The organization I work for forbids remote work on principle. Until last week, that is. Now we had to roll out a solution urgently. The business had to adapt its processes to the new working format, and we had to deploy a PKI with PIN codes and tokens, a VPN, detailed logging and much more.
Among other things, I was involved in setting up the Remote Desktop infrastructure (aka Terminal Services). We have several RDS deployments in different data centers. One of the tasks was to let colleagues from neighbouring IT departments connect interactively to user sessions. As you know, there is a built-in RDS Shadow mechanism for this, and the easiest way to delegate it is to grant local administrator rights on the RDS servers.
I respect and value my colleagues, but I am very stingy when it comes to handing out administrator rights. :) Those who agree with me, please read on.
So, the task is clear; let's get to work.
Step 1
Create a security group RDP_Operators in Active Directory and add the accounts of the users to whom we want to delegate the rights:
$Users = @(
"UserLogin1",
"UserLogin2",
"UserLogin3"
)
$Group = "RDP_Operators"
New-ADGroup -Name $Group -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity $Group -Members $Users
If you have several AD sites, you will have to wait for the change to replicate to all domain controllers before moving on to the next step. This can take 15 minutes or more.
Step 2
Let's allow the group to manage terminal sessions on every RDSH server:
Set-RDSPermissions.ps1
$Group = "RDP_Operators"
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)
ForEach ($Server in $Servers) {
    # Delegate the right to shadow sessions on the RDP-Tcp listener
    $WMIHandles = Get-WmiObject `
        -Class "Win32_TSPermissionsSetting" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $Server `
        -Authentication PacketPrivacy `
        -Impersonation Impersonate
    ForEach ($WMIHandle in $WMIHandles) {
        If ($WMIHandle.TerminalName -eq "RDP-Tcp") {
            # PermissionPreSet 2 = Full Control on the listener (0 = Guest access, 1 = User access)
            $retVal = $WMIHandle.AddAccount($Group, 2)
            $opstatus = "success"
            If ($retVal.ReturnValue -ne 0) {
                $opstatus = "error"
            }
            Write-Host ("Delegating shadow-connection rights to group " +
                $Group + " on server " + $Server + ": " + $opstatus + "`r`n")
        }
    }
}
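AddAccount with preset 2 grants the group Full Control on the RDP-Tcp listener, which is more than the remote-control right alone. Before handing the tool to operators it is worth reading the listener ACL back and seeing exactly what each account holds. The script below is an added example, not code from the original article: it queries the Win32_TSAccount class in the same WMI namespace and decodes the PermissionsAllowed / PermissionsDenied bitmasks using the WINSTATION_* bit values from winsta.h. The server names and the group name are the ones used on this page; the script is written for Windows PowerShell 5.1, where Get-WmiObject is still available.

```powershell
# Audit-RDSPermissions.ps1  (added example, not from the original article)
# Reads the RDP-Tcp listener ACL on each RDSH host via Win32_TSAccount and
# decodes the permission bitmasks, so you can confirm what AddAccount granted.
$Group   = "RDP_Operators"                       # same group as in Set-RDSPermissions.ps1
$Servers = @("RDSHost01", "RDSHost02", "RDSHost03")

# Bit values of the listener rights (WINSTATION_* constants from winsta.h)
$TSRights = [ordered]@{
    Query      = 0x001
    Set        = 0x002
    Reset      = 0x004
    Virtual    = 0x008
    Shadow     = 0x010   # "Remote Control" in the GUI; this is the right RDS Shadow needs
    Logon      = 0x020
    Logoff     = 0x040
    Message    = 0x080
    Connect    = 0x100
    Disconnect = 0x200
}

function ConvertTo-TSRightNames {
    # Turn a PermissionsAllowed/PermissionsDenied mask into a list of right names
    Param([UInt32]$Mask)
    $TSRights.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

function Get-RDSListenerAcl {
    # One object per ACL entry on the RDP-Tcp listener of the given host
    Param([parameter(Mandatory=$true)][String]$ComputerName)
    Get-WmiObject -Class "Win32_TSAccount" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $ComputerName `
        -Authentication PacketPrivacy `
        -Impersonation Impersonate |
      Where-Object { $_.TerminalName -eq "RDP-Tcp" } |
      ForEach-Object {
        [PSCustomObject]@{
            ComputerName = $ComputerName
            Account      = $_.AccountName                       # reported as DOMAIN\name
            Allowed      = (ConvertTo-TSRightNames $_.PermissionsAllowed) -join ","
            Denied       = (ConvertTo-TSRightNames $_.PermissionsDenied) -join ","
        }
      }
}

ForEach ($Server in $Servers) {
    Try {
        $Acl = @(Get-RDSListenerAcl -ComputerName $Server)
    }
    Catch {
        Write-Warning "$Server : $($_.Exception.Message)"
        Continue
    }
    $Acl | Format-Table -AutoSize
    # Sanity checks: the group must be present and must hold the Shadow right
    $Entry = $Acl | Where-Object { $_.Account -like "*\$Group" -or $_.Account -eq $Group }
    If (-not $Entry) {
        Write-Warning "$Server : $Group is not on the RDP-Tcp listener ACL"
    }
    ElseIf ($Entry.Allowed -notmatch "Shadow") {
        Write-Warning "$Server : $Group has no Shadow (remote control) right"
    }
}
```

Run it after Set-RDSPermissions.ps1 and again periodically: any account that appears on the listener ACL with more than you expect is worth a question. If Full Control is more than you want to give, Win32_TSAccount also exposes a ModifyPermissions method that sets or clears a single right, so the group can be added with a narrower preset and then given just the rights the operator script uses.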
Step 3
Add the group to the local Remote Desktop Users group on every RDSH server. If your servers are grouped into session collections, do this at the collection level:
$Group = "RDP_Operators"
$CollectionName = "MyRDSCollection"
[String[]]$CurrentCollectionGroups = @(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup).UserGroup
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup ($CurrentCollectionGroups + $Group)
For standalone servers we push the membership through Group Policy and wait for it to be applied on the servers. Those too impatient to wait can force the process with good old gpupdate.
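If you would rather not wait for Group Policy on standalone servers, the same membership can be set and verified directly over PowerShell remoting. The script below is an added example, not code from the original article. It assumes the operators' group lives in the current user's domain ($env:USERDOMAIN), that WinRM is enabled on the RDSH hosts, and that you have local administrator rights there yourself; the server names are the ones used on this page.

```powershell
# Add-RDSOperatorsToLocalGroup.ps1  (added example, not from the original article)
# Adds the domain group to the local "Remote Desktop Users" group on each
# standalone RDSH host and reads the membership back to confirm the change.
$Group   = "RDP_Operators"
$Domain  = $env:USERDOMAIN                      # assumption: the group is in the current domain
$Servers = @("RDSHost01", "RDSHost02", "RDSHost03")
$Member  = "$Domain\$Group"

$Results = Invoke-Command -ComputerName $Servers -ArgumentList $Member -ScriptBlock {
    Param($Member)
    $LocalGroup = "Remote Desktop Users"
    If (Get-Command Add-LocalGroupMember -ErrorAction SilentlyContinue) {
        # Microsoft.PowerShell.LocalAccounts ships with Windows Server 2016 and later
        $Existing = Get-LocalGroupMember -Group $LocalGroup |
            Where-Object { $_.Name -eq $Member }
        If (-not $Existing) {
            Add-LocalGroupMember -Group $LocalGroup -Member $Member
        }
        $Present = [bool](Get-LocalGroupMember -Group $LocalGroup |
            Where-Object { $_.Name -eq $Member })
    }
    Else {
        # Older hosts: fall back to net.exe; "already a member" errors are ignored
        $null = net localgroup "$LocalGroup" "$Member" /add 2>&1
        $Present = ((net localgroup "$LocalGroup") | ForEach-Object { $_.Trim() }) -contains $Member
    }
    [PSCustomObject]@{
        Server  = $env:COMPUTERNAME
        Member  = $Member
        Present = $Present
    }
}

$Results | Format-Table Server, Member, Present -AutoSize
$Results | Where-Object { -not $_.Present } | ForEach-Object {
    Write-Warning "$($_.Server): $Member is still missing from Remote Desktop Users"
}
```

Whichever route you take, the operators must log off and on again afterwards: group membership is stamped into the access token at logon, so an existing session will not see the new group.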
Step 4
Let's prepare the following PS script for the "managers":
RDSManagement.ps1
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)
function Invoke-RDPSessionLogoff {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    logoff $SessionID /server:$ComputerName /v 2>&1
}
function Invoke-RDPShadowSession {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    # /control requests full control (keyboard and mouse) rather than view-only
    mstsc /shadow:$SessionID /v:$ComputerName /control 2>&1
}
Function Get-LoggedOnUser {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName="localhost"
    )
    $ErrorActionPreference = "Stop"
    Test-Connection $ComputerName -Count 1 | Out-Null
    # Parse the tabular output of quser; the first line is the column header
    quser /server:$ComputerName 2>&1 | Select-Object -Skip 1 | ForEach-Object {
        $CurrentLine = $_.Trim() -Replace "\s+"," " -Split "\s"
        $HashProps = @{
            UserName = $CurrentLine[0]
            ComputerName = $ComputerName
        }
        # A disconnected session has an empty SESSIONNAME column, so its fields shift left by one
        If ($CurrentLine[2] -eq "Disc") {
            $HashProps.SessionName = $null
            $HashProps.Id = $CurrentLine[1]
            $HashProps.State = $CurrentLine[2]
            $HashProps.IdleTime = $CurrentLine[3]
            $HashProps.LogonTime = $CurrentLine[4..($CurrentLine.GetUpperBound(0))] -join " "
        }
        else {
            $HashProps.SessionName = $CurrentLine[1]
            $HashProps.Id = $CurrentLine[2]
            $HashProps.State = $CurrentLine[3]
            $HashProps.IdleTime = $CurrentLine[4]
            $HashProps.LogonTime = $CurrentLine[5..($CurrentLine.GetUpperBound(0))] -join " "
        }
        New-Object -TypeName PSCustomObject -Property $HashProps |
            Select-Object -Property UserName, ComputerName, SessionName, Id, State, IdleTime, LogonTime
    }
}
$UserLogin = Read-Host -Prompt "Enter the user's login"
Write-Host "Searching for the user's RDP sessions on the servers..."
ForEach ($Server in $Servers) {
    $TargetSession = $null
    Write-Host " Querying server $Server"
    Try {
        $TargetSession = Get-LoggedOnUser -ComputerName $Server | Where-Object {$_.UserName -eq $UserLogin}
    }
    Catch {
        Write-Host "Error: " $Error[0].Exception.Message -ForegroundColor Red
        Continue
    }
    If ($TargetSession) {
        Write-Host " Found session ID $($TargetSession.ID) on server $Server" -ForegroundColor Yellow
        Write-Host " What shall we do?"
        Write-Host " 1 - connect to the session"
        Write-Host " 2 - end the session"
        Write-Host " 0 - nothing"
        $Action = Read-Host -Prompt "Enter action"
        If ($Action -eq "1") {
            Invoke-RDPShadowSession -ComputerName $Server -SessionID $TargetSession.ID
        }
        ElseIf ($Action -eq "2") {
            Invoke-RDPSessionLogoff -ComputerName $Server -SessionID $TargetSession.ID
        }
        Break
    }
    Else {
        Write-Host " no sessions found"
    }
}
To make launching the PS script easier, let's create a wrapper for it in the form of a cmd file with the same name as the PS script:
RDSManagement.cmd
@ECHO OFF
powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*
Place both files in a folder accessible to the "managers" and ask them to log off and on again. Now, by running the cmd file, they will be able to connect to other users' sessions in RDS Shadow mode and forcibly log them off (useful when a user cannot end a hung session).
This is what it looks like for the "manager" and for the user (screenshots in the original).
A few closing remarks
Nuance 1. If the session of the user we want to control was started before the Set-RDSPermissions.ps1 script was run on the server, the shadow attempt fails with an access error. The fix is obvious: wait until that user logs off and logs on again.
Nuance 2. After a few days of working with RDP Shadow we noticed a curious bug, or feature: once the shadow session ends, the user's language bar disappears from the system tray, and the user has to log on again to get it back. It turned out we are not the only ones to run into this.
That's all for now. Good health to you and your servers. As always, I welcome your feedback in the comments and ask you to take the short poll below.
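Once non-admins can take control of other people's desktops, two things become important that the operator script above does not do: it should refuse to touch the session of a privileged account (full control of a Domain Admin's session is a privilege escalation path), and every action should leave a trace that names the operator. The script below is an added example, not code from the original article. It assumes the ActiveDirectory module is installed on the operator's workstation; the protected-group list and the audit log path are hypothetical choices for your environment.

```powershell
# RDSManagement-Guard.ps1  (added example, not from the original article)
# Guardrails around the two actions in RDSManagement.ps1: refuse to shadow or
# log off the session of a privileged account, and record every action taken.
$ProtectedGroups = @("Domain Admins", "Enterprise Admins", "Account Operators")
$AuditLog        = "\\fs01\rdsaudit\shadow.log"   # hypothetical share; give operators write/append only

function Test-ShadowTargetAllowed {
    # $true unless the target user is a (possibly nested) member of a protected group
    Param([parameter(Mandatory=$true)][String]$UserLogin)
    $User = Get-ADUser -Identity $UserLogin -ErrorAction Stop
    # LDAP_MATCHING_RULE_IN_CHAIN expands nested membership in a single query
    $Filter = "(member:1.2.840.113556.1.4.1941:=$($User.DistinguishedName))"
    $Groups = Get-ADGroup -LDAPFilter $Filter | Select-Object -ExpandProperty Name
    $Hits   = @($Groups | Where-Object { $ProtectedGroups -contains $_ })
    return ($Hits.Count -eq 0)
}

function Write-ShadowAudit {
    # One JSON line per action: who did what, to whom, where, and how it ended
    Param(
        [String]$Action, [String]$ComputerName, [String]$SessionID,
        [String]$TargetUser, [String]$Result
    )
    $Record = [ordered]@{
        Time     = (Get-Date).ToString("o")
        Operator = "$env:USERDOMAIN\$env:USERNAME"
        Client   = $env:COMPUTERNAME
        Action   = $Action
        Server   = $ComputerName
        Session  = $SessionID
        Target   = $TargetUser
        Result   = $Result
    }
    Add-Content -Path $AuditLog -Value ([PSCustomObject]$Record | ConvertTo-Json -Compress)
}

function Invoke-GuardedRDPAction {
    # Drop-in replacement for Invoke-RDPShadowSession / Invoke-RDPSessionLogoff
    Param(
        [parameter(Mandatory=$true)][ValidateSet("shadow","logoff")][String]$Action,
        [parameter(Mandatory=$true)][String]$ComputerName,
        [parameter(Mandatory=$true)][String]$SessionID,
        [parameter(Mandatory=$true)][String]$TargetUser
    )
    If (-not (Test-ShadowTargetAllowed -UserLogin $TargetUser)) {
        Write-ShadowAudit -Action $Action -ComputerName $ComputerName -SessionID $SessionID `
            -TargetUser $TargetUser -Result "refused: protected account"
        throw "Refusing to $Action the session of $TargetUser (member of a protected group)"
    }
    Write-ShadowAudit -Action $Action -ComputerName $ComputerName -SessionID $SessionID `
        -TargetUser $TargetUser -Result "started"
    Switch ($Action) {
        "shadow" { mstsc /shadow:$SessionID /v:$ComputerName /control }
        "logoff" { logoff $SessionID /server:$ComputerName /v }
    }
}

# Usage inside the ForEach loop of RDSManagement.ps1, in place of the two direct calls:
# Invoke-GuardedRDPAction -Action shadow -ComputerName $Server -SessionID $TargetSession.Id -TargetUser $UserLogin
# Invoke-GuardedRDPAction -Action logoff -ComputerName $Server -SessionID $TargetSession.Id -TargetUser $UserLogin
```

Two caveats. The check and the log live on the operator's side of the connection: anyone who holds the listener right can run mstsc /shadow by hand, so this is a guardrail for the tool, not an access control. The enforceable control is to keep privileged accounts off the RDSH hosts altogether and to review the RDS connection logs on the servers themselves. Second, whether the user is asked for consent before control is taken is decided by the "Set rules for remote control of Remote Desktop Services user sessions" policy on the hosts; for a group that is being granted this right precisely because it is not made up of administrators, leave the setting at full control with the user's permission.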
Poll: what do you use?
8.1% Ammyy Admin (5)
17.7% AnyDesk (11)
9.7% DameWare (6)
24.2% Radmin (15)
14.5% RDS Shadow (9)
1.6% Quick Assist / Windows Remote Assistance (1)
38.7% TeamViewer (24)
32.3% VNC (20)
32.3% Other (20)
3.2% LiteManager (2)
62 users voted. 22 users abstained.
Manba: www.habr.com
