Creating Kerberos Identity for RD Session Host Farms Part II: using a WMI Script

Creating Kerberos Identity for RD Session Host Farms Part II: using a WMI Script

  • Comments 6

Part I of this blog post series describes the benefits of using a Kerberos Identity for Remote Desktop Session Host (Terminal Server) farms and provides information on how to create and manage this Kerberos Identity using Remote Desktop Services provider for Windows PowerShell.

You can achieve finer control over the farm account in Active Directory by using the Win32_SessionBrokerFarmAccount WMI class. This class allows you to set or change account’s password, change the password update rules, set or change the DNS name associated with the account, or disassociate the account from the farm without deleting it from Active Directory.

The Win32_SessionBrokerFarmAccount class is defined as following:

Win32_SessionBrokerFarmAccount Class

Provides properties for creating, deleting, viewing and modifying the properties of a farm account in Remote Desktop Connection Broker (RD Connection Broker).

[dynamic, provider("Win32_WIN32_SESSIONBROKERFARMACCOUNT_Prov)]

class Win32_SessionBrokerFarmAccount

{

    [key, read]

    string FarmName;

    [read, write]

    boolean Manual;

    [read, write]

    string AccountName;

    [read, write]

    string AccountDomain;

    [write]

    string AccountPassword;

    [read]

    string AccountSPN1;

    [read]

    string AccountSPN2;

    [write]

    string ComputerDNSName;

    [Implemented]

    uint32 DeleteEx( [In] boolean DeleteComputerObject );

};

Methods

The Win32_SessionBrokerFarmAccount class defines the following methods.

DeleteEx

Deletes a farm account. Unlike SWbemObject.Delete_ method this method provides an option of not deleting the farm account from Active Directory (SWbemObject.Delete_ always deletes the account from Active Directory).

Properties

The Win32_SessionBrokerFarmAccount class defines the following properties.

FarmName

Data type: string
Access type: Read-only
Qualifiers: Key

Name of the farm in RD Connection Broker.

Manual

Data type: boolean
Access type: Read and write

Determines whether or not farm account’s password is managed automatically by the RD Connection Broker. If this value is set to true Connection Broker will not be updating the account’s password. It is strongly recommended to set this value to false, in order to allow Connection Broker to periodically update the farm account’s password.

AccountName

Data type: string
Access type: Read and write

User name of the farm account.

AccountDomain

Data type: string
Access type: Read and write

Domain name of the farm account.

AccountPassword

Data type: string
Access type: Write-only

Password of the farm account.

AccountSPN1

Data type: string
Access type: Read-only

First SPN associated with the farm account. This SPN corresponds to the account’s NetBIOS name.

AccountSPN2

Data type: string
Access type: Read-only

Second SPN associated with the farm account. This SPN corresponds to the account’s FQDN.

ComputerDNSName

Data type: string
Access type: Write-only

DNS name to be associated with the farm account.

Remarks

Win32_SessionBrokerFarmAccount supports SWbemObject methos: Delete_ and Put_. Use SWbemObject.Put_ method to create a new farm account or modify an existing one.

Sample JScript code

To run this sample, in the code below replace ”MyFarm”, “MyFarmAccount” and “MyDomain.com” with the appropriate farm, farm account and domain names, place the code into a “FarmAccount.js” file, start cmd.exe as administrator on the Connection Broker and then run the following command:

“cscript FarmAccount.js”.

Important! To be able to run this script successfully you need to be a domain user having “Add workstations to domain” user right and a member of Administrators group on the Connection Broker. The script must run locally on the Session Broker. Win32_SessionBrokerFarmAccount does not support calls from remote clients.

Important! Kerberos identity is not supported if the Connection Broker runs as a node in a Failover Cluster.

var WbemAuthenticationLevelPktPrivacy = 6;

var Locator = new ActiveXObject("WbemScripting.SWbemLocator");

var strComputer = ".";

var strNamespace = "\\root\\CIMV2";

Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy;

var Service = Locator.ConnectServer (strComputer, strNamespace);

//

// Creating a new farm account

//

Object = Service.Get("Win32_SessionBrokerFarmAccount.FarmName=\"MyFarm\"");

WScript.Echo ("Service.Get: OK");

Object.AccountName = "MyFarmAccount";

Object.AccountDomain = "MyDomain.com";

Object.Manual = false;

var ObjectPath = Object.Put_(2);

//

// Enumerating existing farm accounts

//

var objSet = Service.InstancesOf("Win32_SessionBrokerFarmAccount");

WScript.Echo ("objSet.Count : " + objSet.Count );

var Objects = new Enumerator (objSet);

var Object;

for(; !Objects.atEnd(); Objects.moveNext() )

{

    Object = Objects.item();

    WScript.Echo ("Object.FarmName : " + Object.FarmName );

    WScript.Echo ("Object.AccountName : " + Object.AccountName );

    WScript.Echo ("Object.AccountDomain : " + Object.AccountDomain );

    WScript.Echo ("Object.AccountSPN1 : " + Object.AccountSPN1 );

    WScript.Echo ("Object.AccountSPN2 : " + Object.AccountSPN2 );

    WScript.Echo ("Object.Manual : " + Object.Manual );

    WScript.Echo ("Object.AccountPassword : " + Object.AccountPassword );

    WScript.Echo ("Object.ComputerDNSName : " + Object.ComputerDNSName );

    WScript.Echo ("==========");

}

Leave a Comment
  • Please add 1 and 4 and type the answer here:
  • Post
Page 1 of 1 (6 items)