Set Terminal Services Permissions via Command line

Is there any command line tool available to set permissions on terminal services for Windows 2000?

RDP > Permissions in Terminal Services Configuration?
LVL 35
Nirmal SharmaSolution ArchitectAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Michael PfisterCommented:
A simple way (WMI) is available with Windows 2003. For Windows 2000 you must modify the registry. How to do it and a sample app is here:

http://support.microsoft.com/kb/259129/en-us

Hope it helps,

Michael

0
Nirmal SharmaSolution ArchitectAuthor Commented:
Which registry to modify for windows 2000?
0
Michael PfisterCommented:
The registry key and its settings are documented in the KB article I've linked. http://support.microsoft.com/kb/259129/en-us

"MORE INFORMATION
Warning Serious problems might occur if you modify the registry incorrectly by using Registry Editor or by using another method. These problems might require that you reinstall the operating system. Microsoft cannot guarantee that these problems can be solved. Modify the registry at your own risk.

The security descriptor is stored in self-relative format in the registry. To obtain or modify the security descriptor, you must convert it to absolute format. After you modify the security descriptor, you must convert it back to self-relative format, and then resave the change.

The default security settings are stored in the DefaultSecurity registry value under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
If you modify the security settings, they are stored in the Security value under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
If you modify the default security descriptor and the Security value does not exist under the RDP-Tcp key, you must create the value."

0
Upgrade your Question Security!

Your question, your audience. Choose who sees your identity—and your question—with question security.

Nirmal SharmaSolution ArchitectAuthor Commented:
But how to modify them...

Do you think just modifying the value in the entry will make changes?
0
Michael PfisterCommented:
Sorry, I don't have a Win 2000 machine around to try ...
0
Michael PfisterCommented:
If you change the permissions via GUI it should be reflected in the registry. This may provide an example how to set it.
0
Nirmal SharmaSolution ArchitectAuthor Commented:
But what if I need to set it on more than 400 servers?
0
Michael PfisterCommented:
If you determine the settings on one machine you can create a script to add the required keys to the rest of the servers.

0
Nirmal SharmaSolution ArchitectAuthor Commented:
Registry keys doesn't work. I had tried to import registry keys but it doesn't refresh the registry. Only Add Group/User > and then Click Ok and Apply works great.

However, I have found the TsConSec.exe to set permissions on RDP-TCP. This exe sets the permissions on Windows 2000 RDP-TCP connection but it doesn't work either. Only removing and re-adding group/user works.
0
Michael PfisterCommented:

So this

TSConSec.exe /t:RDP /a:Users /p /Q

Doesn't work? What group do you want to add?

0
Michael PfisterCommented:
Have you used the one from this page? http://www.thincomputing.net/download.php?list.6

I'm still looking for a W2K machine to test...
0
Nirmal SharmaSolution ArchitectAuthor Commented:
Above command doesn't work actually.

When you see the property of RDP-TCP the group or user is added but it doesn't work. I mean when I try to connect using user in the group it still says: "You don't have access to logon to this session".

And then I go to property of RDP-TCP connection > Permissions Tab > Remove the Group/user from here > Re-add the group/user > Click on OK and then Apply and it works!!!

I don't know why it doesn't work using TsConSec.exe
0
Michael PfisterCommented:
Hm, maybe when applying the rights via mmc it "informs" the terminal services about the change. When done via TsConSec it doesn't. Have you tried to restart after applying the settings with TSConSec?
0
Nirmal SharmaSolution ArchitectAuthor Commented:
Restart is not a good option...

Any service can be restarted?
0
Michael PfisterCommented:
I'd guess "Terminal Services" is a good candiate.
0
Nirmal SharmaSolution ArchitectAuthor Commented:
Can you restart Terminal Services service?

Is it possible?
0
Michael PfisterCommented:
No, you're right, you can't ... no more ideas, sorry....
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Michael PfisterCommented:
Thanks for the points. Were you able to test it on a machine if a reboot helps?
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Server OS

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.