Enable Remote Desktop on remote computers with PowerShell

• Author
• Recent Posts

Sitaram Pamarthi

Sitaram Pamarthi is working as a Windows Engineer and his special fields of interest are PowerShell, Active Directory, Exchange, and virtualization.

Latest posts by Sitaram Pamarthi (see all)

• Add a domain user or group to local administrators with PowerShell - Wed, Mar 19 2014
• Create a list of local administrators with PowerShell - Wed, Mar 5 2014
• Remotely query user profile information with PowerShell - Tue, Nov 26 2013

Having Remote Desktop enabled on servers is essential for system administrators to be able to connect interactively to, and manage, servers. If this feature is disabled, system administrators will end up connecting to the server via ILO/DRAC or via some other remote control method and enabling Remote Desktop from there—a painful and time-consuming process.

Script description

The PowerShell script at the end of the  post relies on the WMI class Win32_TerminalServiceSetting under Root/CIMV2/TerminalServices. This WMI class is a hidden gem that most people are not aware of. This class has methods to enable/disable Remote Desktop access on remote computers and configure several other Remote Desktop options.

I use the SetAllowTSConnections() method to enable Remote Desktop access. This method takes two integers as arguments. The first one specifies the state (0 – disable; 1 – enable) of Remote Desktop, and the second one specifies whether to modify firewall exceptions or not (0 – do not modify firewall exception setting; 1 – modify firewall exception setting). In this script, I set both the arguments to 1 to enable Remote Desktop access and modify the firewall exception settings to allow the RDP port.

Below is the code that queries the Win32_TerminalServiceSetting class to get the status of Remote Desktop access. Notice that I use one additional parameter, called Authentication, in the WMI query. This is required because the Win32_TerminalServiceSetting WMI class allows remote access only if packet-level authentication is enabled. Passing the value 6 to the Authentication parameter does the job here; otherwise, you will get an “Access Denied” error even if you have administrative rights on the remote computer.

$RDP = Get-WmiObject -Class Win32_TerminalServiceSetting `
			-Namespace root\CIMV2\TerminalServices `
			-Computer $Computer `
			-Authentication 6 `
			-ErrorAction Stop

And the following code enables Remote Desktop:

$result = $RDP.SetAllowTsConnections(1,1)
   if($result.ReturnValue -eq 0) {
   Write-Host "$Computer : Enabled RDP Successfully"
   "$Computer : RDP Enabled Successfully" | Out-File -FilePath $SuccessComps -Append
 } else {
   Write-Host "$Computer : Failed to enabled RDP"
   "$Computer : Failed to enable RDP" | Out-File -FilePath $FailedComps -Append
}

Input

The script has two parameters:

• ComputerName: This parameter takes a single computer name, or multiple computer names separated by commas, as an argument that specifies the computers on which to enable Remote Desktop. The parameter also takes input from the pipeline; see the Usage Examples section below to see how to pass computer names via the pipeline. If this parameter is not specified, the script executes on the computer from where you are running the script.
• OutFolder: This parameter takes a folder path as an argument. This is where you want to store the results of the script in a text file format. If this parameter is not specified, the script stores the output files in C:\.

Output

This script returns the status both to the PowerShell console and in text files in the path you give via the OutFolder parameter. The script writes the successful computers list to successcomps.txt and the failed/offline computers list to failedcomps.txt.

Usage examples

Enable Remote Desktop on a local computer:

.\Enable-RDPAccess.ps1

Enable Remote Desktop on a remote computer:

.\Enable-RDPAccess.ps1 -ComputerName TIBPC1

Enable Remote Desktop on a list of remote computers:

Get-Content c:\servers.txt | Enable-RDPAccess.ps1

Enable Remote Desktop with a PowerShell scipt

Note: You should test this script in your test lab before using it in a production environment. Depending on the kind of environment, the script may need additional enhancements. Feel free to write in the comments section if you need any further help.

Here is the complete code of the of the PowerShell script Enable RDP Access:

[cmdletbinding()]
param(
	[parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
	[string[]]$ComputerName = $env:computername,
	[ValidateScript({Test-Path $_})]
	[string]$OutFolder = "c:\"
)

begin {
$SuccessComps = Join-Path $OutFolder "Successcomps.txt"
$FailedComps = Join-Path $OutFolder "FailedComps.txt"
}

process {
	foreach($Computer in $ComputerName) {
		if(!(Test-Connection -Computer $Computer -Count 1 -ea 0)) {
			Write-Host "$Computer : OFFLINE"
			"$Computer : OFFLINE" | Out-File -FilePath $FailedComps -Append
			Continue
		}
		
		try {
			$RDP = Get-WmiObject -Class Win32_TerminalServiceSetting `
								-Namespace root\CIMV2\TerminalServices `
								-Computer $Computer `
								-Authentication 6 `
								-ErrorAction Stop
								
		} catch {
			Write-Host "$Computer : WMIQueryFailed"
			"$Computer : WMIQueryFailed" | Out-File -FilePath $FailedComps -Append
			continue
		}
		
		if($RDP.AllowTSConnections -eq 1) {
			Write-Host "$Computer : RDP Already Enabled"
			"$Computer : RDP Already Enabled" | Out-File -FilePath $SuccessComps -Append
			continue
		} else {
			try {
				$result = $RDP.SetAllowTsConnections(1,1)
				if($result.ReturnValue -eq 0) {
					Write-Host "$Computer : Enabled RDP Successfully"
					"$Computer : RDP Enabled Successfully" | Out-File -FilePath $SuccessComps -Append
				} else {
					Write-Host "$Computer : Failed to enabled RDP"
					"$Computer : Failed to enable RDP" | Out-File -FilePath $FailedComps -Append

				}
			
			} catch {
				Write-Host "$computer : Failed to enabled RDP"
				"$Computer : Failed to enable RDP" | Out-File -FilePath $FailedComps -Append
			}
		}
	}

}

end {}