Part I of this blog post series describes the benefits of using a Kerberos Identity for Remote Desktop Session Host (Terminal Server) farms and provides information on how to create and manage this Kerberos Identity using Remote Desktop Services provider for Windows PowerShell.
You can achieve finer control over the farm account in Active Directory by using the Win32_SessionBrokerFarmAccount WMI class. This class allows you to set or change the account's password, change the password update rules, set or change the DNS name associated with the account, or disassociate the account from the farm without deleting it from Active Directory.
The Win32_SessionBrokerFarmAccount class is defined as following:
Win32_SessionBrokerFarmAccount Class
Provides properties for creating, deleting, viewing and modifying the properties of a farm account in Remote Desktop Connection Broker (RD Connection Broker).
[dynamic, provider("Win32_WIN32_SESSIONBROKERFARMACCOUNT_Prov")]
class Win32_SessionBrokerFarmAccount
{
[key, read]
string FarmName;
[read, write]
boolean Manual;
[read, write]
string AccountName;
[read, write]
string AccountDomain;
[write]
string AccountPassword;
[read]
string AccountSPN1;
[read]
string AccountSPN2;
[write]
string ComputerDNSName;
[Implemented]
uint32 DeleteEx( [In] boolean DeleteComputerObject );
};
Methods
The Win32_SessionBrokerFarmAccount class defines the following methods.
DeleteEx
Deletes a farm account. Unlike the SWbemObject.Delete_ method, this method provides the option of keeping the farm account in Active Directory (SWbemObject.Delete_ always deletes the account from Active Directory).
Properties
The Win32_SessionBrokerFarmAccount class defines the following properties.
FarmName
Data type:
string
Access type: Read-only
Qualifiers:
Key
Name of the farm in RD Connection Broker.
Manual
Data type:
boolean
Access type: Read and write
Determines whether the farm account's password is managed automatically by RD Connection Broker. If this value is set to true, the Connection Broker will not update the account's password. It is strongly recommended to set this value to false so that the Connection Broker periodically updates the farm account's password.
AccountName
Data type:
string
Access type: Read and write
User name of the farm account.
AccountDomain
Data type:
string
Access type: Read and write
Domain name of the farm account.
AccountPassword
Data type:
string
Access type: Write-only
Password of the farm account.
AccountSPN1
Data type:
string
Access type: Read-only
First SPN associated with the farm account. This SPN corresponds to the account’s NetBIOS name.
AccountSPN2
Data type:
string
Access type: Read-only
Second SPN associated with the farm account. This SPN corresponds to the account’s FQDN.
ComputerDNSName
Data type:
string
Access type: Write-only
DNS name to be associated with the farm account.
Remarks
Win32_SessionBrokerFarmAccount supports the SWbemObject methods Delete_ and Put_. Use the SWbemObject.Put_ method to create a new farm account or modify an existing one.
Sample JScript code
To run this sample, replace "MyFarm", "MyFarmAccount" and "MyDomain.com" in the code below with the appropriate farm, farm account and domain names, save the code as "FarmAccount.js", start cmd.exe as administrator on the Connection Broker and then run the following command:
cscript FarmAccount.js
Important! To run this script successfully you need to be a domain user who has the "Add workstations to domain" user right and is a member of the Administrators group on the Connection Broker. The script must run locally on the RD Connection Broker: Win32_SessionBrokerFarmAccount does not support calls from remote clients.
Important! Kerberos identity is not supported if the Connection Broker runs as a node in a Failover Cluster.
var WbemAuthenticationLevelPktPrivacy = 6;   // encrypt the WMI channel: the request carries AccountPassword as a plain string
var WbemChangeFlagCreateOnly = 2;            // Put_ flag: create the instance, fail if it already exists
var Locator = new ActiveXObject("WbemScripting.SWbemLocator");
var strComputer = ".";                       // local machine only; the provider rejects remote callers
var strNamespace = "root\\CIMV2";
Locator.Security_.AuthenticationLevel = WbemAuthenticationLevelPktPrivacy;
var Service = Locator.ConnectServer(strComputer, strNamespace);
//
// Creating a new farm account
//
var Object = Service.Get('Win32_SessionBrokerFarmAccount.FarmName="MyFarm"');
WScript.Echo("Service.Get: OK");
Object.AccountName = "MyFarmAccount";
Object.AccountDomain = "MyDomain.com";
Object.Manual = false;                       // let RD Connection Broker rotate the password
var ObjectPath = Object.Put_(WbemChangeFlagCreateOnly);
WScript.Echo("Object.Put_: " + ObjectPath.Path);
//
// Enumerating existing farm accounts
//
var objSet = Service.InstancesOf("Win32_SessionBrokerFarmAccount");
WScript.Echo("objSet.Count : " + objSet.Count);
var Objects = new Enumerator(objSet);
for (; !Objects.atEnd(); Objects.moveNext())
{
    Object = Objects.item();
    WScript.Echo("Object.FarmName : " + Object.FarmName);
    WScript.Echo("Object.AccountName : " + Object.AccountName);
    WScript.Echo("Object.AccountDomain : " + Object.AccountDomain);
    WScript.Echo("Object.AccountSPN1 : " + Object.AccountSPN1);
    WScript.Echo("Object.AccountSPN2 : " + Object.AccountSPN2);
    WScript.Echo("Object.Manual : " + Object.Manual);
    // AccountPassword and ComputerDNSName are write-only, so these two echo null
    WScript.Echo("Object.AccountPassword : " + Object.AccountPassword);
    WScript.Echo("Object.ComputerDNSName : " + Object.ComputerDNSName);
    WScript.Echo("==========");
}
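The same lifecycle from Windows PowerShell, as an added example that is not code from the original post or from the Remote Desktop Services team: it creates the farm account the way the JScript sample does (bind to the instance keyed by farm name, then Put with the create-only flag), rotates the password by hand via Manual and AccountPassword, attaches a DNS name, lists the registered SPNs, and finally unbinds the account with DeleteEx while keeping the computer object in Active Directory. It assumes, as the JScript sample does, that the provider returns an instance for the farm name on Get; the farm, account, domain and DNS names and the function names are placeholders.

```powershell
# Added example, not code from the original post: farm-account lifecycle driven
# from Windows PowerShell against the Win32_SessionBrokerFarmAccount class.
# Run it elevated, locally on the RD Connection Broker, as a domain user holding
# "Add workstations to domain". Farm, account, domain and DNS names are placeholders.
#Requires -RunAsAdministrator

$Namespace = 'root\cimv2'
$ClassName = 'Win32_SessionBrokerFarmAccount'

# Connect with PacketPrivacy, as the JScript sample does: AccountPassword is a plain
# string property inside the WMI request, so the channel has to be encrypted.
function Get-FarmScope {
    $opts = New-Object System.Management.ConnectionOptions
    $opts.Authentication = [System.Management.AuthenticationLevel]::PacketPrivacy
    $scope = New-Object System.Management.ManagementScope("\\.\$Namespace", $opts)
    $scope.Connect()
    $scope
}

# Equivalent of SWbemServices.Get('...FarmName="MyFarm"'): bind to the account
# instance keyed by farm name (assumes the provider answers for a farm without an account).
function Get-FarmAccount([string]$FarmName) {
    $path = New-Object System.Management.ManagementPath("${ClassName}.FarmName='$FarmName'")
    $acct = New-Object System.Management.ManagementObject((Get-FarmScope), $path, $null)
    $acct.Get()
    $acct
}

function New-FarmAccount([string]$FarmName, [string]$AccountName, [string]$AccountDomain) {
    $acct = Get-FarmAccount $FarmName
    $acct.AccountName   = $AccountName
    $acct.AccountDomain = $AccountDomain
    $acct.Manual        = $false     # let the broker rotate the password itself
    # Same as Put_(2) in the JScript sample: create only, never overwrite an existing binding.
    $put = New-Object System.Management.PutOptions
    $put.Type = [System.Management.PutType]::CreateOnly
    $null = $acct.Put($put)
}

function New-RandomPassword([int]$Bytes = 24) {
    $buf = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    [Convert]::ToBase64String($buf)
}

# Manual = $true hands password rotation to the caller; the broker stops updating it.
# Keep Manual = $false unless something outside the broker must know the password.
function Set-FarmAccountPassword([string]$FarmName, [string]$Password = (New-RandomPassword)) {
    $acct = Get-FarmAccount $FarmName
    $acct.Manual          = $true
    $acct.AccountPassword = $Password
    $null = $acct.Put()
}

function Set-FarmAccountDnsName([string]$FarmName, [string]$DnsName) {
    $acct = Get-FarmAccount $FarmName
    $acct.ComputerDNSName = $DnsName
    $null = $acct.Put()
}

# The two SPNs are what clients request Kerberos tickets for; compare them with
# the name the farm's DNS round-robin record answers to.
function Show-FarmAccounts {
    Get-WmiObject -Namespace $Namespace -Class $ClassName -Authentication PacketPrivacy |
        Select-Object FarmName, AccountDomain, AccountName, Manual, AccountSPN1, AccountSPN2
}

# DeleteEx(false) unbinds the account from the farm but leaves the computer object
# in AD; DeleteEx(true) behaves like SWbemObject.Delete_ and removes it as well.
function Remove-FarmAccountBinding([string]$FarmName, [bool]$DeleteComputerObject = $false) {
    $acct = Get-FarmAccount $FarmName
    $rc = [uint32]$acct.InvokeMethod('DeleteEx', [object[]]@($DeleteComputerObject))
    if ($rc -ne 0) { throw "DeleteEx failed with return code $rc" }
}

# Usage (placeholders):
# New-FarmAccount -FarmName 'MyFarm' -AccountName 'MyFarmAccount' -AccountDomain 'MyDomain.com'
# Set-FarmAccountDnsName -FarmName 'MyFarm' -DnsName 'myfarm.mydomain.com'
# Show-FarmAccounts
# Remove-FarmAccountBinding -FarmName 'MyFarm'        # keep the AD computer object
```

Set-FarmAccountPassword is the only function that flips Manual to true; after running it the broker no longer rotates the secret, so the caller owns the rotation schedule until Manual is set back to false.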