Shadowing RDS 2012 Sessions


Server 2012 R2 Remote Desktop Services brings a new feature called shadowing, which allows administrators to view sessions.

This can be done through the GUI or through the use of Command Line.

Capture

As you can see from the MSTSC Connection Usage help Window, there are three new commands that we can use for connecting to end user sessions. There are two types of Shadowing ( view & control) and the option to select “No Consent” which means you don’t need the end user’s approval/permission before connecting to their session.

Here is the command line for Shadowing:

Mstsc.exe [/shadow:sessionID [/v:Servername] [/u:[Username]] [/control] [/noConsentPrompt]]

/shadow:ID Starts shadow with the specified sessionID.

/v:servername If not specified, will use the current server as the default.

/u:username If not specified, the currently logged on user is used.

/control If not specified, will only view the session.

/noConsentPrompt Attempts to shadow without prompting the shadowee to grant permission.

RDS GUI Shadowing:

SessionCollection_shadowin

As you can see from the screenshot provided above, there are three users showing in the connections task pane. By right clicking on the user, you will be presented with the following options:

Shadowing Option

Select Shadow and you will be presented with a Shadowing options box.

Shadowing Option2

As mentioned earlier, you have the option of viewing , controlling and prompting for user consent. For this example we are going view and request the users permission to shadow their screen.

Shadowing 1

Once the request has been sent, you will see the Remote Desktop Connection loading box.

Shadowingrequest

The requester will see this box until the end user actions the request.

UserdenShadow

If the end user refuses the connection, you will see the above error.

When the user selects yes, you will then be able to view their screen.

Shadowing 2

As you can see from the screenshot, we are now viewing the user’s screen.

If we try and access the User’s session with out their permission, we are presented with the following error message.

Shadowing GP Setting required

This is an out of the box feature and to disable it,  you will need to apply a Group policy.

Shadowing GP Setting required 1-4

The Group Policy that needs to be changed is located under  Administrative Templates>Windows components>Remote Desktop Services>Remote Session Host>Connections. “Set rules for remote control of Remote Desktop Services user sessions”

Shadowing GP Setting required computer policy

This can be applied as a user or computer policy.

PowerShell RDS Shadowing:

To shadow User sessions using PowerShell, we first need to Find the session ID’s of our users.

For this I will use the following:

Get-RDUserSession | ft Username, UnifiedSessionId, SessionState, HostServer, ApplicationType -GroupBy Sessionstate -Wrap

The following Cmd organises User Active and Disconnected RDS sessions. This is also useful for reporting.

PowerShellRDS1

Once you have obtained the Session ID’s , you can then connect to that session.

PowerShellRDS2

mstsc /shadow:<ID> /Control

If you don’t want to request the user’s permission add the /noconsentprompt

PowerShellRDS4

For more information on shadowing please see the articles from TechNet and Freek Berson RDS MVP:
http://blogs.technet.com/b/askperf/archive/2013/10/22/windows-8-1-windows-server-2012-r2-rds-shadowing-is-back.aspx

http://microsoftplatform.blogspot.co.uk/2013/06/what-new-in-windows-server-2012-r2.html

2 thoughts on “Shadowing RDS 2012 Sessions

  1. Whenever I setup the shadowing via Group policy the shadowing feature is reset after each use. For instance when an administrator logs on and connects with another user using the shadowing feature it works. As soon as the shadowing session ends the shadowing feature is no longer available for use unless the server is restarted. How can I keep the shadowing feature turned on? What is making it disconnect after each session?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s