Deny log on through Remote Desktop via powershell

powershell, remote desktop, windows

I have to deny log on through Windows RDP. I know I can do it with gpedit.msc in

 Computer Configuration --> Windows Settings --> Security Settings -->        
 Local Policies --> User rights assignment 

But I have to do it with PowerShell.

Is it possible?

Best Answer

But why not just use GPO?

If this is an enterprise environment, that is why it's there, and it is the recommended way to do this sort of thing and much of Windows enterprise central management. Oh well, orgs have their reasons for what things are.

Anyway, there are many resources and samples on how to do this all over the web. Using your post title in any search engine would return many hits on the topic.

For example:

MS PowerShell gallery scripts

Get, Set, Remove NT Rights Privileges for example, adding "Logon As Service" right to User Account. Get, Set, Remove NT Rights Privileges on local and remote computers

https://gallery.technet.microsoft.com/Get-Set-Remove-NT-Rights-0a8a36db

How to Remotely Enable and Disable (RDP) Remote Desktop

By default on a Windows Server Product Windows Remote Management (WinRM) is enabled, but Remote Desktop (RDP) is Disabled. On workstation operating systems neither is enabled by default, so if you want to be able to accomplish the following you will need to enable WinRM on the workstations.

https://www.interfacett.com/blogs/how-to-remotely-enable-and-disable-rdp-remote-desktop/

How to enable Remote Desktop using Powershell

If you are using Windows 2012 R2 Core or if you just like using Powershell, then you may want to know how to enable Remote Desktop.

To do this, you should go into your Core server where you should see a command box. In here, type in Powershell and press enter. This will open up the Powershell console for you to use.

https://blog.techygeekshome.info/2014/07/how-to-enable-remote-desktop-using-powershell

PowerShell Problem Solver: Active Directory Remote Desktop Settings

During my recent PowerShell workshop in Finland, an attendee asked about Active Directory cmdlets from Microsoft in regards to remote desktop user settings. Although you can readily see the settings in Active Directory Users and Computers, Get-ADUser doesn’t retrieve them. I haven’t worked with Remote Desktop Services in quite a while, but I told him I’d look into this long-standing problem.

https://www.petri.com/powershell-problem-solver-active-directory-remote-desktop-settings

Then there is the NTRights tool from the WiNTResKit.

The Microsoft® Windows® Server 2003 Resource Kit Tools are a set of tools to help administrators streamline management tasks such as troubleshooting operating system issues, managing Active Directory®, configuring networking and security features, and automating application deployment.

https://www.microsoft.com/en-us/download/details.aspx?id=1765

Yes, it and virtually all the tools in the Reskit still work, even on Win10/WS2K16.

So, doing something like this....

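# Bind to the user object (replace the DN with the real account)
$ADUser = [ADSI]"LDAP://CN=UserName,OU=Users,DC=TestDomain,DC=com"
$ADUser.SamAccountName # to check the account
# 0 = do not allow this user to log on to Remote Desktop Services
$ADUser.psbase.invokeSet("allowLogon",0)
# Write the change back to the directory
$ADUser.setinfo()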
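
The user right named in the question (User Rights Assignment, "Deny log on through Remote Desktop Services", constant `SeDenyRemoteInteractiveLogonRight`) can also be set on the local machine with the built-in `secedit` tool. The following is an added example, not code from the original answer or the linked pages; the function name, scratch file names and the account are assumptions.

```powershell
# Added example; run from an elevated PowerShell session.
function Add-DenyRdpLogonRight {
    param([Parameter(Mandatory)][string]$Account)

    $right = 'SeDenyRemoteInteractiveLogonRight'
    # secedit lists accounts as SIDs prefixed with '*'
    $sid   = ([System.Security.Principal.NTAccount]$Account).Translate(
                 [System.Security.Principal.SecurityIdentifier]).Value
    $entry = "*$sid"
    $cfg   = Join-Path $env:TEMP 'user-rights.inf'   # scratch files (names assumed)
    $db    = Join-Path $env:TEMP 'user-rights.sdb'

    try {
        # Export only the User Rights Assignment area of the local policy
        secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /export failed: $LASTEXITCODE" }

        $lines    = @(Get-Content -Path $cfg)
        $pattern  = "^$right\s*="
        $existing = $lines | Where-Object { $_ -match $pattern } | Select-Object -First 1
        $members  = @()
        if ($existing) {
            $members = @(($existing -replace "$pattern\s*", '') -split ',' |
                ForEach-Object { $_.Trim() } | Where-Object { $_ })
        }
        if ($members -contains $entry) { return $false }   # already denied

        $newLine = "$right = " + (($members + $entry) -join ',')
        if ($existing) {
            $lines = $lines | ForEach-Object { if ($_ -match $pattern) { $newLine } else { $_ } }
        } else {
            # Right is unassigned, so the line is absent: add it to the section
            $lines = $lines | ForEach-Object { $_; if ($_ -eq '[Privilege Rights]') { $newLine } }
        }
        Set-Content -Path $cfg -Value $lines -Encoding Unicode

        secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed: $LASTEXITCODE" }
        return $true
    }
    finally {
        Remove-Item -Path $cfg, $db -ErrorAction SilentlyContinue
    }
}

# 'TESTDOMAIN\UserName' is a placeholder account
# Add-DenyRdpLogonRight -Account 'TESTDOMAIN\UserName'
```

A domain GPO that defines the same user right replaces this local value at the next policy refresh.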