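I am looking for a way to disable Remote Desktop logon on Windows 2008 for a specific user (a local administrator account), using the command line or a script (e.g. VBS) on Windows 2008.
I know I need to modify the local security policy, but I have not yet found a way to do this via cmd or a script-based solution.
Does anyone have any suggestions on how to solve this?
Regards
Anders L.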
Answer 1
To disable Remote Desktop from the Windows command line, run the following command as administrator:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 1 /f
To enable Remote Desktop from the Windows command line, run the following command as administrator:
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
Answer 2
Create a registry file (.reg) with the following content:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000001
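Then use regedit /s yourregfile.reg
If you want to script it better, use vbscript:
If you want to learn more about managing local Group Policy, take a look at this Microsoft KB, which seems to cover a lot: Step-by-Step Guide to Managing Multiple Local Group Policy Objects
Answer 3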
@echo off
setlocal
if {%1}=={} goto syntax
:loop
if {%1}=={} goto finish
set remote="\\%1\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
shift
reg.exe ADD %remote% /v fDenyTSConnections /t REG_DWORD /d 1 /f>nul 2>&1
if NOT %ERRORLEVEL% EQU 0 @echo %remote% NOT found.
goto loop
:syntax
@echo Syntax: RemoteDesktop Computer1 [Computer2 .... Computern]
goto loop
:finish
endlocal
Save it as a .bat file, then open CMD and run "rdpdisabler.bat PCNAME".
Answer 4
In the end I ended up using a VBS-based (the horror) solution with secedit.
' Windows 2008
' Setting variables and default value.
Dim denyLine,newConfigFile,user,config,secExport,secVal,secImport
denyLine = "None"
' Path and filename for both the exported configuration file from secedit as well
' as the modified configuration file, as well as the name of the user.
newConfigFile = "C:\some_config.ini"
config = "C:\some_new_config.ini"
' The Windows user previously created for this purpose.
user = "some_user"
' secedit commands required for exporting, validating and importing the new local user policy.
secExport = "secedit /export /cfg "&config&" /areas USER_RIGHTS"
secVal = "secedit /validate " & newConfigFile
secImport = "secedit /configure /db %windir%\security\user_updated.sdb /cfg "& newConfigFile &" /areas USER_RIGHTS"
' Setting up the required regular expressions.
Set deny = New RegExp
Set rights = New RegExp
deny.Pattern = "^SeDenyRemoteInteractiveLogonRight"
rights.Pattern = "^\[Privilege Rights\]$"
' Reading the configuration file, this reading object supports unicode (TriStateTrue).
Const ForReading = 1
Const TriStateTrue = -1
Const ForWriting = 2
' Create the Windows shell to run the command to extract the local security policy.
Set WshShell = WScript.CreateObject("WScript.Shell")
' Only export the section we wish to append this information within.
export = WshShell.Run(secExport,1,vbTrue)
' Verify the return code.
If export <> 0 Then
    WScript.Quit 1
End If
' Create the file object.
Set objFSO = CreateObject("Scripting.FileSystemObject")
' Verify that the file exists.
If (objFSO.FileExists(config)) Then
    Set objFile = objFSO.OpenTextFile(config,ForReading,False,TriStateTrue)
    strData = objFile.ReadAll
    ' Closing the file descriptor.
    objFile.Close
    ' Placing the content of the file into an array.
    arrLines = Split(strData,vbCrLf)
Else
    ' Quit if the file does not exist.
    WScript.Quit 1
End If
' Open the new configuration file, where we are appending the modified/new rule.
' Arguments: create the file if it is missing (True), write it as Unicode (TriStateTrue).
Set filetxt = objFSO.OpenTextFile(newConfigFile,ForWriting,True,TriStateTrue)
' Walking over the array looking for an already existing configuration.
For Each strLine in arrLines
    If deny.Test(strLine) Then
        denyLine = strLine
    End If
Next
' Verify if a previous configuration exists.
If denyLine <> "None" Then
    ' There is already an existing configuration, append ADDM user to this line.
    denyLine = denyLine & "," & user
Else
    ' No existing previous configuration exists, create a new line with the new user.
    denyLine = "SeDenyRemoteInteractiveLogonRight = " & user
End If
' Write changes to the new configuration file.
For Each strLine in arrLines
    ' Make sure the line has content.
    If Len(strLine) <> 0 Then
        ' Do not write the old configuration, look for everything except that line.
        If Not deny.Test(strLine) Then
            ' If we find the line [Privilege Rights], append our modified line after it.
            If rights.Test(strLine) Then
                filetxt.WriteLine(strLine)
                filetxt.WriteLine(denyLine)
            ' Otherwise keep writing everything else as normal.
            Else
                filetxt.WriteLine(strLine)
            End If
        End If
    End If
Next
' Close the file descriptor.
filetxt.Close
' Validate the syntax in the new config file.
validate = WshShell.Run(secVal,1,vbTrue)
' Verify the return code.
If validate <> 0 Then
    WScript.Quit 1
End If
import = WshShell.Run(secImport,1,vbTrue)
' Verify the return code.
If import <> 0 Then
    WScript.Quit 1
End If
WScript.Quit 0
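
An added example, not part of any answer above: a small Python parser for the secedit USER_RIGHTS export that Answer 4 edits, which checks whether an account is already listed under SeDenyRemoteInteractiveLogonRight and merges it in only once, so re-running the change does not duplicate the entry. The function names and the sample export are constructed for illustration; it assumes the export text has already been read into a string.

```python
DENY_RDP = "SeDenyRemoteInteractiveLogonRight"

# Constructed sample of a "secedit /export /areas USER_RIGHTS" file (not from a real host).
SAMPLE = "\r\n".join([
    "[Unicode]", "Unicode=yes",
    "[Privilege Rights]",
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544",
    "SeDenyRemoteInteractiveLogonRight = Guest",
    "[Version]", 'signature="$CHICAGO$"', "Revision=1", ""])

def parse_rights(inf_text):
    """Return {right: [accounts]} from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for line in inf_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, value = line.split("=", 1)
            rights[name.strip()] = [a.strip() for a in value.split(",") if a.strip()]
    return rights

def is_denied(inf_text, account):
    """True if account (a name or a *SID entry) is listed; names compare case-insensitively."""
    listed = parse_rights(inf_text).get(DENY_RDP, [])
    return account.lower() in (a.lower() for a in listed)

def add_deny(inf_text, account):
    """Return (new_text, changed). Leaves the text untouched if account is already listed."""
    if is_denied(inf_text, account):
        return inf_text, False
    accounts = parse_rights(inf_text).get(DENY_RDP, []) + [account]
    new_line = DENY_RDP + " = " + ",".join(accounts)
    out, in_section, placed = [], False, False
    for line in inf_text.splitlines():
        stripped = line.strip()
        is_header = stripped.startswith("[")
        if is_header:
            in_section = stripped.lower() == "[privilege rights]"
        elif in_section and stripped.split("=", 1)[0].strip() == DENY_RDP:
            continue  # drop the old line; the merged one was written after the header
        out.append(line)
        if is_header and in_section and not placed:
            out.append(new_line)
            placed = True
    if not placed:  # export had no [Privilege Rights] section at all
        out += ["[Privilege Rights]", new_line]
    return "\r\n".join(out) + "\r\n", True

if __name__ == "__main__":
    text, changed = add_deny(SAMPLE, "some_user")
    print(changed, parse_rights(text)[DENY_RDP])
```

A real export is written as Unicode, so read it with `open(path, encoding="utf-16")` before passing the text in, and run `secedit /validate` on the result before importing it, as the script in Answer 4 does.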