Remote Desktop Services: CAP or RAP via PowerShell

Time: 2018-05-07 20:42:50

Tags: windows powershell remote-desktop gateway new-item

I am trying to configure a new RDS Gateway server via PowerShell (for automated setup after creating an EC2 instance). The problem I am running into right now is setting up the default or any other CAP and RAP. Everything else seems to run fine, and if I go through the server dialogs and click my way through the CAP/RAP wizards, everything works. Before I do that, the policies do not exist (not even the defaults).

The code I am using, which I took from a TechNet blog post on the subject, is:

new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServer\CAP -Name DomainAdmin-CAP -UserGroups "$AdminGroupName@$NetBiosDomainName" -AuthMethod 1
new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServer\CAP -Name DomainUser-CAP -UserGroups "$UserGroupName@$NetBiosDomainName" -AuthMethod 1

new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServer\RAP -Name DomainAdmin-RAP -UserGroups "$AdminGroupName@$NetBiosDomainName" -ComputerGroupType 2
new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServer\RAP -Name DomainUser-RAP -UserGroups "$UserGroupName@$NetBiosDomainName" -ComputerGroupType 2

Again, everything else works and the system is 100% usable once I go into the server and set them up manually, so my only problem is this automation step. The error I get when running the script is:

New-Item : Access to the object at RDS:\GatewayServer\CAP\DomainAdmin-CAP is denied by the New-Item cmdlet. The value provided is invalid or you do not have sufficient permissions.
At line:89 char:1
+ new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (:) [New-Item], AccessViolationException
    + FullyQualifiedErrorId : PermissionDenied,Microsoft.PowerShell.Commands.NewItemCommand

Edit: things I have tried based on suggestions and frustration:

I did the whole "someone pointed out that the quotes before and after my -UserGroup variable string are not actually the same character" thing - no change in the error.

I have tried $NetBiosDomainName as the plain one-word NetBIOS version (DOMAIN) as well as the full domain name (domain.company.com) - no change in the error.

I tried changing the "$AdministratorsGroupName@$NetBiosDomainName" string to a precomputed $AdminGroup (= $AdministratorsGroupName + "@" + $NetBiosDomainName) to simplify the input to the -UserGroups parameter - no change in the error.

I have run this script as a domain administrator and as a local administrator account - no change in the error.

1 answer:

Answer 0: (score: 0)

I was able to configure a Remote Access Gateway on a non-domain Windows 2019/2016 server using the following script. This includes the CAP, RAP and ManagedComputerGroup.

Install-WindowsFeature -Name "RDS-Gateway" -IncludeAllSubFeature -IncludeManagementTools > $null
Import-Module -Name RemoteDesktopServices

#=============User Modifiable=============#
# Gateway policies reference groups as "Group@Authority"; for a local group the authority is the computer name
$GroupName="SG_RemoteUsers@$env:COMPUTERNAME"
# No Restrictions
#$GroupName="Users@BUILTIN"
$ManagedComputers="RDG_RDCBComputers"
# Managed Computer Groups
$MCGComputers=@($env:COMPUTERNAME,"<target machines>")
$MCGs=@(@{Name=$ManagedComputers;Desc="All RDCB Computers in the deployment";Computers=$MCGComputers})
# Connection Authorization Policies
$CAPs=@(@{Name="RDG_CAP_AllUsers";UserGroups=$GroupName;AuthMethod=1;Status=1})
# Resource Authorization Policies
$RAPs=@(@{Name="RDG_AllComputers";UserGroups=$GroupName;ComputerGroupType=2;ComputerGroup=$null})

# If you already have a certificate, skip this part.
<#region Certificate
$FilePath="C:\temp\export.cer"
$SelfSigned=New-SelfSignedCertificate -CertStoreLocation "Cert:\LocalMachine\My" -DnsName $env:COMPUTERNAME -FriendlyName $env:COMPUTERNAME -KeyAlgorithm "RSA" -HashAlgorithm "SHA256" -KeyDescription "RDG Key" -KeyLength 4096 -KeyUsage KeyEncipherment,DataEncipherment -KeyUsageProperty All
$CertPassword=ConvertTo-SecureString -String "password" -Force -AsPlainText
Export-PfxCertificate -Cert $SelfSigned.PSPath -FilePath $FilePath -Password $CertPassword > $null
Import-PfxCertificate -CertStoreLocation "Cert:\LocalMachine\Root" -FilePath $FilePath -Password $CertPassword > $null
Remove-Item -Path $FilePath
$Certificate=$SelfSigned
#endregion
#>
$Certificate=Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } | Sort-Object -Property NotAfter -Descending | Select-Object -Last 1

#=============Do not modify=============#
$CAPPath="RDS:\GatewayServer\CAP"
$RAPPath="RDS:\GatewayServer\RAP"
$MCGPath="RDS:\GatewayServer\GatewayManagedComputerGroups"

#=============Script=============#
# Add the certificate to RDS
Set-Item -Path "RDS:\GatewayServer\SSLCertificate\Thumbprint" -Value $Certificate.Thumbprint

# The local group itself is named without the "@COMPUTERNAME" suffix used in the policy reference
$LocalGroupName=$GroupName.Split('@')[0]
try { Get-LocalGroup -Name $LocalGroupName -ErrorAction Stop > $null }
catch { New-LocalGroup -Name $LocalGroupName > $null }

try { Get-LocalGroupMember -Group $LocalGroupName -Member "<user that should have access>" -ErrorAction Stop > $null }
catch { Add-LocalGroupMember -Group $LocalGroupName -Member "<user that should have access>" > $null }

# Remove existing items (must be done in the order of CAP and/or RAP first, then GatewayManagedComputerGroups)
$CAPs | ForEach-Object { if (Test-Path -Path "$CAPPath\$($_.Name)") { Remove-Item -Path "$CAPPath\$($_.Name)" -Recurse } }
$RAPs | ForEach-Object { if (Test-Path -Path "$RAPPath\$($_.Name)") { Remove-Item -Path "$RAPPath\$($_.Name)" -Recurse } }
$MCGs | ForEach-Object { if (Test-Path -Path "$MCGPath\$($_.Name)") { Remove-Item -Path "$MCGPath\$($_.Name)" -Recurse } }

$MCGs | ForEach-Object { New-Item -Path $MCGPath -Name $_.Name -Description $_.Desc -Computers $_.Computers > $null }
$CAPs | ForEach-Object { New-Item -Path $CAPPath -Name $_.Name -UserGroups $_.UserGroups -AuthMethod $_.AuthMethod -Status $_.Status > $null }
$RAPs | ForEach-Object { New-Item -Path $RAPPath -Name $_.Name -UserGroups $_.UserGroups -ComputerGroupType $_.ComputerGroupType > $null }

# Stop redirection of Serial Ports
$CAPs | ForEach-Object { Set-Item -Path "$CAPPath\$($_.Name)\DeviceRedirection\SerialPorts" -Value 0 }

Restart-Service -Name "TSGateway"

This script shares the important parts of the previous one and is the one I used to configure the same thing on a server that is a member of an AD domain. It is not the only way to do it, but hopefully it gives you a good start.

Part of this script creates the necessary AD group.

The only missing piece is that the certificate has to be placed in the Trusted Root store of the PC that will be connecting.

Install-WindowsFeature -Name "RDS-Gateway" -IncludeAllSubFeature -IncludeManagementTools > $null
Import-Module -Name RemoteDesktopServices
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

#=============User Modifiable=============#
$GroupName="SG_RemoteUsers"
$ManagedComputers="RDG_RDCBComputers"
# Managed Computer Groups
$MCGComputers=@($env:COMPUTERNAME,"<target machines>")
$MCGs=@(@{Name=$ManagedComputers;Desc="All RDCB Computers in the deployment";Computers=$MCGComputers})
# Connection Authorization Policies
$CAPs=@(@{Name="RDG_CAP_AllUsers";UserGroups="$GroupName@$env:USERDOMAIN";AuthMethod=1;Status=1})
# Resource Authorization Policies
$RAPs=@(@{Name="RDG_AllDomainComputers";UserGroups="$GroupName@$env:USERDOMAIN";ComputerGroupType=1;ComputerGroup="Domain Computers@$env:USERDOMAIN"},
        @{Name="RDG_RDConnectionBrokers";UserGroups="Domain Users@$env:USERDOMAIN";ComputerGroupType=0;ComputerGroup=$ManagedComputers})

# If you already have a certificate, skip this part.
<#region Certificate
$FilePath="C:\temp\export.cer"
$SelfSigned=New-SelfSignedCertificate -CertStoreLocation "Cert:\LocalMachine\My" -DnsName "$env:COMPUTERNAME.$env:USERDNSDOMAIN" -FriendlyName $env:COMPUTERNAME -KeyAlgorithm "RSA" -HashAlgorithm "SHA256" -KeyDescription "RDG Key" -KeyLength 4096 -KeyUsage KeyEncipherment,DataEncipherment -KeyUsageProperty All
$CertPassword=ConvertTo-SecureString -String "password" -Force -AsPlainText
Export-PfxCertificate -Cert $SelfSigned.PSPath -FilePath $FilePath -Password $CertPassword > $null
Import-PfxCertificate -CertStoreLocation "Cert:\LocalMachine\Root" -FilePath $FilePath -Password $CertPassword > $null
Remove-Item -Path $FilePath
$Certificate=$SelfSigned
#endregion
#>
$Certificate=Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } | Sort-Object -Property NotAfter -Descending | Select-Object -Last 1

#=============Do not modify=============#
$CAPPath="RDS:\GatewayServer\CAP"
$RAPPath="RDS:\GatewayServer\RAP"
$MCGPath="RDS:\GatewayServer\GatewayManagedComputerGroups"

#=============Script=============#
# Add the certificate to RDS
Set-Item -Path "RDS:\GatewayServer\SSLCertificate\Thumbprint" -Value $Certificate.Thumbprint

# Delete any existing group with this name so it is recreated below.
# Note: this drops the group's current membership on every run.
$ADGroup=[System.DirectoryServices.DirectorySearcher]::new("(&(objectCategory=Group)(samAccountName=$GroupName))").FindOne()
if ($ADGroup -ne $null) {
  $ADGroup=$ADGroup.GetDirectoryEntry()
  # DirectoryEntry.Parent is already a DirectoryEntry; no need to wrap it again
  $Parent=$ADGroup.Parent
  $Parent.Children.Remove($ADGroup)
  $Parent.CommitChanges()
  $Parent.Close()
}

# Create the group as a global security group in the current domain
$ADGroup=[System.DirectoryServices.AccountManagement.GroupPrincipal]::new([System.DirectoryServices.AccountManagement.PrincipalContext]::new([System.DirectoryServices.AccountManagement.ContextType]::Domain),$GroupName)
$ADGroup.Description="Remote Gateway Users Group"
$ADGroup.GroupScope=[System.DirectoryServices.AccountManagement.GroupScope]::Global
$ADGroup.IsSecurityGroup=$true
$Member=[System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity([System.DirectoryServices.AccountManagement.PrincipalContext]::new([System.DirectoryServices.AccountManagement.ContextType]::Domain),"Administrator")
$ADGroup.Members.Add($Member)
$Member=[System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity([System.DirectoryServices.AccountManagement.PrincipalContext]::new([System.DirectoryServices.AccountManagement.ContextType]::Domain),"admin_jeberhardt")
$ADGroup.Members.Add($Member)
$ADGroup.DisplayName=$ADGroup.SamAccountName
$ADGroup.Save()
# Move the new group from its default container into the target OU
$OU=[System.DirectoryServices.DirectoryEntry]::new("LDAP://$($ADGroup.DistinguishedName)")
$NewOU=[System.DirectoryServices.DirectoryEntry]::new("LDAP://OU=<target OU>,DC=<domain name>,DC=com")
$OU.MoveTo($NewOU)
$OU.CommitChanges()
$OU.Close()
$NewOU.Close()

# Remove existing items (must be done in the order of CAP and/or RAP first, then GatewayManagedComputerGroups)
$CAPs | ForEach-Object { if (Test-Path -Path "$CAPPath\$($_.Name)") { Write-Verbose "Removing $($_.Name)"; Remove-Item -Path "$CAPPath\$($_.Name)" -Recurse } }
$RAPs | ForEach-Object { if (Test-Path -Path "$RAPPath\$($_.Name)") { Write-Verbose "Removing $($_.Name)"; Remove-Item -Path "$RAPPath\$($_.Name)" -Recurse } }
$MCGs | ForEach-Object { if (Test-Path -Path "$MCGPath\$($_.Name)") { Write-Verbose "Removing $($_.Name)"; Remove-Item -Path "$MCGPath\$($_.Name)" -Recurse } }

$MCGs | ForEach-Object { Write-Verbose "Creating $($_.Name)"; New-Item -Path $MCGPath -Name $_.Name -Description $_.Desc -Computers $_.Computers > $null }
$CAPs | ForEach-Object { Write-Verbose "Creating $($_.Name)"; New-Item -Path $CAPPath -Name $_.Name -UserGroups $_.UserGroups -AuthMethod $_.AuthMethod -Status $_.Status > $null }
$RAPs | ForEach-Object { Write-Verbose "Creating $($_.Name)"; New-Item -Path $RAPPath -Name $_.Name -UserGroups $_.UserGroups -ComputerGroup $_.ComputerGroup -ComputerGroupType $_.ComputerGroupType > $null }

# Stop redirection of Serial Ports
$CAPs | ForEach-Object { Set-Item -Path "$CAPPath\$($_.Name)\DeviceRedirection\SerialPorts" -Value 0 }

Restart-Service -Name "TSGateway"
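After either of the scripts above has run, it is worth reading the gateway configuration back out of the RDS: drive and comparing it with what was intended, rather than trusting that New-Item did what the variables said. The following audit function is an added example, not part of the answer or of any Microsoft tooling; it assumes the same RDS: provider paths the scripts use (CAP\<name>\Status, AuthMethod, UserGroups, DeviceRedirection\SerialPorts and RAP\<name>\ComputerGroupType) and that leaf items expose their setting through the CurrentValue property.

```powershell
# Added example: audit the gateway policies created by the scripts above.
# Assumes the RDS: provider layout used on this page and that leaf items
# expose their value via CurrentValue (assumption, not taken from the answer).
Import-Module -Name RemoteDesktopServices

function Get-RdsValue {
    param([string]$Path)
    if (-not (Test-Path -Path $Path)) { return $null }
    return (Get-Item -Path $Path).CurrentValue
}

function Test-RdgPolicies {
    param(
        [string]$ExpectedUserGroup,   # e.g. "SG_RemoteUsers@$env:USERDOMAIN"
        [string]$ExpectedThumbprint   # thumbprint the script bound to the gateway
    )
    $findings = @()

    # 1. The certificate actually bound to the gateway listener
    $bound = Get-RdsValue "RDS:\GatewayServer\SSLCertificate\Thumbprint"
    if ($bound -ne $ExpectedThumbprint) {
        $findings += "SSL thumbprint is '$bound', expected '$ExpectedThumbprint'"
    }

    # 2. Every CAP: enabled, password auth, expected group only, no serial redirection
    foreach ($cap in Get-ChildItem -Path "RDS:\GatewayServer\CAP") {
        $base = "RDS:\GatewayServer\CAP\$($cap.Name)"
        if ((Get-RdsValue "$base\Status") -ne 1) { $findings += "CAP $($cap.Name) is disabled" }
        if ((Get-RdsValue "$base\AuthMethod") -ne 1) { $findings += "CAP $($cap.Name) AuthMethod is not 1 (password)" }
        $groups = @(Get-ChildItem -Path "$base\UserGroups" | ForEach-Object { $_.Name })
        if ($groups -notcontains $ExpectedUserGroup -or $groups.Count -ne 1) {
            $findings += "CAP $($cap.Name) user groups: $($groups -join ', ')"
        }
        if ((Get-RdsValue "$base\DeviceRedirection\SerialPorts") -ne 0) {
            $findings += "CAP $($cap.Name) still allows serial-port redirection"
        }
    }

    # 3. Every RAP: flag the "any network resource" setting (ComputerGroupType 2)
    foreach ($rap in Get-ChildItem -Path "RDS:\GatewayServer\RAP") {
        $base = "RDS:\GatewayServer\RAP\$($rap.Name)"
        if ((Get-RdsValue "$base\ComputerGroupType") -eq 2) {
            $findings += "RAP $($rap.Name) allows connections to any network resource"
        }
    }
    return $findings
}

$result = Test-RdgPolicies -ExpectedUserGroup "SG_RemoteUsers@$env:USERDOMAIN" -ExpectedThumbprint "<thumbprint used in the script>"
if ($result.Count -eq 0) { "Gateway policies match the intended configuration" } else { $result }
```

The RAP check in step 3 is intentionally strict: the non-domain script above creates its RAP with ComputerGroupType 2, so on that build it will report a finding that you can accept knowingly or tighten by pointing the RAP at a managed computer group.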