RDS 2012 R2 – User Support via Shadowing

Hello World;

Today, we go back again on our favourite topic of the momement : Remote Desktop services. Again, we will speak about shadowing capabilities available within the product. Shadowing is not a new feature and was present in previous version of Windows Operating System. However, shadowing in Windows 2012 R2 has brought some nice improvements.

Overview

What’s shadowning ?

Shadowing feature allows an administrator to basically take over a remote desktop session from another user. Shadowing basically allows you to view or remote control a rdp session of a user (already connected through a supported Rdp client).

Shadowing can be useful in different situations and basically provide a way to provide remote support to a user. For example, if you have implemented a Remote Desktop infrastructure (based on windows 2012 R2), you have basically all the necessary tools to provide support to the user by either monitoring his actions or by taking control of the session and providing the necessary actions to fix the problem.

In the past, the recommendation for shadowing was to use it only against full remote desktop sessions. With Windows 2012 R2, you can also shadow remoteapp sessions (you will be hooked up to the running apps and not the full desktop…).

Another scenario where shadowing can be useful is when a delegated administrators is encountering some issues and you need to take actions in the same user session (for example during an installation process). Using shadowing, you could take control of the current session where the installation process is ongoing and you can perform the necessary actions…

You can see that shadowing can become really handy in certain situations…..

Shadowing in 2008 R2, 2012 and 2012 R2

In Windows 2008 R2, you could launch the Remote Desktop Service Manager Console (tsadmin.exe) and you could select a user session and decide to remote control this specific session (see screenshot below)

Click on Picture for better resolution

In Windows 2012 and Windows 2012 R2, we do not have this console anymore. Moreover, in Windows 2012, the shadowing feature was not available. Windows 2012 R2 re-introduced the shadowing feature.

Now the interesting thing is that in Windows 2008 R2, if you had installed or not installed the RDS infrastructure, you could use the Remote Desktop Service Manager to shadow user sessions. In Windows 2012 R2, you need to install the RDMS console in order to use the GUI to shadow sessions.

Click on Picture for better resolution

This means that if you have servers configured in administration mode (only 2 RDP sessions allowed) you cannot use the RDMS console. Luckily there is an alternative for such situation. You can start the shadowing process via the command line.

When you start the mstsc.exe you can provide additional switches that allows you to shadow a remote desktop session. You would use the switch /shadow:<sessionID> (to view session only) and /control (to take control of the rdp session)

Click on Picture for better resolution

How to use shadowing… 

Shadowing when RDS infrastructure has been deployed

If you have windows 2012 R2 deployed in your infrastructure and you have deployed a Remote Desktop Services infrastructure as well, you will be able to support remotely your users when they are using the published remoteapps or the remote desktop sessions made available to them.

To shadow into a session, it’s quite easy. Perform the following actions

Open Server Manager > go to Remote Desktop Services Nodes > Click on the Collections of interest > in the right side, under connections pane, right-click the session you would need to shadow into it and select the option shadow

Click on Picture for better resolution

You will then be prompted with which type of shadowing session you want start : View or control. Notice als the checkbox in this dialog box where you could choose to get the consent of the user connected before shadowing into his session.

Click on Picture for better resolution

If you have selected the view option, the user will get the following prompt on its screen. The user would need to press yes to grant you the right to monitor his session

Click on Picture for better resolution

If you have selected the control option, the user will get the following prompt on its screen. The user would need to press yes to grant you the right to control his session

Click on Picture for better resolution

Note :

If you decide to uncheck the box prompt for the user consent, you will get the following error message

Click on Picture for better resolution

By default, the group policy will allow shadowing actions but always with the consent of the users. You can modify the GPO in order to change that behavior. To create a shadowing gpo, you can open the gmpc console or the gpedit.msc console and go to

Computer settings >Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Host Session > Connections

In the right pane, select the option set rules for remote Control of the Remote Desktop services user sessions.

Click on Picture for better resolution

You can choose between multiple options : from no remote control allowed to full control without user’s consent.

Click on Picture for better resolution

We usually leave this feature default. The shadowing is a feature to provide support so we are expecting that the user would be in front of the computer and will consent the access.

Once connected, you can see the session of the user. If the user was using a remoteapp published applications, during your shadow session you should see only the running applications available to the user (see screenshot below)

Click on Picture for better resolution

Shadowing session on servers configured in administration mode

In the previous section, we have seen how shadowing could be used by helpdesk personnel in order to provide support to users when they encountered difficulties. This is a great feature because with no additional software or infrastructure you can provide remote support to your user community.

Now, we have encountered (not quite often) situations where we needed to provide support to delegated administrators during installation activities. In this specific situation, it was not possible to kill the installation and perform the remote desktop to re-initiate the installation process.

So, we tought that we could shadow into the session. As explained earlier, if you have configured your system in remote desktop administration mode, you do not really have a gui console such as the Remote Desktop service manager in Windows 2008 R2 where you could take over session (shadowing) to users even the server was not configured as a RDS Server role.

Luckily, Microsoft has introduced some new switches in the mstsc.exe tool. We can technically shadow to a remote session using the command line. With the command line tool, you can basically perform the same actions as the GUI (View or control).

So, to shadow into the remote session, you would issue the following command :

mstsc /v:servername /shadow:<sessionID> for monitoring purpose only or,

mstsc /v:servername /shadow:<sessionID> /control

Easy but wait….how to I know the value of sessionID ?

To find out the sessionID, you can use another command line tool called qwinsta. Using this command, you can query the remote server and find out the sessionID if the user needing help.

So, to summarize, first you need to find the sessionID. To do that, you issue the following command

qwinsta /server:<%servername%>

look for the user you need to help and the sessionid associated to it

Click on Picture for better resolution

then you type in the command prompt the following

mstsc /v:<%servername%> /shadow:<%sessionID%>

Click on Picture for better resolution

and you should be able to shadow the session of the admin in trouble

Note that the same principle applies here.  User need to grant you access to the session….

Click on Picture for better resolution

Note :

We didn’t use powershell to retrieve sessionId.  Again, in order to use the get-rdusersession information, you should have deployed a remote desktop Services infrastructure (with a connection broker). In admin mode, we do not have that so we cannot use powershell and used the command line qwinsta.exe…

Final Notes

In this post, we have quickly discussed the shadow feature that has been re-introduced in Windows 2012 R2. This feature can be really useful to provide support to the user community and provide them all the necessary help that might need when using your remoteapp infrastructure.

We have also seen how using some easy to remember command line tools, the shadow feature could be useful among system administrators when they need help in certain situation. All in all, this feature being part of Remote Desktop services provide a cost effective way to help users community and overcome all possible issues they might have….

Hope you enjoy this post

Till next time

See ya

Leave a Reply