AD RDS Profile Removal PowerShell

I was having a issue with slow logon times and temporary profile when users where logging on to an Windows RDS 2012 farm. I had a look at the issue and it was down to the RDS profile path in AD being set to use an old decommissioned server.RDS1

Once I found the issue, I need to figure out how many users where affected so the easiest way I could do this was to use PowerShell.

Below is the report script that I used.  The distinguished name used in Get-ADUser -searchbase will need to be update and the export path.  (Test before running any script and also check the quotes and doubles quotes when copying) 

## Get list of Users
$RDUsers = Get-aduser -SearchBase “OU=TestUsers,OU=Users,DC=Domain,DC=Local” -Filter *

## Set Results Array
$Results = @()

foreach ($user in $RDUsers){
$RD = [ADSI]”LDAP://$($user.DistinguishedName)”
if ($RD.Properties.Contains(“userParameters”)){

$profilepath = $RD.psbase.Invokeget(“terminalservicesprofilepath”)
$profileHome = $RD.psbase.Invokeget(“terminalServicesHomeDirectory”)
$props = @{
UserName = $user.SamAccountName
RDSProfile = $profilepath
RDSHome = $profileHome
DistinguishedName = $user.DistinguishedName
}

$Results += New-Object psobject -Property $props
}

else {
Write-Host “No UserParameters set on” $user.SamAccountName -ForegroundColor Green
}
}
$Results | Export-Csv C:\Temp\Logs\RDSProfile.csv -NoTypeInformation

RDS2

Once the script has completed the results will be export to a CSV with all user and there profile pathsRDS3Once we have the list we can either remove manually or the better option use the CSV and remove the profiles using the invokeset method.

Below is the script I used. The script could be run against all AD users but I prefer to limit the amount of object I have to run against. (This will replace values on users so should be fully tested before apply to large amount of users.)

$RDProfile = Import-Csv -Path C:\Temp\Logs\RDSProfile.csv
foreach ($RDU in $RDProfile){
Write-Warning “Removing Profile from $($RDU.UserName)”
$RD = [ADSI]”LDAP://$($RDU.DistinguishedName)”
$RD.psbase.Invokeset(“terminalservicesprofilepath”,”$null”)
$RD.psbase.Invokeset(“TerminalServicesHomeDirectory”,”$null”)
$RD.setinfo()
}

RDS4

After the script has run the profiles should now be cleared.RDS5

Deploying Microsoft LAPS Part 3

In the last post we went through deploying the LAPS agent using a script, GPO or SCCM. The next step is to configure the GPO settings to apply LAPS management policy’s

First, we create a new GPO to apply the LAPS management policy’s, the LAPS policy’s are under Computer Configuration > Polices > Administrative Templates > LAPS (If this doesn’t show the ADMX template is probable missing and will need to be installed. This can be done using the LAPS installer)LAPSGP1Password settings policy used to set the password complexity, length and ageLAPSGP2Specify the account that the password policy will apply to if this is the default administrator account this should be left at defaultLAPSGP3LAPSGP4Enabled management of local admin accountLAPSGP5Once the policy is configured apply the policy against the required OULAPSPass1To confirm that all settings are working, run a gpupdate on a test device. Once applied we can check the password in a few different ways

First way is to run PowerShell command:LAPSPass

Second way is to use the LAPS UI , this can be either used from the management server or installed on local computer using the LAPS installer and selecting the LAPS management tools

LAPSPass2LAPSPass3

The third method is to check the AD computer attribute ms-Mcs-AdmPwd:LAPSPass4

Last step is to set delegated access to a security group or set of users to view and reset the local administrator password. Use the below command to verify the current rights

Find-AdmPwdExtendedRights -identity:OU distinguishedName

LAPSPass5There are two command to set the rights, one for read and one for reset rights

Set-AdmPwdReadPasswordPermission -OrgUnit OU distinguishedName -AllowedPrincipals “HelpDesk_LAPS_Access”

Set-AdmPwdResetPasswordPermission -OrgUnit OU distinguishedName -AllowedPrincipals “HelpDesk_LAPS_Access”

LAPSPass6Last step is to verify the permission have been appliedLAPSPass7

LAPS is now deployed and ready to use.

 

Deploying Microsoft LAPS Part 2

In the last post we went through installing LAPS management tools, extending the AD schema and setting the delegation rights for computer OU to allow computer to write back to the LAPS password attribute.

The next step is to install the LAPS client this can be done either by using a script, group policy or SCCM.

I used the below the script to install remotely just need to create the complist with host name of devices and update the sharename and verions of LAPS that is required

$Computers = Get-Content “C:\Temp\complist.txt”
foreach ($Computer in $Computers){
Write-Warning “installing LAPS on $Computer”
$command = “msiexec /i C:\windows\temp\LAPS.x64.msi /quiet”
$Remotecmd = “CMD.EXE /c ” + $command
Copy-Item \\sharename\LAPS.x64.msi -Destination \\$Computer\c$\windows\temp\
Invoke-WmiMethod -class Win32_process -name Create -ArgumentList $Remotecmd -ComputerName $Computer | Out-Null
}

The second option is to deploy using GPO software install

Craete a new GPO > Policies > Software settings > software installtion > New packageLAPS6Add the installerLAPS7LAPS8LAPS9Next apply the policy agaist the OU or use security filtering to apply to specific devices once the policy is applied logon to the device and run gpupdate /force to apply LAPS10

Third option is to use a tool like SCCM to package the application and deploy to devices. This would be my preferred way as its gives the best reporting.

We won’t go through the process but the command line install will  msiexec /i C:\windows\temp\LAPS.x64.msi /quietLASCCMLASCCM1

Deploying Microsoft LAPS Part 1

In this post we will be going through deploying and configuring Microsoft LAPS (Local Administration Password Solution).  LAPS is a solution to automate the changing of a local administrator account on every computer in the domain.

To install LAPS will require a management server / workstation I will be installing on my domain controller.

Supported Operating System

Windows 10, Windows 7, Windows 8, Windows 8.1, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, Windows Server 2019, Windows Vista

Active Directory: (requires AD schema extension)
• Windows 2003 SP1 or later.
Managed machines: 
• Windows Server 2003 SP2 or later, or Windows Server 2003 x64 Edition SP2 or later.
Note: Itanium-based machines are not supported.
Management tools: 
• .NET Framework 4.0
• PowerShell 2.0 or later

First step is to download the install files for LAPS

https://www.microsoft.com/en-us/download/details.aspx?id=46899

Next install the full deployment of LAPS on the designated management server / workstation.

Run LAPS installer for operating system verisonLAPS1LAPS2LAPS3

Install full management tools LAPS4LAPS5

After the management tools have been installed the next step is to extend the AD schema

The LAPS PowerShell module is called AdmPws.PSLAPSAD1

To update the Schema first add the LAPS module and then run

Update-AdmPwdADSchemaLAPSAD2

Last step is to delegate right to computer objects to allow them to write to the ms-MCS-AdmPwd and ms-Mcs-AdmPwdExpirationTime AD attributes.

Set-AdmPwdComputerSelfPermission -OrgUnit “OU=Computers,DC=Domain,DC=local”LAPSAD4

In the next post we will go through delegating access to specific users to allow them read the ms-MCS-AdmPwd attribute and to deploy the LAPS client through SCCM , script and GPO.

 

Remote Desktop Services 2012 R2 Deployment Part 3

In the last post we setup the RD connection broker HA to add additional resilience to the RDS deployment. In this post we are going to create and configure RDS collection.

To create a collection go to

Server Manager > Remote Desktop Services > Collections

Click on tasks and Create Session Collectionrdsc3

rdsc2

Give the collection and Namerdsc4

Select the required session hosts that will be used for this collectionrdsc5

Add user group that will have access I have left as domain users but this can be change to any security group to restrict accessrdsc6

In this setup we wont be using server profile disk but if this is required just enable and select a network location to save the VHDX user disks for the users profilesrdsc7

Click next and confirm all setting are correct continue with the deploymentrdsc8

Once this is completed we can now see the collection

Next step is to configure the session collection settings.

Select the collection and go to task Edit Propertiesrdsc16

First tab is just for changing the Name, adding a description and showing the session collection in RD web accessrdsc17

Second tab is for user / groups that will have access to the specific collectionrdsc18

Security allow you to change the security layer and encryption level. The default is negotiate (This will use the most secure layer that is supported by the client. ) and client compatible (This encrypt’s to the max strength that the client supports.)

rdsc19

To change session time out go to session. I am going to end disconnected sessions after 3 hours, never disconnect active sessions and set idle session limit to 3 hoursrdsc9

Load Balancing can be changed to session limits or prioritize one server over another by change Relative weight value or Session Limit value. In this case we will leave the defaultsrdsc10

Allow or deny redirction of local resource to the RDS session host ie Audio devices, local disk, printer .etcrdsc20

The last tab is to enable or disable user profile disk and specify network location and setting to be save to the profile disk. rdsc21

Once the collection is created and all setting are configured, we should now see the collection show in the RD web page.

RDSc12.png

click on the collection to launch the session and you should see the connection broker HA DNS address show as the connection address on the RDP session

rdsc13

In part 4, we will look at customizing the RDS web page and deploying the RDS licencing role.

 

 

 

Remote Desktop Services 2012 R2 Deployment Part 2

In the last post we setup the two RDS server that will be used for RD web access, connection broker and sessions hosts. In this post we will go through setting up RD connection broker HA to give more resilience to the RDS deployment.

To add connection broker HA we need to have server with SQL 2008 R2 or above and have a load balancer or DNS round robin to redirect traffic. I am using SQL 2014 with just the database engine and management tools selected. I have used a separate SQL server / RDS licensing for this as I don’t want the database on either of the current RDS servers.

I am going to use DNS round robin for redirecting traffic to both brokers as I don’t have a load balancer setup so I setup the below 4 DNS records on my internal DNS serverrdsbrokerha12

Once the database server is setup we need to create a security group and add the two RDS server that will be used as connection brokers. rdsbrokerha20

Once this group has been created we can set up the SQL permissions. Open SQL management studio on the database server and create a new login for the group

rdsbrokerhardsbrokerha1

Give dbcreator access as this will be required when setting up the HA deploymentrdsbrokerha2

To connect to the database SQL Server Native client is require on both the RD connection brokers. The latest version of this client is from SQL 2012 and can be downloaded from Microsoft : https://www.microsoft.com/en-us/download/details.aspx?id=50402

Once the client is installed go to Control Panel\All Control Panel Items\Administrative Tools and go to ODBC Data Sources (64-bit). Click Add and select SQL Server Native Client 11.0rdsbrokerha3

Enter in a Name, Description and SQL server that the permission where setup for the security group aboverdsbrokerha4

Leave as integrated windows authenticationrdsbrokerha5

Make sure that the application intent is readwrite the rest of the setting can be left as defaultrdsbrokerha6rdsbrokerha7

Once completed run a test to make sure that the database can be accessedrdsbrokerha8rdsbrokerha9

Once this is completed on both RD connection brokers we can start to set up the HA deployment.

Go back to the RDS deployment page and right-click on RD connection broker and click Configure High Availabilityrdsbrokerha10

Database connection string: (We need to put in SQL server name & the database name that will be created during the deployment.)

DRIVER=SQL Server Native Client 11.0;SERVER=<name of SQL server>;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=<name of database>

Folder to store database files: (I used the default SQL location)

Add in DNS Name: HARDSBroker.Lab.local

rdsbrokerha13

Next page is just to confirm all the settings are correctrdsbrokerha14rdsbrokerha15

Once HA has been configure we can now add the additional connection broker. Right click on RD connection broker and click Add RD Connection Broker Serverrdsbrokerha16

Select the required serverrdsbrokerha17

Click Add rdsbrokerha18

Once completed both server should now show the RD Connection Broker role as installed.rdsbrokerha19

In part 3, we will go over creating  and configure RDS collections

 

 

Remote Desktop Services 2012 R2 Deployment Part 1

I recently had a request to build a new Windows Server 2012 R2 RDS farm as the existing single Windows server 2012 RDS deployment as it was crashing and users where getting a bit angry. So I decided to build out the deployment on my test domain to make sure it would work out as expected.

I will be using three servers for this deployment as I want to co-locate some roles as to keep the number of servers to a minimum as this is a small 20 users setup.

I have two servers that will be RDS session host, connection brokers and RDS web access and one that will be used later as the licensing and SQL server for RDS broker HA setup.

To start we need add all servers to server manager on one of the RDS servers. rds1rds3

Once all servers are added to server manager and showing as online we can start to install the RDS roles.

Go to mange on the top right of server manager and click add roles and features

On the Installation type select Remote Desktops Services installation. rds4

Next select standard deployment rds5

Select session-based desktop deploymentrds6

Only one RD connection broker can be select during initial setup HA will be setup after intial setuprds7

Select Install the RD web access role on RD connection broker. We can add the RD web access to the second server afterrds8

Select both servers that will be used for sessions hosts. rds9

Next confirm if all servers have been selected for the correct roles and deployrds10

The deployment progress screen should then show it can take a while for this to complete rds13

Once the deployment has completed there will be the RDS icon on server manager. All servers need to be added to server manager or you be able to mange the deploymentrds14

To finish the current deployment I will add the second RD web access server to do this click on task above deployment servers and add RD Web Access Servers and select second server that will have the role addedrds18rdsc19

Last step I want to do was to use a wild card cert that I have from my internal CA so that I don’t get any cert errors when access the RD web access URL.

I wont go through generating the cert here but once you have the cert you can go to Deployment overview and click on edit deployment properties. rds15

Go to certificates. Select the roles you want to assign the cert to in my case it was the two RD connection broker and RD web access. click select existing certificate and select the cert that will be used. You can also create a new certificate on this windows aswell. rds16

Once cert is applied and all status say ok you should no longer get a cert error when access the RD web access URLrds17

We will use DNS round robin to load balance between the two RD web access servers and this will create a single URL for users to access.

rds19

We can now access the RDS web page using: HTTPS://RDS.Lab.Local/RDWeb

Instead of having to go to each individual serversrdsc11

In part 2, we will go through setting up a second connection broker for high availability deployment.

Windows Admin Center

I setup a Windows 2019 Core server and wanted to see how well the new Windows Admin Center works. This can be installed on server core itself as it is all Web-based so I used the core server to host the WAC.

I downloaded the WAC and server Core from

https://www.microsoft.com/en-us/software-download/windowsinsiderpreviewserver

This needs an account that has signed up to windows insider program.

Once the install file is downloaded, log on to the server core console and run powershell.exe.

To copy the install to the local OS I ran

Copy-Item -Path \\serverShare\WindowsAdminCenterPreview1808.msi -Destination C:\Users\Administrator\desktop\

To install run: msiexec /i WindowsAdminCenterPreview1808.msi /qn /L*v log.txt SME_PORT=6516 SSL_CERTIFICATE_OPTION=generate or msiexec /i WindowsAdminCenterPreview1808.msi to do an interactive install. 2Once the install has completed you can browse to either the IP or host name of the server.3

Select the server you want to manage this will then bring up all the management tools and features for that server. 4

Configuring server core 2019 TP

With newer version of Windows server, Microsoft is trying to move away from desktop style management and moving to a command line setup that is managed remotely using Windows Admin Center. I was setting up a new Windows Server 2019 Technical Preview server for testing and decided to do a post on how to set up and domain join server core.

The overall install process is the same as previous version of Windows. Once the OS is installed you will be prompted with a command prompt window.First screen

This is to set the local admin password for the server. SecondScreen

Once the password has been set you will be brought to a standard command prompt screen. Type sconfig to start the server configuration screen. This is where you will configure most of the initial setup options like Server Name, domain join, Static IP …….6th

Select option 2 to set the server name.7th

Select option 1 to domain join the server. Restart server after the domain join completes 9th

Next I enabled remote management so I could install feature remote. Select option 4 to configure remote management. 11th

If you want to leave the server on DHCP you can. I decided to add a static IP to do this select option 8.

Select the adapter that will have the static IP assigned. Net1Net2

Select option 2 to set DNS servers. Net3Net4

To manage the server either install Windows Admin Center or go to another 2012 / 2016 server and add to server manager. Once there you can right click on the server to add roles / Features and other management tools. 12th