Article ID: 290720 - Last Review: December 3, 2007 - Revision: 9.2

How to add a user to Terminal Services RDP permissions by using WMI

View products that this article applies to.
System TipThis article applies to a different operating system than the one you are using. Article content that may not be relevant to you is disabled.
This article was previously published under Q290720

On This Page

Expand all | Collapse all

SUMMARY

This article describes three methods to add users or groups to Terminal Services Remote Desktop Protocol (RDP) permissions, two of which use Windows Management Instrumentation (WMI). One method is through the graphical user interface (GUI), and the other two methods use WMI by using a script and the WMI command line utility, wmic.
Back to the top

MORE INFORMATION

To add users or groups to Terminal Services RDP permissions, use one of the following methods:
Back to the top

Using the GUI

  1. Open Terminal Services Configuration.
  2. In the Connections folder, right-click RDP-Tcp.
  3. Click Properties.
  4. On the Permissions tab, click Add, and then add the desired users and groups.
Note You cannot use the GUI to configure permissions to log on to the console session with RDP. To change permissions for the console session (session zero), you must use the WMI methods below, and specify Console instead of RDP-Tcp for the terminal name.
Back to the top

Using WMI in a script

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure. However, they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements. Create a script by using the following code sample: 
set RDPObj = GetObject("winmgmts:{impersonationLevel=impersonate}!Win32_TSPermissionsSetting.TerminalName='RDP-Tcp'")
RDPobj.AddAccount "Domain\User", X
Where "Domain\User", X:
  • Domain\User: Target domain and account (user or group) to which permissions are to be granted. For local accounts, replace Domain\User with only User, where User is a local account on the computer on which you are running the command.
  • X: The type of access to be granted:
    0 = WINSTATION_GUEST_ACCESS
    1 = WINSTATION_USER_ACCESS
    2 = WINSTATION_ALL_ACCESS
To change permissions for the console session, change the terminal name to Console instead of to RDP-Tcp.
set RDPObj = GetObject("winmgmts:{impersonationLevel=impersonate}!Win32_TSPermissionsSetting.TerminalName='Console'")RDPobj.AddAccount "Domain\User", X
To revert the permissions back to the default permissions, specify the relevant terminal name. Then, call the RestoreDefaults method. 
set RDPObj = GetObject("winmgmts:{impersonationLevel=impersonate}!Win32_TSPermissionsSetting.TerminalName='Console'")RDPobj.RestoreDefaults
Back to the top

Using the WMI command-line utility: WMIC

  1. At a command prompt, type wmic. Note: If it is not in the path, add %SystemRoot%\System32\Wbem\, or change to that directory and run wmic.
  2. At the wmic:root\cli> prompt, type the following command:
    PATH WIN32_TSPermissionsSetting.TerminalName="RDP-TCP" call AddAccount "Domain\user",X
    Where "Domain\User", X:
    • Domain\User: Target domain and account (user or group) to which permissions are to be granted. For local accounts, replace Domain\User with only User, where User is a local account on the computer on which you are running the command.
    • X: The type of access to be granted:
      0 = WINSTATION_GUEST_ACCESS
      1 = WINSTATION_USER_ACCESS
      2 = WINSTATION_ALL_ACCESS
    To change permissions for the console session, change the terminal name to Console instead of to RDP-Tcp.
    PATH WIN32_TSPermissionsSetting.TerminalName="Console" call AddAccount "Domain\user",X
    To revert the permissions back to the default permissions, specify the relevant terminal name. Then, call the RestoreDefaults method. 
    PATH WIN32_TSPermissionsSetting.TerminalName="Console" call RestoreDefaults
  3. The following information is an example of the text that you will see after you run wmic and input the command:
    C:\WINDOWS\system32\wbem>wmic
wmic:root\cli>
wmic:root\cli> PATH WIN32_TSPermissionsSetting.TerminalName="RDP-TCP" call AddAccount "Domain\User", 2

Execute (\\<ComputerName>\\root\vimv2: WIN32_TSPermissionsSetting.TerminalName="RDP-TCP")->AddAccount() (Y/N/?)

Method Execution Successful.
Out Parameters:
instance of _PARAMETERS
{
RetureValue=0;
};
  4. Type quit to exit the wmic prompt and to return to the command prompt.
Back to the top
APPLIES TO
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Small Business Server 2003 Premium Edition
  • Microsoft Windows Small Business Server 2003 Standard Edition
Back to the top
Keywords: 
kbhowto KB290720
Back to the top