Having Remote Desktop enabled on servers is essential for system administrators to be able to connect interactively to, and manage, servers. If this feature is disabled, system administrators will end up connecting to the server via ILO/DRAC or via some other remote control method and enabling Remote Desktop from there—a painful and time-consuming process.
Script description
The PowerShell script at the end of the post relies on the WMI class Win32_TerminalServiceSetting under Root/CIMV2/TerminalServices. This WMI class is a hidden gem that most people are not aware of. This class has methods to enable/disable Remote Desktop access on remote computers and configure several other Remote Desktop options.
I use the SetAllowTSConnections() method to enable Remote Desktop access. This method takes two integers as arguments. The first one specifies the state (0 – disable; 1 – enable) of Remote Desktop, and the second one specifies whether to modify firewall exceptions or not (0 – do not modify firewall exception setting; 1 – modify firewall exception setting). In this script, I set both the arguments to 1 to enable Remote Desktop access and modify the firewall exception settings to allow the RDP port.
Below is the code that queries the Win32_TerminalServiceSetting class to get the status of Remote Desktop access. Notice that I use one additional parameter, called Authentication, in the WMI query. This is required because the Win32_TerminalServiceSetting WMI class allows remote access only if packet-level authentication is enabled. Passing the value 6 to the Authentication parameter does the job here; otherwise, you will get an “Access Denied” error even if you have administrative rights on the remote computer.
    $RDP = Get-WmiObject -Class Win32_TerminalServiceSetting `
                         -Namespace root\CIMV2\TerminalServices `
                         -Computer $Computer `
                         -Authentication 6 `
                         -ErrorAction Stop
And the following code enables Remote Desktop:
    # First argument: 1 = enable Remote Desktop; second argument: 1 = modify the firewall exception
    $result = $RDP.SetAllowTsConnections(1,1)
    if($result.ReturnValue -eq 0) {
        Write-Host "$Computer : Enabled RDP Successfully"
        "$Computer : RDP Enabled Successfully" | Out-File -FilePath $SuccessComps -Append
    } else {
        Write-Host "$Computer : Failed to enable RDP"
        "$Computer : Failed to enable RDP" | Out-File -FilePath $FailedComps -Append
    }
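Once Remote Desktop has been switched on this way, it is worth recording which computers now accept RDP and whether they require Network Level Authentication. The following is an added example, not part of the original script: the function name Get-RdpExposure is hypothetical, and it assumes Windows PowerShell (for Get-WmiObject) and reads the Win32_TSGeneralSetting class from the same namespace, which the article itself does not use.

```powershell
# Added example: report Remote Desktop and NLA state for each computer.
# Get-RdpExposure is a hypothetical name; it uses the same namespace and
# packet-privacy authentication (6) as the article's query.
function Get-RdpExposure {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$ComputerName = $env:COMPUTERNAME
    )
    process {
        foreach ($Computer in $ComputerName) {
            $wmi = @{
                Namespace      = 'root\CIMV2\TerminalServices'
                ComputerName   = $Computer
                Authentication = 6
                ErrorAction    = 'Stop'
            }
            try {
                # Machine-wide switch that SetAllowTSConnections() changes
                $ts  = Get-WmiObject @wmi -Class Win32_TerminalServiceSetting
                # Per-listener settings; RDP-Tcp is the default RDP listener
                $gen = Get-WmiObject @wmi -Class Win32_TSGeneralSetting `
                                     -Filter "TerminalName='RDP-Tcp'"
                [pscustomobject]@{
                    Computer    = $Computer
                    RdpEnabled  = ($ts.AllowTSConnections -eq 1)
                    NlaRequired = ($gen.UserAuthenticationRequired -eq 1)
                    Error       = $null
                }
            }
            catch {
                # Keep unreachable or denied hosts in the report instead of dropping them
                [pscustomobject]@{
                    Computer    = $Computer
                    RdpEnabled  = $null
                    NlaRequired = $null
                    Error       = $_.Exception.Message
                }
            }
        }
    }
}

# Computers that accept RDP connections without requiring NLA
Get-RdpExposure | Where-Object { $_.RdpEnabled -and -not $_.NlaRequired }
```

Computer names can be piped in the same way as for the main script. On a host flagged by the last line, the Win32_TSGeneralSetting instance's SetUserAuthenticationRequired(1) method turns NLA on.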
Input
The script has two parameters:
- ComputerName: This parameter takes a single computer name, or multiple computer names separated by commas, as an argument that specifies the computers on which to enable Remote Desktop. The parameter also takes input from the pipeline; see the Usage Examples section below to see how to pass computer names via the pipeline. If this parameter is not specified, the script executes on the computer from where you are running the script.
- OutFolder: This parameter takes a folder path as an argument. This is where you want to store the results of the script in a text file format. If this parameter is not specified, the script stores the output files in C:\.
Output
This script returns the status both to the PowerShell console and in text files in the path you give via the OutFolder parameter. The script writes the successful computers list to successcomps.txt and the failed/offline computers list to failedcomps.txt.
Usage examples
Enable Remote Desktop on a local computer:
.\Enable-RDPAccess.ps1
Enable Remote Desktop on a remote computer:
.\Enable-RDPAccess.ps1 -ComputerName TIBPC1
Enable Remote Desktop on a list of remote computers:
Get-Content c:\servers.txt | .\Enable-RDPAccess.ps1
Enable Remote Desktop with a PowerShell script
Note: You should test this script in your test lab before using it in a production environment. Depending on the kind of environment, the script may need additional enhancements. Feel free to write in the comments section if you need any further help.
Here is the complete code of the PowerShell script Enable RDP Access:

    [cmdletbinding()]
    param(
        [parameter(ValueFromPipeline=$true,ValueFromPipelineByPropertyName=$true)]
        [string[]]$ComputerName = $env:computername,

        [ValidateScript({Test-Path $_})]
        [string]$OutFolder = "c:\"
    )

    begin {
        # Result files for successful and failed/offline computers
        $SuccessComps = Join-Path $OutFolder "Successcomps.txt"
        $FailedComps = Join-Path $OutFolder "FailedComps.txt"
    }

    process {
        foreach($Computer in $ComputerName) {
            # Skip computers that do not answer a single ping
            if(!(Test-Connection -Computer $Computer -Count 1 -ea 0)) {
                Write-Host "$Computer : OFFLINE"
                "$Computer : OFFLINE" | Out-File -FilePath $FailedComps -Append
                continue
            }

            # Query the current Remote Desktop setting (packet-level authentication required)
            try {
                $RDP = Get-WmiObject -Class Win32_TerminalServiceSetting `
                                     -Namespace root\CIMV2\TerminalServices `
                                     -Computer $Computer `
                                     -Authentication 6 `
                                     -ErrorAction Stop
            } catch {
                Write-Host "$Computer : WMIQueryFailed"
                "$Computer : WMIQueryFailed" | Out-File -FilePath $FailedComps -Append
                continue
            }

            if($RDP.AllowTSConnections -eq 1) {
                Write-Host "$Computer : RDP Already Enabled"
                "$Computer : RDP Already Enabled" | Out-File -FilePath $SuccessComps -Append
                continue
            } else {
                try {
                    # Enable Remote Desktop and modify the firewall exception
                    $result = $RDP.SetAllowTsConnections(1,1)
                    if($result.ReturnValue -eq 0) {
                        Write-Host "$Computer : Enabled RDP Successfully"
                        "$Computer : RDP Enabled Successfully" | Out-File -FilePath $SuccessComps -Append
                    } else {
                        Write-Host "$Computer : Failed to enable RDP"
                        "$Computer : Failed to enable RDP" | Out-File -FilePath $FailedComps -Append
                    }
                } catch {
                    Write-Host "$Computer : Failed to enable RDP"
                    "$Computer : Failed to enable RDP" | Out-File -FilePath $FailedComps -Append
                }
            }
        }
    }

    end {}
Hello, you guys forgot to attach and link to the script in this article. If just using what was pasted to us as examples, we wouldn’t have any output or $env:computername, etc.
Thank you!
That is great. I knew that there was a way to do this but never got around to looking it up.
THANKS!
Jeffrey Snover[MSFT]
Distinguished Engineer and Lead Architect of Windows Server
Nick, sorry, that was my fault. I added the link to the script at the end of the post. Thanks for the hint.
There are easier ways without PowerShell:
psexec @computerlist cmd /C reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /t REG_DWORD /v fDenyTSConnections /D 0 /f
Of course you can reg query each host to sort the result in files.