RDPSoft’s New Free Tool, RDSConfig.exe, Allows You To Adjust RDP Permissions Granularly
Greetings again, everyone. Last year I wrote a blog article about how it was tricky to adjust RDP security permissions on Windows Server 2012 and Windows Server 2016 session hosts to allow non-Administrators to shadow Remote Desktop Users. Back in Windows Server 2008, Microsoft provided an MMC snap-in called TSConfig.msc, also known as the Remote Desktop Session Host Configuration tool. This tool would allow you to adjust a whole host of properties regarding session host behavior and rules for user sessions, including who could connect to and who could administer different aspects of Remote Desktop Services on that host.
TSConfig.msc, as well as TSAdmin.msc (for active user and process management), were removed from the RDS management tools starting in Windows Server 2012. The RDSM (Remote Desktop Services Manager) available within the Server Manager console in Windows Server 2012, allows you to do *some* of the administrative functions that you used to do in TSAdmin.msc and TSConfig.msc respectively, but not all of them. Even in Windows Server 2016, RDSM has not reached feature parity with the old set of tools.
This is problematic, because while you can adjust certain aspects of RDS configuration both from within the RDSM and directly in Group Policy, there are some things you still cannot get to. Like RDP permissions for instance. In that blog article above, I published a script that would simply grant a user or group full control to perform ALL administrative actions on a Remote Desktop Session Host server via WMI. While effective, this was a pretty crude way to go about it.
Therefore, I’ve spent several weeks this year designing a free tool I’m calling RDSConfig (the RDS Configuration Tool) that allows you to adjust RDP permissions on a very granular basis. You can add/remove accounts to the Remote Desktop Protocol ACL (Access Control List), adjust their permissions granularly (just like the old TSConfig.msc tool), but you can also do some cool new things, like quickly add users with permission presets (e.g. Guest, Standard, or Full Control/Admin), or completely reset the RDP Access Control List back to the “out of the box” defaults.
It is my hope to add support for adjusting *auditing policies* as well in the near future for RDS users, but after some initial research, there seem to be a few bugs in the API related to audit policy administration. However, I think I’ve found a workaround, so I hope to add that feature set soon. I’ll also be adding features to adjust many of the more common, group policy adjustable settings, such as the licensing server the session host should use, idle/disconnect times, color depth, and much more. This will make RDS deployments in non-domain or non-collection based environments easier, because you can bypass the RDSM and/or Group Policy manager as needed.
Download the RDSConfig Beta Now!
RDSConfig is now in beta – click here to download it now. This tool requires v4 of the .NET Framework, and its installer will attempt to download/install the framework if you don’t already have it. Feel free to make any feature suggestions in the comments below. You can also submit any bug reports at the RDPSoft corporate site here.
Also, if you haven’t already downloaded and installed Remote Desktop Commander Lite, please visit this page to learn more about this other free tool and grab a copy. Remote Desktop Commander Lite effectively replaces most of the old functionality of TSAdmin.msc, works in all RDS environments (domain, workgroup, collection based, non collection based), and also has many additional features, such as displaying RDP connection quality and latency. We will be bundling RDSConfig with Remote Desktop Commander Lite soon.