Nan òganizasyon kote m ap travay, travay a distans entèdi an prensip. Te. Jiska semèn pase a. Koulye a, nou te oblije aplike yon solisyon ijan. Soti nan biznis - adapte pwosesis nan yon nouvo fòma travay, nan men nou - PKI ak kòd PIN ak marqueur, VPN, antre detaye ak plis ankò.
Pami lòt bagay, mwen te mete kanpe Remote Desktop Enfrastrikti aka Sèvis Tèminal. Nou gen plizyè deplwaman RDS nan diferan sant done. Youn nan objektif yo se te pèmèt kòlèg ki soti nan depatman IT ki gen rapò konekte ak sesyon itilizatè yo entèaktif. Kòm ou konnen, gen yon mekanis lonbraj RDS estanda pou sa a, ak fason ki pi fasil pou delege li se bay dwa administratè lokal sou serveurs RDS.
Mwen respekte ak valè kòlèg mwen yo, men mwen trè visye lè li rive distribye dwa admin. 🙂 Pou moun ki dakò avèm, tanpri swiv koupe a.
Oke, travay la klè, kounye a ann desann nan biznis.
Etap 1
Ann kreye yon gwoup sekirite nan Active Directory RDP_Operatè yo epi mete ladan l kont itilizatè sa yo ke nou vle delege dwa yo:
$Users = @(
"UserLogin1",
"UserLogin2",
"UserLogin3"
)
$Group = "RDP_Operators"
New-ADGroup -Name $Group -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity $Group -Members $Users
Si ou gen plizyè sit AD, w ap bezwen rete tann jiskaske li repwodui nan tout contrôleur domèn anvan ou ale nan pwochen etap la. Sa a anjeneral pran pa plis pase 15 minit.
Etap 2
Ann bay gwoup dwa pou jere sesyon tèminal yo sou chak sèvè RDSH yo:
Set-RDSPermissions.ps1
$Group = "RDP_Operators"
$Servers = @(
"RDSHost01",
"RDSHost02",
"RDSHost03"
)
ForEach ($Server in $Servers) {
#Делегируем право на теневые сессии
$WMIHandles = Get-WmiObject `
-Class "Win32_TSPermissionsSetting" `
-Namespace "rootCIMV2terminalservices" `
-ComputerName $Server `
-Authentication PacketPrivacy `
-Impersonation Impersonate
ForEach($WMIHandle in $WMIHandles)
{
If ($WMIHandle.TerminalName -eq "RDP-Tcp")
{
$retVal = $WMIHandle.AddAccount($Group, 2)
$opstatus = "успешно"
If ($retVal.ReturnValue -ne 0) {
$opstatus = "ошибка"
}
Write-Host ("Делегирование прав на теневое подключение группе " +
$Group + " на сервере " + $Server + ": " + $opstatus + "`r`n")
}
}
}
Etap 3
Ajoute gwoup la nan gwoup lokal la Itilizatè Desktop Remote sou chak nan sèvè RDSH yo. Si sèvè ou yo konbine nan koleksyon sesyon, Lè sa a, nou fè sa nan nivo koleksyon an:
$Group = "RDP_Operators"
$CollectionName = "MyRDSCollection"
[String[]]$CurrentCollectionGroups = @(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup).UserGroup
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup ($CurrentCollectionGroups + $Group)
Pou sèl serveurs nou itilize , ap tann pou li aplike sou serveurs yo. Moun ki twò parese pou tann ka akselere pwosesis la lè l sèvi avèk bon ansyen gpupdate, de preferans .
Etap 4
Ann prepare script PS sa a pou "manadjè":
RDSManagement.ps1
$Servers = @(
"RDSHost01",
"RDSHost02",
"RDSHost03"
)
function Invoke-RDPSessionLogoff {
Param(
[parameter(Mandatory=$True, Position=0)][String]$ComputerName,
[parameter(Mandatory=$true, Position=1)][String]$SessionID
)
$ErrorActionPreference = "Stop"
logoff $SessionID /server:$ComputerName /v 2>&1
}
function Invoke-RDPShadowSession {
Param(
[parameter(Mandatory=$True, Position=0)][String]$ComputerName,
[parameter(Mandatory=$true, Position=1)][String]$SessionID
)
$ErrorActionPreference = "Stop"
mstsc /shadow:$SessionID /v:$ComputerName /control 2>&1
}
Function Get-LoggedOnUser {
Param(
[parameter(Mandatory=$True, Position=0)][String]$ComputerName="localhost"
)
$ErrorActionPreference = "Stop"
Test-Connection $ComputerName -Count 1 | Out-Null
quser /server:$ComputerName 2>&1 | Select-Object -Skip 1 | ForEach-Object {
$CurrentLine = $_.Trim() -Replace "s+"," " -Split "s"
$HashProps = @{
UserName = $CurrentLine[0]
ComputerName = $ComputerName
}
If ($CurrentLine[2] -eq "Disc") {
$HashProps.SessionName = $null
$HashProps.Id = $CurrentLine[1]
$HashProps.State = $CurrentLine[2]
$HashProps.IdleTime = $CurrentLine[3]
$HashProps.LogonTime = $CurrentLine[4..6] -join " "
$HashProps.LogonTime = $CurrentLine[4..($CurrentLine.GetUpperBound(0))] -join " "
}
else {
$HashProps.SessionName = $CurrentLine[1]
$HashProps.Id = $CurrentLine[2]
$HashProps.State = $CurrentLine[3]
$HashProps.IdleTime = $CurrentLine[4]
$HashProps.LogonTime = $CurrentLine[5..($CurrentLine.GetUpperBound(0))] -join " "
}
New-Object -TypeName PSCustomObject -Property $HashProps |
Select-Object -Property UserName, ComputerName, SessionName, Id, State, IdleTime, LogonTime
}
}
$UserLogin = Read-Host -Prompt "Введите логин пользователя"
Write-Host "Поиск RDP-сессий пользователя на серверах..."
$SessionList = @()
ForEach ($Server in $Servers) {
$TargetSession = $null
Write-Host " Опрос сервера $Server"
Try {
$TargetSession = Get-LoggedOnUser -ComputerName $Server | Where-Object {$_.UserName -eq $UserLogin}
}
Catch {
Write-Host "Ошибка: " $Error[0].Exception.Message -ForegroundColor Red
Continue
}
If ($TargetSession) {
Write-Host " Найдена сессия с ID $($TargetSession.ID) на сервере $Server" -ForegroundColor Yellow
Write-Host " Что будем делать?"
Write-Host " 1 - подключиться к сессии"
Write-Host " 2 - завершить сессию"
Write-Host " 0 - ничего"
$Action = Read-Host -Prompt "Введите действие"
If ($Action -eq "1") {
Invoke-RDPShadowSession -ComputerName $Server -SessionID $TargetSession.ID
}
ElseIf ($Action -eq "2") {
Invoke-RDPSessionLogoff -ComputerName $Server -SessionID $TargetSession.ID
}
Break
}
Else {
Write-Host " сессий не найдено"
}
}
Pou fè script PS la pratik pou kouri, nou pral kreye yon koki pou li nan fòm yon dosye cmd ki gen menm non ak script PS la:
RDSManagement.cmd
@ECHO OFF
powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*
Nou mete tou de fichye yo nan yon katab ki pral aksesib a "manadjè" epi mande yo re-konekte. Kounye a, lè yo kouri dosye cmd la, yo pral kapab konekte ak sesyon lòt itilizatè yo nan mòd RDS Shadow epi fòse yo dekonekte (sa a ka itil lè itilizatè a pa ka mete fen nan yon sesyon "pandye" poukont li).
Li sanble yon bagay tankou sa a:
Pou "manadjè a"
Pou itilizatè a
Kèk kòmantè final
Nuans 1. Si sesyon itilizatè a ke nou ap eseye jwenn kontwòl te lanse anvan script la Set-RDSPermissions.ps1 te egzekite sou sèvè a, Lè sa a, "manadjè a" ap resevwa yon erè aksè. Solisyon an isit la se evidan: rete tann jiskaske itilizatè a jere konekte.
Nuans 2. Apre plizyè jou nan travay ak RDP Shadow, nou remake yon ensèk enteresan oswa karakteristik: apre fen sesyon lonbraj la, ba lang nan plato a disparèt pou itilizatè a ke yo te konekte ak, epi jwenn li tounen, itilizatè a bezwen re -ouvri sesyon an. Kòm li vire soti, nou pa poukont nou: , , .
Se tout. Mwen swete ou menm ak serveurs ou yo bon sante. Kòm toujou, mwen gade pou pi devan pou fidbak ou nan kòmantè yo epi mande ou pran sondaj kout anba a.
Sous
Se sèlman itilizatè ki anrejistre ki ka patisipe nan sondaj la. , tanpri.
Ki sa ou itilize?
-
8,1%AMMYY Admin5
-
17,7%AnyDesk11
-
9,7%DameWare6
-
24,2%Radmin15
-
14,5%RDS Shadow9
-
1,6%Asistans rapid / Windows Remote Assistance1
-
38,7%TeamViewer24
-
32,3%VNC20
-
32,3%lòt20
-
3,2%LiteManager2
62 itilizatè te vote. 22 itilizatè te absteni.
Sous: www.habr.com