lazywinadmin / lazywinadmin.github.io

Personal Blog - Using the minimal-mistakes jekyll template
https://lazywinadmin.com
MIT License

2014/04/powershell-getset-network-level #212

Closed lazywinadmin closed 5 years ago

lazywinadmin commented 5 years ago

PowerShell - Get/Set the Network Level Authentication Remotely (RDP Setting)

https://lazywinadmin.com/2014/04/powershell-getset-network-level.html

lazywinadmin commented 5 years ago

joelcottrell

Posted on: 2014-05-16T20:36:33Z

Is there a way to modify this to pull the servername info from a txt file, then process this txt file to see if NLA is enabled? Then pipe the results (whether its enabled or not) into another txt file? Thanks.


lazywinadmin commented 5 years ago

François-Xavier Cat (@lazywinadmin)

Posted on: 2014-05-16T21:04:21Z

Hi Joel,

It's pretty easy, something like this should do it:

Output to a txt file
Get-NetworkLevelAuthentication -ComputerName (Get-Content d:\serverlist.txt) | Out-File d:\result.txt

Output to a csv file
Get-NetworkLevelAuthentication -ComputerName (Get-Content d:\serverlist.txt) | Export-Csv d:\result.csv

In this example, all your servers need to be listed in the serverlist.txt

Hope this helps


lazywinadmin commented 5 years ago

joelcottrell

Posted on: 2014-05-16T22:02:43Z

I believe this should work. Thanks for the quick response.


lazywinadmin commented 5 years ago

François-Xavier Cat (@lazywinadmin)

Posted on: 2014-05-16T22:08:38Z

No pb, let me know if you have other questions.

note: I updated the blog post to add the example


lazywinadmin commented 5 years ago

joelcottrell

Posted on: 2014-05-16T22:55:46Z

Have you seen this error message before (via powershell v3.0):

PS C:\powershell> . .\Get-Set-NetworkLevelAuthentication.ps1
At C:\powershell\Get-Set-NetworkLevelAuthentication.ps1:56 char:32
+ [Parameter(ValueFromPipeline)=]
+ ~
Missing ] at end of attribute or type literal.
At C:\powershell\Get-Set-NetworkLevelAuthentication.ps1:56 char:32
+ [Parameter(ValueFromPipeline)=]
+ ~
Parameter declarations are a comma-separated list of variable names with optional initializer expressions.
At C:\powershell\Get-Set-NetworkLevelAuthentication.ps1:56 char:32
+ [Parameter(ValueFromPipeline)=]
+ ~
Missing ')' in function parameter list.
+ CategoryInfo : ParserError: (:) [], ParseException
+ FullyQualifiedErrorId : EndSquareBracketExpectedAtEndOfAttribute


lazywinadmin commented 5 years ago

François-Xavier Cat (@lazywinadmin)

Posted on: 2014-05-17T02:20:37Z

Hey Joel,

Interesting, never saw this message before.

Which version of PowerShell do you run ? ($psversiontable will tell you)

The function requires at least version 3.

Give it a try with the version available on GitHub:

https://github.com/lazywina...


lazywinadmin commented 5 years ago

joelcottrell

Posted on: 2014-05-19T13:50:16Z

I seem to have had success with just running the "Getting the NLA information" command. Any chance you can point me in the direction as to how to output the servername (or IP address) along with the result (whether it's 0 = no, or 1 = yes (NLA enabled))? Thanks.

$ComputerName = (Get-Content c:\powershell\serverlist.txt)

# Getting the NLA information

# Pipe the value into Export-Csv (without the pipe, Export-Csv receives no input)
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired |
Export-Csv c:\powershell\result.csv


lazywinadmin commented 5 years ago

François-Xavier Cat (@lazywinadmin)

Posted on: 2014-05-19T16:57:48Z

I guess you are running v2.

Anyway, you can do it this way (I tested in v2):

Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName (Get-Content c:\powershell\serverlist.txt) -Filter "TerminalName='RDP-tcp'"| Select-Object __SERVER,@{name="NLAEnabled";Expression={$_.UserAuthenticationRequired -as [bool]}} | Export-Csv c:\powershell\result.csv


lazywinadmin commented 5 years ago

Haim Chibotero

Posted on: 2014-07-28T12:57:07Z

Thanks for the article

What will be needed to "fix" the Citrix side so you can't connect from it, instead of disabling the NLA on the client side?

Haim


lazywinadmin commented 5 years ago

rykerabel

Posted on: 2014-08-06T00:00:57Z

To pass credentials for non-domain member server:

$ComputerName = "servername"
$Credential = "servername\adminname"
# Getting the NLA information
(Get-WmiObject -class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -ComputerName $ComputerName -Credential $Credential -Filter "TerminalName='RDP-tcp'").UserAuthenticationRequired

However, now I get this message:

the connection cannot proceed because authentication is not enabled and the remote computer requires that authentication be enabled to connect

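The two questions above (reading a server list from a file and reporting the server name next to its NLA value, and passing credentials for a non-domain machine) can be served by one small function built on the same `Win32_TSGeneralSetting` WMI class the thread uses. This is an added example, not code from the blog post or from the repository; the function name `Get-NlaStatus`, the file paths and the host names are assumptions. It needs PowerShell 3.0 or later (the `[CmdletBinding()]`/`[PSCustomObject]` syntax is what breaks on v2, as in Joel's parser error above). Each host is queried separately with `-ErrorAction Stop` so an unreachable or access-denied server produces a row with its error text instead of aborting the whole run, which is what you want in an audit report.

```powershell
function Get-NlaStatus {
    # Reports whether Network Level Authentication is required for the RDP-Tcp
    # listener on each target, one object per host, errors included as rows.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName,

        # Optional: local credentials for a non-domain (workgroup) target
        [System.Management.Automation.PSCredential]$Credential
    )
    process {
        foreach ($computer in $ComputerName) {
            $wmiParams = @{
                Class        = 'Win32_TSGeneralSetting'
                Namespace    = 'root\cimv2\terminalservices'
                ComputerName = $computer
                Filter       = "TerminalName='RDP-tcp'"
                ErrorAction  = 'Stop'   # turn RPC/access errors into catchable exceptions
            }
            if ($Credential) { $wmiParams['Credential'] = $Credential }

            try {
                $setting = Get-WmiObject @wmiParams
                [PSCustomObject]@{
                    ComputerName  = $computer
                    # UserAuthenticationRequired is 0/1 on the class; cast to a real boolean
                    NLAEnabled    = [bool]$setting.UserAuthenticationRequired
                    # SecurityLayer: 0 = RDP, 1 = Negotiate, 2 = SSL/TLS (class property)
                    SecurityLayer = $setting.SecurityLayer
                    Status        = 'OK'
                }
            }
            catch {
                # Keep the host in the report so a silent gap cannot hide a failed query
                [PSCustomObject]@{
                    ComputerName  = $computer
                    NLAEnabled    = $null
                    SecurityLayer = $null
                    Status        = $_.Exception.Message
                }
            }
        }
    }
}

# --- Usage (paths and host names are placeholders) ---

# Joel's case: server list in a text file, one name per line, results to CSV
Get-Content 'C:\powershell\serverlist.txt' |
    Get-NlaStatus |
    Export-Csv 'C:\powershell\result.csv' -NoTypeInformation

# rykerabel's case: non-domain member, prompt for a local account on that box
Get-NlaStatus -ComputerName 'servername' -Credential (Get-Credential 'servername\adminname')

# Audit view: hosts that answered but have NLA turned off are the ones to remediate
Get-NlaStatus -ComputerName (Get-Content 'C:\powershell\serverlist.txt') |
    Where-Object { $_.Status -eq 'OK' -and -not $_.NLAEnabled }
```

`-NoTypeInformation` drops the `#TYPE` header line that `Export-Csv` otherwise writes, which keeps the CSV clean for spreadsheets. The `-Credential` path only affects the WMI/DCOM connection used to read the setting; the "authentication is not enabled" message quoted above comes from the RDP client itself when it connects to an NLA-enforcing host, so it is a separate problem from the WMI query.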

lazywinadmin commented 5 years ago

François-Xavier Cat (@lazywinadmin)

Posted on: 2014-08-06T22:05:17Z

Hey Haim, sorry, no idea... my Citrix knowledge is $null :-)


lazywinadmin commented 5 years ago

François-Xavier Cat (@lazywinadmin)

Posted on: 2014-09-06T14:57:15Z

Hey RykeAbel,
Never tried that. Looks like this guy did some work with a WorkGroup box:
http://www.mcbsys.com/techb...

Hope this helps


lazywinadmin commented 5 years ago

Magik11

Posted on: 2014-09-25T16:03:50Z

See http://blogs.technet.com/b/... if you are getting Access Denied responses.


lazywinadmin commented 5 years ago

eswaran

Posted on: 2015-01-12T10:32:43Z

How to use the remote option so that only me, not other persons, are allowed in my system?


lazywinadmin commented 5 years ago

François-Xavier Cat (@lazywinadmin)

Posted on: 2015-01-12T16:58:54Z

Hum... where is this setting?


lazywinadmin commented 5 years ago

Noah Stahl

Posted on: 2015-03-18T15:19:25Z

Well-documented, thanks!


lazywinadmin commented 5 years ago

François-Xavier Cat (@lazywinadmin)

Posted on: 2015-03-18T16:45:01Z

Thanks Noah!


lazywinadmin commented 5 years ago

wags4321

Posted on: 2015-06-04T16:09:45Z

Strange. Your answer to connecting to an NLA-enabled RDS is to disable NLA?

NLA is supposed to add security, so should remain on. However, it seems to have issues with allowing connections on reboot. It seems to be an issue when the "server" (e.g. Win 8.1 personal machine) is part of a domain, but is not connected to the domain when a client tries to login as a user in that domain. It fails the NLA authentication in that case.

However, if you first locally login to the "server" machine (which is not connected to a domain), then it authenticates against stored credentials and lets you locally login. After that initial local login, then remote clients can connect with that username. I guess it's slightly more secure if you have a local login before a remote login - but sort of defeats the purpose of RDC in the first place.

The problem with that workaround is that if the "server" machine then gets rebooted, the NLA errors occur again.


lazywinadmin commented 5 years ago

turb0chrg

Posted on: 2015-10-09T20:47:56Z

In my case the Clientless SSL VPN RDP plug-in on our Cisco ASA 5510 running 8.4(3) did not support NLA, so it had to be disabled. Attempting to connect simply failed; no error was shown, making this a difficult one to track down.
