RDP failure triage script

A read-only RDP triage script pattern for DNS, TCP 3389, listener state, firewall evidence, sessions, and event logs.

Good For

  • RDP outage triage
  • VPN path checks
  • Windows Server remote access
  • firewall evidence
  • helpdesk escalation

How to Use It

  1. Start from the same network path as the affected user so VPN, VLAN, and firewall differences are visible.
  2. Resolve the hostname and record the address that the client is actually trying to reach.
  3. Test TCP 3389 before changing firewall policy or Remote Desktop settings.
  4. Collect TermService state, listener/session output, Remote Desktop firewall rule state, and recent Terminal Services events.
  5. If TCP fails but the service is healthy, compare network path, VPN split tunnel, NSG/firewall policy, and host profile scope.
  6. Export the evidence to CSV or ticket notes before escalating to server, network, or identity owners.

Execution Modes

  • local
  • remote-single-host
  • remote-host-list
  • ad-filtered

Inputs and Outputs

Inputs

  • computer name
  • CSV or TXT server list
  • Active Directory computer scope
  • affected client network path

Outputs

  • verbose-console
  • csv
  • operator-notes

Command Starter

Safe to run: read-only

Resolve-DnsName server01.contoso.com
Test-NetConnection server01.contoso.com -Port 3389 -InformationLevel Detailed
Invoke-Command -ComputerName server01 -ScriptBlock { Get-Service TermService; qwinsta; Get-NetFirewallRule -DisplayGroup "Remote Desktop" | Select-Object DisplayName, Enabled, Profile, Direction, Action }
Invoke-Command -ComputerName server01 -ScriptBlock { Get-WinEvent -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' -MaxEvents 50 | Select-Object TimeCreated, Id, LevelDisplayName, Message }

Validation

  • The target name resolves to the expected address from the affected client path.
  • TCP 3389 reachability, service state, firewall rule state, and recent session events are all captured.
  • The escalation note separates client path failure, server listener failure, policy failure, and identity/session failure.

Reporting

  • export per-server RDP reachability and listener evidence to CSV
  • attach Terminal Services event snippets to the incident ticket
  • group failures by DNS, TCP path, service/listener, firewall profile, or session policy
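
The steps and reporting groups above as one read-only pass over a host list. This is an added example, not part of the original page. The names Get-RdpTriage, servers.txt and rdp-triage.csv are assumptions, Get-NetTCPConnection stands in for the qwinsta listener check, and session or identity failures are left to the event-log review.

```powershell
# Added example (not from the original page): read-only RDP triage, one row per server.
# Assumed names: Get-RdpTriage, servers.txt, rdp-triage.csv. WinRM access is assumed.
function Get-RdpTriage {
    param([Parameter(Mandatory)][string[]]$ComputerName, [int]$Port = 3389)
    foreach ($name in $ComputerName) {
        $row = [ordered]@{
            Computer = $name; ResolvedAddress = $null; TcpReachable = $false
            TermService = $null; Listening = $null; EnabledAllowRules = $null
            FailureGroup = 'None'; Detail = $null
        }
        try {
            # Step 2: record the address this client path actually resolves.
            $row.ResolvedAddress = (Resolve-DnsName -Name $name -ErrorAction Stop |
                Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
        } catch {
            $row.FailureGroup = 'DNS'; $row.Detail = $_.Exception.Message
            [pscustomobject]$row; continue
        }
        # Step 3: TCP test from this path, before any policy change is considered.
        $tcp = Test-NetConnection -ComputerName $name -Port $Port -WarningAction SilentlyContinue
        $row.TcpReachable = $tcp.TcpTestSucceeded
        try {
            # Step 4: host-side evidence over WinRM; every call is a Get-* query.
            $h = Invoke-Command -ComputerName $name -ErrorAction Stop -ScriptBlock {
                [pscustomobject]@{
                    Service   = (Get-Service TermService).Status.ToString()
                    Listening = [bool](Get-NetTCPConnection -LocalPort $using:Port -State Listen -ErrorAction SilentlyContinue)
                    AllowRules = @(Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Where-Object {
                        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }).Count
                }
            }
            $row.TermService = $h.Service; $row.Listening = $h.Listening
            $row.EnabledAllowRules = $h.AllowRules
        } catch { $row.Detail = "Host evidence unavailable: $($_.Exception.Message)" }
        # Step 5: classify so the ticket reaches the right owner.
        if ($row.TermService) {
            if ($row.TermService -ne 'Running' -or -not $row.Listening) { $row.FailureGroup = 'ServiceListener' }
            elseif ($row.EnabledAllowRules -eq 0) { $row.FailureGroup = 'FirewallRule' }
            elseif (-not $row.TcpReachable) { $row.FailureGroup = 'TcpPath' }
        } elseif (-not $row.TcpReachable) { $row.FailureGroup = 'TcpPath' }
        [pscustomobject]$row
    }
}
# Step 6: export per-server evidence for the ticket.
Get-RdpTriage -ComputerName (Get-Content .\servers.txt) |
    Export-Csv .\rdp-triage.csv -NoTypeInformation
```

A row with FailureGroup 'None' and TcpReachable True points at session or identity causes, which the Terminal Services events cover.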

Safety Notes

  • This triage pass is read-only and should not enable RDP, change firewall rules, or alter user rights.
  • Do not open TCP 3389 broadly without approval, scope review, and rollback planning.