NS News & Views

By Clive Norman

PowerShell to secure AD users RDP access

Tags: DevOps PowerShell SysAdmin Script

It’s a sad fact that security is all too often the poor relation in software and systems design. (Please note that this blog post is not intended to address system security per se; the OWASP website and security expert Troy Hunt’s blog are good references for that topic.)

This post is primarily designed to demonstrate a quick fix for what could potentially be a security hole pertaining to Active Directory user accounts and Remote Desktop access.

AD User Options

When creating a new user in AD, depending on the network environment, several account configurations are automatically set (profile paths, home folder settings, group membership, etc.).

One of these options is to allow or deny the user access to a Remote Desktop session; in many instances this will automatically be set to allow, which is not necessarily a bad thing. However, this may be a security weakness, depending on circumstances (e.g. if one were to create a generic ‘visitors’ account).

Clearly, this can be controlled manually (by ticking / unticking the appropriate check box) or indeed by using Group Policy. However, there may also be times when it is preferable to run a script that will quickly change this setting for all users in a specific OU or OUs.

For example, you may wish to instantly deny this permission for all users on the entire network, allowing for a more controlled re-enabling, per OU.

Enter PowerShell and Quest ActiveRoles ADManagement, a set of free, predefined commands for Windows PowerShell.

Quest has offered this set of PowerShell extensions (cmdlets, or whatever the correct terminology for this add-on is!) free of charge for several years; at this stage, it may be worth noting that Quest appears to have been purchased by Dell, although from what I can gather, there doesn’t appear to be any negative change in the availability of this extension.

The Script

The workflow is:

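# Load the Quest cmdlets (no error is shown if the snap-in is already loaded)
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
# Select users in the OU who are not already denied, then deny Remote Desktop logon.
# -SizeLimit 0 lifts the default cap of 1000 results so that no user is silently skipped.
Get-QADUser * -OrganizationalUnit "ou=Your Sub-OU,ou=Your OU,dc=Your LDAP,dc=Your LDAP" -SizeLimit 0 |
?{$_.TsAllowLogon -ne $false} |
Set-QADUser -TsAllowLogon $false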

Clearly you can modify this script to enable all users by just reversing the true and false settings as appropriate, within the script.

As with any scripting solution, especially those associated with Active Directory, you are advised to test thoroughly before deploying in anger!
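One way to make that testing concrete is to record each user's current setting before changing anything and to run the change as a dry run first. The following is an added example, not part of the original script. The OU DN is the placeholder used above; the backup folder, the $dryRun switch and the Restore-TsAllowLogon function are hypothetical names introduced here.

```powershell
# Added example: snapshot, dry run, apply, and roll back the Remote Desktop logon setting.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$ou     = 'ou=Your Sub-OU,ou=Your OU,dc=Your LDAP,dc=Your LDAP'   # placeholder DN
$dryRun = $true                                                   # set to $false to apply
# Hypothetical backup location; the timestamp stops a later run overwriting an earlier snapshot.
$backup = 'C:\Temp\TsAllowLogon-{0:yyyyMMdd-HHmmss}.csv' -f (Get-Date)

# 1. Snapshot the current setting for every user in the OU.
$users = @(Get-QADUser * -OrganizationalUnit $ou -SizeLimit 0)
$users | Select-Object DN, SamAccountName, TsAllowLogon |
    Export-Csv -Path $backup -NoTypeInformation

# 2. Work out which users are not already denied and report before touching them.
$targets = @($users | Where-Object { $_.TsAllowLogon -ne $false })
'{0} of {1} users in scope; snapshot written to {2}' -f $targets.Count, $users.Count, $backup

# 3. Deny Remote Desktop logon. With -WhatIf the cmdlet only reports what it would do.
$targets | Set-QADUser -TsAllowLogon $false -WhatIf:$dryRun | Out-Null

# 4. Rollback: re-allow only the users the snapshot did not record as denied.
#    Users whose value was unset are restored as explicitly allowed.
function Restore-TsAllowLogon {
    param([Parameter(Mandatory = $true)][string]$Path)
    Import-Csv -Path $Path |
        Where-Object { $_.TsAllowLogon -ne 'False' } |
        ForEach-Object { Set-QADUser -Identity $_.DN -TsAllowLogon $true | Out-Null }
}
# Example: Restore-TsAllowLogon -Path 'C:\Temp\TsAllowLogon-<timestamp>.csv'
```

Keep the snapshot from the run that applied the change; it is also the list to work from when re-enabling access for one OU at a time.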