RE: [ActiveDir] adding a group to the RDP permissions

[Creamer, Mark]

Title: Message

Thanks joe (theoretically) ;-)   <mc> -----Original Message----- From: joe [mailto:listmail@joeware.net] Sent: Thursday, May 27, 2004 6:23 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] adding a group to the RDP permissions   Hmmm theoretically <eg>, the permissions are probably stored in the registry....  The most likely place would be someplace say like   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp   possibly in the Security value.   Now theoretically if you used a domain group or a built-in group with a specific SID that doesn't change machine to machine (like I wouldn't recommend using a local group on a server) you could theoretically take that value from one machine and copy to another and have those permissions applied to that other machine. Theoretically you could make this even part of a server build process or have it in some setup script...   Also theoretically it may or may not require a reboot to make it kick in.   Just chatting theoretically of course.   If I was to chat some more theoretically someone looking to write some code to muck with that may theoretically fine that that binary format is a type of standard security definition format.        joe     From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Wednesday, May 26, 2004 1:03 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] adding a group to the RDP permissions Thanks Ken! Even if I can’t use this on the 2K machines, it’ll help a bunch in a couple of months. Many of our TS machines are about to be upgraded and/or installed. I appreciate it…   <mc> -----Original Message----- From: Ken Cornetet [mailto:[EMAIL PROTECTED] Sent: Wednesday, May 26, 2004 12:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] adding a group to the RDP permissions   Here's some Perl WMI code for adding a local group to the RDP security. However, if memory serves, W2K doesn't support WMI TS stuff - only 2k3   Anyway, maybe it will work...   sub TerminalServerSecurity {    my $host = shift;  my $RemoteGroup = shift;    my $wmi = Win32::OLE->GetObject("winmgmts:{impersonationLevel=impersonate}!\\\\$host\\root\\cimv2")   or die "WMI error: $^E";    my $accounts = $wmi->ExecQuery("Select * from Win32_TSPermissionsSetting" )   or die "WMI GetObject: " . WmiError("Win32_TSPermissionsSetting");   # Add local group giving full control    foreach my $a (in $accounts ) {   print "Adding access to ", $a->TerminalName, "\n";   $a->AddAccount("$host\\$RemoteGroup", 2);  }     -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Creamer, Mark Sent: Wednesday, May 26, 2004 9:20 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] adding a group to the RDP permissions Anybody know a good way to add a group programmatically (or GPO, etc.) to the RDP properties visible when you go to Terminal Services Configuration/Connections/RDP-Tcp [Properties]. I have a bunch of Win2K remote administration mode servers that I want to add a group of night operators to. Thanks…   Mark Creamer Systems Engineer Cintas Corporation Honesty and Integrity in Everything We Do