"Take Aim, Even Badly" 🙂

How to shadow Remote Desktop sessions on Windows Server 2012 R2.

With Windows Server 2012 R2, Remote Desktop Services allows you to “shadow” users that are remoted into the server.
 
When shadowing, you can either view or view and control a user’s session. You can choose the option for “No Consent” allowing you to bypass user permission when connecting to their session.
 
This can be done through the command line or through the Server Manager.
 
Command Line
 
Mstsc.exe [/shadow:sessionID [/v:Servername] [/u:[Username]] [/control] [/noConsentPrompt]]
 
/shadow:ID Starts shadow with the specified sessionID.
 
/v:servername If not specified, will use the current server as the default.
 
/u:username If not specified, the currently logged on user is used.
 
/control If not specified, will only view the session.
 
/noConsentPrompt Attempts to shadow without prompting the shadowee to grant permission.
 
Below are the steps to do it through Server Manager.
 
Open the Server Manager and click on the icon for Remote Desktop Services. Here you should see your deployed remote environments. In my example, we have a remote app deployed to domain users.
 
Once you have selected your remote environment, on the right-hand side you will see CONNECTIONS, listing all of the users connected to it. Right-click one of the active users and click Shadow.
 
 
Next, it will ask how you would like to shadow the user. Choose View or Control, and whether or not to Prompt for user consent.
 


 
This is the message the user will see. It will say "Remote Monitoring Request: domainuser is requesting to view/control your session remotely. Do you accept the request?", prompting them to select Yes or No. If the user selects Yes, you will be able to view or view and control their session.
 
 
In the previous step, had I chosen not to Prompt for user consent, I likely would have received this error message stating "The Group Policy setting is configured to require the user’s consent. Verify the configuration of the policy setting." This is the default behavior.
 
 
 
If you would like to be able to view or view and control a remote session without the user's consent, you must change the following Group Policy setting and apply it to the preferred user group.
 
Create a new Group Policy or change an existing policy and go to User Configuration –> Policies –> Administrative Templates –> Windows Components –> Remote Desktop Services –> Remote Desktop Session Host –> Connections
 
The only available setting to change here is Set rules for remote control of Remote Desktop Services user sessions
 

Right-click the setting and choose Edit. A new window will open, allowing you to select Enabled and the option for how you would like to allow administrators to interact without user consent.
 
 
 
Assuming you changed the setting correctly and applied it to the correct user group, wait for a group policy refresh or force a gpupdate on the Remote Desktop server and you should now be able to do this.
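
To confirm which remote control rule actually landed after the policy refresh, you can read the value this Group Policy setting writes to the registry. The script below is an added example, not part of the original post; Get-ShadowPolicy is a hypothetical helper name, and the User row reflects the account running the script.

```powershell
# Added example: report the "Set rules for remote control of Remote Desktop
# Services user sessions" policy as applied on this machine.
# Get-ShadowPolicy is a hypothetical helper name, not a built-in cmdlet.

# Values stored by the policy's drop-down options.
$ShadowModes = @{
    0 = 'No remote control allowed'
    1 = 'Full Control with user''s permission'
    2 = 'Full Control without user''s permission'
    3 = 'View Session with user''s permission'
    4 = 'View Session without user''s permission'
}

function Get-ShadowPolicy {
    # Computer Configuration writes under HKLM, User Configuration under HKCU.
    # HKCU is the hive of the account running this script.
    $key = 'Software\Policies\Microsoft\Windows NT\Terminal Services'
    $scopes = [ordered]@{
        Computer = "HKLM:\$key"
        User     = "HKCU:\$key"
    }

    foreach ($scope in $scopes.Keys) {
        $item  = Get-ItemProperty -Path $scopes[$scope] -Name Shadow -ErrorAction SilentlyContinue
        $value = $item.Shadow
        [pscustomobject]@{
            Scope     = $scope
            Value     = $value
            Meaning   = if ($null -eq $value) { 'Not configured' } else { $ShadowModes[[int]$value] }
            NoConsent = $value -in 2, 4   # the two "without user's permission" modes
        }
    }
}

$policy = Get-ShadowPolicy
$policy | Format-Table -AutoSize

# If both scopes are configured, the Computer Configuration value takes precedence,
# so the first configured row (Computer is listed first) is the effective one.
$effective = $policy | Where-Object { $null -ne $_.Value } | Select-Object -First 1
if (-not $effective) {
    Write-Output 'Policy not configured: shadowing requires user consent (default).'
} elseif ($effective.NoConsent) {
    Write-Warning "No-consent shadowing enabled by $($effective.Scope) policy: $($effective.Meaning)"
} else {
    Write-Output "Effective rule ($($effective.Scope)): $($effective.Meaning)"
}
```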
