RDP desktop and customization
Enabling and configuring native RDP, customizing the Windows desktop, and creating the VDI users.
The rdp role
This role configures:
- Native RDP (Remote Desktop Protocol) access
- Desktop customization (wallpaper, taskbar, icons)
- Creation of local users and their profiles
Default variables
Create roles/rdp/defaults/main.yml:
rdp_enabled: true
rdp_port: 3389
rdp_nla_enabled: true          # Network Level Authentication required before the logon screen
rdp_max_connections: 10
rdp_wallpaper: ""              # empty string = leave the default wallpaper
# Placeholder accounts: override rdp_users from an encrypted vars file rather than
# editing these plaintext passwords in place.
rdp_users:
  - name: "vdi-user"
    password: "Ch@ngeme123!"
    groups:
      - "Remote Desktop Users"
      - "Users"
  - name: "vdi-admin"
    password: "Adm!n2026"
    groups:
      - "Remote Desktop Users"
      - "Administrators"
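As an added example (not part of the original role), here is a playbook that applies the role with the user passwords read from an Ansible Vault file instead of the plaintext defaults above; the `vdi` inventory group, the vault file path and the `vault_*` variable names are assumptions.

```yaml
# site.yml: apply the rdp role to the VDI hosts.
---
- name: Configure VDI desktops
  hosts: vdi                  # inventory group assumed for this example
  gather_facts: true          # validate.yml relies on the ansible_hostname fact
  vars_files:
    # Encrypt once with: ansible-vault encrypt group_vars/vdi/vault.yml
    - group_vars/vdi/vault.yml
  vars:
    rdp_nla_enabled: true
    rdp_max_connections: 5
    # Same structure as roles/rdp/defaults/main.yml, passwords taken from the vault.
    rdp_users:
      - name: "vdi-user"
        password: "{{ vault_vdi_user_password }}"
        groups: ["Remote Desktop Users", "Users"]
      - name: "vdi-admin"
        password: "{{ vault_vdi_admin_password }}"
        groups: ["Remote Desktop Users", "Administrators"]
  roles:
    - rdp

# group_vars/vdi/vault.yml, shown decrypted for illustration only:
# vault_vdi_user_password: "<generated-password>"
# vault_vdi_admin_password: "<generated-password>"
```

Run it with `ansible-playbook site.yml --ask-vault-pass`; adding `--tags validate` runs only the assertions from validate.yml.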
Main tasks
Create roles/rdp/tasks/main.yml:
---
- name: Activer Remote Desktop
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server
    name: fDenyTSConnections
    data: "{{ 0 if rdp_enabled else 1 }}"   # 0 = connections allowed
    type: dword

- name: Configurer NLA (Network Level Authentication)
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    name: UserAuthentication
    data: "{{ 1 if rdp_nla_enabled else 0 }}"
    type: dword

- name: Configurer le port RDP
  ansible.windows.win_regedit:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    name: PortNumber
    data: "{{ rdp_port }}"
    type: dword
  when: rdp_port != 3389
  # The listener only picks up a new port after the TermService service restarts.

- name: Ouvrir le firewall pour RDP
  community.windows.win_firewall_rule:
    name: "Remote Desktop (TCP-In)"
    localport: "{{ rdp_port }}"
    protocol: tcp
    direction: in
    action: allow
    enabled: true

- name: Limiter le nombre de connexions RDP
  ansible.windows.win_regedit:
    # MaxInstanceCount is a per-listener value, so it lives under the RDP-Tcp key
    path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    name: MaxInstanceCount
    data: "{{ rdp_max_connections }}"
    type: dword

- name: Creer les utilisateurs VDI
  ansible.windows.win_user:
    name: "{{ item.name }}"
    password: "{{ item.password }}"
    update_password: on_create   # set the password only when the account is created
    state: present
    password_never_expires: true
  loop: "{{ rdp_users }}"
  no_log: true                   # keep the passwords out of the play output

- name: Ajouter les utilisateurs aux groupes
  ansible.windows.win_group_membership:
    name: "{{ item.1 }}"
    members:
      - "{{ item.0.name }}"
    state: present
  loop: "{{ rdp_users | subelements('groups') }}"

- name: Personnalisation du bureau
  ansible.builtin.include_tasks: customize.yml

- name: Validation du role
  ansible.builtin.include_tasks:
    file: validate.yml
    apply:
      tags: [validate]   # included tasks do not inherit the include's tags by themselves
  tags: [validate]
Desktop customization
Create roles/rdp/tasks/customize.yml:
---
- name: Masquer les icones inutiles du bureau
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideDesktopIcons\NewStartPanel
    name: "{{ item.clsid }}"
    data: 1
    type: dword
  loop:
    - { clsid: "{645FF040-5081-101B-9F08-00AA002F954E}", desc: "Corbeille" }   # Recycle Bin
  loop_control:
    label: "{{ item.desc }}"

- name: Configurer la taskbar — masquer le champ de recherche
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\Explorer
    name: DisableSearchBoxSuggestions   # stops web suggestions in the taskbar search box
    data: 1
    type: dword

- name: Desactiver les notifications au premier login
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows\OOBE
    name: DisablePrivacyExperience
    data: 1
    type: dword

- name: Configurer le fond d'ecran personnalise
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\PersonalizationCSP
    name: "{{ item.name }}"
    data: "{{ item.data }}"
    type: "{{ item.type }}"
  loop:
    - { name: "DesktopImagePath", data: "{{ rdp_wallpaper }}", type: "string" }
    - { name: "DesktopImageStatus", data: 1, type: "dword" }
  when: rdp_wallpaper | length > 0

- name: Optimiser RDP pour les performances
  ansible.windows.win_regedit:
    path: HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services
    name: "{{ item.name }}"
    data: "{{ item.data }}"
    type: dword
  loop:
    - { name: "AVCHardwareEncodePreferred", data: 1 }
    - { name: "bEnumerateHWBeforeSW", data: 1 }
    - { name: "AVC444ModePreferred", data: 1 }
RDP optimizations
The AVC444ModePreferred and AVCHardwareEncodePreferred registry keys enable the H.264/AVC 4:4:4 codec for better image quality. This is useful for high-resolution and multi-monitor setups.
Assertions
Create roles/rdp/tasks/validate.yml:
---
# --- Level 1: technical ---
- name: "Assert : RDP active"
  ansible.windows.win_reg_stat:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server
    name: fDenyTSConnections
  register: rdp_status
  # a missing value means RDP was never enabled, so treat it as 1 (denied)
  failed_when: (rdp_status.value | default(1)) != 0

- name: "Assert : Le service TermService est actif"
  ansible.windows.win_service:
    name: TermService
  register: term_status
  failed_when: not term_status.exists or term_status.state != "running"

# --- Level 2: use cases ---
- name: "Assert : RDP ecoute sur le port configure"
  ansible.windows.win_wait_for:
    port: "{{ rdp_port }}"
    timeout: 10

- name: "Assert : Les utilisateurs VDI existent"
  ansible.windows.win_user:
    name: "{{ item.name }}"
    state: present
  loop: "{{ rdp_users }}"
  check_mode: true
  register: user_check
  failed_when: user_check.changed   # a pending change means the account was missing

- name: "Assert : Les utilisateurs sont dans Remote Desktop Users"
  ansible.windows.win_shell: |
    (Get-LocalGroupMember -Group "Remote Desktop Users").Name -contains "{{ ansible_hostname }}\{{ item.name }}"
  loop: "{{ rdp_users }}"
  register: group_check
  changed_when: false
  failed_when: "'True' not in group_check.stdout"
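Added example, not part of the page's validate.yml: additional assertions for the settings main.yml writes but the checks above do not verify (NLA, the listener port and the firewall rule). The firewall rule display name is the one main.yml creates; everything else is derived from the role's own variables.

```yaml
# Extra level-1 assertions, appended to roles/rdp/tasks/validate.yml
- name: "Assert : NLA matches rdp_nla_enabled"
  ansible.windows.win_reg_stat:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    name: UserAuthentication
  register: nla_status
  # a missing value means NLA was never turned on, so treat it as 0
  failed_when: (nla_status.value | default(0)) != (1 if rdp_nla_enabled else 0)

- name: "Assert : the RDP listener port matches rdp_port"
  ansible.windows.win_reg_stat:
    path: HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    name: PortNumber
  register: port_status
  # Windows defaults to 3389 when the value is absent
  failed_when: (port_status.value | default(3389)) != rdp_port

- name: "Assert : the firewall rule is enabled and allows only rdp_port"
  ansible.windows.win_shell: |
    # -ErrorAction Stop makes a missing rule fail the task with a non-zero rc
    $rule = Get-NetFirewallRule -DisplayName "Remote Desktop (TCP-In)" -ErrorAction Stop
    $port = ($rule | Get-NetFirewallPortFilter).LocalPort
    if ($rule.Enabled -ne 'True' -or $rule.Action -ne 'Allow' -or "$port" -ne '{{ rdp_port }}') {
      Write-Output "rule state: Enabled=$($rule.Enabled) Action=$($rule.Action) LocalPort=$port"
      exit 1
    }
  changed_when: false
```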