Microsoft KB Archive/259129


HOWTO: Modify or Query the RDP Connection Permissions for Terminal Services


Q259129

-

The information in this article applies to:


 * Microsoft Win32 Application Programming Interface (API), included with:
 * Microsoft Windows NT Server version 4.0
 * Microsoft Windows NT Workstation version 4.0
 * the operating system: Microsoft Windows 2000

-

SUMMARY
The Microsoft Terminal Services configuration application allows you to change the Remote Desktop Protocol-Transmission Control Protocol (RDP-TCP) connection permissions. These permissions determine which users can perform actions (connect, disconnect, logoff, query, and so on) against a Terminal Services session. An application can programmatically change the RDP-TCP connection permissions through the Windows registry.

MORE INFORMATION
The security descriptor is stored in self-relative format within the registry. In order to obtain or modify the security descriptor, you must convert it to absolute format. Once you modify the security descriptor, you must convert it back to self-relative format and resave.

The default security settings are stored in the DefaultSecurity registry value under the following key:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations"

If you modify the security settings, they are stored in the Security value under the following key:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

If you modify the default security descriptor and the Security value does not exist under the RDP-Tcp key, you must create the value.

Sample Code
The following code demonstrates how to modify the current RDP-TCP connection permissions. This code checks for a modified security descriptor under the RDP-Tcp key. If none is found, it opens the default security descriptor under the WinStations key. After you modify the descriptor, it is saved under the RDP-Tcp key.

#include <windows.h>
#include <tchar.h>
#include <stdio.h>


#define USER_ACCESS 0x1A1
#define GUEST_ACCESS 0x20
#define FULL_CONTROL 0xF03FF

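/*
 * Sample entry point: load the RDP-Tcp connection security descriptor from
 * the registry, convert it to absolute form for editing, convert it back to
 * self-relative form and save it in the Security value of the RDP-Tcp key.
 *
 * The Security value under ...\WinStations\RDP-Tcp is read first. When that
 * value does not exist, the DefaultSecurity value under ...\WinStations is
 * used as the starting point. Every failure is reported with _tprintf and
 * ends the program; nothing is written unless all earlier steps succeeded.
 *
 * The stored descriptor decides which accounts may connect to, query or
 * control Terminal Services sessions, so the data is checked with
 * IsValidSecurityDescriptor both after it is read and before it replaces
 * the current value.
 */
void _tmain(void) {

    BYTE  buffer[4096];          // descriptor as stored (self-relative form)
    BYTE  acl[1024];             // DACL extracted by MakeAbsoluteSD
    DWORD dwAcl = sizeof(acl);
    BYTE  sacl[1024];            // SACL extracted by MakeAbsoluteSD
    DWORD dwSacl = sizeof(sacl);
    BYTE  sidOwner[1024];        // owner SID extracted by MakeAbsoluteSD
    DWORD dwSidOwner = sizeof(sidOwner);
    BYTE  sidGroup[1024];        // primary group SID extracted by MakeAbsoluteSD
    DWORD dwSidGroup = sizeof(sidGroup);
    DWORD dwSize = sizeof(buffer);
    DWORD dwType = 0;            // registry type of the value that was read
    HKEY  hKey = NULL;
    LONG  lResult;
    BYTE  AbsSD[4096];           // absolute form, the one that gets edited
    BYTE  AbsModifiedSD[4096];   // self-relative form that is written back
    DWORD dwAbsMod = sizeof(AbsModifiedSD);

    // Open the rdp-tcp key. Only a read happens here, so ask for query
    // access only; write access is requested later, when it is needed.
    lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
            TEXT("system\\currentcontrolset\\control")
            TEXT("\\terminal server\\winstations\\rdp-tcp"),
            0, KEY_QUERY_VALUE, &hKey);
    if (lResult != ERROR_SUCCESS) {
        _tprintf(TEXT("RegOpenKeyEx failed with error %u\n"),
                (unsigned) lResult);
        return;
    }

    // Query the Security value
    lResult = RegQueryValueEx(hKey, TEXT("Security"), NULL, &dwType, buffer,
            &dwSize);

    // Close the rdp-tcp key
    RegCloseKey(hKey);

    if (lResult != ERROR_SUCCESS && lResult != ERROR_FILE_NOT_FOUND) {
        _tprintf(TEXT("RegQueryValueEx failed with error %u\n"),
                (unsigned) lResult);
        return;
    }

    // If the value was not present, get the default security descriptor
    if (lResult == ERROR_FILE_NOT_FOUND) {

        // Open the WinStations key (never written to, so query access only)
        lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
                TEXT("system\\currentcontrolset\\control")
                TEXT("\\terminal server\\winstations"),
                0, KEY_QUERY_VALUE, &hKey);
        if (lResult != ERROR_SUCCESS) {
            _tprintf(TEXT("RegOpenKeyEx failed with error %u\n"),
                    (unsigned) lResult);
            return;
        }

        // The failed query above may have changed dwSize; state the real
        // capacity of buffer again before it is reused.
        dwSize = sizeof(buffer);

        // Query the DefaultSecurity value
        lResult = RegQueryValueEx(hKey, TEXT("DefaultSecurity"), NULL,
                &dwType, buffer, &dwSize);

        // Close the WinStations key
        RegCloseKey(hKey);

        if (lResult != ERROR_SUCCESS) {
            _tprintf(TEXT("RegQueryValueEx failed with error %u\n"),
                    (unsigned) lResult);
            return;
        }
    }

    // Refuse to go on with data that is not a binary value holding a
    // well-formed security descriptor.
    if (dwType != REG_BINARY ||
            !IsValidSecurityDescriptor((PSECURITY_DESCRIPTOR) buffer)) {
        _tprintf(TEXT("Stored value is not a valid security descriptor\n"));
        return;
    }

    // Convert the self-relative security descriptor to the absolute form
    dwSize = sizeof(AbsSD);
    if (!MakeAbsoluteSD((PSECURITY_DESCRIPTOR) buffer, AbsSD, &dwSize,
            (PACL) acl, &dwAcl, (PACL) sacl, &dwSacl,
            (PSID) sidOwner, &dwSidOwner, (PSID) sidGroup, &dwSidGroup)) {
        // GetLastError must be called; passing the bare function name
        // would print its address instead of the error code.
        _tprintf(TEXT("MakeAbsoluteSD failed with error %u\n"),
                (unsigned) GetLastError());
        return;
    }

    //
    // TODO: Your code to modify the dacl goes here
    //
    // Grant each account only the access mask it needs (see the
    // USER_ACCESS, GUEST_ACCESS and FULL_CONTROL masks defined at the top
    // of this sample). The DACL that MakeAbsoluteSD extracted lives in the
    // 1024-byte acl buffer; a DACL that grows should be built in a buffer
    // of its own and attached with SetSecurityDescriptorDacl.
    //

    // Convert the security descriptor back to the self-relative form
    if (!MakeSelfRelativeSD(AbsSD, AbsModifiedSD, &dwAbsMod)) {
        _tprintf(TEXT("MakeSelfRelativeSD failed with error %u\n"),
                (unsigned) GetLastError());
        return;
    }

    // Check the result before it replaces the connection permissions
    if (!IsValidSecurityDescriptor((PSECURITY_DESCRIPTOR) AbsModifiedSD)) {
        _tprintf(TEXT("Modified security descriptor is not valid\n"));
        return;
    }

    // Open the rdp-tcp key for writing
    lResult = RegOpenKeyEx(HKEY_LOCAL_MACHINE,
            TEXT("system\\currentcontrolset\\control")
            TEXT("\\terminal server\\winstations\\rdp-tcp"),
            0, KEY_SET_VALUE, &hKey);
    if (lResult != ERROR_SUCCESS) {
        _tprintf(TEXT("RegOpenKeyEx failed with error %u\n"),
                (unsigned) lResult);
        return;
    }

    // Save the modified security value
    lResult = RegSetValueEx(hKey, TEXT("Security"), 0, REG_BINARY,
            AbsModifiedSD, dwAbsMod);

    // Close the rdp-tcp key on the failure path as well
    RegCloseKey(hKey);

    if (lResult != ERROR_SUCCESS) {
        _tprintf(TEXT("RegSetValueEx failed with %u\n"), (unsigned) lResult);
        return;
    }
}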

Keywords : kbAPI kbKernBase kbOSWinNT400 kbOSWin2000 kbSDKWin32 kbDSupport kbGrpDSKernBase

Issue type : kbhowto

Technology : kbAudDeveloper kbWin32sSearch kbWin32API