I have recently been involved with a 2008R2 Remote Desktop Services.One of the goals of the project was to make the infrastructure easy toexpand and contract. If there was a snow day and 100 extra users decided to log in via RDS, we would need to be able to quickly deploy enough servers to cope.They would also need to be easy to remove.To achieve this goal we have only used PS Scripts or GPOs to configure the Servers and roles.

One of the hardest things I found, was trying to set shadowing permissions.Luckily Powershell has a provider for this. the below script will set the permissions on RDP-TCP to allow the members of the specified AD group shadow RDS users.

The first line “Import-module.” is simple, it loads the active RDS PS module, if this fails, make sure you installed the RDS components from the RSAT tools.

The second line sets the location as the PSDrive RDS:, it also drills down to where we need to be

The thirdline, gets the current value of the security descriptor (write that down).

Now that you have this value, manually add the permissions to RDP-TCP via the GUIand then run the Get-item line again.this will give you the security descriptor with your added group.

Update the 4th line with this new value and your ready to run this script on the rest of your RDS farm.

import-module remotedesktopservices

set-location RDS:RDSConfigurationConnectionsRDP-TCPSecuritySettingspermissions

get-item StringSecurityDescriptor | format-list

set-item StringSecurityDescriptor "O:SYG:SYD:(A;;0xf03bf;;;SY)(A;;CCSWLOSDRCWDWO;;;LS)(A;;CCLO;;;NS)(A;;0xf03bf;;;BA)(A;;CCWPCR;;;RD)(A;;CC;;;IU)(A;;0xf03bf;;;S-1-5-21-5851626-727382964-36686460-1113)S:NO_ACCESS_CONTROL"