Delegating management of RDP sessions

In the organization where I work, remote work is prohibited in principle. Was. Until last week. Now we have to implement a solution urgently. From the business side: adapting processes to the new work format. From our side: PKI with PIN codes and tokens, VPN, detailed logging and much more.
Among other things, I have been setting up Remote Desktop Infrastructure, aka Terminal Services. We have several RDS deployments in different data centers. One of the goals was to let colleagues from related IT departments connect to user sessions interactively. As you know, there is a standard RDS Shadow mechanism for this, and the easiest way to delegate it is to grant local administrator rights on the RDS servers.
I respect and value my colleagues, but I am very greedy when it comes to handing out admin rights. 🙂 Those who agree with me, please follow me under the cut.

Well, the task is clear, now let's get down to business.

Step 1

Let's create a security group in Active Directory named RDP_Operators and add to it the accounts of the users to whom we want to delegate rights:

$Users = @(
    "UserLogin1",
    "UserLogin2",
    "UserLogin3"
)
$Group = "RDP_Operators"
New-ADGroup -Name $Group -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity $Group -Members $Users

If you have multiple AD sites, you will need to wait until the group has replicated to all domain controllers before moving on to the next step. This usually takes more than 15 minutes.

Step 2

Let's grant the group rights to manage terminal sessions on each of the RDSH servers:

Set-RDSPermissions.ps1

$Group = "RDP_Operators"
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)
ForEach ($Server in $Servers) {
    # Delegate the right to shadow sessions
    $WMIHandles = Get-WmiObject `
        -Class "Win32_TSPermissionsSetting" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $Server `
        -Authentication PacketPrivacy `
        -Impersonation Impersonate
    ForEach($WMIHandle in $WMIHandles)
    {
        # Only change the ACL of the RDP listener
        If ($WMIHandle.TerminalName -eq "RDP-Tcp")
        {
            # AddAccount(AccountName, PermissionPreSet): preset 2 is the full-control preset
            $retVal = $WMIHandle.AddAccount($Group, 2)
            $opstatus = "успешно"       # "success"
            If ($retVal.ReturnValue -ne 0) {
                $opstatus = "ошибка"    # "error"
            }
            # Message: "Delegating shadow connection rights to group <Group> on server <Server>: <status>"
            Write-Host ("Делегирование прав на теневое подключение группе " +
                $Group + " на сервере " + $Server + ": " + $opstatus + "`r`n")
        }
    }
}
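
A check to run after step 2, as an added example that is not part of the original article: it reads the RDP-Tcp listener ACL back through the Win32_TSAccount WMI class and lists every entry outside a baseline of well-known SIDs, so you can confirm the group landed on each host and that nothing unexpected holds listener permissions. The baseline SID list and the function name Get-RdpListenerAccount are assumptions; adjust the baseline to your own server build.

```powershell
# Added example. Server and group names are the article's placeholders.
$Servers = @("RDSHost01", "RDSHost02", "RDSHost03")
$Group   = "RDP_Operators"

# Assumption: well-known SIDs treated as the expected default listener ACL.
$BaselineSids = @(
    "S-1-5-18",      # NT AUTHORITY\SYSTEM
    "S-1-5-19",      # NT AUTHORITY\LOCAL SERVICE
    "S-1-5-20",      # NT AUTHORITY\NETWORK SERVICE
    "S-1-5-4",       # NT AUTHORITY\INTERACTIVE
    "S-1-5-32-544",  # BUILTIN\Administrators
    "S-1-5-32-555"   # BUILTIN\Remote Desktop Users
)

function Get-RdpListenerAccount {
    Param([Parameter(Mandatory=$true)][String]$ComputerName)
    # One Win32_TSAccount instance exists per account on the listener ACL
    Get-WmiObject -Class "Win32_TSAccount" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $ComputerName `
        -Authentication PacketPrivacy `
        -Filter "TerminalName='RDP-Tcp'" `
        -ErrorAction Stop |
    ForEach-Object {
        [PSCustomObject]@{
            Server      = $ComputerName
            Account     = $_.AccountName
            SID         = $_.SID
            Allowed     = "0x{0:X}" -f $_.PermissionsAllowed
            Denied      = "0x{0:X}" -f $_.PermissionsDenied
            NonBaseline = ($BaselineSids -notcontains $_.SID)
        }
    }
}

$Report = ForEach ($Server in $Servers) {
    Try   { Get-RdpListenerAccount -ComputerName $Server }
    Catch { Write-Warning "$Server : $($_.Exception.Message)" }
}

# Entries outside the baseline: the delegated group should be the only one listed
$Report | Where-Object NonBaseline | Format-Table Server, Account, Allowed, Denied -AutoSize

# Servers where the delegation from step 2 is missing
$Servers | Where-Object {
    $s = $_
    -not ($Report | Where-Object { $_.Server -eq $s -and $_.Account -like "*\$Group" })
}
```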

Step 3

Add the group to the local Remote Desktop Users group on each of the RDSH servers. If your servers are combined into session collections, then we do this at the collection level:

$Group = "RDP_Operators"
$CollectionName = "MyRDSCollection"
[String[]]$CurrentCollectionGroups = @(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup).UserGroup
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup ($CurrentCollectionGroups + $Group)

For standalone servers we use Group Policy and wait for it to be applied on the servers. Those too lazy to wait can speed up the process with good old gpupdate, preferably run centrally.

Step 4

Let's prepare the following PS script for the “managers”:

RDSManagement.ps1

$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)

# Forces a logoff of the given session on the given server
function Invoke-RDPSessionLogoff {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    logoff $SessionID /server:$ComputerName /v 2>&1
}

# Opens an RDS Shadow connection to the given session with control (/control)
function Invoke-RDPShadowSession {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    mstsc /shadow:$SessionID /v:$ComputerName /control 2>&1
}

# Parses "quser" output for a server into one object per session
Function Get-LoggedOnUser {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName="localhost"
    )
    $ErrorActionPreference = "Stop"
    Test-Connection $ComputerName -Count 1 | Out-Null
    quser /server:$ComputerName 2>&1 | Select-Object -Skip 1 | ForEach-Object {
        # Collapse runs of whitespace, then split the line into columns
        $CurrentLine = $_.Trim() -Replace "\s+"," " -Split "\s"
        $HashProps = @{
            UserName = $CurrentLine[0]
            ComputerName = $ComputerName
        }
        # Disconnected sessions have no session name column, so the fields shift left by one
        If ($CurrentLine[2] -eq "Disc") {
            $HashProps.SessionName = $null
            $HashProps.Id = $CurrentLine[1]
            $HashProps.State = $CurrentLine[2]
            $HashProps.IdleTime = $CurrentLine[3]
            $HashProps.LogonTime = $CurrentLine[4..($CurrentLine.GetUpperBound(0))] -join " "
        }
        else {
            $HashProps.SessionName = $CurrentLine[1]
            $HashProps.Id = $CurrentLine[2]
            $HashProps.State = $CurrentLine[3]
            $HashProps.IdleTime = $CurrentLine[4]
            $HashProps.LogonTime = $CurrentLine[5..($CurrentLine.GetUpperBound(0))] -join " "
        }
        New-Object -TypeName PSCustomObject -Property $HashProps |
        Select-Object -Property UserName, ComputerName, SessionName, Id, State, IdleTime, LogonTime
    }
}

# Prompt: "Enter the user's login"
$UserLogin = Read-Host -Prompt "Введите логин пользователя"
# "Searching for the user's RDP sessions on the servers..."
Write-Host "Поиск RDP-сессий пользователя на серверах..."
$SessionList = @()
ForEach ($Server in $Servers) {
    $TargetSession = $null
    # "Polling server <Server>"
    Write-Host "  Опрос сервера $Server"
    Try {
        $TargetSession = Get-LoggedOnUser -ComputerName $Server | Where-Object {$_.UserName -eq $UserLogin}
    }
    Catch {
        # "Error: <message>"
        Write-Host "Ошибка: " $Error[0].Exception.Message -ForegroundColor Red
        Continue
    }
    If ($TargetSession) {
        # "Found a session with ID <ID> on server <Server>"
        Write-Host "    Найдена сессия с ID $($TargetSession.ID) на сервере $Server" -ForegroundColor Yellow
        # Menu: "What shall we do?" 1 - connect to the session, 2 - end the session, 0 - nothing
        Write-Host "    Что будем делать?"
        Write-Host "      1 - подключиться к сессии"
        Write-Host "      2 - завершить сессию"
        Write-Host "      0 - ничего"
        # Prompt: "Enter the action"
        $Action = Read-Host -Prompt "Введите действие"
        If ($Action -eq "1") {
            Invoke-RDPShadowSession -ComputerName $Server -SessionID $TargetSession.ID
        }
        ElseIf ($Action -eq "2") {
            Invoke-RDPSessionLogoff -ComputerName $Server -SessionID $TargetSession.ID
        }
        # Stop at the first server where the user has a session
        Break
    }
    Else {
        # "no sessions found"
        Write-Host "    сессий не найдено"
    }
}

To make the PS script convenient to run, we will create a wrapper for it in the form of a cmd file with the same name as the PS script:

RDSManagement.cmd

@ECHO OFF
powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*

We put both files in a folder that is accessible to the “managers” and ask them to log in again. Now, by running the cmd file, they will be able to connect to other users' sessions in RDS Shadow mode and force them to log off (this can be useful when a user cannot end a “hung” session on their own).
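
Once shadowing is delegated, it is worth reviewing who used it. The following is an added example, not part of the original article: it collects the shadow-related events from the TerminalServices-RemoteConnectionManager operational log on each session host. The function name Get-ShadowActivity and the 7-day window are assumptions, and the account running it needs permission to read event logs remotely.

```powershell
# Added example. Server names are placeholders, as in the article.
$Servers = @("RDSHost01", "RDSHost02", "RDSHost03")
$Since   = (Get-Date).AddDays(-7)   # assumption: 7-day review window
$LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

# Shadow-related event IDs written to that log on the session host
$ShadowEvents = @{
    20503 = "view session started"
    20504 = "view session stopped"
    20506 = "control session started"
    20507 = "control session stopped"
    20508 = "view permission granted"
    20510 = "control permission granted"
}

function Get-ShadowActivity {
    Param(
        [Parameter(Mandatory=$true)][String]$ComputerName,
        [Parameter(Mandatory=$true)][DateTime]$StartTime
    )
    $Filter = @{ LogName = $LogName; Id = [int[]]$ShadowEvents.Keys; StartTime = $StartTime }
    Try {
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $Filter -ErrorAction Stop |
        ForEach-Object {
            [PSCustomObject]@{
                Server  = $ComputerName
                Time    = $_.TimeCreated
                EventId = $_.Id
                Action  = $ShadowEvents[$_.Id]
                Message = $_.Message   # event text as logged by the session host
            }
        }
    }
    Catch {
        # "No events found" is a normal result; anything else is worth a warning
        If ($_.FullyQualifiedErrorId -notlike "NoMatchingEventsFound*") {
            Write-Warning "$ComputerName : $($_.Exception.Message)"
        }
    }
}

$Servers | ForEach-Object { Get-ShadowActivity -ComputerName $_ -StartTime $Since } |
    Sort-Object Time |
    Format-Table Time, Server, EventId, Action, Message -AutoSize -Wrap
```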

It looks like this:

[Screenshot: for the “manager”]

[Screenshot: for the user]

A few final comments

Nuance 1. If the user session we are trying to take control of was started before the Set-RDSPermissions.ps1 script was run on the server, the “manager” will get an access error. The solution here is obvious: wait until the managed user logs in again.

Nuance 2. After several days of working with RDP Shadow, we noticed an interesting bug or feature: after a shadow session ends, the language bar in the tray disappears for the user who was connected to, and to get it back the user needs to log in again. As it turns out, we are not alone: one, two, three.

That's all. I wish you and your servers good health. As always, I look forward to your feedback in the comments and ask you to take the short survey below.


What do you use?

  • 8.1% AMMYY Admin (5)
  • 17.7% AnyDesk (11)
  • 9.7% DameWare (6)
  • 24.2% Radmin (15)
  • 14.5% RDS Shadow (9)
  • 1.6% Quick Assist / Windows Remote Assistance (1)
  • 38.7% TeamViewer (24)
  • 32.3% VNC (20)
  • 32.3% other (20)
  • 3.2% LiteManager (2)

62 users voted. 22 users abstained.

Source: www.habr.com
