Solved

Set Terminal Services Permissions via Command line

Posted on 2007-04-04
18
1,997 Views
Last Modified: 2013-11-21
Is there any command line tool available to set permissions on terminal services for Windows 2000?

RDP > Permissions in Terminal Services Configuration?
0
Comment
Question by:Nirmal Sharma
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 11
  • 7
18 Comments
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18849139
A simple way (WMI) is available with Windows 2003. For Windows 2000 you must modify the registry. How to do it and a sample app is here:

http://support.microsoft.com/kb/259129/en-us

Hope it helps,

Michael

0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18849151
Which registry to modify for windows 2000?
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18849476
The registry key and its settings are documented in the KB article I've linked. http://support.microsoft.com/kb/259129/en-us

"MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

The security descriptor is stored in self-relative format in the registry. To obtain or modify the security descriptor, you must convert it to absolute format. After you modify the security descriptor, you must convert it back to self-relative format, and then resave the change.

The default security settings are stored in the DefaultSecurity registry value under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
If you modify the security settings, they are stored in the Security value under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
If you modify the default security descriptor and the Security value does not exist under the RDP-Tcp key, you must create the value."

0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18849574
But how to modify them...

Do you think just modifying the value in the entry will make changes?
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18849937
Sorry, I don't have a Win 2000 machine around to try ...
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18849944
If you change the permissions via GUI it should be reflected in the registry. This may provide an example how to set it.
0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18850820
But what if I need to set it on more than 400 servers?
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18880901
If you determine the settings on one machine you can create a script to add the required keys to the rest of the servers.

0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18882508
Registry keys doesn't work. I had tried to import registry keys but it doesn't refresh the registry. Only Add Group/User > and then Click Ok and Apply works great.

However, I have found the TsConSec.exe to set permissions on RDP-TCP. This exe sets the permissions on Windows 2000 RDP-TCP connection but it doesn't work either. Only removing and re-adding group/user works.
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18887953

So this

TSConSec.exe /t:RDP /a:Users /p /Q

Doesn't work? What group do you want to add?

0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18888010
Have you used the one from this page? http://www.thincomputing.net/download.php?list.6

I'm still looking for a W2K machine to test...
0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18890947
Above command doesn't work actually.

When you see the property of RDP-TCP the group or user is added but it doesn't work. I mean when I try to connect using user in the group it still says: "You don't have access to logon to this session".

And then I go to property of RDP-TCP connection > Permissions Tab > Remove the Group/user from here > Re-add the group/user > Click on OK and then Apply and it works!!!

I don't know why it doesn't work using TsConSec.exe
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18904598
Hm, maybe when applying the rights via mmc it "informs" the terminal services about the change. When done via TsConSec it doesn't. Have you tried to restart after applying the settings with TSConSec?
0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18904786
Restart is not a good option...

Any service can be restarted?
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18916299
I'd guess "Terminal Services" is a good candiate.
0
 
LVL 35

Author Comment

by:Nirmal Sharma
ID: 18916560
Can you restart Terminal Services service?

Is it possible?
0
 
LVL 28

Accepted Solution

by:
Michael Pfister earned 500 total points
ID: 18916664
No, you're right, you can't ... no more ideas, sorry....
0
 
LVL 28

Expert Comment

by:Michael Pfister
ID: 18922931
Thanks for the points. Were you able to test it on a machine if a reboot helps?
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 2012 R2 Server -- SERIVCES checklist ? 4 145
sccm client without collection 1 70
Sharepoint 2010 Audit Logs 11 148
Enterprise Mode 4 55
Welcome to my series of short tips on migrations. Whilst based on Microsoft migrations the same principles can be applied to any type of migration. My first tip is around source server preparation. No migration is an easy migration, there is a…
Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…
In a recent question (https://www.experts-exchange.com/questions/29004105/Run-AutoHotkey-script-directly-from-Notepad.html) here at Experts Exchange, a member asked how to run an AutoHotkey script (.AHK) directly from Notepad++ (aka NPP). This video…

726 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question