From b97b85a358518c6f81dd290503c6a3c5c7097ae9 Mon Sep 17 00:00:00 2001
From: vfedosevich
Date: Tue, 7 Apr 2015 02:36:13 -0700
Subject: [PATCH] RDS GPO
---
.../Windows2012.cs | 31 +++++++++++++++++--
1 file changed, 29 insertions(+), 2 deletions(-)
diff --git a/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs b/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs
index 42a11ee8..233fe6a2 100644
--- a/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs
+++ b/WebsitePanel/Sources/WebsitePanel.Providers.TerminalServices.Windows2012/Windows2012.cs
@@ -1144,14 +1144,14 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
 try
 {
- runspace = OpenRunspace();
+ runspace = OpenRunspace();
 string collectionComputersPath = GetComputerGroupPath(organizationId, collectionName);
 CreatePolicy(runspace, organizationId, string.Format("{0}-administrators", collectionName), new DirectoryEntry(GetGroupPath(organizationId, collectionName, GetLocalAdminsGroupName(collectionName))), new DirectoryEntry(collectionComputersPath), collectionName);
 CreatePolicy(runspace, organizationId, string.Format("{0}-users", collectionName), new DirectoryEntry(GetUsersGroupPath(organizationId, collectionName)), new DirectoryEntry(collectionComputersPath), collectionName);
- CreateHelpDeskPolicy(runspace, new DirectoryEntry(GetHelpDeskGroupPath(RDSHelpDeskGroup)), new DirectoryEntry(collectionComputersPath), organizationId, collectionName);
+ CreateHelpDeskPolicy(runspace, new DirectoryEntry(GetHelpDeskGroupPath(RDSHelpDeskGroup)), new DirectoryEntry(collectionComputersPath), organizationId, collectionName);
 RemoveRegistryValue(runspace, ScreenSaverGpoKey, administratorsGpo);
 RemoveRegistryValue(runspace, ScreenSaverGpoKey, usersGpo);
 RemoveRegistryValue(runspace, RemoveRestartGpoKey, administratorsGpo);
@@ -1200,6 +1200,25 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
 }
 }
+ private void CheckPolicySecurityFiltering(Runspace runspace, string gpoName, DirectoryEntry collectionComputersEntry)
+ {
+ var scripts = new List{
+ string.Format("Get-GPPermissions -Name {0} -TargetName {1} -TargetType group", gpoName, string.Format("'{0}'", ActiveDirectoryUtils.GetADObjectProperty(collectionComputersEntry, "sAMAccountName").ToString()))
+ };
+
+ object[] errors = null;
+ ExecuteRemoteShellCommand(runspace, PrimaryDomainController, scripts, out errors);
+
+ if (errors != null && errors.Any())
+ {
+ scripts = new List{
+ string.Format("Set-GPPermissions -Name {0} -PermissionLevel gpoapply -TargetName {1} -TargetType group", gpoName, string.Format("'{0}'", ActiveDirectoryUtils.GetADObjectProperty(collectionComputersEntry, "sAMAccountName").ToString()))
+ };
+ }
+
+ ExecuteRemoteShellCommand(runspace, PrimaryDomainController, scripts, out errors);
+ }
+
 private void SetPowershellPermissions(Runspace runspace, RdsServerSetting setting, string usersGpo, string administratorsGpo)
 {
 if (setting != null)
@@ -1316,6 +1335,10 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
 SetPolicyPermissions(runspace, gpoName, entry, collectionComputersEntry);
 SetRegistryValue(runspace, RDSSessionGpoKey, gpoName, "2", RDSSessionGpoValueName, "DWord");
 }
+ else
+ {
+ CheckPolicySecurityFiltering(runspace, gpoName, collectionComputersEntry);
+ }
 }
 private string CreatePolicy(Runspace runspace, string organizationId, string gpoName, DirectoryEntry entry, DirectoryEntry collectionComputersEntry, string collectionName)
@@ -1327,6 +1350,10 @@ namespace WebsitePanel.Providers.RemoteDesktopServices
 gpoId = CreateAndLinkPolicy(runspace, gpoName, organizationId, collectionName);
 SetPolicyPermissions(runspace, gpoName, entry, collectionComputersEntry);
 }
+ else
+ {
+ CheckPolicySecurityFiltering(runspace, gpoName, collectionComputersEntry);
+ }
 return gpoId;
 }
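Review bot: In the new CheckPolicySecurityFiltering, `gpoName` is formatted into both the Get-GPPermissions and Set-GPPermissions command strings with no quoting. The call sites in the two later hunks pass names derived from `collectionName` (the first hunk shows `string.Format("{0}-administrators", collectionName)`), so a name containing a space or PowerShell metacharacters alters the command executed against PrimaryDomainController; the group name is quoted, but an embedded `'` is not doubled. The last ExecuteRemoteShellCommand also sits outside the `if`, so when the lookup succeeds the same Get-GPPermissions query runs twice, and the errors returned by the Set-GPPermissions call are never inspected. Any lookup error, not only a missing permission, appears to trigger the Set call, so logging `errors` before repairing would help diagnosis. The version below passes both values as single-quoted PowerShell literals and moves the second call inside the `if`; `new List{` in the listing is presumably `List<string>` with the type argument lost in rendering.

```csharp
private void CheckPolicySecurityFiltering(Runspace runspace, string gpoName, DirectoryEntry collectionComputersEntry)
{
    // Pass both values as single-quoted PowerShell literals; doubling an embedded quote keeps them inert.
    string quotedGpo = string.Format("'{0}'", gpoName.Replace("'", "''"));
    string quotedGroup = string.Format("'{0}'",
        ActiveDirectoryUtils.GetADObjectProperty(collectionComputersEntry, "sAMAccountName").ToString().Replace("'", "''"));

    var scripts = new List<string>
    {
        string.Format("Get-GPPermissions -Name {0} -TargetName {1} -TargetType group", quotedGpo, quotedGroup)
    };

    object[] errors = null;
    ExecuteRemoteShellCommand(runspace, PrimaryDomainController, scripts, out errors);

    if (errors != null && errors.Any())
    {
        scripts = new List<string>
        {
            string.Format("Set-GPPermissions -Name {0} -PermissionLevel gpoapply -TargetName {1} -TargetType group", quotedGpo, quotedGroup)
        };

        // Run the repair only when the lookup reported a problem; the errors it returns should be checked or logged.
        ExecuteRemoteShellCommand(runspace, PrimaryDomainController, scripts, out errors);
    }
}
```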
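Review bot: The `else` branch added in this hunk, and the identical one in the following hunk inside CreatePolicy, has no comment explaining why an already-existing GPO needs another round trip to the domain controller. A line such as `// GPO already exists: make sure the collection's computers group still has Apply permission (security filtering)` above the call would record the intent. This path re-checks only `collectionComputersEntry`; whether the permissions that SetPolicyPermissions grants for `entry` can go missing in the same way is not visible here, since the enclosing method starts outside the hunk.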