How to get the Terminal Service Account settings and Client Settings from the Terminal Server
You can use the Win32_TSAccount and Win32_TSClientSetting WMI classes to get this information, but these classes return some values as bit masks, which need to be converted into terms that are easily understandable to the user. Such scripts are mostly used by administrators in large organizations, and it is really tough for them to interpret a raw bit mask.
For example, if I use the Win32_TSAccount WMI class directly, the output would be as follows:
Terminal name: RDP-Tcp
Account name: BUILTIN\Administrators
Permissions allowed: 983999
I have written script code to decode the bit mask so that the output is easy to understand. The output produced by the script is shown below. The script currently writes this information to a file on the C: drive whose name takes the form:
c:\ComputerInformation_23-3-2012-14-40-56.txt
********* Terminal Service Account settings **********
Terminal name: RDP-Tcp
Account name: NT AUTHORITY\SYSTEM
Permissions Mask ( Hexadecimal ): F03BF
Allowed:Full Control
Terminal name: RDP-Tcp
Account name: NT AUTHORITY\LOCAL SERVICE
Permissions Mask ( Hexadecimal ): F0089
Allowed:Virtual Channel + Special Permissions = Query Information + Message
Terminal name: RDP-Tcp
Account name: NT AUTHORITY\NETWORK SERVICE
Permissions Mask ( Hexadecimal ): 81
Allowed:Special Permissions = Query Information + Message
Terminal name: RDP-Tcp
Account name: BR549ROOT\FordP2
Permissions Mask ( Hexadecimal ): F03BF
Allowed:Full Control
Terminal name: RDP-Tcp
Account name: BR549ROOT\QI
Permissions Mask ( Hexadecimal ): 1
Allowed:Special Permissions = Query Information
Terminal name: RDP-Tcp
Account name: BR549ROOT\SI
Permissions Mask ( Hexadecimal ): 2
Allowed:Special Permissions = Set Information
Terminal name: RDP-Tcp
Account name: BR549ROOT\RC
Permissions Mask ( Hexadecimal ): 10
Allowed:Special Permissions = Remote Control
Terminal name: RDP-Tcp
Account name: BR549ROOT\LON
Permissions Mask ( Hexadecimal ): 20
Allowed:Guest Access
Terminal name: RDP-Tcp
Account name: BR549ROOT\LOFF
Permissions Mask ( Hexadecimal ): 4
Allowed:Special Permissions = Logoff
Terminal name: RDP-Tcp
Account name: BR549ROOT\msg
Permissions Mask ( Hexadecimal ): 80
Allowed:Special Permissions = Message
Terminal name: RDP-Tcp
Account name: BR549ROOT\con
Permissions Mask ( Hexadecimal ): 100
Allowed:Special Permissions = Connect
Terminal name: RDP-Tcp
Account name: BR549ROOT\discon
Permissions Mask ( Hexadecimal ): 200
Allowed:Special Permissions = Disconnect
Terminal name: RDP-Tcp
Account name: BR549ROOT\VC
Permissions Mask ( Hexadecimal ): F0008
Allowed:Virtual Channel
Terminal name: RDP-Tcp
Account name: BR549ROOT\useraccess
Permissions Mask ( Hexadecimal ): 121
Allowed:User Access & Guest Access
Terminal name: RDP-Tcp
Account name: BR549ROOT\GuestAccess
Permissions Mask ( Hexadecimal ): 20
Allowed:Guest Access
Terminal name: RDP-Tcp
Account name: BUILTIN\Administrators
Permissions Mask ( Hexadecimal ): F03BF
Allowed:Full Control
Terminal name: RDP-Tcp
Account name: BUILTIN\Remote Desktop Users
Permissions Mask ( Hexadecimal ): 121
Allowed:User Access & Guest Access
Terminal name: RDP-Tcp
Account name: NT AUTHORITY\INTERACTIVE
Permissions Mask ( Hexadecimal ): 1
Allowed:Special Permissions = Query Information
********* Client Settings from the Terminal server*************
0 - Enabled 1 - Disabled
For Default Client Printer 0 -Diabled 1 - Enabled
Drive mapping: 0
Windows printer mapping: 0
LPT port mapping: 0
COM port mapping: 0
Clipboard mapping: 0
Audio mapping: 1
Default to client printer: 1
*********************************
Script.
'
' Permissions Constants
'
' --- Composite masks (matched as a whole before individual bits are decoded) ---
Const FULL_CONTROL          = &HF03BF   ' Full Control: &HF0008 plus every individual bit below except Reset (&H40)
Const USER_ACCESS           = &H121     ' User Access = Query (&H1) + Logon (&H20) + Connect (&H100); includes Guest Access
Const GUEST_ACCESS          = &H20      ' Guest Access (same bit as WINSTATION_LOGON)

' --- Individual WinStation permission bits ---
Const WINSTATION_QUERY      = &H1       ' Query Information
Const WINSTATION_SET        = &H2       ' Set Information
Const WINSTATION_LOGOFF     = &H4       ' Logoff
Const WINSTATION_SHADOW     = &H10      ' Remote Control (review carefully when auditing who holds it)
Const WINSTATION_LOGON      = &H20      ' Logon
Const WINSTATION_RESET      = &H40      ' Reset; not an individual setting
Const WINSTATION_MSG        = &H80      ' Message
Const WINSTATION_CONNECT    = &H100     ' Connect
Const WINSTATION_DISCONNECT = &H200     ' Disconnect
Const WINSTATION_VIRTUAL    = &HF0008   ' Virtual Channel: WINSTATION_VIRTUAL (&H8) Or STANDARD_RIGHTS_REQUIRED (&HF0000)
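'==================================================
' Main script code.
' Helper functions are below.
'
' Writes a plain-text report of (1) the per-account permissions on every
' non-console terminal listener (Win32_TSAccount) and (2) the client
' redirection settings (Win32_TSClientSetting).
'
' The Perms variable is a dictionary associating each individual permission
' bit with a human-readable string. LoadPerms initializes the Perms collection.
'
Dim Perms : Set Perms = CreateObject("Scripting.Dictionary")
Dim iOffset 'used for display only (left justifying displayed values)
iOffset = 20
Dim fso, oFile, OutputFile, strFolder, dtNow
Dim strComputer, objWMIService, colItems, objItem
LoadPerms
'
' Create the output file name, put it on drive C:\
' with a format similar to the following path name:
' c:\ComputerInformation_23-3-2012-14-40-56.txt
'
' The clock is read once so that every field of the name comes from the same
' instant (six separate Now() calls could straddle a second or minute boundary).
'
' NOTE(review): the report lists which accounts hold Full Control, Remote
' Control, Connect, etc. on the RDP listener. A file in the root of C:\ is
' often readable by ordinary users - consider pointing strFolder at a
' directory restricted to administrators. Writing to C:\ also usually needs
' an elevated prompt.
'
dtNow = Now()
strFolder = "C:\"
OutputFile = "ComputerInformation_" & Day(dtNow) & "-" & Month(dtNow) & "-" & Year(dtNow) & "-" & Hour(dtNow) & "-" & Minute(dtNow) & "-" & Second(dtNow) & "." & "txt"
'
' Get an FSO object. BuildPath joins folder and file name with exactly one
' backslash (the previous concatenation produced "C:\\ComputerInformation_...").
' The second argument (True) overwrites an existing file of the same name.
'
Set fso = CreateObject("Scripting.FileSystemObject")
Set oFile = fso.CreateTextFile(fso.BuildPath(strFolder, OutputFile), True)
'
' "." is the local machine; set a host name here to query another server.
'
strComputer = "."
'
' For Server 2008 R2 use the following WMI namespace
' (the namespace is different for 2003).
' authenticationLevel=pktPrivacy requests encrypted WMI traffic; keep it when
' changing strComputer. strComputer is now part of the moniker, so it is
' honoured on this code path as well as on the 2003 one below.
'
Set objWMIService = GetObject("winmgmts:{authenticationLevel=pktPrivacy}!\\" & strComputer & "\root\CIMv2\TerminalServices")
'
' For Server 2003
'Set objWMIService = GetObject("winmgmts:" _
' & "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
'
oFile.WriteLine("********* Terminal Service Account settings **********")
oFile.WriteLine("")
'
' Retrieve all of the RDP accounts that are either allowed or
' denied access to this machine.
'
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSAccount")
For Each objItem In colItems
    '
    ' Exclude the console sessions
    '
    If (objItem.TerminalName <> "Console") Then
        oFile.WriteLine "Terminal name: " & objItem.TerminalName
        ' One entry for the allow mask and one for the deny mask; a mask of 0
        ' produces no output.
        ConvertToNTFSPerm objItem.PermissionsAllowed, oFile ,objItem.AccountName, TRUE
        ConvertToNTFSPerm objItem.PermissionsDenied, oFile ,objItem.AccountName, FALSE
    End If
Next
oFile.WriteLine("********* Client Settings from the Terminal server*************")
oFile.WriteLine ("0 - Enabled 1 - Disabled")
oFile.WriteLine("For Default Client Printer 0 -Diabled 1 - Enabled")
oFile.WriteLine("")
'
' Client redirection settings are written as the raw 0/1 values; the legend
' printed above tells the reader how to interpret them.
'
Set colItems = objWMIService.ExecQuery("Select * from Win32_TSClientSetting")
For Each objItem In colItems
    oFile.WriteLine "Drive mapping: " & objItem.DriveMapping
    oFile.WriteLine "Windows printer mapping: " & objItem.WindowsPrinterMapping
    oFile.WriteLine "LPT port mapping: " & objItem.LPTPortMapping
    oFile.WriteLine "COM port mapping: " & objItem.COMPortMapping
    oFile.WriteLine "Clipboard mapping: " & objItem.ClipboardMapping
    oFile.WriteLine "Audio mapping: " & objItem.AudioMapping
    oFile.WriteLine "Default to client printer: " & objItem.DefaultToClientPrinter
    oFile.WriteLine("*********************************")
Next
oFile.WriteLine("")
oFile.Close()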
'
'------------------------------------------------------------
' Function Definitions
'------------------------------------------------------------
'
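Function ConvertToNTFSPerm (inputPerm, oFile, AccountName, bAllow)
    '
    ' Decodes one permission mask and writes a three-line entry (account
    ' name, mask in hex, decoded text) followed by a blank line to oFile.
    ' Despite the name, the caller passes Win32_TSAccount.PermissionsAllowed /
    ' PermissionsDenied values, i.e. terminal-listener masks, not NTFS ACLs.
    '
    '   inputPerm   - permission bit mask; 0 (or Null/Empty) writes nothing
    '   oFile       - open TextStream that receives the entry
    '   AccountName - account the mask belongs to
    '   bAllow      - True labels the entry "Allowed:", False labels it "Denied: "
    '
    ' No value is returned; the procedure is used for its output only.
    '
    Dim strPerm, strip

    ' A Null or Empty mask would otherwise fall through every comparison and
    ' be written as an entry with an empty mask and an empty description.
    If IsNull(inputPerm) Or IsEmpty(inputPerm) Then Exit Function
    If inputPerm = 0 Then Exit Function

    '
    ' Check for an exact match for
    ' Full Control, User Access, Guest Access and Virtual Channel.
    '
    Select Case inputPerm
        Case FULL_CONTROL
            strPerm = "Full Control"
        Case USER_ACCESS
            strPerm = "User Access & Guest Access"
        Case GUEST_ACCESS
            strPerm = "Guest Access"
        Case WINSTATION_VIRTUAL
            strPerm = "Virtual Channel"
        Case Else
            strPerm = ""
    End Select

    '
    ' No exact match: the mask may be one of the composite rights combined
    ' with extra bits. The composites are tried in a fixed order (Virtual
    ' Channel, then User Access, then Guest Access); the first one fully
    ' contained in the mask wins, its bits are removed with Xor, and the
    ' remainder is decoded bit by bit.
    '
    If strPerm = "" Then
        If (inputPerm And WINSTATION_VIRTUAL) = WINSTATION_VIRTUAL Then
            ' Virtual Channel plus other bits
            strip = inputPerm Xor WINSTATION_VIRTUAL
            strPerm = "Virtual Channel + Special Permissions = " & GetPermString(strip)
        ElseIf (inputPerm And USER_ACCESS) = USER_ACCESS Then
            ' User Access plus other bits
            strip = inputPerm Xor USER_ACCESS
            strPerm = "User Access + Guest Access + Special Permissions = " & GetPermString(strip)
        ElseIf (inputPerm And GUEST_ACCESS) = GUEST_ACCESS Then
            ' Guest Access plus other bits
            strip = inputPerm Xor GUEST_ACCESS
            strPerm = "Guest Access + Special Permissions = " & GetPermString(strip)
        Else
            ' None of the composites is present: decode the whole mask.
            strPerm = "Special Permissions = " & GetPermString(inputPerm)
        End If
    End If

    ' strPerm is always non-empty here, so the entry is always written.
    oFile.WriteLine "Account name: " & AccountName
    oFile.WriteLine "Permissions Mask ( Hexidecimal ): " & Hex(inputPerm)
    If bAllow Then
        oFile.WriteLine "Allowed:" & strPerm
    Else
        oFile.WriteLine "Denied: " & strPerm
    End If
    oFile.WriteLine("")
End Function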
'
' LoadPerms - sets up the dictionary with the strings and their
' values.
'
Sub LoadPerms
    ' Fills the script-level Perms dictionary: key = one permission bit,
    ' item = the label printed for that bit. Entries are added in ascending
    ' bit order, which is also the order the labels appear in the report.
    ' Add raises an error on a duplicate key, so this must run only once.
    With Perms
        .Add WINSTATION_QUERY,      "Query Information"
        .Add WINSTATION_SET,        "Set Information"
        .Add WINSTATION_LOGOFF,     "Logoff"
        .Add WINSTATION_SHADOW,     "Remote Control"
        .Add WINSTATION_LOGON,      "Logon"
        .Add WINSTATION_RESET,      "Reset"
        .Add WINSTATION_MSG,        "Message"
        .Add WINSTATION_CONNECT,    "Connect"
        .Add WINSTATION_DISCONNECT, "Disconnect"
    End With
End Sub
'
' GetPermString - builds a string that contains the
' bits strings for the permissions constants using
' the dictionary from LoadPerms
'
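Function GetPermString( inVal )
    '
    ' Returns the labels of every bit in inVal that has an entry in the
    ' Perms dictionary, joined with " + ", in dictionary order.
    '
    ' Bits that have no entry in Perms are not dropped silently: they are
    ' appended as "Unrecognized bits (hex N)". In an access review a right
    ' that is missing from the report is worse than one that is shown
    ' undecoded.
    '
    '   inVal - permission bit mask to decode
    '
    ' Returns "" when inVal contains no bits at all.
    '
    Dim pk, strOut, remaining
    strOut = ""
    remaining = inVal

    For Each pk In Perms.Keys
        If (inVal And pk) = pk Then
            If strOut <> "" Then strOut = strOut & " + "
            ' The original first-item branch read a misspelled, undefined
            ' name (GetPermsString); a local accumulator avoids that.
            strOut = strOut & Perms.Item(pk)
            ' Clear the bit so that whatever is left afterwards is unknown.
            remaining = remaining And (Not pk)
        End If
    Next

    If remaining <> 0 Then
        If strOut <> "" Then strOut = strOut & " + "
        strOut = strOut & "Unrecognized bits (hex " & Hex(remaining) & ")"
    End If

    GetPermString = strOut
End Function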
Content developed by: Irfan Ahmed
Content reviewed by: Max Vaughn
Comments
- Anonymous
July 30, 2014
Absolutely great script. Question. for remote computers ( strComputer = "ComputerName" ) works on remote 2003 Computers. I can not get it to connect to 2008 computers properly no matter where I insert strComputer, Set objWMIService = GetObject("winmgmts:{authenticationLevel=pktPrivacy}!RootCIMv2TerminalServices") Can you advise please and respond via email??? Many thanks for assisting