We have a remote support tool that allows us to connect to machines behind a NAT firewall. Once connected, we can choose to either connect to the console session or to any active RDP session from a list. We cannot connect to inactive/disconencted RDP sessions, and the tool has no way to create new loopback/redirected RDP sessions. What we would like to do is find a way to spawn these RDP sessions via a script or a small application so that the support tool can detect them and allow us to connect. The motivation to get this working is to be able to have multiple techs access the same server simultaneously (up to one active console session and two active RDP sessions, all at the same time, for a total of three techs).
If we log on to the console session of the target servers and then RDP to the loopback, we see the new RDP session in our support tool, which we can then select and connect to. The problem is that this RDP session creation depends on the console session. It also gives the console session access to the RDP session, and if the RDP window is minimized then the output/input for that session in our support tool is frozen. I was able to use the PS script Connect-Mstsc (mostly just a wrapper for mstsc.exe but with support for adding creds) to create RDP sessions from another random server on the remote internal network to the target server we want to create a new RDP session on. This works well from an automation standpoint but we have the same limitation described above - it only works if run interactively. If you run this from a SYSTEM shell remotely, the RDP session never appears in our support tool.
The remote support tool in question is ScreenConnect and our servers are all Windows, mostly 2012 R2, all AD environments. I think the core challenges to this solution are getting the RDP sessions created and active in a non-interactive fashion, and then preventing RDP from freezing the session input/output.
Related
We manage several laptops that are used for emergency situations and thus are rarely used (knock on wood).
When we start up these laptops periodically to run windows updates, we also sign in with several user accounts for each laptop in order to keep the profile up to date.
Is there a way to automate the logging in of each account with a script?
For example, I could log in as administrator, run the script and the laptop would do the following:
Log out my administrator account,
sign in with useraccount 1, log out
sign in with useraccount 2, log out
sign in with useraccount 3, log out
I havent had much luck in googling this type of thing and was hoping someone here might have an idea.
I simply cant find a script that logs in with a user account.
The closest I can find is recommending auto signin but that only applies to one account and not what I need for this task.
Globally, you can't do that: it would break security if you were allowed to interact, programmatically, with the login screen.
IF it's possible, I would look to a way to do the login to remote machine through either Telnet (not recommended! but can be done with standard Windows tools) or SSH (will need a SSH server). If you can do the upgrade this way, then you're saved, in particular with SSH because you can avoid passwords' sharing through key exchange - probably won't work with domain accounts, however, but local accounts will be fine.
Otherwise, if you require to really open a Windows session, best you can do, IF your configuration allows it AND if it works (regarding the profile's update) is to connect through RDP (Remote Desktop) to each laptop, with each login.
You'll need to establish a RDP connection to each laptop from a "pilot" PC, save each connexion individually within a .rdp file, saving password inside the connection file.
Then, you can launch the connection with the command mstsc <machine+account>.rdp to establish a connection. A bit later, you can kill the connection (with either taskkill or through a pilot process / tool, I would use AutoIt for this preferably).
If password saving is an issue, then each employee should have its own set of RDP files. Through something like Autoit, in particular, you can input the password once, and fill automatically each password prompt.
The tricky part would be to know when it's time to close the remote desktop. I would try to automatically execute a command to distant computer that would reboot it once done, so your remote desktop would close automatically.
Anyway, it will be a real gas plant to implement all this in a smooth process...
We have a few Windows 10 Pro computers with Remote Desktop enabled. There are "client" machines running Windows 10 Pro and Windows 10 Home.
Is it possible to programmatically check, from a client machine, that the remote computer is already occupied by someone? That is, if another remote client is already connected to it? If so, can I do this without breaking the existing remote connection?
When a user logs on to a Remote Desktop Services–enabled computer, a
session is started for the user. Each session is identified by a
unique session ID. Because each logon to a Remote Desktop Connection
(RDC) client receives a separate session ID.
Refer: Remote Desktop Sessions
You can use the WTSEnumerateSessions function to retrieve the identifiers of all sessions on a specified RD Session Host server.
WTSEnumerateSessions : Retrieves a list of sessions on a Remote Desktop Session Host (RD
Session Host) server.
Note:
To enumerate a session, you must enable the query information
permission. For more information, see Remote Desktop Services
Permissions.
To change permissions on a session, use the Remote Desktop Services
Configuration administrative tool.
To enumerate sessions running on a virtual machine hosted on a RD
Virtualization Host server, you must be a member of the
Administrators group on the RD Virtualization Host server.
If you want to retrieve the session ID of the current session that the remote desktop service is running, you can call WTSQuerySessionInformation and specify WTS_CURRENT_SESSION for the SessionId parameter and WTSSessionId for the WTSInfoClass parameter.
You can use the query session command from the command line.
If you're on the same local network as the remote computer, then you can directly use the query session:
Use the command query session /SERVER:<remote pc name, or IP address>
If there is someone actively logged into the console, then it returns console <username> Active as the state. However, this can also mean someone logged in, the session locked, and they walked away for coffee. It doesn't actually mean they are doing something in the session; they are simply logged into the console. This state also occurs if you use another remote login software such as TeamViewer, since it logs in as an active console.
C:\Users\Myself>query session /server:LabServerPC
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
console LabUser 1 Active
rdp-tcp 65536 Listen
If the computer is already in use by a remote desktop session, it will return it as a session as the active state. In this case rdp-tcp#1 <username> Active.
C:\Users\Myself>query session /server:LabServerPC
SESSIONNAME USERNAME ID STATE TYPE DEVICE
services 0 Disc
rdp-tcp#1 LabUser 1 Active
console 3 Conn
rdp-tcp 65536 Listen
If you are operating via a VPN, or off the native network, it may be easier to remotely log into the PC using SSH and then query the session directly. In this case, you would use query session only.
We have a software that needs to get password to be initialized. Software is running on a build server (Windows 10) and used as part of the build process. Password resets after reboot or after RDP session. Therefore RDP access to the server is disabled and it's running VNC.
However, still we have a problem that once in a while server reboots and in this case someone needs to login to the server over VNC and to initialize the software by typing password in.
Is there any way that this process may be automated? Some QA tools that may be utilized for this puprpose?
If auto logon is set (find the instruction on SuperUser site), startup script can run on this server without alive VNC connection (in Windows Task Scheduler by logon trigger). As an GUI automation library you can use pywinauto (need any Python on the server + pip install pywinauto). If you keep the server always logged in, maybe another trigger would be useful (from Jenkins slave if it's connected to Jenkins). But it must run not as a service (services can't access GUI).
I'm using Windows Server 2008 R2 which runs a VB6.0 application that uses a smartcard locally.
I then connect to this machine remotely using Remote Desktop Connection (6.3). However now the application shows the following error (SmartCard):
0x8010001d The Smart card resource manager is not running.
Research so far:
I don't want to use redirection as the card is on the remote machine already.
Using RDP the way I am trying to use it for is wrong and tightVNC is more appropriate (This does fix the issue)
Unsure - SCardEstablishContext API is returning that error because it gets an Access Denied error when trying to open an event called "Global\Microsoft Smart Card Resource Manager Started" with OpenEvent API. The default security for that event on Vista and Windows 7 specifies that only SYSTEM, LOCAL SERVICE and INTERACTIVE users have access to it. NETWORK SERVICE or non-interactive users won’t be able to access the event.
Why is the SmartCard not being recognised?
Any Information would be appreciated.
NOTE: The smartcard works fine when the application is on Windows Server 2008 R2 - however only fails when connecting remotely.
It is not possible, you can't use the locally plugged smartcard of the server you RDP into, as your session is redirected to the client then only the clients smartcard is accessible in the rdp session.
Microsoft made it like this for security reasons.
But there is a turn around, like sharing the device (smartcard reader, Usb token, Usb devices ) using software or hardware :
softawre examples (i only found paid solutions), see link
or hardware using a Device server but it doesn't work through WAN only LAN.
Use VNC instead of RDP
TLDR: Use VNC as a Windows Service
If you insist on using RPD, then you'll have to patch your RDP DLLs. If you don't want to do this, then instead use ANY OTHER PROTOCOL other than RDP. If it's a vmware VM, then just use the vcenter console. If it's an Azure VM where you don't GET a console, then just install VNC-server-softer on the server that has the Smart Cards and then access from somewhere else via VNC-client. "TightVNC" (https://community.chocolatey.org/packages/tightvnc) worked nicely for me.
There are two ways to run TightVNC server:
TightVNC Server (Service Mode) -- Connecting with VNC-client will take you to the Windows logon screen.
TightVNC Server (Application Mode)
You will need to run TightVNC as a Windows Service. Then you will start a NEW session. Otherwise you'll just be on top of the existing RDP session and still not see remote Smart Cards.
Long Version
If you RDP into a remote server, then that remote server's Smart Cards will be hidden. That behavior is baked into RDP and it is BY DESIGN.
You can optionally take your LOCAL Smart Cards along into the RDP session. (Via mstsc.exe's "Local Resources" tab and then checking "Smart cards".) But these are the Smart Cards connected LOCALLY to your laptop. And NOT the Smart Cards connected to the remote server.
So if you use RDP, then you have option to either see no Smart Cards at all (neither local, nor remote) or just see your LOCAL Smart Cards. To see the REMOTE Smart Cards is NOT possible via RDP.
This is by design inside RDP. And if you want to change it, then you have to manually patch some .DLL files. And somebody has actually done this. See this question here:
How to Access Remote USB Smartcard during RDP
Before you create your Remote Desktop session, click on "Show options". Under the "Local Resources" tab there is a "Local devices and resources" panel. Click the "More" button.
Click on "Smart Cards". No complete the remote desktop session.
I need to call WNetGetConnection to get the UNC path and it works good when application run as standard user but it returns 1201(ERROR_CONNECTION_UNAVAIL) error code when application run as admin. According to the documentation its working as expected.
If the network connection was made using the Microsoft LAN Manager
network, and the calling application is running in a different logon
session than the application that made the connection, a call to the
WNetGetConnection function for the associated local device will fail.
The function fails with ERROR_NOT_CONNECTED or
ERROR_CONNECTION_UNAVAIL. This is because a connection made using
Microsoft LAN Manager is visible only to applications running in the
same logon session as the application that made the connection. (To
prevent the call to WNetGetConnection from failing it is not
sufficient for the application to be running in the user account that
created the connection.)
that means its not possible at all to get the UNC path from the app running as admin ? Is there some other way ?
This is by design. Network shares created by a non-elevated account are not visible under elevation, and vice versa.
See this question on Super User for discussion of the issue. There is apparently a registry setting that enables mapped drives to be shared between elevated and non-elevated accounts but I've never tried it myself.
Network connections cannot normally be shared across different Windows login sessions. This is regardless of admin account / elevation level. Each Windows login or impersonation session needs to create its own network connections.