Delegating RDP session management

In the organisation where I work, remote work was forbidden as a matter of principle. It was. Until last week. Now we have to roll out a solution quickly. From the business side, adapting processes to the new way of working; from our side, PKI with PIN codes and tokens, VPN, detailed logging and so on.
Among other things, I was setting up a Remote Desktop Infrastructure, aka Terminal Services. We have several RDS deployments in different data centres. One of the goals was to let colleagues from related IT departments connect to user sessions interactively. As you know, there is the standard RDS Shadow mechanism for this, and the easiest way to delegate it is to grant local administrator rights on the RDS servers.
I respect and value my colleagues, but I am very stingy when it comes to admin rights. 🙂 Those who agree with me, please follow the cut.

Well, the task is clear, now let's get down to business.

Step 1

Let's create a security group RDP_Operators in Active Directory and put into it the users to whom we want to delegate the rights:

$Users = @(
    "UserLogin1",
    "UserLogin2",
    "UserLogin3"
)
$Group = "RDP_Operators"
New-ADGroup -Name $Group -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity $Group -Members $Users

If you have several AD sites, you will have to wait until the group has replicated to all domain controllers before moving on to the next step. This usually takes no more than 15 minutes.

Step 2

Let's grant the group the right to manage terminal sessions on each RDSH server:

Set-RDSPermissions.ps1

$Group = "RDP_Operators"
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)
ForEach ($Server in $Servers) {
    # Delegate the right to shadow sessions on this host
    $WMIHandles = Get-WmiObject `
        -Class "Win32_TSPermissionsSetting" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $Server `
        -Authentication PacketPrivacy `
        -Impersonation Impersonate
    ForEach($WMIHandle in $WMIHandles)
    {
        If ($WMIHandle.TerminalName -eq "RDP-Tcp")
        {
        # AddAccount(AccountName, PermissionPreSet); preset 2 = WINSTATION_ALL_ACCESS
        $retVal = $WMIHandle.AddAccount($Group, 2)
        $opstatus = "успешно"
        If ($retVal.ReturnValue -ne 0) {
            $opstatus = "ошибка"
        }
        Write-Host ("Делегирование прав на теневое подключение группе " +
            $Group + " на сервере " + $Server + ": " + $opstatus + "`r`n")
        }
    }
}

Step 3

Add the group to the local Remote Desktop Users group on each RDSH server. If your servers are combined into a session collection, we do this at the collection level:

$Group = "RDP_Operators"
$CollectionName = "MyRDSCollection"
# Read the groups already allowed on the collection, then append ours instead of overwriting
[String[]]$CurrentCollectionGroups = @(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup).UserGroup
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup ($CurrentCollectionGroups + $Group)

For standalone servers we use group policy and wait for it to apply on the servers. Those too lazy to wait can speed the process up with good old gpupdate, preferably run centrally.
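Before handing the script to the "managers", it is worth confirming that the delegation from steps 2 and 3 actually landed on every host. The following check is an added example, not part of the original post; it assumes WMI and PowerShell remoting are reachable from the admin workstation and that Get-LocalGroupMember exists on the hosts (Windows Server 2016 or newer).

```powershell
# Added verification script (not from the original post): for each RDSH, report whether
# RDP_Operators is present both in the WMI permission entry on the RDP-Tcp listener
# (written by Set-RDSPermissions.ps1) and in the local Remote Desktop Users group.
$Group   = "RDP_Operators"
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)

function Test-RDSDelegation {
    Param(
        [parameter(Mandatory=$true)][String]$ComputerName,
        [parameter(Mandatory=$true)][String]$GroupName
    )
    # 1. Win32_TSAccount lists every account that holds rights on a listener
    $Entry = Get-WmiObject -Class "Win32_TSAccount" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $ComputerName `
        -Authentication PacketPrivacy `
        -Impersonation Impersonate |
        Where-Object { $_.TerminalName -eq "RDP-Tcp" -and $_.AccountName -like "*\$GroupName" }

    # 2. Membership of the local Remote Desktop Users group (collection setting or GPO)
    $Member = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $Name = $using:GroupName
        Get-LocalGroupMember -Group "Remote Desktop Users" -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like "*\$Name" }
    }

    [PSCustomObject]@{
        Server             = $ComputerName
        ListenerPermission = [bool]$Entry
        PermissionsAllowed = if ($Entry) { $Entry.PermissionsAllowed } else { $null }
        RemoteDesktopUsers = [bool]$Member
    }
}

$Servers | ForEach-Object { Test-RDSDelegation -ComputerName $_ -GroupName $Group } |
    Format-Table -AutoSize
```

A host showing ListenerPermission or RemoteDesktopUsers as False is the one where the "manager" will later see an access error.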

Step 4

Let's prepare the following PS script for the "managers":

RDSManagement.ps1

$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)

function Invoke-RDPSessionLogoff {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    logoff $SessionID /server:$ComputerName /v 2>&1
}

function Invoke-RDPShadowSession {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    mstsc /shadow:$SessionID /v:$ComputerName /control 2>&1
}

Function Get-LoggedOnUser {
    Param(
        [parameter(Mandatory=$False, Position=0)][String]$ComputerName="localhost"
    )
    $ErrorActionPreference = "Stop"
    Test-Connection $ComputerName -Count 1 | Out-Null
    # Parse the text output of quser: skip the header, collapse whitespace, split into columns
    quser /server:$ComputerName 2>&1 | Select-Object -Skip 1 | ForEach-Object {
        $CurrentLine = $_.Trim() -Replace "\s+"," " -Split "\s"
        $HashProps = @{
            UserName = $CurrentLine[0]
            ComputerName = $ComputerName
        }
        # A disconnected session has no SESSIONNAME column, so the fields shift left by one
        If ($CurrentLine[2] -eq "Disc") {
            $HashProps.SessionName = $null
            $HashProps.Id = $CurrentLine[1]
            $HashProps.State = $CurrentLine[2]
            $HashProps.IdleTime = $CurrentLine[3]
            $HashProps.LogonTime = $CurrentLine[4..($CurrentLine.GetUpperBound(0))] -join " "
        }
        else {
            $HashProps.SessionName = $CurrentLine[1]
            $HashProps.Id = $CurrentLine[2]
            $HashProps.State = $CurrentLine[3]
            $HashProps.IdleTime = $CurrentLine[4]
            $HashProps.LogonTime = $CurrentLine[5..($CurrentLine.GetUpperBound(0))] -join " "
        }
        New-Object -TypeName PSCustomObject -Property $HashProps |
        Select-Object -Property UserName, ComputerName, SessionName, Id, State, IdleTime, LogonTime
    }
}

$UserLogin = Read-Host -Prompt "Введите логин пользователя"
Write-Host "Поиск RDP-сессий пользователя на серверах..."
$SessionList = @()
ForEach ($Server in $Servers) {
    $TargetSession = $null
    Write-Host "  Опрос сервера $Server"
    Try {
        $TargetSession = Get-LoggedOnUser -ComputerName $Server | Where-Object {$_.UserName -eq $UserLogin}
    }
    Catch {
        Write-Host "Ошибка: " $Error[0].Exception.Message -ForegroundColor Red
        Continue
    }
    If ($TargetSession) {
        Write-Host "    Найдена сессия с ID $($TargetSession.ID) на сервере $Server" -ForegroundColor Yellow
        Write-Host "    Что будем делать?"
        Write-Host "      1 - подключиться к сессии"
        Write-Host "      2 - завершить сессию"
        Write-Host "      0 - ничего"
        $Action = Read-Host -Prompt "Введите действие"
        If ($Action -eq "1") {
            Invoke-RDPShadowSession -ComputerName $Server -SessionID $TargetSession.ID
        }
        ElseIf ($Action -eq "2") {
            Invoke-RDPSessionLogoff -ComputerName $Server -SessionID $TargetSession.ID
        }
        Break
    }
    Else {
        Write-Host "    сессий не найдено"
    }
}
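Since the whole point of the exercise is to hand out shadow and logoff rights without admin rights, it helps to keep a record of who used them. The following audit hook is an added example, not part of the original post; the event source name "RDSManagement" and the event IDs are assumptions of this example, and New-EventLog has to be run once, elevated, on each "manager" workstation.

```powershell
# Added example (not from the original post): write every shadow or logoff performed via
# RDSManagement.ps1 to the Application event log of the manager's own machine, so that
# delegated use can be reviewed later. A standard user can write to, but not clear, this log.
$EventSource = "RDSManagement"   # assumption: our own source name, registered with New-EventLog

function Write-RDSAuditEvent {
    Param(
        [parameter(Mandatory=$true)][ValidateSet("Shadow","Logoff")][String]$Action,
        [parameter(Mandatory=$true)][String]$ComputerName,
        [parameter(Mandatory=$true)][String]$SessionID,
        [parameter(Mandatory=$true)][String]$TargetUser
    )
    # The delegated operator is whoever runs the script, taken from the process token
    $Operator = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    $EventId  = if ($Action -eq "Shadow") { 1001 } else { 1002 }   # our own IDs
    $Message  = "Operator $Operator performed $Action on session $SessionID " +
                "of user $TargetUser on server $ComputerName"
    Try {
        Write-EventLog -LogName Application -Source $EventSource `
            -EventId $EventId -EntryType Information -Message $Message
    }
    Catch {
        # Source not registered or log not writable: say so loudly rather than
        # silently losing the audit trail
        Write-Warning ("Audit event not written: " + $_.Exception.Message)
    }
}

# Hook it into the action menu of RDSManagement.ps1, just before the action itself:
#   If ($Action -eq "1") {
#       Write-RDSAuditEvent -Action Shadow -ComputerName $Server `
#           -SessionID $TargetSession.ID -TargetUser $UserLogin
#       Invoke-RDPShadowSession -ComputerName $Server -SessionID $TargetSession.ID
#   }
```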

To make the PS script convenient to run, we will make a wrapper for it in the form of a cmd file with the same name as the PS script:

RDSManagement.cmd

@ECHO OFF
powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*

We put both files in a folder accessible to the "managers" and ask them to log in again. Now, by running the cmd file, they can connect to another user's session in RDS Shadow mode and forcibly log the user off (this is useful when the user cannot end a "hung" session themselves).

It looks like this:

For the "manager": [screenshot: Delegating RDP session management]

For the user: [screenshot: Delegating RDP session management]

A few final remarks

Nuance 1. If the user session we are trying to take control of was started before the Set-RDSPermissions.ps1 script was run on the server, the "manager" will get an access error. The solution here is obvious: wait until the managed user logs in again.

Nuance 2. After a few days of working with RDP Shadow, we noticed an interesting bug or feature: after a shadow session ends, the language bar in the tray disappears for the user who was shadowed, and to get it back the user has to log in again. As it turns out, we are not alone: one, two, three.

That's all. Stay healthy, you and your servers. As usual, I look forward to your feedback in the comments and ask you to take the short survey below.

Sources of information


What do you use?

  • 8.1% AMMYY Admin (5)
  • 17.7% AnyDesk (11)
  • 9.7% DameWare (6)
  • 24.2% Radmin (15)
  • 14.5% RDS Shadow (9)
  • 1.6% Quick Assist / Windows Remote Assistance (1)
  • 38.7% TeamViewer (24)
  • 32.3% VNC (20)
  • 32.3% other (20)
  • 3.2% LiteManager (2)

62 users voted. 22 users abstained.

Source: www.habr.com
