用于新 Windows VPS 的脚本:禁止 Administrator 远程登录,新增一个可远程访问的独立用户,并开启远程访问。
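# -------------------------------
# 创建管理员用户 + 配置远程桌面
# -------------------------------
# 用途:在新的 Windows VPS 上创建一个独立的远程管理账户,启用远程桌面(强制 NLA)
# 并改用自定义端口、放行防火墙,同时禁止内置 Administrator(RID 500)通过远程桌面登录。
# 需要在管理员权限的 PowerShell 中运行;脚本可重复执行(已存在的用户/组成员会被跳过)。
$ErrorActionPreference = 'Stop'

# 把用户加入本地组;已经是成员时跳过,其他错误照常抛出。
# 通过组的 SID 定位,避免非英文系统上组名本地化导致 "Administrators" 找不到。
function Add-GroupMemberIfMissing {
    param(
        [Parameter(Mandatory)] [string] $GroupSid,
        [Parameter(Mandatory)] [string] $Member
    )
    $group = Get-LocalGroup -SID $GroupSid
    try {
        Add-LocalGroupMember -Group $group -Member $Member -ErrorAction Stop
    } catch {
        # 错误 ID 以 MemberExists 开头表示已是成员,属于正常情况
        if ($_.FullyQualifiedErrorId -notlike 'MemberExists*') { throw }
    }
}

# 1️⃣ 创建新用户 darren123
$UserName = "darren123"
# 交互输入密码(更安全):
$Password = Read-Host "请输入 $UserName 的密码" -AsSecureString
# 检查用户是否已存在
if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    Write-Host "用户 $UserName 已存在,跳过创建。" -ForegroundColor Yellow
} else {
    New-LocalUser -Name $UserName -Password $Password -FullName "Darren Admin" -Description "Remote Admin User" -PasswordNeverExpires:$true | Out-Null
    Write-Host "已创建用户 $UserName。" -ForegroundColor Green
}

# 2️⃣ 添加到 Administrators 组(S-1-5-32-544)
# 原脚本用 -ErrorAction SilentlyContinue 会把添加失败也吞掉,这里只容忍"已是成员"。
Add-GroupMemberIfMissing -GroupSid 'S-1-5-32-544' -Member $UserName
Write-Host "已将 $UserName 添加到 Administrators 组。" -ForegroundColor Green

# 3️⃣ 启用远程桌面,并强制网络级身份验证(NLA):先认证再建会话
$tsPath  = 'HKLM:\System\CurrentControlSet\Control\Terminal Server'
$rdpPath = "$tsPath\WinStations\RDP-Tcp"
Set-ItemProperty -Path $tsPath -Name "fDenyTSConnections" -Value 0
Set-ItemProperty -Path $rdpPath -Name "UserAuthentication" -Value 1
Write-Host "已启用远程桌面(NLA 已开启)。" -ForegroundColor Green

# 4️⃣ 修改远程桌面端口(默认为 3389)
# 注意:TCP 端口范围是 1-65535,原脚本里的 554567 超出范围,监听器无法绑定;
# 这里改用 13145(与英文版一致),并在写入注册表前校验范围。
$NewPort = 13145
if ($NewPort -lt 1 -or $NewPort -gt 65535) {
    throw "RDP 端口 $NewPort 不在 1-65535 范围内。"
}
Set-ItemProperty -Path $rdpPath -Name "PortNumber" -Value $NewPort -Type DWord
Write-Host "远程桌面端口已修改为 $NewPort。" -ForegroundColor Green

# 5️⃣ 允许防火墙通过新的 RDP 端口
# 删除旧规则(如果存在),包括上次运行本脚本创建的规则
Get-NetFirewallRule -DisplayName "Remote Desktop*" -ErrorAction SilentlyContinue | Remove-NetFirewallRule -ErrorAction SilentlyContinue
# 新建防火墙规则
New-NetFirewallRule -DisplayName "Remote Desktop - TCP $NewPort" -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null
Write-Host "已添加防火墙规则允许端口 $NewPort。" -ForegroundColor Green

# 6️⃣ 禁止 Administrator 远程登录
# 设置安全策略:拒绝通过 RDP 登录(SeDenyRemoteInteractiveLogonRight)
# 按 RID 500 查找内置 Administrator,即使账户被重命名也能找到。
# 原脚本写死了 *S-1-5-21-0-0-0-500,这不是本机的真实 SID,策略实际不会生效。
$adminAccount = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Select-Object -First 1
if (-not $adminAccount) { throw "未找到内置 Administrator 账户 (RID 500)。" }
$adminSID = $adminAccount.SID.Value

# 临时文件放在随机目录里,secedit 的数据库也不再写到当前目录
$secDir = Join-Path $env:TEMP ("secpol-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $secDir | Out-Null
$cfg = Join-Path $secDir 'secpol.cfg'
$db  = Join-Path $secDir 'secedit.sdb'
try {
    secedit /export /cfg $cfg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export 失败 (exit $LASTEXITCODE)。" }

    $lines = [System.Collections.Generic.List[string]]@(Get-Content $cfg)
    $key = 'SeDenyRemoteInteractiveLogonRight'
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^\s*$key\s*=") { $idx = $i; break }
    }
    if ($idx -ge 0) {
        # 保留已有的拒绝条目,只在缺少时追加本机 Administrator 的 SID
        if ($lines[$idx] -notlike "*$adminSID*") {
            $lines[$idx] = $lines[$idx].TrimEnd() + ",*$adminSID"
        }
    } else {
        # 未分配过该权限时导出文件里没有这一行,需要在 [Privilege Rights] 段内新增
        $hdr = $lines.IndexOf('[Privilege Rights]')
        if ($hdr -lt 0) { throw "secpol.cfg 中缺少 [Privilege Rights] 段。" }
        $lines.Insert($hdr + 1, "$key = *$adminSID")
    }
    # secedit 要求 UTF-16LE;PowerShell 7 的 Out-File 默认是 UTF-8,所以显式指定编码
    Set-Content -Path $cfg -Value $lines.ToArray() -Encoding Unicode

    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure 失败 (exit $LASTEXITCODE)。" }
} finally {
    Remove-Item -Recurse -Force $secDir -ErrorAction SilentlyContinue
}
Write-Host "已禁止 Administrator 远程登录。" -ForegroundColor Green

# 7️⃣ 允许 darren123 远程登录
# 添加到 Remote Desktop Users 组(S-1-5-32-555)
Add-GroupMemberIfMissing -GroupSid 'S-1-5-32-555' -Member $UserName
Write-Host "已允许 $UserName 进行远程桌面登录。" -ForegroundColor Green

# 8️⃣ 重启 RDP 服务使端口生效
Restart-Service -Name TermService -Force
Write-Host "已重启远程桌面服务。配置完成!" -ForegroundColor Cyan
Write-Host "`n请使用账户 $UserName 通过端口 $NewPort 进行远程桌面连接。" -ForegroundColor Yellow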
英文版,以防在英文系统上使用。
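# =============================
# Create Admin User & Enable RDP (port 13145)
# =============================
# Purpose: create a dedicated admin account for RDP on a fresh Windows VPS,
# enable Remote Desktop with NLA on a custom port, open that port in the
# firewall, and deny the built-in Administrator (RID 500) the right to log on
# through Remote Desktop Services. Run from an elevated PowerShell session.
# The script is safe to re-run: existing user, group memberships and firewall
# rule are skipped rather than recreated.
$ErrorActionPreference = 'Stop'

$UserName = "darren123"
# TCP ports are 16-bit; validate before touching the registry.
$NewPort = 13145
if ($NewPort -lt 1 -or $NewPort -gt 65535) {
    throw "RDP port $NewPort is outside the valid range 1-65535."
}

# Add a user to a local group, tolerating only the "already a member" error.
# Groups are looked up by well-known SID so localized group names do not break it.
function Add-GroupMemberIfMissing {
    param(
        [Parameter(Mandatory)] [string] $GroupSid,
        [Parameter(Mandatory)] [string] $Member
    )
    $group = Get-LocalGroup -SID $GroupSid
    try {
        Add-LocalGroupMember -Group $group -Member $Member -ErrorAction Stop
    } catch {
        if ($_.FullyQualifiedErrorId -notlike 'MemberExists*') { throw }
    }
}

# 1️⃣ Prompt for password (安全起见建议输入)
$Password = Read-Host "Enter password for user $UserName" -AsSecureString

# 2️⃣ Create user (skip if it already exists so re-runs do not error out)
if (Get-LocalUser -Name $UserName -ErrorAction SilentlyContinue) {
    Write-Host "User $UserName already exists, skipping creation."
} else {
    Write-Host "Creating user $UserName..."
    New-LocalUser -Name $UserName -Password $Password -FullName "Administrator Darren" -Description "Admin account for RDP access" -AccountNeverExpires:$true | Out-Null
}

# 3️⃣ Add to Administrators group (S-1-5-32-544)
Write-Host "Adding user to Administrators group..."
Add-GroupMemberIfMissing -GroupSid 'S-1-5-32-544' -Member $UserName

# 4️⃣ Enable Remote Desktop
Write-Host "Enabling Remote Desktop..."
$tsPath  = "HKLM:\System\CurrentControlSet\Control\Terminal Server"
$rdpPath = "$tsPath\WinStations\RDP-Tcp"
Set-ItemProperty -Path $tsPath -Name "fDenyTSConnections" -Value 0

# 5️⃣ Enable Network Level Authentication (authenticate before a session is created)
Set-ItemProperty -Path $rdpPath -Name "UserAuthentication" -Value 1

# 6️⃣ Change RDP port
Write-Host "Setting RDP port to $NewPort..."
Set-ItemProperty -Path $rdpPath -Name "PortNumber" -Value $NewPort -Type DWord

# 7️⃣ Configure Windows Firewall for the new port
Write-Host "Configuring firewall..."
# Disable the built-in RDP rules (they only cover 3389)
Get-NetFirewallRule -DisplayGroup "Remote Desktop" -ErrorAction SilentlyContinue | Set-NetFirewallRule -Enabled False
# Add a rule for the custom port unless it is already there
$ruleName = "Remote Desktop $NewPort"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort $NewPort -Action Allow | Out-Null
}

# 8️⃣ Deny the built-in Administrator the "log on through Remote Desktop Services" right
# The account is located by RID 500 so a renamed Administrator is still found.
Write-Host "Denying RDP logon for the built-in Administrator account..."
$adminAccount = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' } | Select-Object -First 1
if (-not $adminAccount) { throw "Built-in Administrator account (RID 500) not found." }
$adminSID = $adminAccount.SID.Value

# Work in a random temp directory; secedit's database is kept there too instead of the CWD.
$secDir = Join-Path $env:TEMP ("secpol-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $secDir | Out-Null
$cfg = Join-Path $secDir 'secpol.cfg'
$db  = Join-Path $secDir 'secedit.sdb'
try {
    secedit /export /cfg $cfg | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /export failed (exit $LASTEXITCODE)." }

    $lines = [System.Collections.Generic.List[string]]@(Get-Content $cfg)
    $key = 'SeDenyRemoteInteractiveLogonRight'
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) {
        if ($lines[$i] -match "^\s*$key\s*=") { $idx = $i; break }
    }
    if ($idx -ge 0) {
        # Keep existing deny entries; only append this machine's Administrator SID if missing
        if ($lines[$idx] -notlike "*$adminSID*") {
            $lines[$idx] = $lines[$idx].TrimEnd() + ",*$adminSID"
        }
    } else {
        # The line is absent when nobody holds the right yet; add it under [Privilege Rights]
        $hdr = $lines.IndexOf('[Privilege Rights]')
        if ($hdr -lt 0) { throw "secpol.cfg has no [Privilege Rights] section." }
        $lines.Insert($hdr + 1, "$key = *$adminSID")
    }
    # secedit expects UTF-16LE; PowerShell 7 defaults to UTF-8, so set the encoding explicitly
    Set-Content -Path $cfg -Value $lines.ToArray() -Encoding Unicode

    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "secedit /configure failed (exit $LASTEXITCODE)." }
} finally {
    Remove-Item -Recurse -Force $secDir -ErrorAction SilentlyContinue
}

# 9️⃣ Restart RDP service to apply changes
Write-Host "Restarting Remote Desktop Services..."
Restart-Service -Name TermService -Force

# 🔟 Display result
Write-Host "`n✅ User '$UserName' created and added to Administrators."
Write-Host "✅ Remote Desktop enabled on port $NewPort (NLA on, built-in Administrator denied RDP)."
Write-Host "⚠️ You can now connect via: mstsc /v:<ServerIP>:$NewPort"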