Checking \ Setting Remote Desktop Services Profile Settings

December 24, 2012

Check or Set Remote Desktop Services Profile Settings With PowerShell

Many administrators and helpdesk teams are tasked with configuring their clients’ RDP settings. In the GUI, this is done through the “Remote Desktop Services Profile” tab of the user’s properties in ADUC (that’s the name in Windows Server 2008 R2; in earlier versions it’s called “Terminal Services Profile”).

Like most IT tasks (when it comes to Microsoft’s products), this task can be automated with PowerShell.
Personally, I like to use Microsoft’s ActiveDirectory PowerShell module for all PowerShell AD tasks.

To retrieve Remote Desktop settings, the classic “Get-ADUser -Identity SomeUser -Properties *” won’t help us find properties with the relevant info, because Get-ADUser can’t get them all.

Another built-in solution is to use the old-fashioned ADSI type adapter. PowerShell wraps the underlying .NET object with the adapter, and the raw object is accessible through the .psbase member set, which lets us access the object’s public members.
Not as friendly as a Cmdlet, but it will give us properties and methods to work with.

The ADSI adapter is operated using LDAP queries (it can also query LDAP directories other than Active Directory), which means I have to use a Distinguished Name (DN) to get the user object:

PS C:\> $ADUser = [ADSI]"LDAP://CN=UserName,OU=Users,DC=TestDomain,DC=com"

But I have many OUs… and typing out DNs is so V1…

PS C:\> $DN = Get-ADUser UserName | Select-Object -ExpandProperty DistinguishedName
PS C:\> $ADUser = [ADSI]"LDAP://$DN"

(Notice that LDAP is all upper-case!)

Next, I query the object I received with its InvokeGet() method.
First, I see if the Profile Path attribute is populated:

PS C:\> $ADUser.psbase.InvokeGet("terminalservicesprofilepath")
\\TSServer\Profiles\UserName

Then I make sure that “Deny this user permissions to log on to Remote Desktop Session Host server” is unchecked (“1” stands for allowed, “0” for denied):

PS C:\> $ADUser.psbase.InvokeGet('allowlogon')
1

So I can also check users in bulk:

PS C:\> Get-ADGroupMember Sales_Team | ForEach-Object {
>> # Expand the property inside the string; "$_.x + text" would be printed literally
>> Write-Host "$($_.SamAccountName) RDP Configuration:"
>> $x = [ADSI]"LDAP://$($_.DistinguishedName)"
>> $x.psbase.InvokeGet("terminalservicesprofilepath")
>> $x.psbase.InvokeGet("allowLogon")
>> }
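
The bulk check above, extended into an audit report that is easier to review for least-privilege purposes. This is an added example, not the original author's code: the function name Get-RdsProfileSetting and the CSV file name are hypothetical, and it assumes PowerShell 3.0 or later with the ActiveDirectory module. It goes a bit beyond the article by handling accounts where the attributes were never set, nested groups, and DNs that contain a forward slash.

```powershell
# Added example: audit RDS profile settings for the user members of a group.
Import-Module ActiveDirectory

function Get-RdsProfileSetting {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Binds by property name from Get-ADUser / Get-ADGroupMember output
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName,

        [Parameter(ValueFromPipelineByPropertyName)]
        [string]$SamAccountName
    )
    process {
        # A forward slash inside a DN must be escaped in an ADSI path
        $user = [ADSI]('LDAP://' + ($DistinguishedName -replace '/', '\/'))

        $result = [ordered]@{
            SamAccountName = $SamAccountName
            AllowLogon     = $null
            ProfilePath    = $null
        }
        $attributes = @{
            AllowLogon  = 'allowLogon'
            ProfilePath = 'terminalservicesprofilepath'
        }
        foreach ($name in $attributes.Keys) {
            try {
                $result[$name] = $user.psbase.InvokeGet($attributes[$name])
            }
            catch {
                # InvokeGet can throw when the value was never set on the account;
                # leave the field empty instead of aborting the whole report.
                Write-Verbose "$SamAccountName : $($attributes[$name]) not set"
            }
        }
        [pscustomobject]$result
    }
}

# Sales_Team is the group used in the article; -Recursive also covers nested groups
$report = Get-ADGroupMember Sales_Team -Recursive |
    Where-Object objectClass -eq 'user' |
    Get-RdsProfileSetting

# Accounts not explicitly denied (0 = denied per the article); unset values are listed too
$report | Where-Object { $_.AllowLogon -ne 0 } | Format-Table -AutoSize
$report | Export-Csv .\rds-profile-audit.csv -NoTypeInformation   # constructed file name
```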

That’s pretty useful, but how do I configure those attributes? Similar to the last example, I use the InvokeSet() method, then commit the change with SetInfo():

PS C:\> $ADUser.psbase.InvokeSet("terminalservicesprofilepath","\\TSServer\Profiles\UserName")
PS C:\> $ADUser.psbase.InvokeSet("allowLogon",1)
PS C:\> $ADUser.SetInfo()

Do you find it helpful?
Let me know what you think!
Happy scripting 🙂