Delegating management of RDP sessions

In the company where I work, remote work was forbidden by policy. It was, until last week. Now we have to roll out a solution urgently. On the business side that means adapting processes to the new way of working; on our side it means PKI with PINs and tokens, VPN, full logging and more.
Among other things, I am setting up the Remote Desktop Infrastructure, that is, Terminal Services. We have several RDS deployments in different data centers. One of the goals is to let colleagues from adjacent IT departments connect interactively to user sessions. As you know, the standard RDS Shadow mechanism exists for this, and the easiest way to delegate it is to grant local administrator rights on the RDS servers.
I respect and value my colleagues, but I am very reluctant to hand out admin rights. 🙂 Those who agree with me, please read on.

So, the task is clear; let's get down to business.

Step 1

Create a security group RDP_Operators in Active Directory and add to it the accounts of the users we want to grant the rights to:

# Requires the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory
$Users = @(
    "UserLogin1",
    "UserLogin2",
    "UserLogin3"
)
$Group = "RDP_Operators"
# A domain-local group can be nested into local groups on member servers of this domain
New-ADGroup -Name $Group -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity $Group -Members $Users

If you have several AD sites, wait until the group has replicated to all domain controllers before moving on to the next step. This usually takes no more than 15 minutes.

Step 2

Grant the group the right to manage terminal sessions on each RDSH server. The script below uses the Full Control preset of the RDP-Tcp listener ACL, which is more than shadowing alone; it is the quickest way to get going:

Set-RDSPermissions.ps1

$Group = "RDP_Operators"
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)
ForEach ($Server in $Servers) {
    # Delegate the right to shadow sessions on the RDP-Tcp listener
    $WMIHandles = Get-WmiObject `
        -Class "Win32_TSPermissionsSetting" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $Server `
        -Authentication PacketPrivacy `
        -Impersonation Impersonate
    ForEach ($WMIHandle in $WMIHandles) {
        If ($WMIHandle.TerminalName -eq "RDP-Tcp") {
            # PermissionPreSet 2 = Full Control (0 = Guest Access, 1 = User Access);
            # ReturnValue 0 means success
            $retVal = $WMIHandle.AddAccount($Group, 2)
            $opstatus = "success"
            If ($retVal.ReturnValue -ne 0) {
                $opstatus = "error"
            }
            Write-Host ("Delegating shadow connection rights to group " +
                $Group + " on server " + $Server + ": " + $opstatus + "`r`n")
        }
    }
}

Step 3

Add the group to the local Remote Desktop Users group on each RDSH server. If your servers are joined into a session collection, do this at the collection level:

# Run where the RemoteDesktop module is available (the RD Connection Broker).
# -UserGroup replaces the whole list, so read the current groups first and append ours.
Import-Module RemoteDesktop
$Group = "RDP_Operators"
$CollectionName = "MyRDSCollection"
[String[]]$CurrentCollectionGroups = @(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup).UserGroup
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup ($CurrentCollectionGroups + $Group)

For standalone servers we use group policy and wait for it to be applied on the servers. Those who don't want to wait can speed things up with good old gpupdate, preferably run centrally. Membership in Remote Desktop Users is what lets the operators reach the RDP-Tcp listener at all; the listener ACL from Step 2 decides what they can do once they are there.
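A least-privilege version of Step 2, with the checks I would run before handing the result to the operators, as an added example (it is not code from the original post). AddAccount($Group, 2) gives the group Full Control of the listener, but the operator script only ever calls quser, mstsc /shadow and logoff, which need the QUERY, SHADOW and LOGOFF WinStation rights; QUERY already comes with Remote Desktop Users through the listener's default "User Access" entry. The example therefore grants only SHADOW and LOGOFF through the Win32_TSAccount.ModifyPermissions WMI method, reads the ACE back to verify it, and checks the shadowing group policy that can override the ACL. Assumptions: the placeholder domain, group and server names, and the bit layout of PermissionsAllowed (taken from winsta.h, noted in the code).

```powershell
# Added example (not from the original post): least-privilege version of Set-RDSPermissions.ps1.
# Assumptions: placeholder names below; PermissionsAllowed bit layout as in winsta.h.
$Group   = "CONTOSO\RDP_Operators"      # domain-qualified, so WMI resolves the right principal
$Servers = @("RDSHost01", "RDSHost02", "RDSHost03")

# PermissionMask values accepted by Win32_TSAccount.ModifyPermissions(PermissionMask, Allow)
$WinStationRight = [ordered]@{
    Query = 0; Set = 1; Reset = 2; Virtual = 3; Shadow = 4
    Logon = 5; Logoff = 6; Message = 7; Connect = 8; Disconnect = 9
}
$Grant = "Shadow", "Logoff"

function ConvertFrom-TSPermissionMask {
    # Assumption: Win32_TSAccount.PermissionsAllowed uses the winsta.h layout, where bit n
    # is the right whose PermissionMask value is n (QUERY = 0x1 ... DISCONNECT = 0x200).
    Param([uint32]$Mask)
    ForEach ($Right in $WinStationRight.GetEnumerator()) {
        If ($Mask -band (1 -shl $Right.Value)) { $Right.Key }
    }
}

function Get-RDPTcpAccount {
    # The ACE of one principal on the RDP-Tcp listener of one server
    Param([hashtable]$Wmi, [string]$AccountName)
    Get-WmiObject @Wmi -Class Win32_TSAccount |
        Where-Object { $_.TerminalName -eq "RDP-Tcp" -and $_.AccountName -eq $AccountName }
}

ForEach ($Server in $Servers) {
    $Wmi = @{
        ComputerName   = $Server
        Namespace      = "root\CIMV2\TerminalServices"
        Authentication = "PacketPrivacy"
        Impersonation  = "Impersonate"
    }
    $Listener = Get-WmiObject @Wmi -Class Win32_TSPermissionsSetting |
        Where-Object { $_.TerminalName -eq "RDP-Tcp" }

    # If the group already has an entry from the Full Control version, remove it first so
    # the preset below is what ends up in the ACL: (Get-RDPTcpAccount $Wmi $Group).Delete()
    # Create the entry with the smallest preset (0 = Guest Access, i.e. LOGON only), then
    # switch on the two rights we actually want. ReturnValue 0 means success.
    $Result = $Listener.AddAccount($Group, 0)
    If ($Result.ReturnValue -ne 0) {
        Write-Warning "$Server : AddAccount failed, ReturnValue $($Result.ReturnValue)"
        Continue
    }
    $Account = Get-RDPTcpAccount -Wmi $Wmi -AccountName $Group
    ForEach ($Right in $Grant) {
        $Result = $Account.ModifyPermissions($WinStationRight[$Right], $true)
        If ($Result.ReturnValue -ne 0) {
            Write-Warning "$Server : could not allow $Right, ReturnValue $($Result.ReturnValue)"
        }
    }

    # Verify by reading the ACE back instead of trusting the return codes
    $Allowed = ConvertFrom-TSPermissionMask -Mask (Get-RDPTcpAccount -Wmi $Wmi -AccountName $Group).PermissionsAllowed

    # The ACL is necessary but not sufficient: the policy "Set rules for remote control of
    # Remote Desktop Services user sessions" can still block shadowing (0) or demand the
    # user's consent (1 = full control with consent, 2 = without, 3/4 = view only).
    $Policy = Invoke-Command -ComputerName $Server -ScriptBlock {
        (Get-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" `
                          -Name Shadow -ErrorAction SilentlyContinue).Shadow
    }

    [PSCustomObject]@{
        Server       = $Server
        Allowed      = ($Allowed -join ", ")
        ShadowPolicy = If ($null -eq $Policy) { "not configured (default: full control with consent)" } Else { $Policy }
    }
}
```

Run it from an admin workstation with rights on the RDSH hosts; each server produces one line with the rights the group really holds and the effective shadowing policy. If Allowed shows Shadow and Logoff but the policy value is 0, the operators will get "access denied" regardless of the ACL, and if it is 3 or 4 they will only ever get view mode, whatever mstsc /control asks for.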

Step 4

Let's prepare the following PS script for the "managers":

RDSManagement.ps1

$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)

function Invoke-RDPSessionLogoff {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    # Needs the LOGOFF right on the RDP-Tcp listener of $ComputerName
    logoff $SessionID /server:$ComputerName /v 2>&1
}

function Invoke-RDPShadowSession {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    # Needs the SHADOW (Remote Control) right; whether the user is asked for consent is
    # decided by the shadowing group policy on the server, not by this command
    mstsc /shadow:$SessionID /v:$ComputerName /control 2>&1
}

Function Get-LoggedOnUser {
    Param(
        [parameter(Position=0)][String]$ComputerName = "localhost"
    )
    $ErrorActionPreference = "Stop"
    Test-Connection $ComputerName -Count 1 | Out-Null
    # quser columns: USERNAME SESSIONNAME ID STATE IDLE TIME LOGON TIME.
    # SESSIONNAME is empty for disconnected sessions, so the column offsets shift by one.
    quser /server:$ComputerName 2>&1 | Select-Object -Skip 1 | ForEach-Object {
        $CurrentLine = $_.Trim() -Replace "\s+"," " -Split "\s"
        $HashProps = @{
            UserName = $CurrentLine[0]
            ComputerName = $ComputerName
        }
        If ($CurrentLine[2] -eq "Disc") {
            $HashProps.SessionName = $null
            $HashProps.Id = $CurrentLine[1]
            $HashProps.State = $CurrentLine[2]
            $HashProps.IdleTime = $CurrentLine[3]
            $HashProps.LogonTime = $CurrentLine[4..($CurrentLine.GetUpperBound(0))] -join " "
        }
        else {
            $HashProps.SessionName = $CurrentLine[1]
            $HashProps.Id = $CurrentLine[2]
            $HashProps.State = $CurrentLine[3]
            $HashProps.IdleTime = $CurrentLine[4]
            $HashProps.LogonTime = $CurrentLine[5..($CurrentLine.GetUpperBound(0))] -join " "
        }
        New-Object -TypeName PSCustomObject -Property $HashProps |
        Select-Object -Property UserName, ComputerName, SessionName, Id, State, IdleTime, LogonTime
    }
}

$UserLogin = Read-Host -Prompt "Enter the user's login"
Write-Host "Searching the servers for the user's RDP sessions..."
ForEach ($Server in $Servers) {
    $TargetSession = $null
    Write-Host "  Querying server $Server"
    Try {
        # First match only: a user may hold more than one session on a host
        $TargetSession = Get-LoggedOnUser -ComputerName $Server |
            Where-Object {$_.UserName -eq $UserLogin} | Select-Object -First 1
    }
    Catch {
        Write-Host "Error: " $_.Exception.Message -ForegroundColor Red
        Continue
    }
    If ($TargetSession) {
        # State is shown because a disconnected session cannot be shadowed, only logged off
        Write-Host "    Found session ID $($TargetSession.Id) ($($TargetSession.State)) on server $Server" -ForegroundColor Yellow
        Write-Host "    What shall we do?"
        Write-Host "      1 - connect to the session"
        Write-Host "      2 - log the session off"
        Write-Host "      0 - nothing"
        $Action = Read-Host -Prompt "Enter action"
        If ($Action -eq "1") {
            Invoke-RDPShadowSession -ComputerName $Server -SessionID $TargetSession.Id
        }
        ElseIf ($Action -eq "2") {
            Invoke-RDPSessionLogoff -ComputerName $Server -SessionID $TargetSession.Id
        }
        Break
    }
    Else {
        Write-Host "    no sessions found"
    }
}

To make the PS script convenient to run, we wrap it in a cmd file with the same name as the PS script:

RDSManagement.cmd

@ECHO OFF
powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*

We place both files in a folder the "managers" can reach and ask them to log on again (group membership is evaluated at logon). Now, by running the cmd file, they can connect to other users' sessions in RDS Shadow mode and force them off (useful when a user cannot end a "hung" session on their own). One caveat on the wrapper: -ExecutionPolicy Bypass only skips the execution-policy check for that process and is not a security control; if your environment enforces signed scripts (AllSigned, AppLocker), sign RDSManagement.ps1 instead of bypassing.
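Delegating the right is half the job; the other half is being able to see when it is used. The example below is added here and is not part of the original post: it pulls the shadow-session events from the Remote Connection Manager operational log of each RDSH and summarises them, flagging control sessions started outside office hours for review. The event IDs (20503/20504 view started/stopped, 20506/20507 control started/stopped, 20508 to 20511 consent granted/denied) are the ones I rely on and should be treated as an assumption to confirm against your Windows build; the server names and the office-hours window are placeholders.

```powershell
# Added example (not from the original post): audit view of delegated shadowing.
# Assumptions: event IDs below (verify on your build), placeholder server names, office hours 08:00-19:00.
$Servers = @("RDSHost01", "RDSHost02", "RDSHost03")
$LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
$ShadowEventKind = @{
    20503 = "ViewStarted";            20504 = "ViewStopped"
    20506 = "ControlStarted";         20507 = "ControlStopped"
    20508 = "ViewPermissionGranted";  20509 = "ViewPermissionDenied"
    20510 = "ControlPermissionGranted"; 20511 = "ControlPermissionDenied"
}

function Get-ShadowEvent {
    # Reads shadow-related events from one RDSH. Needs Event Log Readers (or admin) on the
    # host, which the operators themselves do not have and do not need.
    Param(
        [Parameter(Mandatory=$true)][string]$ComputerName,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    $Filter = @{ LogName = $LogName; Id = [int[]]$ShadowEventKind.Keys; StartTime = $StartTime }
    # Get-WinEvent reports an error when nothing matches; an empty result is fine here
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            [PSCustomObject]@{
                Time   = $_.TimeCreated
                Server = $ComputerName
                Id     = $_.Id
                Kind   = $ShadowEventKind[$_.Id]
                Text   = ($_.Message -split "`r?`n")[0]   # first line of the event text
            }
        }
}

function Get-ShadowEventReport {
    # Collects from all hosts and picks out what a reviewer should look at first:
    # control sessions, denied consent prompts, and control sessions outside office hours.
    Param([string[]]$ComputerName, [datetime]$StartTime)
    $Events = ForEach ($Server in $ComputerName) {
        Get-ShadowEvent -ComputerName $Server -StartTime $StartTime
    }
    $Events = @($Events | Sort-Object Time)
    $OffHours = @($Events | Where-Object {
        $_.Kind -eq "ControlStarted" -and ($_.Time.Hour -lt 8 -or $_.Time.Hour -ge 19)
    })
    [PSCustomObject]@{
        Events          = $Events
        ControlSessions = @($Events | Where-Object Kind -eq "ControlStarted").Count
        ConsentDenied   = @($Events | Where-Object Kind -like "*PermissionDenied").Count
        OffHoursControl = $OffHours
    }
}

$Report = Get-ShadowEventReport -ComputerName $Servers -StartTime (Get-Date).AddDays(-7)
$Report.Events | Format-Table Time, Server, Kind, Text -AutoSize
"Control sessions: $($Report.ControlSessions), consent denied: $($Report.ConsentDenied)"
$Report.OffHoursControl | Format-Table Time, Server, Text -AutoSize
```

Run it from the security team's workstation, not from the operators' folder: the whole point is that the people holding the shadow right are not the people reviewing its use. A denied-consent count that keeps rising, or control sessions at 03:00, is the kind of signal that should be forwarded to the SIEM rather than read from a table by hand.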

It looks something like this:

[screenshot: the "manager" side]

[screenshot: the user's side]

Final remarks

Nuance 1. If the session of the user we are trying to take control of was started before Set-RDSPermissions.ps1 was run on that server, the "manager" gets an access error: the listener's permissions are applied to a session when it is created, so sessions that already exist keep the old ACL. The fix is obvious: wait until the user logs on again.

Nuance 2. After a few days of working with RDP Shadow we noticed a curious bug or feature: once the shadow session ends, the language bar in the tray disappears for the user whose session was shadowed, and to get it back the user has to log on again. As it turns out, we are not alone: one, two, three.

That's all. Good health to you and to your servers. As always, I look forward to your opinions in the comments, and ask you to take the short survey below.

Survey


What do you use?

  • AMMYY Admin: 8.1% (5)
  • AnyDesk: 17.7% (11)
  • DameWare: 9.7% (6)
  • Radmin: 24.2% (15)
  • RDS Shadow: 14.5% (9)
  • Quick Assist / Windows Remote Assistance: 1.6% (1)
  • TeamViewer: 38.7% (24)
  • VNC: 32.3% (20)
  • Other: 32.3% (20)
  • LiteManager: 3.2% (2)

62 users voted. 22 users abstained.

source: www.habr.com
