Hello World;
Today, we go back again on our favourite topic of the momement : Remote Desktop services. Again, we will speak about shadowing capabilities available within the product. Shadowing is not a new feature and was present in previous version of Windows Operating System. However, shadowing in Windows 2012 R2 has brought some nice improvements.
Overview
What’s shadowning ?
Shadowing feature allows an administrator to basically take over a remote desktop session from another user. Shadowing basically allows you to view or remote control a rdp session of a user (already connected through a supported Rdp client).
Shadowing can be useful in different situations and basically provide a way to provide remote support to a user. For example, if you have implemented a Remote Desktop infrastructure (based on windows 2012 R2), you have basically all the necessary tools to provide support to the user by either monitoring his actions or by taking control of the session and providing the necessary actions to fix the problem.
In the past, the recommendation for shadowing was to use it only against full remote desktop sessions. With Windows 2012 R2, you can also shadow remoteapp sessions (you will be hooked up to the running apps and not the full desktop…).
Another scenario where shadowing can be useful is when a delegated administrators is encountering some issues and you need to take actions in the same user session (for example during an installation process). Using shadowing, you could take control of the current session where the installation process is ongoing and you can perform the necessary actions…
You can see that shadowing can become really handy in certain situations…..
Shadowing in 2008 R2, 2012 and 2012 R2
In Windows 2008 R2, you could launch the Remote Desktop Service Manager Console (tsadmin.exe) and you could select a user session and decide to remote control this specific session (see screenshot below)
Click on Picture for better resolution
In Windows 2012 and Windows 2012 R2, we do not have this console anymore. Moreover, in Windows 2012, the shadowing feature was not available. Windows 2012 R2 re-introduced the shadowing feature.
Now the interesting thing is that in Windows 2008 R2, if you had installed or not installed the RDS infrastructure, you could use the Remote Desktop Service Manager to shadow user sessions. In Windows 2012 R2, you need to install the RDMS console in order to use the GUI to shadow sessions.
Click on Picture for better resolution
This means that if you have servers configured in administration mode (only 2 RDP sessions allowed) you cannot use the RDMS console. Luckily there is an alternative for such situation. You can start the shadowing process via the command line.
When you start the mstsc.exe you can provide additional switches that allows you to shadow a remote desktop session. You would use the switch /shadow:<sessionID> (to view session only) and /control (to take control of the rdp session)
Click on Picture for better resolution
How to use shadowing…
Shadowing when RDS infrastructure has been deployed
If you have windows 2012 R2 deployed in your infrastructure and you have deployed a Remote Desktop Services infrastructure as well, you will be able to support remotely your users when they are using the published remoteapps or the remote desktop sessions made available to them.
To shadow into a session, it’s quite easy. Perform the following actions
Open Server Manager > go to Remote Desktop Services Nodes > Click on the Collections of interest > in the right side, under connections pane, right-click the session you would need to shadow into it and select the option shadow
Click on Picture for better resolution
You will then be prompted with which type of shadowing session you want start : View or control. Notice als the checkbox in this dialog box where you could choose to get the consent of the user connected before shadowing into his session.
Click on Picture for better resolution
If you have selected the view option, the user will get the following prompt on its screen. The user would need to press yes to grant you the right to monitor his session
Click on Picture for better resolution
If you have selected the control option, the user will get the following prompt on its screen. The user would need to press yes to grant you the right to control his session
Click on Picture for better resolution
Note :
If you decide to uncheck the box prompt for the user consent, you will get the following error message
Click on Picture for better resolution
By default, the group policy will allow shadowing actions but always with the consent of the users. You can modify the GPO in order to change that behavior. To create a shadowing gpo, you can open the gmpc console or the gpedit.msc console and go to
Computer settings >Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Host Session > Connections
In the right pane, select the option set rules for remote Control of the Remote Desktop services user sessions.
Click on Picture for better resolution
You can choose between multiple options : from no remote control allowed to full control without user’s consent.
Click on Picture for better resolution
We usually leave this feature default. The shadowing is a feature to provide support so we are expecting that the user would be in front of the computer and will consent the access.
Once connected, you can see the session of the user. If the user was using a remoteapp published applications, during your shadow session you should see only the running applications available to the user (see screenshot below)
Click on Picture for better resolution
Shadowing session on servers configured in administration mode
In the previous section, we have seen how shadowing could be used by helpdesk personnel in order to provide support to users when they encountered difficulties. This is a great feature because with no additional software or infrastructure you can provide remote support to your user community.
Now, we have encountered (not quite often) situations where we needed to provide support to delegated administrators during installation activities. In this specific situation, it was not possible to kill the installation and perform the remote desktop to re-initiate the installation process.
So, we tought that we could shadow into the session. As explained earlier, if you have configured your system in remote desktop administration mode, you do not really have a gui console such as the Remote Desktop service manager in Windows 2008 R2 where you could take over session (shadowing) to users even the server was not configured as a RDS Server role.
Luckily, Microsoft has introduced some new switches in the mstsc.exe tool. We can technically shadow to a remote session using the command line. With the command line tool, you can basically perform the same actions as the GUI (View or control).
So, to shadow into the remote session, you would issue the following command :
mstsc /v:servername /shadow:<sessionID> for monitoring purpose only or,
mstsc /v:servername /shadow:<sessionID> /control
Easy but wait….how to I know the value of sessionID ?
To find out the sessionID, you can use another command line tool called qwinsta. Using this command, you can query the remote server and find out the sessionID if the user needing help.
So, to summarize, first you need to find the sessionID. To do that, you issue the following command
qwinsta /server:<%servername%>
look for the user you need to help and the sessionid associated to it
Click on Picture for better resolution
then you type in the command prompt the following
mstsc /v:<%servername%> /shadow:<%sessionID%>
Click on Picture for better resolution
and you should be able to shadow the session of the admin in trouble
Note that the same principle applies here. User need to grant you access to the session….
Click on Picture for better resolution
Note :
We didn’t use powershell to retrieve sessionId. Again, in order to use the get-rdusersession information, you should have deployed a remote desktop Services infrastructure (with a connection broker). In admin mode, we do not have that so we cannot use powershell and used the command line qwinsta.exe…
Final Notes
In this post, we have quickly discussed the shadow feature that has been re-introduced in Windows 2012 R2. This feature can be really useful to provide support to the user community and provide them all the necessary help that might need when using your remoteapp infrastructure.
We have also seen how using some easy to remember command line tools, the shadow feature could be useful among system administrators when they need help in certain situation. All in all, this feature being part of Remote Desktop services provide a cost effective way to help users community and overcome all possible issues they might have….
Hope you enjoy this post
Till next time
See ya