Archive for the ‘rdp’ Tag

Remote Desktop Services “Drain mode” PowerShell script

If you’ve ever had to put a large number of Windows Server 2008 (or later) Terminal/Remote Desktop servers in “drain mode” using the GUI admin tool, you know it can be slow and tedious. Faced with doing this on a Saturday night for about 30 servers, I decided to make life a little quicker and easier by building a PowerShell script. While my long-term goal is to figure out how to drain an entire farm, for now I’m pretty satisfied to be able to do it from PowerShell pretty quickly.

There are two scripts: Drain-RDserver.ps1 and Undrain-RDserver.ps1. Both require a single parameter, “-RDserver”, followed by the server name. Drain changes the “User logon mode” to “Allow reconnections, but prevent new logons.” This could be changed to “Allow reconnections, but prevent new logons until the server is restarted” by setting SessionBrokerDrainMode to 2 instead of 1 in the script. Undrain puts the server back in “Allow all connections” mode.

Big thanks to SourceDaddy’s article which got me started on the right path. (http://sourcedaddy.com/windows-7/preparing-server-maintenance.html)

Here is the code:


###Drain-RDServer
# Input computer name
param (
[string]$RDServer = $(throw "-RDserver is required")
)
# Connect to the Terminal Services WMI provider on the remote host over DCOM.
# PacketPrivacy encrypts and integrity-protects the traffic; Impersonate is the level the provider requires.
$RDSH = Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace "root\CIMV2\terminalservices" -ComputerName $RDServer -Authentication PacketPrivacy -Impersonation Impersonate
# 1 = allow reconnections but prevent new logons (2 = same, but only until the server is restarted)
$RDSH.SessionBrokerDrainMode=1
# Write the change back to the server
$RDSH.put() > $null
Write-Host "$RDServer is set to:"
switch ($RDSH.SessionBrokerDrainMode)
{
0 {"Allow all connections."}
1 {"Allow incoming reconnections but prohibit new connections."}
2 {"Allow incoming reconnections but until reboot prohibit new connections."}
default {"The user logon state cannot be determined."}
}


###Undrain-RDServer
# Input computer name
param (
[string]$RDServer = $(throw "-RDserver is required")
)
# Same WMI provider and connection settings as Drain-RDServer
$RDSH = Get-WmiObject -Class "Win32_TerminalServiceSetting" -Namespace "root\CIMV2\terminalservices" -ComputerName $RDServer -Authentication PacketPrivacy -Impersonation Impersonate
# 0 = allow all connections again
$RDSH.SessionBrokerDrainMode=0
# Write the change back to the server
$RDSH.put() > $null
Write-Host "$RDServer is set to:"
switch ($RDSH.SessionBrokerDrainMode)
{
0 {"Allow all connections."}
1 {"Allow incoming reconnections but prohibit new connections."}
2 {"Allow incoming reconnections but until reboot prohibit new connections."}
default {"The user logon state cannot be determined."}
}

And here is a link to the scripts in a zip file.
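As an added example (not one of the post's own scripts), the two scripts above can be folded into a single function that takes a list of session hosts and the wanted mode, and that re-reads the value from each server after the write instead of echoing the local copy, so the report shows what the server actually stored. It assumes the same things the original scripts do: the caller is a local administrator on each target and DCOM/WMI is reachable; the server names in the usage lines are placeholders.

```powershell
# Added example, not the original post's code: drain or undrain several
# Remote Desktop Session Hosts in one call and confirm the stored mode.
# Assumptions: caller is a local administrator on each target and
# DCOM/WMI (TCP 135 plus dynamic ports) is reachable from this machine.
function Set-RDDrainMode {
    [CmdletBinding()]
    param (
        # One or more session host names; accepts pipeline input.
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName,

        # 0 = allow all connections, 1 = drain (reconnections only),
        # 2 = drain until the server is restarted.
        [Parameter(Mandatory = $true)]
        [ValidateSet(0, 1, 2)]
        [int]$Mode
    )

    begin {
        # Same decoding the original scripts use for SessionBrokerDrainMode.
        $modeText = @{
            0 = 'Allow all connections.'
            1 = 'Allow incoming reconnections but prohibit new connections.'
            2 = 'Allow incoming reconnections but until reboot prohibit new connections.'
        }
        # PacketPrivacy encrypts and integrity-protects the DCOM traffic;
        # Impersonate is the level the terminalservices provider requires.
        $wmiArgs = @{
            Class          = 'Win32_TerminalServiceSetting'
            Namespace      = 'root\CIMV2\terminalservices'
            Authentication = 'PacketPrivacy'
            Impersonation  = 'Impersonate'
            ErrorAction    = 'Stop'
        }
    }

    process {
        foreach ($server in $ComputerName) {
            try {
                $setting = Get-WmiObject @wmiArgs -ComputerName $server
                $setting.SessionBrokerDrainMode = $Mode
                [void]$setting.Put()

                # Re-query rather than trusting the in-memory object, so the
                # report reflects the value the server persisted.
                $verified = [int](Get-WmiObject @wmiArgs -ComputerName $server).SessionBrokerDrainMode
                if ($modeText.ContainsKey($verified)) { $desc = $modeText[$verified] }
                else { $desc = 'The user logon state cannot be determined.' }

                [pscustomobject]@{
                    ComputerName  = $server
                    RequestedMode = $Mode
                    CurrentMode   = $verified
                    Description   = $desc
                    Succeeded     = ($verified -eq $Mode)
                }
            }
            catch {
                # A failed DCOM connection or an access-denied error is reported
                # per server instead of aborting the rest of the farm.
                [pscustomobject]@{
                    ComputerName  = $server
                    RequestedMode = $Mode
                    CurrentMode   = $null
                    Description   = $_.Exception.Message
                    Succeeded     = $false
                }
            }
        }
    }
}

# Usage (file name and server names are placeholders):
# Get-Content .\farm.txt | Set-RDDrainMode -Mode 1 | Format-Table -AutoSize
# Set-RDDrainMode -ComputerName 'RDSH01','RDSH02' -Mode 0
```

Because the function emits one object per server with a Succeeded flag, the output can be filtered (`Where-Object { -not $_.Succeeded }`) to find the hosts that still need attention before the maintenance window starts.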

Disabling RDP Network Level Authentication (NLA) remotely via the registry

So I logged into a server that was set up by another administrator, using RDP, to configure some software. For whatever reason it is requesting a reboot, so I let it reboot before I start my work. After the server comes back up I attempt to connect and get a “The connection cannot continue because the identity of the remote computer cannot be verified” error.

From experience I knew this means that Network Level Authentication (NLA) is enabled. NLA is a nice security feature if you have an internal Certificate Authority and time to configure auto-enrollment, but most smaller organizations opt for the “less secure” option. Since I have no console-level access, I’d have to wait for an onsite technician to change it to allow for “less secure” connectivity.

But I can remote into another server on the same local network and connect to its registry. A quick Google search failed to identify the key/value to change, so I did some digging and testing and found it.

To disable NLA remotely:

  1. Open regedit on another computer on the same network.
  2. Under the File menu click “Connect Network Registry…”
  3. Enter your computer name and click Ok. If this fails to connect you may be out of luck.
  4. Scroll down in the left pane to find the newly added server. Navigate to this key:
     HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  5. Find the value “SecurityLayer” and change the data to 0 (that is a zero).
  6. Voila, I was able to remote in without issue.
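A change like this tends to outlive the maintenance that prompted it, so the check a practitioner wants afterwards is an audit of which servers still have the RDP-Tcp listener weakened, and a way to put it back. The following is an added example, not code from the original post: it reads the same key the post uses through the Remote Registry service (the same service the regedit “Connect Network Registry” step relies on), reports SecurityLayer together with the related UserAuthentication value (1 means NLA is required), and restores both. The baseline values in Restore-RDPSecurity (SecurityLayer 2, UserAuthentication 1) are an assumed target, and the server names in the usage lines are placeholders.

```powershell
# Added example, not the original post's code: audit the RDP-Tcp security
# values on remote servers via the Remote Registry service and restore them.
# Assumptions: Remote Registry is running on the targets and the caller is a
# local administrator there; the restore baseline below is an assumed target.

$RdpTcpKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RDPSecurityPosture {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName
    )
    process {
        foreach ($server in $ComputerName) {
            try {
                $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                    [Microsoft.Win32.RegistryHive]::LocalMachine, $server)
                $key = $hklm.OpenSubKey($RdpTcpKey, $false)
                if (-not $key) { throw "RDP-Tcp key not found on $server" }

                $layer = $key.GetValue('SecurityLayer')
                $nla   = $key.GetValue('UserAuthentication')
                $key.Close(); $hklm.Close()

                # SecurityLayer: 0 = RDP security layer (no TLS), 1 = Negotiate, 2 = TLS required
                $layerText = switch ($layer) {
                    0 { 'RDP security layer (no TLS)' }
                    1 { 'Negotiate' }
                    2 { 'TLS required' }
                    default { 'unknown' }
                }

                [pscustomobject]@{
                    ComputerName       = $server
                    SecurityLayer      = $layer
                    SecurityLayerText  = $layerText
                    UserAuthentication = $nla
                    NlaRequired        = ($nla -eq 1)
                    # Either value alone is enough to weaken the listener, so flag both.
                    Weakened           = ($layer -eq 0 -or $nla -ne 1)
                }
            }
            catch {
                # Remote Registry stopped, firewall, or access denied: report, do not abort.
                [pscustomobject]@{
                    ComputerName       = $server
                    SecurityLayer      = $null
                    SecurityLayerText  = $_.Exception.Message
                    UserAuthentication = $null
                    NlaRequired        = $null
                    Weakened           = $null
                }
            }
        }
    }
}

function Restore-RDPSecurity {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]]$ComputerName,
        # Assumed baseline: 2 = TLS required; use 1 for Negotiate if that is your standard.
        [ValidateSet(1, 2)]
        [int]$SecurityLayer = 2
    )
    process {
        foreach ($server in $ComputerName) {
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $server)
            $key = $hklm.OpenSubKey($RdpTcpKey, $true)   # writable handle
            $dword = [Microsoft.Win32.RegistryValueKind]::DWord
            $key.SetValue('SecurityLayer', $SecurityLayer, $dword)
            $key.SetValue('UserAuthentication', 1, $dword)   # 1 = require NLA
            $key.Close(); $hklm.Close()
            # Return the re-read posture so the caller can confirm the write.
            Get-RDPSecurityPosture -ComputerName $server
        }
    }
}

# Usage (server names are placeholders):
# 'SRV01','SRV02' | Get-RDPSecurityPosture | Where-Object { $_.Weakened } | Format-Table -AutoSize
# 'SRV01' | Restore-RDPSecurity
```

Like the post's own registry edit, the restored values apply to new connections without a restart; sessions already open are not affected. With SecurityLayer set to 2 and no CA-issued certificate, the server falls back to its self-signed RDP certificate, so clients will see a certificate warning rather than the NLA error described above.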