  • Status: Solved

command line Interface

Hi All,

Could someone tell me how to run a .cmd script to enable remote desktop?

I would like to enable "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)", and add administrator to the selected users list.

I'm using Windows 7.

Thanks in advance

Asked by: Reyesrj

1 Solution

Kimputer Commented:
Make a ts.reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000001
"SecurityLayer"=dword:00000001
"fAllowSecProtocolNegotiation"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"RemoteDesktop-UserMode-In-TCP"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28775|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-UserMode-In-UDP"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28776|Desc=@FirewallAPI.dll,-28777|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-Shadow-In-TCP"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|App=%SystemRoot%\\system32\\RdpSa.exe|Name=@FirewallAPI.dll,-28778|Desc=@FirewallAPI.dll,-28779|EmbedCtxt=@FirewallAPI.dll,-28752|Edge=TRUE|Defer=App|"

In the batch file (same folder as the reg file):

regedit /s ts.reg
net localgroup "Remote Desktop Users" domain\user /add

Needless to say, only admins can execute this successfully.

Reyesrj (Author) Commented:
Thanks Kimputer,

Sorry I'm new at this.

How do I make a ts.reg file and where do I place it?

I am a member of the administrator group.  We don't use Active Directory on our network.

Kimputer Commented:
Open Notepad, copy and paste the code from the code block. Save the file as ts.reg (make sure you have control over the file extension; rename it to ts.reg if you find out it was saved as ts.reg.txt). Create the batch file the same way.
Preferably save it in the same location where you will execute the batch file, so it could be anywhere.
 
Reyesrj (Author) Commented:
THANKS!!!!!

That worked perfect!!!

One last thing, I hope you don't mind.  And it may not really matter because the above worked perfect.

But, I have seen a script where the script showed something like %host%\administrator.  How could I apply this in the above script?  We will be cloning workstations and the master workstation will run the script in the Task Scheduler, one time, after the client workstations reboot.

Thanks

Reyesrj (Author) Commented:
I just noticed that the radio button next to "Allow Connections only from computers running Remote Desktop with Network Level Authentication (more secure)" is not marked.  Please see attachment.  The administrator is in the selected users list.

Please help.

Kimputer Commented:
Slight change in ts.reg:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000001
"SecurityLayer"=dword:00000001
"fAllowSecProtocolNegotiation"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"RemoteDesktop-UserMode-In-TCP"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28775|Desc=@FirewallAPI.dll,-28756|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-UserMode-In-UDP"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=17|Profile=Domain|Profile=Private|LPort=3389|App=%SystemRoot%\\system32\\svchost.exe|Svc=termservice|Name=@FirewallAPI.dll,-28776|Desc=@FirewallAPI.dll,-28777|EmbedCtxt=@FirewallAPI.dll,-28752|"
"RemoteDesktop-Shadow-In-TCP"="v2.22|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Domain|Profile=Private|App=%SystemRoot%\\system32\\RdpSa.exe|Name=@FirewallAPI.dll,-28778|Desc=@FirewallAPI.dll,-28779|EmbedCtxt=@FirewallAPI.dll,-28752|Edge=TRUE|Defer=App|"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Remote Assistance]
"fAllowToGetHelp"=dword:00000001

Reyesrj (Author) Commented:
Thanks Kimputer!!!

I was able to figure out how to write to the registry and this is what was missing:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\"Terminal Server"\WinStations\RDP-Tcp]
"UserAuthentication"=dword:00000001

Perfect now, thanks to you!
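
As an added example that is not part of the thread: a version of the batch file that imports ts.reg and then reads the key values back, because `regedit /s` reports nothing when an import fails, and that uses %COMPUTERNAME% so the same script works on every cloned workstation. It assumes an elevated prompt, English group and account names, and ts.reg in the same folder as the script.

```batch
@echo off
rem Added example, not from the thread: import ts.reg, then confirm the
rem values actually landed, because "regedit /s" is silent on failure.
rem Assumes: elevated prompt, ts.reg beside this script, English names.
setlocal
set "TS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server"
set "RDP=%TS%\WinStations\RDP-Tcp"

start "" /wait regedit /s "%~dp0ts.reg"

rem COMPUTERNAME resolves to each clone's own name, so this adds the local
rem Administrator account without hard-coding a machine or domain name.
net localgroup "Remote Desktop Users" "%COMPUTERNAME%\Administrator" /add >nul 2>&1

rem Read back the settings that decide whether RDP is on and NLA is required.
call :expect "%TS%" fDenyTSConnections 0x0 || goto :fail
call :expect "%RDP%" UserAuthentication 0x1 || goto :fail
call :expect "%RDP%" SecurityLayer 0x1 || goto :fail

net localgroup "Remote Desktop Users" | findstr /i /c:"Administrator" >nul
if errorlevel 1 (
    echo FAIL: Administrator is not in "Remote Desktop Users"
    goto :fail
)
echo OK: Remote Desktop enabled, NLA required, Administrator allowed.
exit /b 0

:expect
rem Arguments: key, value name, expected data in the form reg.exe prints it.
set "ACTUAL="
for /f "tokens=3" %%V in ('reg query "%~1" /v %2 2^>nul ^| findstr /i /c:"%2"') do set "ACTUAL=%%V"
if /i "%ACTUAL%"=="%3" exit /b 0
echo FAIL: %~1\%2 is "%ACTUAL%", expected %3
exit /b 1

:fail
echo Remote Desktop is NOT configured as intended on %COMPUTERNAME%.
exit /b 1
```

The non-zero exit code lets the scheduled task on a cloned workstation show up as failed when Network Level Authentication was not actually enforced.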