strGroup, strGroupDescription

blnDomainAccount = True

If blnDomainAccount Then
strDomain = "MYDOMAIN"
Else
Set wshnetwork = WScript.CreateObject("wscript.network")
strDomain = wshnetwork.ComputerName
Set wshnetwork = Nothing
End If

strGroup = "Shadowers"

If NOT blnDomainAccount Then
strGroupDescription = "Helpdesk Users"
Call CreateLocalGroup(strDomain,strGroup,strGroupDescription)
End If

' The listener name is the TerminalName of the Win32_TSPermissionsSetting instance.
' For the RDP listener call ListenerPerms("RDP-Tcp",strDomain,strGroup) instead of, or as well as, the ICA one.
Call ListenerPerms("ICA-TCP",strDomain,strGroup)

wscript.quit(0)

Sub ListenerPerms(strListener,strDomain,strGroup)
Dim strComputer, objWMIService, colitems, i, errResult, objitem, itm, intQuery
Dim intLogoff, intShadow, intLogon, intMsg, intConnect, intDisconnect, intSet
Dim intVirtual, intReset

Const GUEST_ACCESS = 0

strDomain = ucase(strDomain)
strComputer = "."

Set objWMIService = GetObject("winmgmts:" & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
set colitems = objwmiservice.execquery("select * from win32_tspermissionssetting where terminalname='" & strListener & "'")

' Add the account and give it Guest access (logon only) by default.
' Note that if the variables strDomain and/or strGroup are invalid, AddAccount fails and the subroutine exits.
for each i in colitems
on error resume next
errResult = i.addaccount(strDomain & "\" & strGroup,GUEST_ACCESS)
if err.number <> 0 Then
err.clear
on error goto 0
Set objWMIService = Nothing
set colitems = Nothing
Exit Sub
End If
on error goto 0
next

' Add the required permissions to the account. The PermissionMask values of
' Win32_TSAccount.ModifyPermissions are: 0 Query, 1 Set, 2 Reset, 3 Virtual,
' 4 Shadow, 5 Logon, 6 Logoff, 7 Message, 8 Connect, 9 Disconnect.
' The backslash in the WQL string is doubled because WQL treats "\" as an escape character.
set objitem = objwmiservice.execquery("select * from win32_tsaccount where AccountName ='" & strDomain & "\\" & strGroup & "'")
for each itm in objitem
intQuery = itm.modifypermissions(0,True)
' intSet = itm.modifypermissions(1,True)
' intReset = itm.modifypermissions(2,True)
' intVirtual = itm.modifypermissions(3,True)
intShadow = itm.modifypermissions(4,True)
intLogon = itm.modifypermissions(5,True)
intLogoff = itm.modifypermissions(6,True)
intMsg = itm.modifypermissions(7,True)
intConnect = itm.modifypermissions(8,True)
intDisconnect = itm.modifypermissions(9,True)
next

Set objWMIService = Nothing
set colitems = Nothing
set objitem = Nothing

End Sub

Sub CreateLocalGroup(strComputer,strGroup,strGroupDescription)
Dim blnGroupExists, colGroups, objGroup

' Look for an existing local group of that name before creating one.
blnGroupExists = False
Set colGroups = GetObject("WinNT://" & strComputer)
colGroups.Filter = Array("group")
For Each objGroup In colGroups
If ucase(objGroup.Name)=ucase(strGroup) Then
blnGroupExists=True
End If
Next

If blnGroupExists=False Then
Set objGroup = colGroups.Create("group",strGroup)
Else
Set objGroup = GetObject("WinNT://" & strComputer & "/" & strGroup & ",group")
End If

objGroup.Description = strGroupDescription
objGroup.SetInfo

Set colGroups = Nothing
Set objGroup = Nothing
End Sub
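
As an added example (not Jeremy's script), here is a PowerShell read-back of the same WMI class the script writes to: it decodes Win32_TSAccount.PermissionsAllowed into the WINSTATION_* permission names and reports every principal holding Logon on a listener, flagging any that is not on an allowlist, which is the check Magnus's "only these two accounts" requirement calls for. The sample records are constructed, and the function names and allowlist are my own.

```powershell
# Added example, not part of Jeremy's script: decode Win32_TSAccount.PermissionsAllowed
# and list every principal that holds Logon on a listener, flagging any not on an allowlist.
# Bit values are the WINSTATION_* flags documented for the class.
$WinstationFlags = [ordered]@{
    Query = 0x001; Set = 0x002; Reset = 0x004; Virtual = 0x008; Shadow = 0x010
    Logon = 0x020; Logoff = 0x040; Message = 0x080; Connect = 0x100; Disconnect = 0x200
}

function ConvertTo-WinstationRights {
    param([uint32]$Mask)
    # Name every flag set in the bitmask, in documented order.
    $WinstationFlags.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Test-ListenerLogonAccounts {
    param(
        [Parameter(Mandatory)] $Accounts,          # objects with AccountName and PermissionsAllowed
        [Parameter(Mandatory)] [string[]]$Allowed  # principals expected to hold Logon
    )
    foreach ($acct in $Accounts) {
        $rights = @(ConvertTo-WinstationRights -Mask $acct.PermissionsAllowed)
        if ($rights -contains 'Logon') {
            [pscustomobject]@{
                Account  = $acct.AccountName
                Rights   = ($rights -join ',')
                # False means the account can log on but is not on the allowlist.
                Expected = [bool]($Allowed -contains $acct.AccountName)
            }
        }
    }
}

# Constructed sample records. On a live host replace $sample with:
#   Get-WmiObject -Namespace root\cimv2 -Class Win32_TSAccount -Filter "TerminalName='RDP-Tcp'"
$sample = @(
    [pscustomobject]@{ AccountName = 'BUILTIN\Administrators'; PermissionsAllowed = 0x3FF }
    [pscustomobject]@{ AccountName = 'MYDOMAIN\Shadowers';     PermissionsAllowed = 0x031 }  # Query+Shadow+Logon
    [pscustomobject]@{ AccountName = 'MYDOMAIN\OldHelpdesk';   PermissionsAllowed = 0x020 }  # Logon only
)
Test-ListenerLogonAccounts -Accounts $sample -Allowed 'BUILTIN\Administrators','MYDOMAIN\Shadowers' |
    Format-Table -AutoSize
```

Running this after the VBScript has been applied shows whether the listener's ACL matches the intended set of accounts, and re-running it on a schedule catches any entry added outside the script.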


-----Original Message-----
From: thin-bounce@freelists.org [mailto:thin-bounce@freelists.org] On
Behalf Of Magnus Hjorleifsson
Sent: Thursday, May 28, 2009 6:15 AM
To: thin@freelists.org
Subject: [THIN] Trying to script rdp-tcp permissions

Hi all,
I am trying to script permissions to only allow 2 active directory
domain accounts to login via rdp. Does anyone know where this is in
the registry? Or is there an existing policy that does this?

Thank you in advance
Magnus

Sent from my iPhone
************************************************
For Archives, RSS, to Unsubscribe, Subscribe or
set Digest or Vacation mode use the below link:
http://www.freelists.org/list/thin
Follow ThinList on Twitter
http://twitter.com/thinlist
Thin List discussion is now available in blog format at:
http://thinmaillist.blogspot.com
Thinlist MOBILE Feed
http://thinlist.net/mobile
************************************************
