RDP aktivieren – remote per PowerShell

4. Oktober 2019

RDP (Remote Desktop Protocol) ist bereits standardmäßig auf aktuellen Windows-Clients deaktiviert – aus Sicherheitsgründen. Nutzen Unternehmen allerdings intern die RDP-Dienste, um sich auf entfernten Systemen anzumelden, müssen die benötigten Funktionen erst auf den betroffenen Systemen eingeschaltet werden. Manuell kann dies sehr viel Zeit in Anspruch nehmen, aber findige Administratoren nutzen für solche Aufgaben passende Cmdlets. Für diesen Zweck ist beispielsweise das Skript „Enable-RDP“ von „MichalGajda“ auf Technet maßgeschneidert:

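Function Enable-RDP
{
<#
    .SYNOPSIS
        Remotely enable RDP on domain machines or workgroup.

    .DESCRIPTION
        Use Enable-RDP to enable RDP on all domain machines or workgroup.

        For every target the function
          1. makes sure the Remote Registry service is running (queried and,
             if needed, started via WinRM, WMI or Get-Service, with a bounded
             number of retries),
          2. sets HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\
             fDenyTSConnections to 0 through the remote registry (by host
             name first, then by each resolved address),
          3. enables the "remoteadmin" and "remotedesktop" netsh firewall
             service groups, and
          4. restarts UmRdpService/TermService.

        Steps 3 and 4 are skipped when the registry write in step 2 failed,
        so firewall ports are not opened for a service that was not enabled.

        Side effects to be aware of before running this fleet-wide:
          - The Remote Registry service is started and left running.
          - The "remoteadmin" firewall group opens more than RDP; it is what
            the remote-registry write relies on. "netsh firewall" is
            deprecated in favour of "netsh advfirewall".
          - Only fDenyTSConnections is changed; Network Level Authentication
            (UserAuthentication under ...\Terminal Server\WinStations\RDP-Tcp)
            is left exactly as the target currently has it.
        Every target is confirmed through ShouldProcess (ConfirmImpact High),
        so -WhatIf / -Confirm work as usual.

    .PARAMETER ComputerName
        Specific Computer Name or Ldap path to object or set of object like computer, OU or whole domain.
        Anything containing "=" is treated as an LDAP path (an optional
        "LDAP://" prefix is stripped); everything else as a host name.

    .EXAMPLE
        Get-ADComputer PC1 | Enable-RDP

        RDP is enabled in Remote Registry on machine: PC1

    .EXAMPLE
        Enable-RDP -ComputerName "CN=Computers,DC=your,DC=domain,DC=com"

        RDP is enabled in Remote Registry on machine: PC1
        RDP is enabled in Remote Registry on machine: PC2
        WARNING: Machine: PC3 is unavailable
        RDP is enabled in Remote Registry on machine: PC4

    .EXAMPLE
        "PC1", "PC2" | Enable-RDP

        RDP is enabled in Remote Registry on machine: PC1
        RDP is enabled in Remote Registry on machine: PC2

    .OUTPUTS
        None. Progress is written with Write-Host/Write-Verbose, failures with
        Write-Warning; nothing is emitted to the pipeline.

    .NOTES
        Author: Michal Gajda
        Requires Windows PowerShell (Get-WmiObject, Get-Service -ComputerName).
#>

    [CmdletBinding(
        SupportsShouldProcess=$True,
        ConfirmImpact="High"
    )]
    param
    (
        [Parameter(ValueFromPipeline=$True)]
        [Array]$ComputerName = "LocalHost"
    )

    Begin
    {
        # Upper bound on "query, start, re-query" rounds per machine, so that a
        # Remote Registry service that refuses to start cannot loop forever.
        $MaxStartAttempts = 3

        # Registry path of the RDP switch. Backslash is not an escape character
        # in PowerShell strings, so single backslashes are the correct form.
        $TerminalServerKey = 'SYSTEM\CurrentControlSet\Control\Terminal Server'

        #######################################
        # Query the Remote Registry service state, trying WinRM, then WMI,
        # then Get-Service.
        # Returns: hashtable @{ Channel = 'WinRM'|'WMI'|'Service'; Running = [bool] }
        #          or $null when no channel answered (machine unreachable).
        #######################################
        function Get-RemoteRegistryState([string]$Target)
        {
            Write-Verbose "Checking Remote Registry status via WinRM on machine: $Target"
            # sc.exe is used explicitly because 'sc' is the Set-Content alias in PowerShell.
            $scOutput = [string](Invoke-Command -ComputerName $Target -ScriptBlock { sc.exe query RemoteRegistry } -ErrorAction SilentlyContinue)
            if ($scOutput -ne '')
            {
                return @{ Channel = 'WinRM'; Running = ($scOutput -match 'RUNNING') }
            }

            Write-Verbose "Checking Remote Registry status via WMI on machine: $Target"
            $wmiSvc = Get-WmiObject -ComputerName $Target -Class Win32_Service -Filter "Name='RemoteRegistry'" -ErrorAction SilentlyContinue
            if ($null -ne $wmiSvc)
            {
                return @{ Channel = 'WMI'; Running = ($wmiSvc.State -eq 'Running') }
            }

            Write-Verbose "Checking Remote Registry status via Get-Service on machine: $Target"
            $scmSvc = Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction SilentlyContinue
            if ($null -ne $scmSvc)
            {
                return @{ Channel = 'Service'; Running = ($scmSvc.Status -eq 'Running') }
            }

            return $null
        }

        #######################################
        # Start the Remote Registry service over the channel that answered.
        # Throws when the start request itself fails.
        #######################################
        function Start-RemoteRegistry([string]$Target, [string]$Channel)
        {
            switch ($Channel)
            {
                'WinRM'
                {
                    Invoke-Command -ComputerName $Target -ScriptBlock { net start RemoteRegistry } -ErrorAction SilentlyContinue | Out-Null
                }
                'WMI'
                {
                    $svc = Get-WmiObject -ComputerName $Target -Class Win32_Service -Filter "Name='RemoteRegistry'" -ErrorAction Stop
                    $svc.InvokeMethod('StartService', $null) | Out-Null
                }
                'Service'
                {
                    (Get-Service -ComputerName $Target -Name RemoteRegistry -ErrorAction Stop).Start()
                }
            }
        }

        #######################################
        # Make sure Remote Registry is running, starting it at most
        # $MaxStartAttempts times.
        # Returns: the channel that answered ('WinRM'|'WMI'|'Service'), or
        #          $null after a warning when the machine is unreachable or the
        #          service could not be started.
        #######################################
        function Confirm-RemoteRegistryRunning([string]$Target)
        {
            for ($attempt = 1; $attempt -le $MaxStartAttempts; $attempt++)
            {
                $state = Get-RemoteRegistryState $Target
                if ($null -eq $state)
                {
                    Write-Warning "Machine: $Target is unavailable"
                    return $null
                }
                if ($state.Running)
                {
                    Write-Verbose "Remote Registry is Running on machine: $Target"
                    return $state.Channel
                }
                try
                {
                    Write-Verbose "Starting Remote Registry via $($state.Channel) on machine: $Target"
                    Start-RemoteRegistry $Target $state.Channel
                    # Give the service control manager a moment before re-querying.
                    Start-Sleep -Seconds 2
                }
                catch
                {
                    Write-Warning "Can't start Remote Registry on machine: $Target"
                    return $null
                }
            }
            Write-Warning "Can't start Remote Registry on machine: $Target"
            return $null
        }

        #######################################
        # Set fDenyTSConnections = 0 through the remote registry. The key is
        # opened by host name first and then by each resolved address, because
        # OpenRemoteBaseKey sometimes succeeds only by IP.
        # Returns: $true when the value was written, $false otherwise.
        #######################################
        function Set-DenyTSConnections([string]$Target)
        {
            $candidates = @($Target)
            try
            {
                $entry = [System.Net.Dns]::GetHostEntry($Target)
                $candidates += @($entry.AddressList | ForEach-Object { $_.IPAddressToString })
            }
            catch
            {
                Write-Verbose "Name resolution failed for $Target; trying host name only"
            }

            foreach ($address in $candidates)
            {
                $reg = $null
                $regkey = $null
                try
                {
                    Write-Verbose "Modifying Remote Registry on machine: $Target (via $address)"
                    $reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $address)
                    $regkey = $reg.OpenSubKey($TerminalServerKey, $true)
                    if ($null -eq $regkey)
                    {
                        throw "Key '$TerminalServerKey' not found"
                    }
                    $regkey.SetValue('fDenyTSConnections', 0, [Microsoft.Win32.RegistryValueKind]::DWord)
                    Write-Host "RDP is enabled in Remote Registry on machine: $Target"
                    return $true
                }
                catch
                {
                    Write-Verbose "Remote Registry write via $address failed: $($_.Exception.Message)"
                }
                finally
                {
                    if ($null -ne $regkey) { $regkey.Close() }
                    if ($null -ne $reg) { $reg.Close() }
                }
            }

            Write-Warning "You havent access to Remote Registry on machine: $Target"
            return $false
        }

        #######################################
        # Enable the netsh firewall service groups RDP relies on. Both results
        # are checked (the original only looked at the last one). "remoteadmin"
        # opens more than RDP but is needed for the remote-registry write.
        #######################################
        function Enable-RdpFirewall([string]$Target)
        {
            Write-Verbose "Enable firewall rules on machine: $Target"
            $allOk = $true
            foreach ($service in 'remoteadmin', 'remotedesktop')
            {
                $fw = Invoke-Command -ComputerName $Target -ScriptBlock { param($svc) netsh firewall set service $svc enable } -ArgumentList $service -ErrorAction SilentlyContinue
                if (-not ([string]$fw -match 'Ok\.'))
                {
                    $allOk = $false
                }
            }
            if (-not $allOk)
            {
                Write-Warning "Can't enable firewall rules on machine: $Target. Try use maunaly winrm quickconfig on remote machine."
            }
        }

        #######################################
        # Stop and start UmRdpService/TermService in the original order, via
        # WinRM when that channel answered, otherwise via WMI.
        #######################################
        function Restart-TerminalServices([string]$Target, [string]$Channel)
        {
            $steps = @(
                @{ Name = 'UmRdpService'; Method = 'StopService';  Verb = 'stop'  },
                @{ Name = 'TermService';  Method = 'StopService';  Verb = 'stop'  },
                @{ Name = 'TermService';  Method = 'StartService'; Verb = 'start' },
                @{ Name = 'UmRdpService'; Method = 'StartService'; Verb = 'start' }
            )

            if ($Channel -eq 'WinRM')
            {
                Write-Verbose "Restart Terminal Service service via WinRM on machine: $Target"
                foreach ($step in $steps)
                {
                    Invoke-Command -ComputerName $Target -ScriptBlock { param($verb, $name) net $verb $name } -ArgumentList $step.Verb, $step.Name -ErrorAction SilentlyContinue | Out-Null
                }
                return
            }

            try
            {
                Write-Verbose "Restart Terminal Service service via WMI on machine: $Target"
                foreach ($step in $steps)
                {
                    $svc = Get-WmiObject -ComputerName $Target -Class Win32_Service -Filter "Name='$($step.Name)'" -ErrorAction Stop
                    $svc.InvokeMethod($step.Method, $null) | Out-Null
                }
            }
            catch
            {
                Write-Warning "Can't restart Terminal Service on machine: $Target. Try Reboot this machine manualy."
            }
        }
    }

    Process
    {
        # Resolve the input to a flat list of host names.
        $targets = @()
        if ($ComputerName -match "=")
        {
            Write-Verbose "Searching LDAP Objects in path: $ComputerName"
            $ldapPath = ([String]$ComputerName) -replace '^LDAP://', ''
            $Searcher = [adsisearcher]"(&(objectCategory=computer)(objectClass=computer))"
            $Searcher.SearchRoot = "LDAP://$ldapPath"
            foreach ($result in $Searcher.FindAll())
            {
                $targets += [string]$result.Properties.Item("Name")
            }
        }
        else
        {
            Write-Verbose "Direct access to specific machine: $ComputerName"
            $targets = @($ComputerName | ForEach-Object { [string]$_ })
        }

        foreach ($target in $targets)
        {
            if (-not $pscmdlet.ShouldProcess($target, "Enable RDP"))
            {
                continue
            }

            # A $null channel means a warning was already written for this host.
            $channel = Confirm-RemoteRegistryRunning $target
            if ($null -eq $channel)
            {
                continue
            }

            # Do not open firewall ports or bounce services when RDP was not
            # actually enabled on the target.
            if (-not (Set-DenyTSConnections $target))
            {
                continue
            }

            Enable-RdpFirewall $target
            Restart-TerminalServices $target $channel
        }
    }

    End{}
}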

Florian Huttenloher
