All our testboxes run on VMs (windows server 2003/08) and testers access them via remote desktop only.

Some maintenance steps require to kick all users from the system and deactivate access via remote desktop.

I started to write the maintenance scripts in powershell and am looking for a way to temporarily deactivate remote desktop. Is that possible, any straight-forward solutions to this?

What I have tried so far:

• A colleague recommended turning-off the netlogon-service, but I can still logon with remote-desktop.
• Another colleague recommended disabling blocking the port for
  remote-desktop with the firewall, but somehow that does not feel
  right to me (?) because I don't want to change one part of a system to affect another part. Am I too picky ... ? ;)

Any hints highly appreciated.

Cheers, Tobi

Now I have found a solution that works perfect for me. Windows Server 2008 comes with a feature called "Terminal Services Server Drain Mode"

... the TS Server Drain Mode prevents new users from logging onto the server, while allowing currently logged on users to reconnect to their existing sessions. By waiting for existing users to save their work and log off, the administrator can take a terminal server down for maintenance without causing user data loss.

Before I activate the drain mode I ensure that no one is logged in and then I active the drain mode with the following code:

Invoke-Command -ComputerName myServerHostName -ScriptBlock
{
   Set-ItemProperty -Path "HKLM:\SYSTEM\Currentcontrolset\control\Terminal Server" -Name TSServerDrainMode -Value 1
}

Although I am changing a registry key, I am not required to reboot the server for the changes to be effective. This works without a reboot.

When I am done performing maintenance work I deactive drain mode with "-Value 0" and users are able to log in again.

Works like a charm!

My original answer was:

My perferred solution that I have found through extensive web search is as follows (also untested):

$Terminal = Get-WmiObject Win32_Terminal –Computer “ComputerName”
$Terminal.Enable($True)

Other possible and interesting code snippets, or variations on the topic, that I have found:

$myWmiObject = Get-WmiObject -namespace “rootCIMV2TerminalServices” -class Win32_Terminal -Computer “ComputerName” -Authentication PacketPrivacy

or

Set-WmiInstance -namespace “rootCIMV2TerminalServices” -class Win32_Terminal -ComputerName “ComputerName” -Authentication PacketPrivacy -Argument @{fEnableTerminal=0}

or

Get-WmiObject -ComputerName “ComputerName” -namespace root/cimv2/terminalservices -class Win32_Terminal -Authentication PacketPrivacy

You need to set

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections 

value to 1 by default to disable remote desktop but needs to reboot.

Another way that seem not needing reboot (NOT TESTED):

$ts=get-WMIObject Win32_TerminalServiceSetting  -computername remotemachinename

$ts.SetAllowTSConnections(0)

Now I have found a solution that works perfect for me. Windows Server 2008 comes with a feature called "Terminal Services Server Drain Mode"

... the TS Server Drain Mode prevents new users from logging onto the server, while allowing currently logged on users to reconnect to their existing sessions. By waiting for existing users to save their work and log off, the administrator can take a terminal server down for maintenance without causing user data loss.

Before I activate the drain mode I ensure that no one is logged in and then I active the drain mode with the following code:

Invoke-Command -ComputerName myServerHostName -ScriptBlock
{
   Set-ItemProperty -Path "HKLM:\SYSTEM\Currentcontrolset\control\Terminal Server" -Name TSServerDrainMode -Value 1
}

Although I am changing a registry key, I am not required to reboot the server for the changes to be effective. This works without a reboot.

When I am done performing maintenance work I deactive drain mode with "-Value 0" and users are able to log in again.

Works like a charm!

My original answer was:

My perferred solution that I have found through extensive web search is as follows (also untested):

$Terminal = Get-WmiObject Win32_Terminal –Computer “ComputerName”
$Terminal.Enable($True)

Other possible and interesting code snippets, or variations on the topic, that I have found:

$myWmiObject = Get-WmiObject -namespace “rootCIMV2TerminalServices” -class Win32_Terminal -Computer “ComputerName” -Authentication PacketPrivacy

or

Set-WmiInstance -namespace “rootCIMV2TerminalServices” -class Win32_Terminal -ComputerName “ComputerName” -Authentication PacketPrivacy -Argument @{fEnableTerminal=0}

or

Get-WmiObject -ComputerName “ComputerName” -namespace root/cimv2/terminalservices -class Win32_Terminal -Authentication PacketPrivacy

I use this gWmi code frequently :

#Remote change logon /disable
$TS_Connector = gwmi Win32_TerminalServiceSetting -N "root/cimv2/terminalservices" -computername $ServerName -Authentication PacketPrivacy
$TS_Connector.Logons=1
$TS_Connector.Put()

and for enable logons

#Remote change logon /enable
$TS_Connector = gwmi Win32_TerminalServiceSetting -N "root/cimv2/terminalservices" -computername $ServerName -Authentication PacketPrivacy
$TS_Connector.Logons=0
$TS_Connector.Put()

instead of Invoke-command() because nead RCP openned, and RPC connexion are disabled by default on windows

Looking for something else this morning (coincidentally) I saw this: "Checking and enabling Remote Desktop with PowerShell".

Summary: involves registry manipulation.