Scripting for Server Based Computing: Part 2 – Terminal Services Server and Connection Settings


Introduction

In part 1 of this series, we explored how VBScript and WMI could be leveraged to modify the terminal services-specific attributes of Active Directory user objects. In this article we will look at the terminal services settings for the server itself: what we can change and how to change it. Again, we assume that the reader is executing these scripts on a Windows Server 2003 terminal server and has sufficient knowledge of both terminal services and scripting, along with the requisite rights and permissions to modify the settings in question. Additionally, we will look (where applicable) only at Remote Desktop (not ICA) scripting settings for connections. We will review ICA Connection Settings in future articles in this series. However, as far as connection settings go, the material covered applies equally to both RDP and ICA. To that end, please note that the sample scripts provided here will modify BOTH RDP and ICA settings on your target server with the same end results. Please test the sample scripts in a lab environment prior to executing on your production servers.

Typically, we as administrators will modify the terminal services settings either by editing the configuration by hand and/or leveraging Group Policy Objects to configure the settings centrally. While I am a HUGE fan of Group Policy, not all settings that are available in the GUI are available as definable policy elements inside of a GPO. Moreover, not every terminal services administrator has the luxury of being able to edit (or even use) Group Policy Objects. There are still more than a few NT-based domains in production that haven’t migrated to Active Directory. Thus, scripting these settings provides several benefits. From a consistency standpoint, someone could “accidentally” make changes to the terminal services settings on a server in our production environments. This change could take a GREAT deal of time to track down (or even to reveal itself in a large load-balanced environment). In this case, a script that sets the terminal services settings to the “corporate” standard would be a useful first step in troubleshooting and could even be used in a preventative fashion by being executed as part of a regular server reboot cycle. For those who aren’t fortunate enough to have Active Directory’s Group Policy Objects to aid in managing their terminal servers (or the ability to edit such GPOs if they do), a script like this could be an excellent tool to maintain setting consistency for server builds. And the best reasons of all… it is faster and more consistent (especially in larger server farms). And truly best of all is that there are some scriptable settings for which there is NO GUI equivalent!

So, without further ado, let us turn our attentions to the different options that are available through the GUI. The primary tool for editing the Terminal Services Server and Connection Settings is the Terminal Services Configuration tool located in the Administrative Tools folder in your server’s start menu. (For the Citrix group, we know this best as the Citrix Connection Configuration tool.) Since we will be looking at Citrix-specific settings in later articles, we will spend most of our time in the Microsoft tool. Please reference Figure 1 below for a look at the two sections of configuration, Server and Connection Settings.


Figure 1: Terminal Services Server Settings

Nearly all of the various settings for the Server and the separate Connections can be configured via WMI scripts. The Server Settings section has six basic settings that can be edited. Please reference Table 1 for the setting name and its corresponding WMI Attribute and possible values.

| GUI Setting | Attribute Value | Value for Script |
|---|---|---|
| Delete temporary folders on exit | SetPolicyPropertyName("DeleteTempFolders", X) | X=0,1 |
| Use temporary folders per session | SetPolicyPropertyName("UseTempFolders", X) | X=0,1 |
| Licensing* | LicensingType | 0,1,2,4 |
| Active Desktop | ActiveDesktop | 0,1 |
| Permission Compatibility | UserPermission | X=0,1 |
| Restrict each user to one session | SetSingleSession(X) | X=0,1 |

Table 1: Terminal Services Server Settings WMI Value

* Read-Only, should be changed through Add/Remove Programs

In reviewing the Server Settings table, there are a few settings that should be discussed in greater detail. Licensing mode can only be changed through Add/Remove Programs. If your server is in Remote Administration mode, you will need to change it to Terminal Services mode to allow for further scripting of options. Many of the settings we can configure through script are ONLY available to TRUE Terminal Servers. Once the server is converted, Licensing can be “changed” from Per Device to Per User via script; otherwise this Attribute is read-only. The various values listed for licensing deserve another listing of their own.

| Value | Meaning |
|---|---|
| 0 | Personal Terminal Server – For Windows XP only |
| 1 | Remote Desktop for Administration |
| 2 | Per Device – Only available for true Terminal Servers |
| 4 | Per User – Only available for true Terminal Servers |

Table 2: LicensingType Values

Additionally, there are several settings that are available for scripting that are NOT available in the GUI, but many of which do appear in Group Policy. Home Folder, Profile Folder and Fallback Printer driver, just to name a few, are Terminal Services WMI addressable attributes. For more information on these specific settings, please reference Microsoft’s WMI reference for Terminal Services at http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/win32_terminalservicesetting.asp.

Later we will see how to integrate the Server Settings into a usable WMI script. For now, let’s review the Connection Settings and the settings available there. The Connections folder in the Terminal Services Configuration tool allows us to modify the attributes of the Connections (or Winstations) that our users use as transports to connect to the terminal servers. At a minimum, you will have RDP-Tcp as a valid connection and may have more depending on the presence of Citrix Presentation Server (aka MetaFrame). Figure 2 illustrates the relationship of “connections”.


Figure 2: Terminal Services Connections Settings

Looking directly at the properties of a given connection reveals the WEALTH of setting options available. For the purposes of this article, we will review the RDP-Tcp properties and NEARLY every setting that can be changed on each tab. Referring to Figure 3, we will work through the settings on every tab in detail, save PERMISSIONS… the API (and subsequently, the METHODS open to WMI) is limited in this area. One could speculate that this was intentionally made so for security reasons. We wouldn’t want rogue WMI scripts that give the “everyone” group the rights to log on to our terminal services enabled servers, now would we?


Figure 3: RDP-TCP Settings

Table 3 below gives us a more detailed breakdown of the various tabs and the types of information that can be configured. As a matter of practical usability, I would recommend that you “hand configure” a server the way you want it, then write down those settings to allow for easy creation of your own script (or substitution into the sample script in this article).

| GUI Setting | Attribute Value | Value for Script |
|---|---|---|
| —GENERAL TAB | Win32_TSGeneralSetting | |
| Comment | Comment | String |
| Encryption Level | SetEncryptionLevel | 1,2,3,4 |
| Use standard Windows Authentication | WindowsAuthentication | 0,1 |
| —LOGON SETTINGS TAB | Win32_TSLogonSetting | |
| Always prompt for password | SetPromptForPassword | 0,1 |
| Always use the following logon information | ExplicitLogon(X, Y, Z) | X=User, Y=Domain, Z=Password |
| —SESSIONS TAB | Win32_TSSessionSetting | |
| Override User Settings (Time) | TimeLimitPolicy | 0,1 |
| When session limit is reached… | BrokenConnectionPolicy | 0,1 |
| Allow Reconnection… | ReconnectionPolicy | 0,1 |
| —ENVIRONMENT TAB | Win32_TSEnvironmentSetting | |
| Override user settings… | InitialProgramPolicy | 0,1 |
| —REMOTE CONTROL TAB | Win32_TSRemoteControlSetting | |
| | RemoteControlPolicy = X; RemoteControl(Y) | X=0,1; Y=0-4 (0 = Disable, 1 = EnableInputNotify, 2 = EnableInputNoNotify, 3 = EnableNoInputNotify, 4 = EnableNoInputNoNotify) |
| —CLIENT SETTINGS TAB | Win32_TSClientSetting | |
| Connection (Use connection settings…) | ConnectionPolicy; ConnectionSettings(A, B, C) | 0,1; A=Drive 0,1; B=Printer 0,1; C=Default Printer 0,1 (C Depends on B Setting) |
| Limit Maximum Color Depth | SetColorDepthPolicy(X); SetColorDepth(Y) | X=0,1; Y=1,2,3,4 |
| Disable the following | SetClientProperty("AudioMapping", X); SetClientProperty("COMPortMapping", X); SetClientProperty("LPTPortMapping", X); SetClientProperty("ClipboardMapping", X); SetClientProperty("WindowsPrinterMapping", X) | X=0,1 |

Table 3: RDP-TCP Settings WMI Value

Well, with that information behind us, let us now turn our attention to an actual fully functional sample script that takes all that we have discussed to this point and merges it into a single usable tool. As a final word of caution, please do not use this sample script on your production equipment. The script can be copied into any text editor and saved as a .VBS file for easy use. Explanations of the attributes and their values have been inserted into the script using standard VBScript 'COMMENT lines. Please note that as you are “testing” this script and refining the settings the way you want them, some of the combinations of script settings will result in a failing script. Before you write me a letter, I would encourage you to attempt to “configure” the same settings in the GUI Tool. To bring this point clearly home, you can’t DISABLE the CLIENT DRIVE virtual channel and expect the script to be able to enable the “Connect client drives at logon…” setting. Remember, if it is a combination that won’t work in the GUI, it won’t work via script.

strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}\\" & strComputer & "\root\cimv2")

'*********************************
'TERMINAL SERVICES SERVER SETTINGS
'*********************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TerminalServiceSetting")

For Each objItem in colItems
    objItem.ActiveDesktop = 1 'ENABLE Active Desktop
    objItem.UserPermission = 1 'ENABLE Relaxed Security
    errResult = objItem.SetSingleSession(1) 'ENABLE Restrict each user to one session (0 would disable)
    errResult = objItem.SetPolicyPropertyName("DeleteTempFolders",1) 'ENABLE Delete temporary folders on exit
    errResult = objItem.SetPolicyPropertyName("UseTempFolders",1) 'ENABLE Use temporary folders per session
    objItem.Put_
Next

'*************************************************
'TERMINAL SERVICES CONNECTION SETTINGS GENERAL TAB
'*************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSGeneralSetting")

For Each objItem in colItems
    objItem.Comment = "Script Modified Connection" 'Edits the Comment value
    errResult = objItem.SetEncryptionLevel(2) 'Sets Required Encryption to CLIENT COMPATIBLE
    objItem.WindowsAuthentication = 0 'DISABLES Use of Standard Windows Authentication
    objItem.Put_
Next

'*************************************************
'TERMINAL SERVICES CONNECTION SETTINGS LOGON TAB
'*************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSLogonSetting")

For Each objItem in colItems
    errResult = objItem.SetPromptForPassword(1) 'ENABLES Always prompt for password
    objItem.ClientLogonInfoPolicy = 0 'DISABLES Use-client Provided Login information
    objItem.Put_
    errResult = objItem.ExplicitLogon("UserName","Domain","Password") 'Sets Login Information
Next

'*************************************************
'TERMINAL SERVICES CONNECTION SETTINGS SESSIONS TAB
'*************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSSessionSetting")

For Each objItem in colItems
    objItem.TimeLimitPolicy = 0 'ENABLES Connection Override for Time Settings
    objItem.Put_ 'Commits the override so other settings will go through without error
    errResult = objItem.TimeLimit("DisconnectedSessionLimit", 60000) 'Disconnected for 1 Min
    errResult = objItem.TimeLimit("ActiveSessionLimit", 3600000) 'Active for 1 Hour
    errResult = objItem.TimeLimit("IdleSessionLimit", 600000) 'Idle for 10 mins
    objItem.BrokenConnectionPolicy = 0 'ENABLES Connection Override for Broken Connections
    errResult = objItem.BrokenConnection(1) 'ENDS Broken Connections
    objItem.ReconnectionPolicy = 0 'ENABLES Connection Override for Reconnecting Sessions
    objItem.Put_
Next

'*****************************************************
'TERMINAL SERVICES CONNECTION SETTINGS ENVIRONMENT TAB
'*****************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSEnvironmentSetting")

For Each objItem in colItems
    objItem.InitialProgramPolicy = 0 'ENABLES Connection Override
    objItem.Put_
    errResult = objItem.InitialProgram("%systemroot%\notepad.exe","%homedir%") 'SETS Executable and working directory
Next

'********************************************************
'TERMINAL SERVICES CONNECTION SETTINGS REMOTE CONTROL TAB
'********************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSRemoteControlSetting")

For Each objItem in colItems
    objItem.RemoteControlPolicy = 0 'ENABLES Connection Override
    objItem.Put_
    errResult = objItem.RemoteControl(2) 'ALLOWS REMOTE INPUT and NO USER NOTIFICATION
Next

'*********************************************************
'TERMINAL SERVICES CONNECTION SETTINGS CLIENT SETTINGS TAB
'*********************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSClientSetting")

For Each objItem in colItems
    objItem.ConnectionPolicy = 0 'ENABLES Connection Override
    objItem.Put_
    errResult = objItem.ConnectionSettings(0,0,0) 'DISABLES Drive, Printer, Default Printer (as per order)

    errResult = objItem.SetColorDepthPolicy(0) 'ENABLES Connection Override
    objItem.Put_
    errResult = objItem.SetColorDepth(3) 'SETS Color Depth to 16Bit (1=8Bit,2=15Bit,3=16Bit,4=32Bit)

    errResult = objItem.SetClientProperty("AudioMapping", 1) 'DISABLES Audio
    errResult = objItem.SetClientProperty("COMPortMapping", 1) 'DISABLES COM
    errResult = objItem.SetClientProperty("LPTPortMapping", 0) 'ALLOWS LPT
    errResult = objItem.SetClientProperty("ClipboardMapping", 0) 'ALLOWS Clipboard
    errResult = objItem.SetClientProperty("WindowsPrinterMapping", 0) 'ALLOWS Windows Printers
    errResult = objItem.SetClientProperty("DriveMapping", 1) 'DISABLES Drives
Next

'**********************************************************
'TERMINAL SERVICES CONNECTION SETTINGS NETWORK ADAPTERS TAB
'**********************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSNetworkAdapterSetting")

For Each objItem in colItems
    objItem.MaximumConnections = 30 'ENABLES MAX Number of Connections -1=UNLIMITED
    objItem.Put_
Next

'*****************************************************
'TERMINAL SERVICES CONNECTION SETTINGS PERMISSIONS TAB

'This section has no sample code for security reasons
'and limitations of the current WMI provider

'However, the one REALLY useful feature is the ability
'to reset the Connection Permission to factory default
'as illustrated below
'*****************************************************
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSPermissionsSetting")

For Each objItem in colItems
    errResult = objItem.RestoreDefaults()
Next

Wscript.echo "Terminal Services Server and Connection Settings Optimized"
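
A read-only companion to the script above, as an added example that is not part of the original article: it reports where a server has drifted from a baseline instead of changing anything. The baseline values are assumptions for illustration, and the property names SingleSession, MinEncryptionLevel, PromptForPassword and LevelOfControl come from the Terminal Services WMI classes rather than from this page.

```vbscript
' Added example: audit only, nothing is written back to the server.
' The baseline values are assumptions for illustration; substitute your own.
Option Explicit
Dim strComputer, objWMIService, intDrift
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}\\" & strComputer & "\root\cimv2")
intDrift = 0

' Server settings (Table 1)
Check "Win32_TerminalServiceSetting", "UserPermission", 0      '0 = Full Security
Check "Win32_TerminalServiceSetting", "SingleSession", 1       '1 = one session per user
Check "Win32_TerminalServiceSetting", "DeleteTempFolders", 1
Check "Win32_TerminalServiceSetting", "UseTempFolders", 1

' Connection settings (Table 3); every connection (RDP-Tcp and any others) is checked
Check "Win32_TSGeneralSetting", "MinEncryptionLevel", 3        '3 = High
Check "Win32_TSGeneralSetting", "WindowsAuthentication", 1
Check "Win32_TSLogonSetting", "PromptForPassword", 1
Check "Win32_TSRemoteControlSetting", "RemoteControlPolicy", 0 '0 = connection overrides user
Check "Win32_TSRemoteControlSetting", "LevelOfControl", 1      '1 = EnableInputNotify
Check "Win32_TSClientSetting", "DriveMapping", 1               '1 = mapping disabled
Check "Win32_TSClientSetting", "ClipboardMapping", 1

If intDrift = 0 Then
    WScript.Echo "All audited settings match the baseline."
Else
    WScript.Echo intDrift & " setting(s) differ from the baseline."
End If
WScript.Quit intDrift 'non-zero exit code lets a scheduled task flag the server

Sub Check(strClass, strProp, varExpected)
    Dim colItems, objItem, varActual
    Set colItems = objWMIService.ExecQuery("Select * from " & strClass)
    For Each objItem In colItems
        varActual = objItem.Properties_.Item(strProp).Value
        'A Null (unset) value counts as drift; True Or Null evaluates to True
        If IsNull(varActual) Or varActual <> varExpected Then
            intDrift = intDrift + 1
            'Path_.RelPath identifies the instance, e.g. which connection it is
            WScript.Echo "DRIFT " & objItem.Path_.RelPath & " " & strProp & _
                " = " & varActual & " (expected " & varExpected & ")"
        End If
    Next
End Sub
```

Run it with cscript.exe so each DRIFT line goes to the console rather than a message box.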

Conclusion

Again, we have uncovered more of the power of scripting for Terminal Services. This sample script and article were written to give you a TASTE of the power, similar to those little tiny spoons at your neighborhood ice cream parlor. Just enough of an idea to know what you like and just enough to get you hooked on buying a gallon! In the next installment, we will look at scripting specifically for Presentation Servers (Citrix that is!). While we have explored the WMI capabilities for Terminal Services Server and Connection Settings to a great degree in this article, we truly have only scratched the surface of what WMI can provide. For further information, please consult Microsoft’s online knowledge base concerning WMI Scripting for Terminal Services at http://www.microsoft.com/technet/scriptcenter/scripts/ts/default.mspx and http://msdn.microsoft.com/library/default.asp?url=/library/en-us/termserv/termserv/terminal_services_wmi_provider_classes.asp.
