If you would like to read the other articles in the series please go here:
- Scripting for Server Based Computing: Part 1 – Terminal Services Attributes for Active Directory User Objects
- Scripting for Server Based Computing: Part 3 – Citrix Presentation Server Scripting
Introduction
In part 1 of this series, we explored how VBScript and WMI could be leveraged to modify the terminal services-specific attributes of Active Directory User Objects. In this article we will take a look at the terminal services settings for a server itself. In other words, we are going to learn what we can change in the server’s terminal services settings and how to change those settings. Again, we will be assuming that the reader of this article is executing these scripts on a Windows Server 2003 terminal server and has sufficient knowledge of both terminal services and scripting along with the requisite rights and permissions to modify the settings in question. Additionally, we will look (where applicable) only at Remote Desktop (not ICA) scripting settings for connections. We will review ICA Connection Settings in future articles in this series. However, as far as connection settings go, the material covered is equally applicable to both RDP and ICA. To that end, please note that the sample scripts provided here will modify BOTH RDP and ICA settings on your target server with the same end results. Please test the sample scripts in a lab environment prior to executing on your production servers.
Typically, we as administrators will modify the terminal services settings either by editing the configuration by hand and/or leveraging Group Policy Objects to configure the settings centrally. While I am a HUGE fan of Group Policy, not all settings that are available in the GUI are available as definable policy elements inside of a GPO. Moreover, not every terminal services administrator has the luxury of being able to edit (or even use) Group Policy Objects. There are still more than a few NT-based domains in production that haven’t migrated to Active Directory. Thus, scripting these settings provides several benefits. From a consistency standpoint, someone could “accidentally” make changes to the terminal services settings on a server in our production environments. This change could take a GREAT deal of time to track down (or even reveal itself in a large load-balanced environment). In this case, a script that sets the terminal services settings to the “corporate” standard would be a useful first step in troubleshooting and could even be used in a preventative fashion by being executed as part of a regular server reboot cycle. For those that aren’t fortunate enough to have Active Directory’s Group Policy Objects to aid in managing your terminal servers (or the ability to edit such GPO’s if you do), a script like this could be an excellent tool to maintain setting consistency for server builds. And the best reasons of all… it is faster and more consistent (especially in larger server farms). And truly best of all is that there are some scriptable settings for which there is NO GUI equivalent!
So, without further ado, let us turn our attentions to the different options that are available through the GUI. The primary tool for editing the Terminal Services Server and Connection Settings is the Terminal Services Configuration tool located in the Administrative Tools folder in your server’s start menu. (For the Citrix group, we know this best as the Citrix Connection Configuration tool.) Since we will be looking at Citrix-specific settings in later articles, we will spend most of our time in the Microsoft tool. Please reference Figure 1 below for a look at the two sections of configuration, Server and Connection Settings.
Figure 1: Terminal Services Server Settings
Nearly all of the various settings for the Server and the separate Connections can be configured via WMI scripts. The Server Settings section has six basic settings that can be edited. Please reference Table 1 for the setting name and its corresponding WMI Attribute and possible values.

| GUI Setting | Attribute Value | Value for Script |
|---|---|---|
| Delete temporary folders on exit | SetPolicyPropertyName("DeleteTempFolders", X) | X=0,1 |
| Use temporary folders per session | SetPolicyPropertyName("UseTempFolders", X) | X=0,1 |
| Licensing* | LicensingType | 0,1,2,4 |
| Active Desktop | ActiveDesktop | 0,1 |
| Permission Compatibility | UserPermission | X=0,1 |
| Restrict each user to one session | SetSingleSession(X) | X=0,1 |

Table 1: Terminal Services Server Settings WMI Value
* Read-Only, should be changed through Add/Remove Programs
In reviewing the Server Settings table, there are a few settings that should be discussed in greater detail. Licensing mode can only be changed through Add/Remove Programs. If your server is in Remote Administration mode, you will need to change it to Terminal Services mode to allow for further scripting of options. Many of the settings we can configure through script are ONLY available to TRUE Terminal Servers. Once the server is converted, Licensing can be “changed” from Per Device to Per User via script; otherwise this Attribute is read-only. The various values listed for licensing deserve another listing of their own.

| Value | Meaning |
|---|---|
| 0 | Personal Terminal Server – For Windows XP only |
| 1 | Remote Desktop for Administration |
| 2 | Per Device – Only available for true Terminal Servers |
| 4 | Per User – Only available for true Terminal Servers |

Table 2: LicensingType Values
Additionally, there are several settings that are available for scripting that are NOT available in the GUI, though many of them do appear in Group Policy. Home Folder, Profile Folder and Fallback Printer driver, just to name a few, are Terminal Services WMI addressable attributes. For more information on these specific settings, please reference Microsoft’s WMI reference for Terminal Services at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/win32_terminalservicesetting.asp.
Later we will see how to integrate the Server Settings into a usable WMI script. For now, let’s review the Connection Settings and the settings available there. The Connections folder in the Terminal Services Configuration tool allows us to modify the attributes of the Connections (or Winstations) that our users use as transports to connect to the terminal servers. At a minimum, you will have RDP-Tcp as a valid connection and may have more depending on the presence of Citrix Presentation Server (aka MetaFrame). Figure 2 illustrates the relationship of “connections”.
Figure 2: Terminal Services Connections Settings
Looking directly at the properties of a given connection reveals the WEALTH of setting options available. For the purposes of this article, we will review the RDP-Tcp properties and NEARLY every setting that can be changed for the given tab. In looking at Figure 3, we will manipulate the settings in great detail of every tab; save PERMISSIONS… the API (and subsequently, the METHODS open to WMI) is limited in this area. One could speculate that this was intentionally made so for security reasons. We wouldn’t want rogue WMI scripts that give the “everyone” group the rights to logon to our terminal services enabled servers now would we?
Figure 3: RDP-TCP Settings
Table 3 below gives us a more detailed breakdown of the various tabs and the types of information that can be configured. As a matter of practical usability, I would recommend that you “hand configure” a server the way you want it, then write down those settings to allow for easy creation of your own script (or substitution into the sample script in this article).

| GUI Setting | Attribute Value | Value for Script |
|---|---|---|
| —GENERAL TAB | Win32_TSGeneralSetting | |
| Comment | Comment | String |
| Encryption Level | SetEncryptionLevel | 1,2,3,4 |
| Use standard Windows Authentication | WindowsAuthentication | 0,1 |
| —LOGON SETTINGS TAB | Win32_TSLogonSetting | |
| Always prompt for password | SetPromptForPassword | 0,1 |
| Always use the following logon information | ExplicitLogon(X, Y, Z) | X=User, Y=Domain, Z=Password |
| —SESSIONS TAB | Win32_TSSessionSetting | |
| Override User Settings (Time) | TimeLimitPolicy | 0,1 |
| When session limit is reached… | BrokenConnectionPolicy | 0,1 |
| Allow Reconnection… | ReconnectionPolicy | 0,1 |
| —ENVIRONMENT TAB | Win32_TSEnvironmentSetting | |
| Override user settings… | InitialProgramPolicy | 0,1 |
| —REMOTE CONTROL TAB | Win32_TSRemoteControlSetting | |
| | RemoteControlPolicy = X; RemoteControl(Y) | X=0,1; Y=0-4 (0 = Disable, 1 = EnableInputNotify, 2 = EnableInputNoNotify, 3 = EnableNoInputNotify, 4 = EnableNoInputNoNotify) |
| —CLIENT SETTINGS TAB | Win32_TSClientSetting | |
| Connection (Use connection settings…) | ConnectionPolicy; ConnectionSettings(A, B, C) | 0,1; A=Drive 0,1; B=Printer 0,1; C=Default Printer 0,1 (C Depends on B Setting) |
| Limit Maximum Color Depth | SetColorDepthPolicy(X); SetColorDepth(Y) | X=0,1; Y=1,2,3,4 |
| Disable the following | SetClientProperty("AudioMapping", X); SetClientProperty("COMPortMapping", X); SetClientProperty("LPTPortMapping", X); SetClientProperty("ClipboardMapping", X); SetClientProperty("WindowsPrinterMapping", X) | X=0,1 |

Table 3: RDP-TCP Settings WMI Value
Well, with that information behind us, let us now turn our attentions to an actual fully functional sample script that takes all that we have discussed to this point and merges it into a single usable tool. As a final word of caution, please do not use this sample script on your production equipment. The script can be copied into any text editor and saved as a .VBS file for easy use. Explanations of the attributes and their values have been inserted into the script using the standard 'COMMENT syntax for VBScript. Please note that as you are “testing” this script and refining the settings the way you want them, some combinations of script settings will result in a failing script. Before you write me a letter, I would encourage you to attempt to “configure” the same settings in the GUI tool. To bring this point clearly home, you can’t DISABLE the CLIENT DRIVE virtual channel and expect the script to be able to enable the “Connect client drives at logon…” setting. Remember, if it is a combination that won’t work in the GUI, it won’t work via script.
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}\\" & strComputer & "\root\cimv2")

'*********************************
'TERMINAL SERVICES SERVER SETTINGS
'*********************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TerminalServiceSetting")
For Each objItem in colItems
    objItem.ActiveDesktop = 1 'ENABLE Active Desktop
    objItem.UserPermission = 1 'ENABLE Relaxed Security
    errResult = objItem.SetSingleSession(1) 'DISABLE Restrict each user to one session
    errResult = objItem.SetPolicyPropertyName("DeleteTempFolders",1) 'DISABLE Delete temporary folders
    errResult = objItem.SetPolicyPropertyName("UseTempFolders",1) 'DISABLE Use temporary folders
    objItem.Put_
Next

'*************************************************
'TERMINAL SERVICES CONNECTION SETTINGS GENERAL TAB
'*************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSGeneralSetting")
For Each objItem in colItems
    objItem.Comment = "Script Modified Connection" 'Edits the Comment value
    errResult = objItem.SetEncryptionLevel(2) 'Sets Required Encryption to CLIENT COMPATIBLE
    objItem.WindowsAuthentication = 0 'DISABLES Use of Standard Windows Authentication
    objItem.Put_
Next

'*************************************************
'TERMINAL SERVICES CONNECTION SETTINGS LOGON TAB
'*************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSLogonSetting")
For Each objItem in colItems
    errResult = objItem.SetPromptForPassword(1) 'ENABLES Always prompt for password
    objItem.ClientLogonInfoPolicy = 0 'DISABLES Use-client Provided Login information
    objItem.Put_
    errResult = objItem.ExplicitLogon("UserName","Domain","Password") 'Sets Login Information
Next

'*************************************************
'TERMINAL SERVICES CONNECTION SETTINGS SESSIONS TAB
'*************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSSessionSetting")
For Each objItem in colItems
    objItem.TimeLimitPolicy = 0 'ENABLES Connection Override for Time Settings
    objItem.Put_ 'Commits the override so other settings will go through without error
    errResult = objItem.TimeLimit("DisconnectedSessionLimit", 60000) 'Disconnected for 1 Min
    errResult = objItem.TimeLimit("ActiveSessionLimit", 3600000) 'Active for 1 Hour
    errResult = objItem.TimeLimit("IdleSessionLimit", 600000) 'Idle for 10 mins
    objItem.BrokenConnectionPolicy = 0 'ENABLES Connection Override for Broken Connections
    errResult = objItem.BrokenConnection(1) 'ENDS Broken Connections
    objItem.ReconnectionPolicy = 0 'ENABLES Connection Override for Reconnecting Sessions
    objItem.Put_
Next

'*****************************************************
'TERMINAL SERVICES CONNECTION SETTINGS ENVIRONMENT TAB
'*****************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSEnvironmentSetting")
For Each objItem in colItems
    objItem.InitialProgramPolicy = 0 'ENABLES Connection Override
    objItem.Put_
    errResult = objItem.InitialProgram("%systemroot%\notepad.exe","%homedir%") 'SETS Executable and working directory
Next

'********************************************************
'TERMINAL SERVICES CONNECTION SETTINGS REMOTE CONTROL TAB
'********************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSRemoteControlSetting")
For Each objItem in colItems
    objItem.RemoteControlPolicy = 0 'ENABLES Connection Override
    objItem.Put_
    errResult = objItem.RemoteControl(2) 'ALLOWS REMOTE INPUT and NO USER NOTIFICATION
Next

'*********************************************************
'TERMINAL SERVICES CONNECTION SETTINGS CLIENT SETTINGS TAB
'*********************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSClientSetting")
For Each objItem in colItems
    objItem.ConnectionPolicy = 0 'ENABLES Connection Override
    objItem.Put_
    errResult = objItem.ConnectionSettings(0,0,0) 'DISABLES Drive, Printer, Default Printer (as per order)
    objItem.SetColorDepthPolicy(0) 'ENABLES Connection Override
    objItem.Put_
    objItem.SetColorDepth(3) 'SETS Color Depth to 16Bit (1=8Bit,2=15Bit,3=16Bit,4=32Bit)
    errResult = objItem.SetClientProperty("AudioMapping", 1) 'DISABLES Audio
    errResult = objItem.SetClientProperty("COMPortMapping", 1) 'DISABLES COM
    errResult = objItem.SetClientProperty("LPTPortMapping", 0) 'ALLOWS LPT
    errResult = objItem.SetClientProperty("ClipboardMapping", 0) 'ALLOWS Clipboard
    errResult = objItem.SetClientProperty("WindowsPrinterMapping", 0) 'ALLOWS Windows Printers
    errResult = objItem.SetClientProperty("DriveMapping", 1) 'DISABLES Drives
Next

'**********************************************************
'TERMINAL SERVICES CONNECTION SETTINGS NETWORK ADAPTERS TAB
'**********************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSNetworkAdapterSetting")
For Each objItem in colItems
    objItem.MaximumConnections = 30 'ENABLES MAX Number of Connections -1=UNLIMITED
    objItem.Put_
Next

'*****************************************************
'TERMINAL SERVICES CONNECTION SETTINGS PERMISSIONS TAB
'
'This section has no sample code for security reasons
'and limitations of the current WMI provider
'
'However, the one REALLY useful feature is the ability
'to reset the Connection Permission to factory default
'as illustrated below
'*****************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSPermissionsSetting")
For Each objItem in colItems
    errResult = objItem.RestoreDefaults()
Next

Wscript.echo "Terminal Services Server and Connection Settings Optimized"
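The drift scenario described earlier (someone "accidentally" changing a server's settings) can also be checked without writing anything to the server. The following is an added example, not part of the original article's script: it only reads the same WMI classes and reports where a server differs from a baseline. The expected values mirror what the sample script above writes; the read-side property names SingleSession, MinEncryptionLevel, PromptForPassword, LevelOfControl and TerminalName come from Microsoft's Terminal Services WMI provider classes rather than from this article, and CheckClass is a hypothetical helper.

```vbscript
' Added example: read-only drift check. It changes nothing on the server.
' Expected values mirror the sample script and are placeholders; substitute
' the values you recorded from your hand-configured reference server.
Option Explicit
Dim strComputer, objWMIService, intDrift
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}\\" _
    & strComputer & "\root\cimv2")
intDrift = 0

' Server-wide settings (a single instance, so no connection name to print)
CheckClass "Win32_TerminalServiceSetting", "", _
    Array("ActiveDesktop", "UserPermission", "SingleSession"), Array(1, 1, 1)
' Per-connection settings: one instance per connection (RDP and ICA alike)
CheckClass "Win32_TSGeneralSetting", "TerminalName", _
    Array("MinEncryptionLevel", "WindowsAuthentication"), Array(2, 0)
CheckClass "Win32_TSLogonSetting", "TerminalName", _
    Array("PromptForPassword", "ClientLogonInfoPolicy"), Array(1, 0)
CheckClass "Win32_TSRemoteControlSetting", "TerminalName", _
    Array("RemoteControlPolicy", "LevelOfControl"), Array(0, 2)

WScript.Echo intDrift & " setting(s) differ from the baseline"
If intDrift > 0 Then WScript.Quit 1   ' non-zero exit code for schedulers

Sub CheckClass(strClass, strNameProp, arrProps, arrExpected)
    Dim colItems, objItem, i, strLabel, varActual
    Set colItems = objWMIService.ExecQuery("Select * from " & strClass)
    For Each objItem In colItems
        strLabel = strClass
        If strNameProp <> "" Then
            strLabel = strLabel & " [" & _
                objItem.Properties_.Item(strNameProp).Value & "]"
        End If
        For i = 0 To UBound(arrProps)
            varActual = objItem.Properties_.Item(arrProps(i)).Value
            ' A Null property makes "<>" evaluate to Null, which If treats
            ' as False, so test for Null explicitly and count it as drift.
            If IsNull(varActual) Then
                intDrift = intDrift + 1
                WScript.Echo "DRIFT " & strLabel & " " & arrProps(i) & _
                    " is Null, expected " & arrExpected(i)
            ElseIf varActual <> arrExpected(i) Then
                intDrift = intDrift + 1
                WScript.Echo "DRIFT " & strLabel & " " & arrProps(i) & _
                    " = " & varActual & ", expected " & arrExpected(i)
            End If
        Next
    Next
End Sub
```

Run it with cscript so each DRIFT line goes to the console instead of a message box; the exit code is 1 when any setting differs.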
Conclusion
Again, we have uncovered more of the power of scripting for Terminal Services. This sample script and article was written to give you a TASTE of the power, similar to those little tiny spoons at your neighborhood ice cream parlor. Just enough of an idea to know what you like and just enough to get you hooked to buying a gallon! In the next installment, we will look at scripting specifically for Presentation Servers (Citrix that is!). While, we have explored the WMI capabilities for Terminal Services Server and Connection Settings to a great degree in this article, we truly have only scratched the surface of what WMI can provide. For further information, please consult Microsoft’s online knowledge base concerning WMI Scripting for Terminal Services at http://www.microsoft.com/technet/scriptcenter/scripts/ts/default.mspx and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/terminal_services_wmi_provider_classes.asp.