We are working with a customer who needs to set some values for the Remote Desktop Services (RDS) Profile (formerly Terminal Services) attributes in Active Directory. Even after working with Active Directory and programming for it for more than 10 years, I’ve never had the need to access these attributes until now. Easy enough, right? We’ll just look up the attributes in the Active Directory schema and be off and running.
Alas, it’s not that easy to set the Remote Desktop Services Profile attribute values in Active Directory. All RDS parameters are stored in a BLOB (binary large object) in the Active Directory userParameters attribute. If you want to interact with this value directly through LDAP, you must decode and encode the attribute value to access the individual BLOB members that represent the values for the RDS Profile attributes. The encoding algorithm is a bit strange, though, and poorly documented. I found a fairly clear and precise reference for the BLOB encoding algorithm (ironically, for use by a Linux admin), and you can give it a try, but there is a better option for interacting with RDS profile attribute values if you have access to the COM API.
An article by Alejandro Campos Magencio does a nice job of spelling out the technical details needed to properly implement reading and writing RDS Profile attributes in Active Directory. Microsoft added AD schema extensions in Server 2008 to support this need with the msTSProfilePath, msTSHomeDrive and msTSHomeDirectory attributes. At this point, though, these attributes aren’t being used and you still must rely upon the userParameters BLOB. The Tsuserex.dll library provides an ADSI (Active Directory Service Interfaces) extension that allows you to work with RDS profile values through the IADsTSUserEx interface. The interface implements properties including TerminalServicesHomeDirectory, TerminalServicesHomeDrive and TerminalServicesProfilePath that allow you to read and modify RDS profile values in the userParameters BLOB.
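The ADSI route described above, as an added PowerShell example (not code from the original post or from Microsoft): it reads and writes the three IADsTSUserEx properties named above through the DirectoryEntry InvokeGet and InvokeSet methods. The function names, the distinguished name and the UNC paths are hypothetical, and it assumes a Windows host where the Tsuserex.dll ADSI extension is available.

```powershell
# Added example; function names and sample values are hypothetical.
# Maps friendly parameter names to the IADsTSUserEx property names from the article.
$RdsMap = [ordered]@{
    ProfilePath   = 'TerminalServicesProfilePath'
    HomeDrive     = 'TerminalServicesHomeDrive'
    HomeDirectory = 'TerminalServicesHomeDirectory'
}

function Get-RdsProfile {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $user   = [ADSI]"LDAP://$DistinguishedName"
    $result = [ordered]@{ DistinguishedName = $DistinguishedName }
    foreach ($key in $RdsMap.Keys) {
        # InvokeGet can throw when the value is not present in the userParameters BLOB,
        # so report an unset value as $null instead of failing the whole read.
        try   { $result[$key] = $user.psbase.InvokeGet($RdsMap[$key]) }
        catch { $result[$key] = $null }
    }
    [pscustomobject]$result
}

function Set-RdsProfile {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$ProfilePath,
        [string]$HomeDrive,
        [string]$HomeDirectory
    )

    # Only touch the values the caller actually supplied.
    $pending = @($RdsMap.Keys | Where-Object { $PSBoundParameters.ContainsKey($_) })
    if ($pending.Count -eq 0) { return }

    $user = [ADSI]"LDAP://$DistinguishedName"
    if ($PSCmdlet.ShouldProcess($DistinguishedName, "Set $($pending -join ', ')")) {
        foreach ($key in $pending) {
            # The ADSI extension re-encodes the userParameters BLOB for us.
            $user.psbase.InvokeSet($RdsMap[$key], $PSBoundParameters[$key])
        }
        $user.psbase.CommitChanges()   # nothing reaches the directory until this call
    }
    Get-RdsProfile -DistinguishedName $DistinguishedName   # read back from a fresh bind
}

# Usage with placeholder values; -WhatIf previews the change without writing:
# Set-RdsProfile -DistinguishedName 'CN=Test User,OU=Staff,DC=example,DC=com' `
#     -ProfilePath '\\fileserver\rdsprofiles$\testuser' -HomeDrive 'H:' -WhatIf
```

Because the write goes through the COM extension, the account running it needs write access to the user object's userParameters attribute, and the before and after output of Get-RdsProfile gives a simple record of what changed.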
This should help you get started with an implementation. I will explore this subject more in a later post and provide some PowerShell and C# code to help illustrate how to read and write RDS profile attributes in Active Directory.
Jason – Great post. Have you posted any C# code to illustrate how to read and write the RDS profile attributes?
We haven’t published any C# code to read and write RDS Profile attributes but you’ll likely want to begin with the DirectoryEntry’s InvokeGet (http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.invokeget%28v=vs.110%29.aspx) and InvokeSet (http://msdn.microsoft.com/en-us/library/system.directoryservices.directoryentry.invokeset(v=vs.110).aspx) methods. These are low-level methods that pretty much just wrap ADSI operations but they allow you to get and set RDS attributes quite easily.
Check out the C# code samples at http://chcalder.blogspot.com/2007/09/setting-terminal-service-properties-in.html and http://microsoft.public.adsi.general.narkive.com/cZhKfubJ/configuring-terminal-services-attributes-using-net for additional guidance. Good luck!