Home > Administration, PowerShell Scripting, Remote Desktop Services (RDS), Server Based Computing, XenApp > Using powershell as a replacement for the Change Logon command in Remote Desktop Services.

Using powershell as a replacement for the Change Logon command in Remote Desktop Services.

Still on my PowerShell buzz for the week, this is post 2 of 3 on some Remote Desktop Services / XenApp Powershell goodness!

This is one I’ve been meaning to post for quite some time, but other things got in the way. Mainly me forgetting how to use most of the powershell native methods due to having my head stuck in .net the last few weeks… Moving on…

While trying to find a method to check the status of logon’s to a Remote Desktop server via PowerShell, I didn’t have much luck. Either people are string scraping the output of the command using select-string or going to the registry and checking the raw Value with get-itemproperty. I wasn’t happy with either approach so I dug down into WMI and found the following.

From what I’ve found, the settings for enable, disable and the two drain modes are stored under the namespace root\cimv2\terminalservices. Under the class Win32_terminalservicesetting.

There are two properties we are interested in here:

  • logons (0 = enabled, 1 = disabled*)
  • SessionBrokerDrainMode (0 = Disabled, 1 = DrainUntilRestart, 2 = Drain)

*why oh why 1 is disabled is beyond me, but I digress.

The order of priority is enabled / disabled first, before the drain options are referenced.

So what does this tell us? Well, a change logon /query is simply performing the following simple checks:

Change Logon /query

gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices" | %{
    if ($_.logons -eq 1){
    "Disabled"}
    Else {
        switch ($_.sessionbrokerdrainmode)
        {
            0 {"Enabled"}
            1 {"DrainUntilRestart"}
            2 {"Drain"}
            default {"something's not right here!"}
        }
    }
}

Ok that’s great and all, we’ve now replicated change logon /enable, but how do we set these values?

Easy! Using the native PowerShell $_.put() method, we can push values back in.

Below you will find each “Change Logon” option in server 2008 R2 and the corresponding WMI property.

Change logon /Enable

$temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")
$temp.sessionbrokerdrainmode=0
$temp.logons=0
$temp.put()

Change Logon /Disable

$temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")
$temp.logons=1
$temp.put()

Change Logon /Drain

$temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")
$temp.sessionbrokerdrainmode=2
$temp.put()

Change Logon /DrainUntilRestart

$temp = (gwmi win32_terminalservicesetting -N "root\cimv2\terminalservices")
$temp.sessionbrokerdrainmode=1
$temp.put()

And that’s it! now if you want to wrap this up in a function be my guest, or if you would like me to do so just drop me a line.

  1. Rob
    December 11, 2012 at 8:20 pm

    Andrew, this is exactly what I’m looking for. I’m having an
    issue with the .put() command though, as powershell is throwing an
    error: Exception calling “Put” with “0” argument(s): “” Any idea
    what I’m doing wrong?

    • December 13, 2012 at 10:42 am

      Hi Rob,

      Are you running powershell as an administrator?

      A

  2. Jaco
    February 15, 2013 at 12:14 pm

    Hi Andrew,

    Great digging in the WMI pile!
    I am also bumping into the .put issue. Running as admin. Put needs an argument. I have nog figured this one out yet.

    • February 15, 2013 at 2:39 pm

      Have you tried running the wmi command with -enableallprivileges ?

  3. Jaco
    February 15, 2013 at 12:59 pm

    Hi Andrew,

    When I was trying to work around this problem with an old fashioned solution, I found a possible cause:

    Invoke-Expression “change logon /disable”

    change.exe : Connections are currently ENABLED by Group Policy for this machine, unable to change.
    At line:1 char:7
    + change <<<< logon /disable
    + CategoryInfo : NotSpecified: (Connections are…able to change.:String) [], RemoteException
    + FullyQualifiedErrorId : NativeCommandError

    I was not aware of the policy 😦 and this is probably preventing the WMI change.

    • February 15, 2013 at 2:40 pm

      That error can be dismissed, as you can see from the message the command is working powershell is just getting a bit upset by the return value.

  4. Mikkel
    February 23, 2013 at 2:08 pm

    Hello there,

    I’ve found this post to be pretty useful – as I was also trying to google this without much luck.
    After tinkering a bit I noticed that trying to specify some other computer to run this on returned “Access denied” even with both pcs being in same domain, on a domain admin account.

    A little more searching revealed packet level privacy to be the culprit, so to get this to work you have to also specify the “authentication” parameter.

    i.e.

    gwmi win32_terminalservicesetting -N “root\cimv2\terminalservices” -computer somemachine -authentication 6

    Anyways thanks for sharing, always find something useful here on your blog. 🙂

  5. Lance
    July 11, 2013 at 10:35 pm

    Thanks!!!! This was exactly what I was looking for, it just makes me realize I’ve got alot to learn about powershell.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: