Skip to content

Enterprise Mobility + Security


 

How to enable/disable TS connections remotely

 

Hello, my name is Soo Kuan Teo, I work on the Terminal Services Team. I would like to take this opportunity to begin sharing configuration features in TS.

TS is about remotability. It allows users and administrators to access their computer resources remotely, just as if those computer resources are available locally. TS has a WMI provider with a rich set of class templates that allows TS to be configured remotely or locally.

Please note that in Win2k3/XP, the TS WMI provider is grouped in root/cimv2 namespace. In Vista, it is grouped in root/cimv2/TerminalServices namespace. WMI security impersonation level wbemImpersonationLevelImpersonate and security authentication level wbemAuthenticationLevelPktPrivacy settings are also required for Vista. Please visit here for more info on Terminal Services WMI provider. Here is a good place to start if you want to learn more about WMI in general.

To check the TS Connections setting, you can use the read-only property AllowTSConnections in class template Win32_TerminalServiceSetting

To change the TS Connections setting, you can use the Method SetAllowTSConnections in class template Win32_TerminalServiceSetting.

There are several ways to use TS WMI, the easy way is through scripting. For example, in vbs,

First we get the wbemService object:

Set Service = GetObject(“winmgmts:{authenticationLevel=PktPrivacy}!rootcimv2TerminalServices”)

Then we get the instance of class template Win32_TerminalServiceSetting

Set objSet=Service.ExecQuery(“select * from  Win32_TerminalServiceSetting”)

Now we can use the instance of Win32_TerminalServiceSetting to query/set setting:

for each obj in objSet
     wscript.echo “Remote Desktop is ” & obj.AllowTSConnections
     ‘ toggle setting
     obj.SetAllowTSConnections 1-obj.AllowTSConnections
     obj.refresh_
     wscript.echo “New Remote Desktop setting is ” & obj.AllowTSConnections

next

 

The complete vbs script for changing TS connections locally is:

Set Service = GetObject(“winmgmts:{authenticationLevel=PktPrivacy}!rootcimv2TerminalServices”)

set objSet=Service.ExecQuery(“select * from  Win32_TerminalServiceSetting”)

for each obj in objSet

         wscript.echo “Remote Desktop is ” & obj.AllowTSConnections
         ‘ toggle setting
         obj.SetAllowTSConnections 1-obj.AllowTSConnections
         obj.refresh_
         wscript.echo “New Remote Desktop setting is ” & obj.AllowTSConnections
next

 

Similarly, we can use the wmi moniker feature to simplify the remote case:

Set Service = GetObject(“WinMgmts:{impersonationLevel=impersonate, authenticationLevel=PktPrivacy}” _
& “!\RemoteServerrootcimv2/TerminalServices”)

set objSet=Service.ExecQuery(“select * from  Win32_TerminalServiceSetting”)
for each obj in objSet
         wscript.echo “Remote Desktop is ” & obj.AllowTSConnections
         ‘ toggle setting
         obj.SetAllowTSConnections 1-obj.AllowTSConnections
         obj.refresh_
         wscript.echo “New Remote Desktop setting is ” & obj.AllowTSConnections
next

 

I also  attached a sample script that  allows you to use different Admin user credentials than the user account that runs the script. Please run cscript LHEnableRemoteDesktop.vbs /? for more info.
The attached sample script works in Vista only. If you want to make it work in Win2k3/XP, all you need to update is its namespace from “root/cimv2/TerminalServices” to “root/cimv2“.

 

Another easier way to access WMI providers is through the use of WMIC
To query TS Connections setting:

wmic RDToggle get AllowTSConnections

 

To set Terminal Services connections setting:

wmic RDToggle where servername=”ServerName” call SetAllowTSConnections 1

 

We can use the WMIC global switches for the remote case:

To query the TS connections setting:

wmic /node:”RemoteServer” /user:”domainAdminUser” /password:”password” RDToggle where servername=”RemoteServer” get AllowTSConnections

 

To enable Terminal Services connections:

wmic /node:”RemoteServer” /user:”domainAdminUser” /password:”password” RDToggle where servername=”RemoteServer” call SetAllowTSConnections 1

 

As a side note, in general for WMI to work properly, you need to:
                For Vista and win2k3/XP, set Windows Firewall exceptions for Windows Management Instrumentation (WMI)

                For Vista, run script and wmic in elevated command shell

Next: Configure the TS session limit remotely

 DISCLAIMER: This posting is provided “AS IS” with no warranties, and confers no rights.  Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

 

EnableRemoteDesktop.zip