Server 2012 R2 Remote Desktop Services brings a new feature called shadowing, which allows administrators to view sessions.
This can be done through the GUI or through the use of Command Line.
As you can see from the MSTSC Connection Usage help Window, there are three new commands that we can use for connecting to end user sessions. There are two types of Shadowing ( view & control) and the option to select “No Consent” which means you don’t need the end user’s approval/permission before connecting to their session.
Here is the command line for Shadowing:
Mstsc.exe [/shadow:sessionID [/v:Servername] [/u:[Username]] [/control] [/noConsentPrompt]]
/shadow:ID Starts shadow with the specified sessionID.
/v:servername If not specified, will use the current server as the default.
/u:username If not specified, the currently logged on user is used.
/control If not specified, will only view the session.
/noConsentPrompt Attempts to shadow without prompting the shadowee to grant permission.
RDS GUI Shadowing:
As you can see from the screenshot provided above, there are three users showing in the connections task pane. By right clicking on the user, you will be presented with the following options:
Select Shadow and you will be presented with a Shadowing options box.
As mentioned earlier, you have the option of viewing , controlling and prompting for user consent. For this example we are going view and request the users permission to shadow their screen.
Once the request has been sent, you will see the Remote Desktop Connection loading box.
The requester will see this box until the end user actions the request.
If the end user refuses the connection, you will see the above error.
When the user selects yes, you will then be able to view their screen.
As you can see from the screenshot, we are now viewing the user’s screen.
If we try and access the User’s session with out their permission, we are presented with the following error message.
This is an out of the box feature and to disable it, you will need to apply a Group policy.
The Group Policy that needs to be changed is located under Administrative Templates>Windows components>Remote Desktop Services>Remote Session Host>Connections. “Set rules for remote control of Remote Desktop Services user sessions”
This can be applied as a user or computer policy.
PowerShell RDS Shadowing:
To shadow User sessions using PowerShell, we first need to Find the session ID’s of our users.
For this I will use the following:
Get-RDUserSession | ft Username, UnifiedSessionId, SessionState, HostServer, ApplicationType -GroupBy Sessionstate -Wrap
The following Cmd organises User Active and Disconnected RDS sessions. This is also useful for reporting.
Once you have obtained the Session ID’s , you can then connect to that session.
mstsc /shadow:<ID> /Control
If you don’t want to request the user’s permission add the /noconsentprompt
For more information on shadowing please see the articles from TechNet and Freek Berson RDS MVP: