Thursday, September 12, 2013

PowerShell to enable Remote Desktop for Administration on the local machine

I had a teammate request that I enable Remote Desktop for Administration as a portion of my SCVMM Service Template.

You cannot script sconfig – although that is an easy manual way to do it.

If you try any of the Server 2012 cmdlets you will end up mucking with Remote Desktop Services and enabling user access.

Well, it turns out the key is a key.  And it is easiest to tweak it with WMI.

The following script runs on the server that is being modified (localhost is the default).  And it can run using administrator or local system security credentials.

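try {
    # Query the Terminal Services settings; -ErrorAction Stop makes a failed query reach the catch block.
    $RDP = Get-WmiObject -Class Win32_TerminalServiceSetting `
                         -Namespace root\CIMV2\TerminalServices `
                         -ErrorAction Stop
                         # Options for a remote machine: -Computer $Computer -Authentication 6
} catch {
    "WMIQueryFailed"
    return   # there is no enclosing loop here, so exit instead of 'continue'
}
if ($RDP.AllowTSConnections -eq 1) {
    "RDP Already Enabled"
} else {
    try {
        # First argument: allow connections. Second argument: modify the firewall exception.
        $result = $RDP.SetAllowTsConnections(1,1)
        if ($result.ReturnValue -eq 0) { "Enabled RDP Successfully" }
        if ($result.ReturnValue -eq 4096) {
            # 4096 means the change runs as a job; poll it while JobState is 4 (running).
            $Job = [WMI]$result.Job
            while ($Job.JobState -eq 4) {
                Write-Progress -Id 2 -ParentId 1 $Job.Caption -Status "Executing" -PercentComplete $Job.PercentComplete
                Start-Sleep 1
                $Job.PSBase.Get()
            }
        }
    } catch {
        "Failed to enable RDP"
    }
}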
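
A read-only check to run after the script above, as an added example that is not from the original post: it reports the WMI setting, the registry value behind it, whether Network Level Authentication is required on the listener, and which Remote Desktop firewall rules are enabled. The function name Get-RdpAdminState is hypothetical, and the firewall query assumes an English display group name on Server 2012 or later.

```powershell
# Added example (not from the original post): audit what SetAllowTsConnections(1,1) changed.
function Get-RdpAdminState {
    [CmdletBinding()]
    param()

    $ns = 'root\CIMV2\TerminalServices'

    # Same WMI class the script above modifies.
    $ts = Get-WmiObject -Class Win32_TerminalServiceSetting -Namespace $ns -ErrorAction Stop

    # Registry value behind AllowTSConnections (0 = connections allowed).
    $deny = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                              -Name fDenyTSConnections -ErrorAction Stop).fDenyTSConnections

    # Network Level Authentication on the default RDP-Tcp listener (1 = required).
    $listener = Get-WmiObject -Class Win32_TSGeneralSetting -Namespace $ns `
                              -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop

    # Inbound rules opened by the second argument of SetAllowTsConnections.
    # Assumption: English display group name; NetSecurity module (Server 2012 or later).
    $rules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
               Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' })

    [pscustomobject]@{
        AllowTSConnections  = [bool]$ts.AllowTSConnections
        fDenyTSConnections  = $deny
        NlaRequired         = [bool]$listener.UserAuthenticationRequired
        EnabledInboundRules = $rules.Count
        FirewallProfiles    = ($rules | ForEach-Object { $_.Profile } | Sort-Object -Unique) -join ', '
    }
}

$state = Get-RdpAdminState
$state | Format-List

# Flag states an administrator would want to review.
if ($state.AllowTSConnections -and -not $state.NlaRequired) {
    Write-Warning 'RDP is enabled but Network Level Authentication is not required.'
}
if ($state.AllowTSConnections -ne ($state.fDenyTSConnections -eq 0)) {
    Write-Warning 'WMI and registry values disagree; re-check the setting.'
}
```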

Wednesday, September 4, 2013

PowerShell to disable IE Enhanced Security

So, my employer has a number of web consoles for various applications.

This is fine, except for pesky IE Enhanced Security.

So, to automatically disable this for members of the local Administrators group just comment out the User section from the script below.

Now, before you reply that I should be adding the URL to the exclusion list and all that.  This is so much simpler.  Why?  Because I don’t have to worry about a shortcut having localhost vs. the FQDN in it.

This one section of my script runs and Administrators are happy.  After all, these are servers.  And outside of hitting a local console once or twice or applying updates, they should not even be logged in locally, right(?)

# Disable IE Enhanced Security Configuration for Administrators and Users for web consoles
try {
    $AdminKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"
    $UserKey = "HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"
    # -ErrorAction Stop makes a failed registry write reach the catch block.
    Set-ItemProperty -Path $AdminKey -Name "IsInstalled" -Value 0 -ErrorAction Stop
    Set-ItemProperty -Path $UserKey -Name "IsInstalled" -Value 0 -ErrorAction Stop
    # Stop the Explorer process after the registry change.
    Stop-Process -Name Explorer
    "IE Enhanced Security Configuration (ESC) has been disabled on this machine."
}
catch { "Failed to disable IE ESC" }