Remote Desktop permissions menu

1. #Requires -Version 3.0
2. #Requires -RunAsAdministrator
3.  
4. # Created by Dan from danit.nl, version 2020/06/17.
5.  
6. $global:perms = @()
7.  
8. function Show-CurrentPermissions()
9. {
10.     $global:perms = @(); $count = 0
11.     foreach($entry in (Get-WmiObject -Namespace "root\cimv2\terminalservices" -Query "SELECT * FROM Win32_TSAccount"))
12.     {
13.         $row = "" | Select Index,Connection,Group,Type,Permissions
14.         $row.Index = $count
15.         $row.Connection = $entry.TerminalName
16.         $row.Group = $entry.AccountName
17.         if(!$entry.PermissionsDenied)
18.         {
19.             $row.Type = "Allow"
20.             $row.Permissions = Convert-Permissions($entry.PermissionsAllowed)
21.         }
22.         else
23.         {
24.             $row.Type = "Deny"
25.             $row.Permissions = Convert-Permissions($entry.PermissionsDenied)
26.         }
27.         $global:perms += $row
28.         $count ++
29.     }
30.     $global:perms | Format-Table -AutoSize
31. }
32.  
33. function Convert-Permissions([int]$bits)
34. {
35.     $permissions = @{
36.         0x001 = "Query"
37.         0x002 = "Set"
38.         0x004 = "Logoff"
39.         0x010 = "Shadow"
40.         0x020 = "Logon"
41.         0x040 = "Reset"
42.         0x080 = "Message"
43.         0x100 = "Connect"
44.         0x200 = "Disconnect"
45.         0xF0008 = "Virtual Channels"
46.     }
47.  
48.     foreach($bitmask in $permissions.Keys | Sort-Object)
49.     {
50.         if(($bits -band $bitmask) -eq $bitmask)
51.         {
52.             $output += $permissions[$bitmask] + ", "
53.         }
54.     }
55.     if($output) { $output = $output.Substring(0, $output.Length-2) }
56.     return $output
57. }
58.  
59. function Add-Account
60. {
61.     Write-Host "Enter the name of the group you want to add: " -ForegroundColor Yellow -NoNewline; $account = Read-Host
62.     Write-Host "Enter the connection you want to add this group to (leave empty for all): " -ForegroundColor Yellow -NoNewline; $terminal = Read-Host
63.  
64.     foreach($object in (Get-WmiObject -Class "Win32_TSPermissionsSetting" -Namespace "root\cimv2\terminalservices"))
65.     {
66.         if(!$terminal -or $object.TerminalName -eq $terminal)
67.         {
68.             Invoke-WmiMethod -InputObject $object -Name "AddAccount" -ArgumentList $account,3
69.         }
70.     }
71.  
72.     Write-Host "The user/group has now been added, please add permissions!" -ForegroundColor Green
73.     Menu
74. }
75.  
76. function Delete-Account
77. {
78.     Write-Host "Select the index of the group you want to delete: " -ForegroundColor Yellow -NoNewline; $index = Read-Host
79.  
80.     $entry = Get-WmiObject -Namespace "root\cimv2\terminalservices" -Query ("SELECT * FROM Win32_TSAccount WHERE TerminalName='"+$perms[$index].Connection+"' AND AccountName='"+$perms[$index].Group+"'").Replace("\", "\\")
81.     Write-Host $entry -ForegroundColor Red
82.     $entry.Delete()
83.  
84.     Write-Host "The user/group has now been deleted from the permissions!" -ForegroundColor Green
85.     Menu
86. }
87.  
88. function Edit-Permissions
89. {
90.     Write-Host "Select the index, or enter the group name for multiple connections: " -ForegroundColor Yellow -NoNewline; $index = Read-Host
91.     Write-Host "[0] Query`n[1] Set`n[2] Logoff`n[3] Virtual Channels`n[4] Shadow`n[5] Logon`n[6] Reset`n[7] Message`n[8] Connect`n[9] Disconnect"
92.     Write-Host "Select what permission you want to edit: " -ForegroundColor Yellow -NoNewline; $permission = Read-Host
93.     Write-Host "Select [0] to deny or [1] to allow this permission: " -ForegroundColor Yellow -NoNewline; [int]$allow = Read-Host
94.  
95.     if($index -match "^\d+$") { $query = "SELECT * FROM Win32_TSAccount WHERE TerminalName='"+$perms[$index].Connection+"' AND AccountName='"+$perms[$index].Group+"'" }
96.     else { $query = "SELECT * FROM Win32_TSAccount WHERE AccountName='"+$index+"'" }
97.  
98.     foreach($object in Get-WmiObject -Namespace "root\cimv2\terminalservices" -Query $query.Replace("\", "\\"))
99.     {
100.         $object.ModifyPermissions($permission, $allow)
101.     }
102.  
103.     Write-Host "The permissions of this user/group are now changed!" -ForegroundColor Green
104.     Menu
105. }
106.  
107. function Restore-Permissions
108. {
109.     $object = Get-WmiObject -Class "Win32_TSPermissionsSetting" -Namespace "root\cimv2\terminalservices"
110.     foreach($entry in $object) { Invoke-WmiMethod -InputObject $entry -Name "RestoreDefaults" }
111.  
112.     Write-Host "All Remote Desktop permissions have been reset to default!" -ForegroundColor Green
113.     Menu
114. }
115.  
116. function Menu
117. {
118.     Show-CurrentPermissions
119.     Write-Host "Select an option; [A] Add a group, [D] Delete a group, [E] Edit permissions, [R] Restore to default: " -ForegroundColor Yellow -NoNewline; $option = Read-Host
120.  
121.     if($option -eq "A") { Add-Account }
122.     if($option -eq "D") { Delete-Account }
123.     if($option -eq "E") { Edit-Permissions }
124.     if($option -eq "R") { Restore-Permissions }
125. }
126.  
127. Menu