Programmatically Determining Terminal Server Mode on Windows Server 2008

A question on the terminal services newsgroup brought this topic to my attention: how can one determine programmatically whether a Windows Server 2008 system is a terminal server, and whether it runs in application server or remote administration mode?

With Windows Server 2008, “terminal server” is a role that can be installed with the GUI tool Server Manager. If the role “terminal server” is installed, the system runs in application server mode. If not, it runs in remote administration mode. It is as simple as that. RDP connections can, however, be disallowed or limited to clients with Network Level Authentication (NLA). This is configured in the system’s properties, accessible via:

SystemPropertiesAdvanced.exe -> Remote -> Remote Desktop

Now, how can these settings be queried programmatically?

Roles and features can be managed with the command line tool ServerManagerCmd.exe. Use the switch -query to get a listing of all roles and features and their current status (installed or not).

Finding out how to query the Remote Desktop settings was a little harder. I used Process Monitor to spy on the registry activity of SystemPropertiesAdvanced.exe when settings were applied and found the location where the relevant settings are stored. Here is a list of the three modes that can be set in the GUI and their corresponding registry values:

Don’t allow connections to this computer

HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 1
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication = 0
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer = 1

Allow connections from computers running any version of Remote Desktop (less secure)

HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication = 0
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer = 1

Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)

HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections = 0
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\UserAuthentication = 1
HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\SecurityLayer = 1

Wrapping it all up

I wrote a batch script that uses the techniques I described above and outputs the mode the terminal services on the local machine run in. The script was developed and tested on the June CTP release of Windows Server 2008. Feel free to use it in your own environment.

@echo off

::
:: QueryTSMode.cmd
::
:: Author: Helge Klein
::
:: Version: 1.0
::
:: Date: 2007-09-08
::
:: Description:
::
:: Query whether terminal services are installed and in which mode they operate.
::

setlocal

::
:: Determine whether the role "terminal server" is installed
::
echo.
servermanagercmd -query | find /i "[X] Terminal Server [TS-Terminal-Server]" 1>nul
if %ERRORLEVEL%==0 (
echo The role "Terminal Server" is installed. The system operates in application server mode
) else (
echo The role "Terminal Server" is not installed. The system operates in remote administration mode
)
echo.

::
:: Determine terminal server connection configuration
::
call :RegReadValue HKLM "System\CurrentControlSet\Control\Terminal Server" FDENYTSCONNECTIONS fDenyTSConnections
call :RegReadValue HKLM "System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" USERAUTHENTICATION UserAuthentication
call :RegReadValue HKLM "System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" SECURITYLAYER SecurityLayer

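:: reg query prints REG_DWORD values in hex (0x0 / 0x1), so compare against that form.
:: The quotes keep the comparison valid if a value could not be read.
if "%FDENYTSCONNECTIONS%"=="0x1" (
echo Connections to this computer are not allowed
exit /b
)

if "%USERAUTHENTICATION%"=="0x0" (
echo Connections are allowed from computers running any version of Remote Desktop
) else (
echo Connections are allowed only from computers running Remote Desktop with Network Level Authentication
)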

goto :eof

::
:: Subroutines
::

:RegReadValue

set RegReadValueName=%~4
if defined RegReadValueName (
:: Read a named value
set RegReadValueCmd=/v "%RegReadValueName%"
) else (
:: Read the default value
set RegReadValueCmd=/ve
)

for /f "usebackq tokens=*" %%i in (`reg query "%~1\%~2" %RegReadValueCmd% ^| find /i /v "%~1\%~2" ^| find /i "%RegReadValueName%"`) do @set RegReadValueTemp=%%i
for /f "tokens=1,*" %%i in ("%RegReadValueTemp:*REG_=%") do @set %3=%%j

set RegReadValueName=
set RegReadValueCmd=
set RegReadValueTemp=

goto :eof

Script output

This is what the script QueryTSMode.cmd outputs on my test system:

C:\temp>QueryTSMode.cmd
The role "Terminal Server" is installed. The system operates in application server mode
Connections are allowed from computers running any version of Remote Desktop
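
The same classification can be run offline over saved `reg query` output, for example when auditing which servers accept RDP without NLA. This is an added example, not part of the original script; the function names are hypothetical and the sample output is constructed.

```python
import re

# Constructed sample: `reg query` output for the two keys named in the article,
# as it might be saved from a host with NLA disabled.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server
    fDenyTSConnections    REG_DWORD    0x0

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    UserAuthentication    REG_DWORD    0x0
    SecurityLayer    REG_DWORD    0x1
"""

# A value line is indented: name, type, data. Key lines start at column 0.
VALUE_LINE = re.compile(r"^\s+(\S+)\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$")

def parse_dwords(reg_output):
    """Return {lowercased value name: int} for every REG_DWORD line."""
    values = {}
    for line in reg_output.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            # reg.exe prints DWORDs as hex ("0x1"), so compare integers, not text.
            values[m.group(1).lower()] = int(m.group(2), 16)
    return values

def classify_rdp_mode(reg_output):
    """Map the registry values to one of the three GUI settings from the article."""
    v = parse_dwords(reg_output)
    deny = v.get("fdenytsconnections")
    nla = v.get("userauthentication")
    if deny is None:
        return "unknown: fDenyTSConnections missing"
    if deny == 1:
        return "connections not allowed"
    if nla is None:
        return "unknown: UserAuthentication missing"
    if nla == 1:
        return "connections allowed, NLA required"
    return "connections allowed, any client (no NLA)"

if __name__ == "__main__":
    print(classify_rdp_mode(SAMPLE))
```

A missing value is reported as unknown rather than treated as 0, so an incomplete capture is not mistaken for a permissive configuration.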

A side note about remote administration mode

As with earlier Windows server OSs, two concurrent connections are allowed without the need for TS CALs. A connection to the server’s console (using mstsc /console), however, is not possible any more. Thus the effective number of connections is reduced from three to two.
