0

我正在尝试通过 Powershell 配置新的 RDS 网关服务器(用于创建 EC2 后的自动设置)。我现在遇到的问题是设置默认值或其他 CAP 和 RAP。其他一切似乎都工作得很好,如果我通过服务器对话框并指向并单击我的方式来执行 CAP/RAP 向导,那么一切正常。在我这样做之前,这些政策不存在(甚至不是默认政策)。

我正在使用的代码是从 technet 上有关该主题的博客文章中获取的,它是:

new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServer\CAP -Name DomainAdmin-CAP -UserGroups “$AdminGroupName@$NetBiosDomainName" -AuthMethod 1
new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServer\CAP -Name DomainUser-CAP -UserGroups “$UserGroupName@$NetBiosDomainName" -AuthMethod 1

new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServer\RAP -Name DomainAdmin-RAP -UserGroups “$AdminGroupName@$NetBiosDomainName" -ComputerGroupType 2
new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServer\RAP -Name DomainUser-RAP -UserGroups “$UserGroupName@$NetBiosdomainName" -ComputerGroupType 2

同样,其他一切正常,一旦我将 RDP 连接到服务器并手动设置这些系统,系统就 100% 可用,所以我唯一的问题是这个自动化步骤。运行脚本时遇到的错误是:

new-item :拒绝 cmdlet New-Item 访问 RDS:\GatewayServer\CAP\DomainAdmin-CAP 中的对象。提供的值无效,或者您没有足够的权限。在 line:89 char:1 + new-item -Force -Credential $AdminCredentials -path RDS:\GatewayServe ... + ~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ + CategoryInfo : PermissionDenied : (:) [New-Item], AccessViolationException + FullyQualifiedErrorId : PermissionDenied,Microsoft.PowerShell.Commands.NewItemCommand

编辑:我根据建议和挫折尝试过的事情:

在有人指出它们在我的 -UserGroup 变量字符串的前面和后面实际上不是同一件事之后,我已经将所有 " 字符统一了 - 没有错误变化。

我已经尝试将 $NetBiosDomainName 作为简单的单字 NetBIOS 版本 (DOMAIN) 以及完整的域 (domain.company.com) - 没有错误更改。

我尝试将“$AdministratorsGroupName@$NetBiosDomainName”字符串更改为 $AdminGroup (= $AdministratorsGroupName + "@" + $NetBiosDomainName") 以简化对 -UserGroups 参数的输入 - 无错误更改

我以域管理员和本地管理员帐户的身份运行此脚本 - 没有错误更改

4

1 回答 1

0

我能够使用以下脚本在非域 Windows 2019/2016 服务器上配置远程访问网关。这包括 CAP、RAP 和 ManagedComputerGroup。

Install-WindowsFeature -Name "RDS-Gateway" -IncludeAllSubFeature -IncludeManagementTools > $null
Import-Module -Name RemoteDesktopServices

#=============User Modifiable=============#
$GroupName="SG_RemoteUsers@$env:COMPUTERNAME"
# No Restrictions
#$GroupName="Users@BUILTIN"
$ManagedComputers="RDG_RDCBComputers"
# Managed Computer Groups
$MCGComputers=@($env:COMPUTERNAME,"<target machines>")
$MCGs=@(@{Name="RDG_RDCBComputers";Desc="All RDCB Computers in the deployment";Computers=$MCGComputers})
# Connection Authorization Policies
$CAPs=@(@{Name="RDG_CAP_AllUsers";UserGroups=$GroupName;AuthMethod=1;Status=1})
# Resrouce Authorization Policies
$RAPs=@(@{Name="RDG_AllComputers";UserGroups=$GroupName;ComputerGroupType=2;ComputerGroup=$null})

# If you already have a certificate, skip this part.
<#region Certificate
$FilePath="C:\temp\export.cer"
$SelfSigned=New-SelfSignedCertificate -CertStoreLocation "Cert:\LocalMachine\My" -DnsName $env:COMPUTERNAME -FriendlyName $env:COMPUTERNAME -KeyAlgorithm "RSA" -HashAlgorithm "SHA256" -KeyDescription "RDG Key" -KeyLength 4096 -KeyUsage KeyEncipherment,DataEncipherment -KeyUsageProperty All
$CertPassword=ConvertTo-SecureString -String “password” -Force –AsPlainText
Export-PfxCertificate -Cert $SelfSigned.PSPath -FilePath $FilePath -Password $CertPassword > $null
Import-PfxCertificate -CertStoreLocation "Cert:\LocalMachine\Root" -FilePath $FilePath -Password $CertPassword > $null
Remove-Item -Path $FilePath
$Certificate=$SelfSigned
#endregion
#>
$Certificate=Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } | Sort-Object -Property NotAfter -Descending | Select-Object -Last 1

#=============Do not modify=============#
$CAPPath="RDS:\GatewayServer\CAP"
$RAPPath="RDS:\GatewayServer\RAP"
$MCGPath="RDS:\GatewayServer\GatewayManagedComputerGroups"

#=============Script=============#
# Add the certificate to RDS
Set-Item -Path "RDS:\GatewayServer\SSLCertificate\Thumbprint" -Value $Certificate.Thumbprint

try { Get-LocalGroup -Name $GroupName -ErrorAction Stop > $null }
catch { New-LocalGroup -Name $GroupName > $null }

try { Get-LocalGroupMember -Group $GroupName -Member "<user that should have access>" -ErrorAction Stop > $null }
catch { Add-LocalGroupMember -Group $GroupName -Member "<user that should have access>" > $null }

# Remove existing items (must be done in the order of CAP and/or RAP first, then GatewayManagedComputerGroups
$CAPs | ForEach-Object { if (Test-Path -Path "$CAPPath\$($_.Name)") { Remove-Item -Path "$CAPPath\$($_.Name)" -Recurse } }
$RAPs | ForEach-Object { if (Test-Path -Path "$RAPPath\$($_.Name)") { Remove-Item -Path "$RAPPath\$($_.Name)" -Recurse } }
$MCGs | ForEach-Object { if (Test-Path -Path "$MCGPath\$($_.Name)") { Remove-Item -Path "$MCGPath\$($_.Name)" -Recurse } }

$MCGs | ForEach-Object { New-Item -Path $MCGPath -Name $_.Name -Description $_.Desc -Computers $_.Computers > $null }
$CAPs | ForEach-Object { New-Item -Path $CAPPath -Name $_.Name -UserGroups $_.UserGroups -AuthMethod $_.AuthMethod -Status $_.Status > $null }
$RAPs | ForEach-Object { New-Item -Path $RAPPath -Name $_.Name -UserGroups $_.UserGroups -ComputerGroupType $_.ComputerGroupType > $null }

# Stop redirection of Serial Ports
$CAPs | ForEach-Object { Set-Item -Path "$CAPPath\$($_.Name)\DeviceRedirection\SerialPorts" -Value 0 }

Restart-Service -Name "TSGateway"

这个脚本与之前的脚本有很大的相似之处,是我用来在作为 AD 域成员的服务器上配置相同的脚本。这不是唯一的方法,但希望它能给你一个良好的开端。

该脚本的一部分创建了必要的 AD 组。

唯一缺少的部分是证书必须放在要连接的 PC 上的受信任的根存储中。

Install-WindowsFeature -Name "RDS-Gateway" -IncludeAllSubFeature -IncludeManagementTools > $null
Import-Module -Name RemoteDesktopServices
Add-Type -AssemblyName System.DirectoryServices.AccountManagement 

#=============User Modifiable=============#
$GroupName="SG_RemoteUsers"
$ManagedComputers="RDG_RDCBComputers"
# Managed Computer Groups
$MCGComputers=@($env:COMPUTERNAME,"<target machines>")
$MCGs=@(@{Name=$ManagedComputers;Desc="All RDCB Computers in the deployment";Computers=$MCGComputers})
# Connection Authorization Policies
$CAPs=@(@{Name="RDG_CAP_AllUsers";UserGroups="$GroupName@$env:USERDOMAIN";AuthMethod=1;Status=1})
# Resrouce Authorization Policies
$RAPs=@(@{Name="RDG_AllDomainComputers";UserGroups="$GroupName@$env:USERDOMAIN";ComputerGroupType=1;ComputerGroup="Domain Computers@$env:USERDOMAIN"},
        @{Name="RDG_RDConnectionBrokers";UserGroups="Domain Users@$env:USERDOMAIN";ComputerGroupType=0;ComputerGroup=$ManagedComputers})

# If you already have a certificate, skip this part.
<#region Certificate
$FilePath="C:\temp\export.cer"
$SelfSigned=New-SelfSignedCertificate -CertStoreLocation "Cert:\LocalMachine\My" -DnsName "$env:COMPUTERNAME.$env:USERDNSDOMAIN" -FriendlyName $env:COMPUTERNAME -KeyAlgorithm "RSA" -HashAlgorithm "SHA256" -KeyDescription "RDG Key" -KeyLength 4096 -KeyUsage KeyEncipherment,DataEncipherment -KeyUsageProperty All
$CertPassword=ConvertTo-SecureString -String “password” -Force –AsPlainText
Export-PfxCertificate -Cert $SelfSigned.PSPath -FilePath $FilePath -Password $CertPassword > $null
Import-PfxCertificate -CertStoreLocation "Cert:\LocalMachine\Root" -FilePath $FilePath -Password $CertPassword > $null
Remove-Item -Path $FilePath
$Certificate=$SelfSigned
#endregion
#>
$Certificate=Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" } | Sort-Object -Property NotAfter -Descending | Select-Object -Last 1

#=============Do not modify=============#
$CAPPath="RDS:\GatewayServer\CAP"
$RAPPath="RDS:\GatewayServer\RAP"
$MCGPath="RDS:\GatewayServer\GatewayManagedComputerGroups"

#=============Script=============#
# Add the certificate to RDS
Set-Item -Path "RDS:\GatewayServer\SSLCertificate\Thumbprint" -Value $Certificate.Thumbprint

$ADGroup=[System.DirectoryServices.DirectorySearcher]::new("(&(objectCategory=Group)(samAccountName=$GroupName))").FindOne()
if ($ADGroup -ne $null) {
  $ADGroup=$ADGroup.GetDirectoryEntry()
  $Parent=[System.DirectoryServices.DirectoryEntry]::new($ADGroup.Parent)
  $Parent.Children.Remove($ADGroup)
  $Parent.CommitChanges()
  $Parent.Close()
}

$ADGroup=[System.DirectoryServices.AccountManagement.GroupPrincipal]::new([System.DirectoryServices.AccountManagement.PrincipalContext]::new([System.DirectoryServices.AccountManagement.ContextType]::Domain),$GroupName)
$ADGroup.Description="Remote Gateway Users Group"
$ADGroup.GroupScope=[System.DirectoryServices.AccountManagement.GroupScope]::Global
$ADGroup.IsSecurityGroup=$true
$Member=[System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity([System.DirectoryServices.AccountManagement.PrincipalContext]::new([System.DirectoryServices.AccountManagement.ContextType]::Domain),"Administrator")
$ADGroup.Members.Add($Member)
$Member=[System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity([System.DirectoryServices.AccountManagement.PrincipalContext]::new([System.DirectoryServices.AccountManagement.ContextType]::Domain),"admin_jeberhardt")
$ADGroup.Members.Add($Member)
$ADGroup.DisplayName=$ADGroup.SamAccountName
$ADGroup.Save()
$OU=[System.DirectoryServices.DirectoryEntry]::new("LDAP://$($ADGroup.DistinguishedName)")
$NewOU=[System.DirectoryServices.DirectoryEntry]::new("LDAP://OU=<target OU>,DC=<domain name>,DC=com")
$OU.MoveTo($NewOU)
$OU.CommitChanges()
$OU.Close()
$NewOU.Close()

# Remove existing items (must be done in the order of CAP and/or RAP first, then GatewayManagedComputerGroups
$CAPs | ForEach-Object { if (Test-Path -Path "$CAPPath\$($_.Name)") { Write-Verbose "Removing $($_.Name)"; Remove-Item -Path "$CAPPath\$($_.Name)" -Recurse } }
$RAPs | ForEach-Object { if (Test-Path -Path "$RAPPath\$($_.Name)") { Write-Verbose "Removing $($_.Name)"; Remove-Item -Path "$RAPPath\$($_.Name)" -Recurse } }
$MCGs | ForEach-Object { if (Test-Path -Path "$MCGPath\$($_.Name)") { Write-Verbose "Removing $($_.Name)"; Remove-Item -Path "$MCGPath\$($_.Name)" -Recurse } }

$MCGs | ForEach-Object { Write-Verbose "Creating $($_.Name)"; New-Item -Path $MCGPath -Name $_.Name -Description $_.Desc -Computers $_.Computers > $null }
$CAPs | ForEach-Object { Write-Verbose "Creating $($_.Name)"; New-Item -Path $CAPPath -Name $_.Name -UserGroups $_.UserGroups -AuthMethod $_.AuthMethod -Status $_.Status > $null }
$RAPs | ForEach-Object { Write-Verbose "Creating $($_.Name)"; New-Item -Path $RAPPath -Name $_.Name -UserGroups $_.UserGroups -ComputerGroup $_.ComputerGroup -ComputerGroupType $_.ComputerGroupType > $null }

# Stop redirection of Serial Ports
$CAPs | ForEach-Object { Set-Item -Path "$CAPPath\$($_.Name)\DeviceRedirection\SerialPorts" -Value 0 }

Restart-Service -Name "TSGateway"
于 2021-03-22T14:35:15.333 回答