Wilco van Bragt - LinkeIn Wilco van Bragt - Twitter rssa 


If you have a big Terminal Server infrastructure environment you probably like to configure all settings at one place and settings are propagated to all the servers in your environment in stead of configure those settings manually. If you take a look at Citrix many settings can be configured using Citrix Management Console and since Windows 2003 you can configure a lot of settings using GPO's (but read this article if you would like to configure RDP settings on a server where also Citrix is installed).

One of things that is not fully implemented in the Citrix Management Consoles (via policies) are the settings within the Citrix Connection Configuration. The guys of Login Consultants developed a ADM template where most of these settings can be configured using GPO's like client mapping, timeouts for disconnection, etcetera.

But for settings the permissions on the protocols itself could only be done via manual intervention. Therefore Bas Blauw developed the tool TSConSec to solve this problem.

No Installation

TSConSec is a stand-alone utility so no installation is needed. The tool can be started from any machine, if the Terminal Server is reachable by that machine and the user on the machine has enough rights to change this permission (local administrator rights on that server).

The parameters

TSConSec is deliverd with a nice set of parameters where you can configure all settings concerning permissions on the ICA and RDP protocol.

Required are the following parameters

  •  /t, this parameter specifies on which protocol the permissions should be changed. Possibilities are RDP-TCP, ICA-TCP or a custom made listener. If you do not specify a protocol RDP-TCP will be used automatically.

  • /d, domain for the user or group you are specifying the permissions (default is local).

  • /a, followed by the user- or groupname for which you would like to specify permissions for.

  • /p, behind this parameter you are specifying which permissions are applied to the above mentioned user or group.
    Permissions can be

    F=Full Control
    U = User Access
    G = Guest Access
    Q = Query Information
    I = Set Information
    R = Reset
    S = Shadow (Remote Control)
    L = LogON
    O = LogOFF
    M = Message
    C = Connect
    D = Disconnect
    V = Virtual Channels

  • /x, behind this parameters the permissions can be specified which should be denied to the specified user.

With the parameter /o, the current settings for the specified protocol are displayed, while /r resets the configuration of the protocol to the default settings. If you would like to change the settings on a different machine, you should use the /m:<servername> switch. The /q switch will not ask for a confirmation for the settings you are providing with the tool.

Some examples:

Give the group Helpdesk Shadow permissions on the ICA-TCP protocol
TSConSec /t:ICA-TCP /d:VanBragt /a:Helpdesk /p:QS
Deny access to the RDP protocol for normal users
TsConSec /t:RDP-TCP /a:Users /x:UGF
Give Full Control to group PS4Adminitrators
TSConSec /t:ICA-TCP /d:VanBragt /a:PS4Administrators /p:F


TSConSec is the only utility available which can configure the permissions on the ICA and RDP protocol. TSConSec those exactly where it build for with a good set of parameters. The tool will become very useful if you have a considerable amount of Terminal Servers in your infrastructure where you would manage these settings without logging on every server. TsConSec is easy to implement in (unattended) scripts to arrange the settings automatically.

The latest version of TSConSec can be downloaded from Thincomputing.net.