Remote Desktop permissions

From DanIT

Backstory

Remote Desktop Session Host Configuration's security settings example

Up until Windows Server 2008 R2 the "Remote Desktop Session Host Configuration" tool shipped with the OS; it has been removed in later versions.
With this application you could delegate certain Remote Desktop permissions to individual users or groups.
This was done by opening the application, right-clicking a connection and selecting Properties, then going to the Security tab, Advanced, selecting a permission entry, and Edit.

The following permissions are available:

ID  Permission         Description
0   Query Information  Get information on any session
1   Set Information    ?
4   Remote Control     Shadow any session (behaviour depends on the shadow settings)
5   Logon              Log on to your own session
2   Logoff             Log off any session
7   Message            Send a message to any session
8   Connect            Take over any session (password still required)
9   Disconnect         Disconnect any session
3   Virtual Channels   Use outside-session features (e.g. clipboard or printer)

  • The Query and Virtual Channels permissions are allowed by default, even when unchecked.
  • Logon also requires the user/group to be granted the Remote Desktop logon right under User Rights Assignment (via Group Policy).


Doing this is still possible, however only through WMI commands via scripting.
An easy-to-use PowerShell menu script is provided here, and the individual commands are also provided as examples.

PowerShell menu

PowerShell menu script

You can download the PowerShell menu script at: https://pastebin.com/0w9Vq8aJ
This script must be run as an administrator, open PowerShell as an administrator and execute the script from there.

In this menu you get a clear overview of all the permissions; you can add a new user/group, edit or remove an existing one, or reset all permissions back to the defaults.
Note that deny permissions always overrule allow permissions, and that deleting a user/group removes both its allow and its deny entries.

Commands

Add

Permissions of a user or group can only be edited once the user or group has been added to the permissions list; by default a few local groups are already present in this list.
The user/group has to be added per connection (terminal): "Console" and "RDP-Tcp" are the default connections, and when using Citrix, for example, more connections will be present.

# Enumerate the permission settings of every connection (terminal) on this host
foreach($object in (Get-WmiObject -Class "Win32_TSPermissionsSetting" -Namespace "root\cimv2\terminalservices"))
{
    # Only touch the RDP-Tcp connection
    if($object.TerminalName -eq "RDP-Tcp")
    {
        # Add the group to the permissions list; preset 3 is undefined, so no permissions are granted yet
        Invoke-WmiMethod -InputObject $object -Name "AddAccount" -ArgumentList "Example-Group",3
    }
}

We loop through the available connections and, once we have found the correct one, add the user/group to its permissions list.
The second argument of AddAccount selects a predefined set of permissions (0-2); by passing 3, which is undefined, we add the user/group to the list without granting any permissions.

Edit

To edit a user/group's permissions, we query the permissions list for the entries that match the given connection name and user/group name.
Please note that the user/group name has to include the hostname of the machine, and that the backslash (\) has to be doubled in the WQL query.

# Find the entry for the group on the RDP-Tcp connection; the backslash in HOST\name is doubled for WQL
foreach($object in (Get-WmiObject -Namespace "root\cimv2\terminalservices" -Query "SELECT * FROM Win32_TSAccount WHERE TerminalName='RDP-Tcp' AND AccountName='LOCALHOST\\Example-Group'"))
{
    # Permission ID 7 (Message), 1 = allow
    $object.ModifyPermissions(7, 1)
}

The first argument of ModifyPermissions represents the ID of the permission (see the table above); the second argument represents allow (1) or deny (0).
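The Add and Edit steps above can be combined into one script that first audits what every account may do on a connection, then adds a group without permissions and grants it only what it needs. The following is an added example, not part of the original page and not taken from the menu script; it assumes that the PermissionsAllowed and PermissionsDenied properties of Win32_TSAccount are bitmasks whose bit positions correspond to the permission IDs in the table (bit 0 = Query Information, bit 7 = Message, and so on), and "Example-Group" is a placeholder for a real local group. Run it in an elevated PowerShell session.

```powershell
# Added example (not from the DanIT page or its menu script). Run as an administrator.
# Assumption: PermissionsAllowed / PermissionsDenied are bitmasks whose bit positions
# match the permission IDs from the table (bit 0 = Query Information, bit 7 = Message ...).
# "Example-Group" is a placeholder; replace it with a real local group.

$Namespace = "root\cimv2\terminalservices"
$Terminal  = "RDP-Tcp"
$Account   = "$env:COMPUTERNAME\Example-Group"   # the name must be in HOST\name form

# Permission IDs as listed in the table on this page
$PermissionNames = @{
    0 = "Query Information"; 1 = "Set Information"; 2 = "Logoff"; 3 = "Virtual Channels"
    4 = "Remote Control";    5 = "Logon";           7 = "Message"; 8 = "Connect"; 9 = "Disconnect"
}

function Get-TSPermissionNames([uint32]$Mask) {
    # Decode a bitmask into the readable permission names (assumption: bit i == ID i)
    $PermissionNames.Keys | Sort-Object |
        Where-Object { ([int64]$Mask -band (1 -shl $_)) -ne 0 } |
        ForEach-Object { $PermissionNames[$_] }
}

function Show-TSPermissions {
    # Audit step: which accounts may shadow, connect to or log off other sessions?
    # Remember that a deny entry always overrules an allow entry.
    Get-WmiObject -Namespace $Namespace -Class Win32_TSAccount -Filter "TerminalName='$Terminal'" |
        ForEach-Object {
            [pscustomobject]@{
                Account = $_.AccountName
                Allowed = (Get-TSPermissionNames $_.PermissionsAllowed) -join ", "
                Denied  = (Get-TSPermissionNames $_.PermissionsDenied)  -join ", "
            }
        } | Format-Table -AutoSize
}

"Permissions on $Terminal before the change:"
Show-TSPermissions

# Add step: WQL needs the backslash in HOST\name doubled
$escaped = $Account -replace '\\', '\\'
$query   = "SELECT * FROM Win32_TSAccount WHERE TerminalName='$Terminal' AND AccountName='$escaped'"
$entries = Get-WmiObject -Namespace $Namespace -Query $query

if (-not $entries) {
    # Not in the list yet: add it with the undefined preset 3, i.e. without any permissions
    $setting = Get-WmiObject -Namespace $Namespace -Class Win32_TSPermissionsSetting -Filter "TerminalName='$Terminal'"
    Invoke-WmiMethod -InputObject $setting -Name "AddAccount" -ArgumentList $Account, 3 | Out-Null
    $entries = Get-WmiObject -Namespace $Namespace -Query $query
}

# Edit step (least privilege): allow only Query Information (0) and Message (7),
# and explicitly deny Remote Control (4) and Connect (8) so a later allow cannot override it.
foreach ($entry in $entries) {
    $entry.ModifyPermissions(0, 1) | Out-Null   # allow Query Information
    $entry.ModifyPermissions(7, 1) | Out-Null   # allow Message
    $entry.ModifyPermissions(4, 0) | Out-Null   # deny Remote Control
    $entry.ModifyPermissions(8, 0) | Out-Null   # deny Connect
}

"Permissions on $Terminal after the change:"
Show-TSPermissions
```

The audit function is worth running on its own on every session host now and then: an account that shows Remote Control or Connect under Allowed and nothing under Denied can shadow or take over other users' sessions, which is rarely intended outside a help-desk group.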

Messaging

You might be interested in giving certain users the right to send messages to other users or the entire farm.
For more information on this please see the article "Remote Desktop messaging".