Part I of this blog post series describes the benefits of using a Kerberos Identity for Remote Desktop Session Host (Terminal Server) farms and provides information on how to create and manage this Kerberos Identity using Remote Desktop Services provider for Windows PowerShell.
You can achieve finer control over the farm account in Active Directory by using the Win32_SessionBrokerFarmAccount WMI class. This class allows you to set or change the account's password, change the password update rules, set or change the DNS name associated with the account, or disassociate the account from the farm without deleting it from Active Directory.
The Win32_SessionBrokerFarmAccount class is defined as follows:
Provides properties for creating, deleting, viewing and modifying the properties of a farm account in Remote Desktop Connection Broker (RD Connection Broker).
The Win32_SessionBrokerFarmAccount class defines the following method.
DeleteEx
uint32 DeleteEx( [In] boolean DeleteComputerObject );
Deletes a farm account. Unlike the SWbemObject.Delete_ method, DeleteEx provides the option of not deleting the farm account from Active Directory (SWbemObject.Delete_ always deletes the account from Active Directory).
The Win32_SessionBrokerFarmAccount class defines the following properties (the property names are the ones used by the sample script below).
FarmName
Data type: string
Access type: Read-only
Qualifiers: Key
Name of the farm in RD Connection Broker.
Manual
Data type: boolean
Access type: Read and write
Determines whether or not the farm account's password is managed automatically by the RD Connection Broker. If this value is set to true, the Connection Broker will not update the account's password. It is strongly recommended to set this value to false, so that the Connection Broker periodically updates the farm account's password.
AccountName
Data type: string
Access type: Read and write
User name of the farm account.
AccountDomain
Domain name of the farm account.
AccountPassword
Data type: string
Access type: Write-only
Password of the farm account.
AccountSPN1
Data type: string
Access type: Read-only
First SPN associated with the farm account. This SPN corresponds to the account's NetBIOS name.
AccountSPN2
Second SPN associated with the farm account. This SPN corresponds to the account's FQDN.
ComputerDNSName
DNS name to be associated with the farm account.
Win32_SessionBrokerFarmAccount supports the SWbemObject methods Delete_ and Put_. Use the SWbemObject.Put_ method to create a new farm account or modify an existing one.
To run this sample, in the code below replace "MyFarm", "MyFarmAccount" and "MyDomain.com" with the appropriate farm, farm account and domain names, place the code into a "FarmAccount.js" file, start cmd.exe as administrator on the Connection Broker and then run the following command:
Important! To be able to run this script successfully you need to be a domain user who has the "Add workstations to domain" user right and is a member of the Administrators group on the Connection Broker. The script must run locally on the Session Broker. Win32_SessionBrokerFarmAccount does not support calls from remote clients.
Important! Kerberos identity is not supported if the Connection Broker runs as a node in a Failover Cluster.
// Encrypt the DCOM channel: the farm account's password is written over it.
var WbemAuthenticationLevelPktPrivacy = 6;
// Put_ flag: create the instance only if it does not already exist.
var WbemChangeFlagCreateOnly = 2;
var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
var strComputer = ".";   // must be local; the class rejects remote calls
var strNamespace = "\\root\\CIMV2";
Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer(strComputer, strNamespace);
// Creating a new farm account
var FarmAccount = Service.Get("Win32_SessionBrokerFarmAccount.FarmName=\"MyFarm\"");
WScript.Echo("Service.Get: OK");
FarmAccount.AccountName = "MyFarmAccount";
FarmAccount.AccountDomain = "MyDomain.com";
FarmAccount.Manual = false;   // let RD Connection Broker update the password periodically
var ObjectPath = FarmAccount.Put_(WbemChangeFlagCreateOnly);
WScript.Echo("Object.Put_: OK");
// Enumerating existing farm accounts
var objSet = Service.InstancesOf("Win32_SessionBrokerFarmAccount");
WScript.Echo("objSet.Count : " + objSet.Count);
var Objects = new Enumerator(objSet);
for (; !Objects.atEnd(); Objects.moveNext()) {
    FarmAccount = Objects.item();
    WScript.Echo("Object.FarmName : " + FarmAccount.FarmName);
    WScript.Echo("Object.AccountName : " + FarmAccount.AccountName);
    WScript.Echo("Object.AccountDomain : " + FarmAccount.AccountDomain);
    WScript.Echo("Object.AccountSPN1 : " + FarmAccount.AccountSPN1);
    WScript.Echo("Object.AccountSPN2 : " + FarmAccount.AccountSPN2);
    WScript.Echo("Object.Manual : " + FarmAccount.Manual);
    // AccountPassword is write-only; reading it back yields no usable value.
    WScript.Echo("Object.AccountPassword : " + FarmAccount.AccountPassword);
    WScript.Echo("Object.ComputerDNSName : " + FarmAccount.ComputerDNSName);
}
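The same farm-account lifecycle (create or update, enumerate, change the password, disassociate without deleting the AD object) driven from PowerShell with the standard WMI cmdlets, added here as an example that is not part of the original post. "MyFarm", "MyFarmAccount", "MyDomain.com" and the password value are placeholders, and the script assumes it runs elevated on the Connection Broker itself, as the post requires.

```powershell
# Added example, not from the original post. Manages the RD Connection Broker farm
# account through Win32_SessionBrokerFarmAccount from PowerShell. Run it in an
# elevated session on the Connection Broker itself: the class rejects remote callers.
# "MyFarm", "MyFarmAccount", "MyDomain.com" and the password are placeholders.
$farm = 'MyFarm'

# PacketPrivacy encrypts the DCOM traffic. The write-only AccountPassword property
# travels over this channel, which is why the JScript sample sets
# WbemAuthenticationLevelPktPrivacy (6) before connecting.
$wmi = @{ Namespace = 'root\cimv2'; Authentication = 'PacketPrivacy' }

# Create the instance, or update it if it already exists. The JScript sample calls
# Put_(2) (wbemChangeFlagCreateOnly), so running it twice fails with
# "Cannot create a file when that file already exists"; UpdateOrCreate does not.
$acct = Set-WmiInstance -Class Win32_SessionBrokerFarmAccount @wmi `
    -PutType UpdateOrCreate -Arguments @{
        FarmName      = $farm
        AccountName   = 'MyFarmAccount'
        AccountDomain = 'MyDomain.com'
        Manual        = $false      # let the broker rotate the password itself
    }

# Enumerate every farm account and show the two SPNs registered on it
# (NetBIOS and FQDN forms). AccountPassword is write-only and is not read back.
Get-WmiObject -Class Win32_SessionBrokerFarmAccount @wmi |
    Select-Object FarmName, AccountName, AccountDomain, Manual,
                  AccountSPN1, AccountSPN2, ComputerDNSName |
    Format-List

# Manual password change: only needed when Manual is $true, since otherwise
# the broker updates the password periodically on its own.
$acct = Get-WmiObject -Class Win32_SessionBrokerFarmAccount @wmi -Filter "FarmName='$farm'"
$null = Set-WmiInstance -InputObject $acct -Arguments @{
    AccountPassword = 'ReplaceWithStrongPassword'   # placeholder value
}

# Disassociate the account from the farm but keep the computer object in AD.
# DeleteEx($true) would remove it from AD as well, like SWbemObject.Delete_.
$rc = $acct.DeleteEx($false)
if ($rc.ReturnValue -ne 0) { throw "DeleteEx failed with code $($rc.ReturnValue)" }
```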
Nice posting, thanks for the useful information sharing.
Using WMI is a lot easier in PowerShell. Check the Get-WMIObject cmdlet.
I need to change the account, I created it with a different name and need to change it. I thought I could rerun the script and it would create a new account but I get the following error:
Cannot Create a file when that file already exists.
When I search the web for Win32_SessionBrokerFarmAccount, every TechNet & MSDN hit except this blog starts with this text: "The Win32_SessionBrokerFarmAccount class is no longer available for use as of Windows Server Developer Preview."
Evidently it's still available because people are using it; I was just referred to it by an RDS MVP. Is it available but unsupported?