At the organization where I work, remote work was prohibited as a matter of principle. Was. Until last week. Now we had to roll out a solution in a hurry. On the business side, that meant adapting processes to the new way of working; on our side, PKI with PIN codes and tokens, VPN, detailed logging and much more.
Among other things, I was setting up the Remote Desktop infrastructure, also known as Terminal Services. We have several RDS deployments in different data centers. One of the goals was to let colleagues from related IT departments connect to user sessions interactively. As you know, there is a standard RDS Shadow mechanism for this, and the easiest way to delegate it is to grant local administrator rights on the RDS servers.
I respect and value my colleagues, but I am very greedy when it comes to handing out administrative rights. 🙂 For those who agree with me, please follow me under the cut.
Well, the task is clear, so let's get down to business.
Step 1
Let's create a security group named RDP_Operators in Active Directory and add to it the accounts of the users to whom we want to delegate rights:
$Users = @(
"UserLogin1",
"UserLogin2",
"UserLogin3"
)
$Group = "RDP_Operators"
New-ADGroup -Name $Group -GroupCategory Security -GroupScope DomainLocal
Add-ADGroupMember -Identity $Group -Members $Users
If you have multiple AD sites, you will need to wait until the group has replicated to all domain controllers before moving on to the next step. This usually takes no more than 15 minutes.
Step 2
Let's give the group the rights to manage terminal sessions on each RDSH server:
Set-RDSPermissions.ps1
$Group = "RDP_Operators"
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)
ForEach ($Server in $Servers) {
    # Delegate the right to shadow sessions
    $WMIHandles = Get-WmiObject `
        -Class "Win32_TSPermissionsSetting" `
        -Namespace "root\CIMV2\terminalservices" `
        -ComputerName $Server `
        -Authentication PacketPrivacy `
        -Impersonation Impersonate
    ForEach ($WMIHandle in $WMIHandles) {
        If ($WMIHandle.TerminalName -eq "RDP-Tcp") {
            # PermissionPreSet 2 = WINSTATION_ALL_ACCESS (full control on this listener)
            $retVal = $WMIHandle.AddAccount($Group, 2)
            $opstatus = "успешно"       # "success"
            If ($retVal.ReturnValue -ne 0) {
                $opstatus = "ошибка"    # "error"
            }
            # Message: "Delegating shadow connection rights to group <Group> on server <Server>: <status>"
            Write-Host ("Делегирование прав на теневое подключение группе " +
                $Group + " на сервере " + $Server + ": " + $opstatus + "`r`n")
        }
    }
}
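To confirm what Step 2 actually granted, the ACL of the RDP-Tcp listener can be read back through Win32_TSAccount. This is an added example, not part of the original article; the host and group names are the article's sample values, and the 0x10 value for the Remote Control (shadow) bit is an assumption based on the WinStation access-mask definitions.

```powershell
# Added example: list every account on the RDP-Tcp listener of each RDSH host
# and flag the ones that are allowed to shadow sessions.
$Servers = @("RDSHost01", "RDSHost02", "RDSHost03")   # sample host names from the article
$Group   = "RDP_Operators"                            # group created in Step 1
$WINSTATION_SHADOW = 0x10                             # assumed bit for the Remote Control right

$Report = ForEach ($Server in $Servers) {
    Try {
        Get-WmiObject -Class "Win32_TSAccount" `
            -Namespace "root\CIMV2\terminalservices" `
            -Filter "TerminalName='RDP-Tcp'" `
            -ComputerName $Server `
            -Authentication PacketPrivacy `
            -ErrorAction Stop |
        ForEach-Object {
            # AccountName may be "DOMAIN\name" or just "name"; compare the last part
            $ShortName = ($_.AccountName -split '\\')[-1]
            [PSCustomObject]@{
                Server      = $Server
                Account     = $_.AccountName
                AllowedMask = '0x{0:X}' -f $_.PermissionsAllowed
                DeniedMask  = '0x{0:X}' -f $_.PermissionsDenied
                CanShadow   = [bool]($_.PermissionsAllowed -band $WINSTATION_SHADOW)
                IsDelegated = ($ShortName -eq $Group)
            }
        }
    }
    Catch {
        Write-Warning "$Server : $($_.Exception.Message)"
    }
}

# Full picture per host
$Report | Sort-Object Server, Account | Format-Table -AutoSize

# Hosts where the delegated group is missing (Step 2 failed or was never run there)
$Servers | Where-Object { $s = $_; -not ($Report | Where-Object { $_.Server -eq $s -and $_.IsDelegated }) } |
    ForEach-Object { Write-Warning "$_ : $Group is not on the RDP-Tcp listener" }
```

Running it on a schedule and comparing the output between runs shows when an account other than the delegated group gains shadow rights on a host.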
Step 3
Add the group to the local Remote Desktop Users group on each RDSH server. If your servers are combined into session collections, we do this at the collection level:
$Group = "RDP_Operators"
$CollectionName = "MyRDSCollection"
[String[]]$CurrentCollectionGroups = @(Get-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup).UserGroup
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName -UserGroup ($CurrentCollectionGroups + $Group)
For standalone servers we use
Step 4
Let's prepare the following PS script for the "managers":
RDSMManagement.ps1
$Servers = @(
    "RDSHost01",
    "RDSHost02",
    "RDSHost03"
)

# Force a logoff of the given session on a remote RDSH server
function Invoke-RDPSessionLogoff {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    logoff $SessionID /server:$ComputerName /v 2>&1
}

# Open a shadow connection with control to the given session
function Invoke-RDPShadowSession {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName,
        [parameter(Mandatory=$true, Position=1)][String]$SessionID
    )
    $ErrorActionPreference = "Stop"
    mstsc /shadow:$SessionID /v:$ComputerName /control 2>&1
}

# Parse the output of quser into one object per session
Function Get-LoggedOnUser {
    Param(
        [parameter(Mandatory=$True, Position=0)][String]$ComputerName="localhost"
    )
    $ErrorActionPreference = "Stop"
    Test-Connection $ComputerName -Count 1 | Out-Null
    quser /server:$ComputerName 2>&1 | Select-Object -Skip 1 | ForEach-Object {
        # Collapse runs of whitespace, then split the line into columns
        $CurrentLine = $_.Trim() -Replace "\s+"," " -Split "\s"
        $HashProps = @{
            UserName = $CurrentLine[0]
            ComputerName = $ComputerName
        }
        # Disconnected sessions have an empty SESSIONNAME column
        If ($CurrentLine[2] -eq "Disc") {
            $HashProps.SessionName = $null
            $HashProps.Id = $CurrentLine[1]
            $HashProps.State = $CurrentLine[2]
            $HashProps.IdleTime = $CurrentLine[3]
            $HashProps.LogonTime = $CurrentLine[4..($CurrentLine.GetUpperBound(0))] -join " "
        }
        else {
            $HashProps.SessionName = $CurrentLine[1]
            $HashProps.Id = $CurrentLine[2]
            $HashProps.State = $CurrentLine[3]
            $HashProps.IdleTime = $CurrentLine[4]
            $HashProps.LogonTime = $CurrentLine[5..($CurrentLine.GetUpperBound(0))] -join " "
        }
        New-Object -TypeName PSCustomObject -Property $HashProps |
            Select-Object -Property UserName, ComputerName, SessionName, Id, State, IdleTime, LogonTime
    }
}

$UserLogin = Read-Host -Prompt "Введите логин пользователя"    # "Enter the user's login"
Write-Host "Поиск RDP-сессий пользователя на серверах..."      # "Searching the servers for the user's RDP sessions..."
$SessionList = @()
ForEach ($Server in $Servers) {
    $TargetSession = $null
    Write-Host " Опрос сервера $Server"                         # "Querying server ..."
    Try {
        $TargetSession = Get-LoggedOnUser -ComputerName $Server | Where-Object {$_.UserName -eq $UserLogin}
    }
    Catch {
        Write-Host "Ошибка: " $Error[0].Exception.Message -ForegroundColor Red    # "Error: "
        Continue
    }
    If ($TargetSession) {
        # "Found a session with ID ... on server ..."
        Write-Host " Найдена сессия с ID $($TargetSession.ID) на сервере $Server" -ForegroundColor Yellow
        Write-Host " Что будем делать?"               # "What shall we do?"
        Write-Host " 1 - подключиться к сессии"       # "1 - connect to the session"
        Write-Host " 2 - завершить сессию"            # "2 - end the session"
        Write-Host " 0 - ничего"                      # "0 - nothing"
        $Action = Read-Host -Prompt "Введите действие"    # "Enter the action"
        If ($Action -eq "1") {
            Invoke-RDPShadowSession -ComputerName $Server -SessionID $TargetSession.ID
        }
        ElseIf ($Action -eq "2") {
            Invoke-RDPSessionLogoff -ComputerName $Server -SessionID $TargetSession.ID
        }
        Break
    }
    Else {
        Write-Host " сессий не найдено"               # "no sessions found"
    }
}
To make the PS script convenient to run, we will create a wrapper for it in the form of a cmd file with the same name as the PS script:
RDSMManagement.cmd
@ECHO OFF
powershell -NoLogo -ExecutionPolicy Bypass -File "%~d0%~p0%~n0.ps1" %*
We put both files in a folder that the "managers" can access and ask them to sign in again. Now, by running the cmd file, they can connect to other users' sessions in RDS Shadow mode and force those users to log off (this is useful when a user cannot end a "hung" session on their own).
It looks like this:
For the "manager"
For the user
A few final remarks
Note 1. If the user session we are trying to take control of was started before the Set-RDSPermissions.ps1 script was run on the server, the "manager" will get an access error. The solution here is obvious: wait until the managed user signs in again.
Note 2. After a few days of working with RDP Shadow, we noticed an interesting bug or feature: after a shadow session ends, the language bar disappears from the tray for the user who was connected to, and to get it back the user has to sign in again. As it turns out, we are not alone:
That's all. I wish you and your servers good health. As usual, I look forward to your feedback in the comments and ask you to take the short poll below.
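Because the delegated group can now take control of other users' sessions, it is worth reviewing who shadowed whom. The following is an added example, not part of the original article: it collects the shadow-session events from the RemoteConnectionManager operational log of each host. It assumes remote event log access to the hosts is permitted; the seven-day window is arbitrary.

```powershell
# Added example: collect RDS Shadow events from every RDSH host.
$Servers = @("RDSHost01", "RDSHost02", "RDSHost03")   # sample host names from the article
$LogName = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"

# Shadow-related event IDs written to that log
$ShadowEvents = @{
    20503 = "view session started"
    20504 = "view session stopped"
    20506 = "control session started"
    20507 = "control session stopped"
    20508 = "view permission granted"
    20510 = "control permission granted"
}
$Since = (Get-Date).AddDays(-7)   # assumed review window

$Audit = ForEach ($Server in $Servers) {
    Try {
        Get-WinEvent -ComputerName $Server -ErrorAction Stop -FilterHashtable @{
            LogName   = $LogName
            Id        = @($ShadowEvents.Keys)
            StartTime = $Since
        } | ForEach-Object {
            [PSCustomObject]@{
                Time    = $_.TimeCreated
                Server  = $Server
                EventId = $_.Id
                Action  = $ShadowEvents[$_.Id]
                # The message text names the shadowing user and the target session
                Message = ($_.Message -replace "\s+", " ")
            }
        }
    }
    Catch {
        # Get-WinEvent raises an error when nothing matches; that is not a failure here
        If ($_.FullyQualifiedErrorId -like "NoMatchingEventsFound*") { Continue }
        Write-Warning "$Server : $($_.Exception.Message)"
    }
}

$Audit | Sort-Object Time | Format-Table -AutoSize -Wrap
```

A "control session started" event with no matching "permission granted" event for the same session is the case to look at first, since it means the user was not asked for consent.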
Source: www.habr.com