Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Windows Server 2016 / How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

February 22, 2021 Windows 10Windows Server 2016Windows Server 2019

How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

Shadow session mode allows RDS administrators to view and interact with the user’s desktop. Remote Desktop Shadowing mode works on all modern versions of Windows starting from Windows Server 2012 R2 and Windows 8.1 (except for Windows Server 2012, due to the transfer of the RDP stack from kernel to user mode). In this article, we’ll look at how to configure and use RDS Shadowing to connect and manage active RDP user sessions on Windows Server 2016 and Windows 10.

Contents:
  • Shadow Connection Options in the Windows RDP Client (mstsc.exe)
  • Using Remote Desktop Shadow from the Windows GUI
  • Configuring RDS Shadow Rules on Windows Using GPO
  • Shadowing RDP Session with PowerShell
  • How-to Allow Non-admin Users to Shadow RDS Sessions?

Shadow Connection Options in the Windows RDP Client (mstsc.exe)

On Windows Server 2016/Windows 10, the built-in RDP client (mstsc.exe) has several special options that can be used to remotely shadow connect to an active RDP session of any user:

Mstsc.exe [/shadow:sessionID [/v:Servername] [/control] [/noConsentPrompt] [/prompt]]

mstsc.exe - rdp shadow connection options on windows 10

  • /shadow:ID – connect to the user’s RDP session with the specified ID;
  • /v:servername – you can specify the hostname or IP address of the remote RDP/RDS host. If not set, connections are made to local user sessions on the current host;
  • /control – allows to interact with the user session (desktop). The administrator can control the user’s mouse, input data from the keyboard. If this parameter is not set, the user’s session view mode is used;
  • /noConsentPrompt – the option allows the administrator to force the connection to any session without asking the user to confirm the connection;
  • /prompt – allows to connect with other credentials. The user name and password are requested to connect to the remote computer.

Shadow sessions can be used to connect to user sessions on computers and servers in both an Active Directory domain and a workgroup. In addition, it is not necessary to have administrator privileges on the RDS host on this the user’s RDP session is running . Administrators can delegate RDS Shadowing permissions to any user account, even for non-admins (more on this below).

Using Remote Desktop Shadow from the Windows GUI

You can connect to a user session using mstsc.exe or directly from Server Manager graphical console. To do it, open the Server Manager console on the RDS server, go to the Remote Desktop Services section -> select your collection, for example QuickSessionCollection.

RDS 2012 R2 - QuickSessionCollection

The list on the right will contain a list of users who have sessions on this RDS server. Right-click on the user session you want, select Shadow from the drop-down menu.

Shadowing user session

You can only connect to an active user session. If the session is in a disconnected state (due to the RDS session limit/timeout settings), you cannot connect to such a session:

Shadow Error - The specified session is not connected.

Shadow Error - The specified session is not connected.

A window with Shadow connection parameters will appear. You can either View or Control a user’s RDP session. You can also check Prompt for user consent option.

shadow connection to user remote desktop session on windows server 2016

If this option is checked, the following request appears in the user’s RDP session:

Remote Monitoring Request
woshub\administrator is requesting to view your session remotely. Do you accept the request?

rds shadow Remote Monitoring Request in a user RDP session

If the user confirms the connection, the administrator will see his desktop in View mode, but won’t be able to interact with it.

testing shadow connection to rdp user session

Tip. To disconnect from a user session and exit the Shadow mode, press ALT+* on the workstation or Ctrl+* on the RDS server (if no alternative combinations are not set).

If a user rejects the administrative Shadow RDS connection, the following message appears:

Shadow Error: The operator or administrator has refused the request.

Shadow Error: The operator or administrator has refused the request

You cannot use the tsadmin.msc graphical snap-in from Windows Server 2008 R2 for shadow connections to RDP sessions on newer versions of Windows Server.

If you attempt to connect to a user’s session without prompting for confirmation, you receive an error message:

Shadow Error: The Group Policy setting is configured to require the user’s consent. Verify the configuration of the policy settings.

mstsc shadow noncosentpropmt - The Group Policy setting is configured to require the user’s consent

If you need to audit RDS shadow connection events for user sessions, use the following filtered events from the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational log:

  • Event ID 20508: Shadow View Permission Granted;
  • Event ID 20503: Shadow View Session Started;
  • Event ID 20504: Shadow View Session Stopped.

audit shadow session events in windows server event viewer

Configuring RDS Shadow Rules on Windows Using GPO

The settings for remote connections to RDS user sessions are configured using the Group Policy parameter Set rules for remote control of Remote Desktop Services user sessions, which is located under the User and Computer sections of the GPO:  Policies -> Administrative Templates -> Windows components -> Remote Desktop Services -> Remote Session Host -> Connections. This policy corresponds to the DWORD Shadow parameter under the registry key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services (the values of this parameter corresponding to the policy settings are specified in brackets).

This policy can be used to configure the following RD Shadow connection options:

  • No remote control allowed (corresponds to the value of the registry parameter Shadow = 0);
  • Full Control with user’s permission (1);
  • Full Control without user’s permission (2);
  • View Session with user’s permission (3);
  • View Session without user’s permission (4).
To set the parameter of this policy directly through the registry, you can use the command:

reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v Shadow /t REG_DWORD /d 4

rdp shadow GPO: Set rules for remote control of Remote Desktop Services user sessions

After changing the session shadow behavior, update the Group Policy settings on the RDP/RDS host.

You can configure rules for remote shadow connections in the AD domain from the gpmc.msc console using the policy parameter described above, or by using Group Policy Preferences, which directly modify the registry parameter (the latter option allows you to more accurately target the policy to specific computers using the Group Policy Item Level Targeting).

Shadowing RDP Session with PowerShell

You can also use the Remote Desktop Services Shadow features to connect to a user’s session from PowerShell. First of all, you need to get a list of sessions on the RDS host (user sessions will be grouped according to their state):
Get-RDUserSession | ft Username, UnifiedSessionId, SessionState, HostServer, ApplicationType -GroupBy Sessionstate
Get-RDUserSession

There are three active RDP user sessions on this server. Let’s connect to the user session with the session ID 3:
Mstsc /shadow:3 /control

Also, to get a list of all RDP sessions on the server (or on the Windows 10 desktop to which multiple RDP connections are allowed), you can use the command:

quser

or

qwinsta

The screen will display a list of RDP user sessions, their IDs and states: Active or Disconnected.

qwinsta - list remote sessions on RDS

To show the list of sessions on a remote server, run the following command:

query session /server:servername

To connect to a user session on a remote server, use the command:

mstsc /v:rdsh2:3389 /shadow:3 /control

The dynamic port range (RPC) 49152 to 65535 is used to establish a remote shadow connection session instead of the default TCP/3389 RDP port.

For more convenient shadow connection to RDP user sessions, you can use the following batch script. It prompts you to enter the name of the remote RDS server, displays a list of all sessions and prompts you to specify the session (ID) to which you want to connect to:

shadow.bat

@echo off
set /P rcomp="Enter name or IP of a Remote PC: "
query session /server:%rcomp%
set /P rid="Enter RDP user ID: "
start mstsc /shadow:%rid% /v:%rcomp% /control

You can save this bat file in the %Windir%\System32 directory. As a result, you just need to run the shadow command to start the shadow connection.

To connect to the console session, you can use this script:
shadow_console.bat
@echo off
set /P rcomp="Enter name or IP of a Remote PC: "
for /f "tokens=3 delims= " %%G in ('query session console /server:%rcomp%') do set rid=%%G
start mstsc /shadow:%rid% /v:%rcomp% /control

You can also use the following PowerShell script with a simple GUI (shadow_user_rdp_session.ps1) for shadow connection:

Add-Type -assembly System.Windows.Forms
$Header = "SESSIONNAME", "USERNAME", "ID", "STATUS"
$gForm = New-Object System.Windows.Forms.Form
$gForm.Text ='Shadow Session Connect'
$gForm.Width = 400
$gForm.AutoSize = $true
$dBttn = New-Object System.Windows.Forms.Button
$dBttn.Text = 'Control'
$dBttn.Location = New-Object System.Drawing.Point(15,10)
$gForm.Controls.Add($dBttn)
$dList = New-Object System.Windows.Forms.ListView
$dList.Location = New-Object System.Drawing.Point(0,50)
$dList.Width = $gForm.ClientRectangle.Width
$dList.Height = $gForm.ClientRectangle.Height
$dList.Anchor = "Top, Left, Right, Bottom"
$dList.MultiSelect = $False
$dList.View = 'Details'
$dList.FullRowSelect = 1;
$dList.GridLines = 1
$dList.Scrollable = 1
$gForm.Controls.add($dList)
foreach ($column in $Header){
$dList.Columns.Add($column) | Out-Null
}
$(qwinsta.exe | findstr "Active") -replace "^[\s>]" , "" -replace "\s+" , "," | ConvertFrom-Csv -Header $Header | ForEach-Object {
$dListItem = New-Object System.Windows.Forms.ListViewItem($_.SESSIONNAME)
$dListItem.Subitems.Add($_.USERNAME) | Out-Null
$dListItem.Subitems.Add($_.ID) | Out-Null
$dListItem.Subitems.Add($_.STATUS) | Out-Null
$dList.Items.Add($dListItem) | Out-Null
}
$dBttn.Add_Click(
{
$SelectedItem = $dList.SelectedItems[0]
if ($SelectedItem -eq $null){
[System.Windows.Forms.MessageBox]::Show("Select a user session to connect ")
}else{
$session_id = $SelectedItem.subitems[2].text
$(mstsc /shadow:$session_id /control)
#[System.Windows.Forms.MessageBox]::Show($session_id)
}
}
)
$gForm.ShowDialog()

This script displays a simple graphical form with a list of active RDP sessions on the local host. You just need to select a user account and click the Connect button.

To run PowerShell scripts (*.ps1) on the computer, you need to configure the PowerShell Execution policy.

You can use the shadow user connection not only on Windows Server with the Remote Desktop Services role, but also to connect to users’ desktops running Windows 10 (Using Remote Desktop Session Shadowing Mode in Windows 10).

How-to Allow Non-admin Users to Shadow RDS Sessions?

In the examples above, using the shadow connection to RDS user sessions requires local administrator privileges on the RDS server. However, you can allow a non-admin user to shadow RDP sessions without granting local admin permissions on the computer/server.

For instance, you want to allow members of the AllowRDSShadow group to use a shadow connection to RDP user sessions. Open the elevated command prompt (cmd.exe) and run the command:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName=”RDP-Tcp”) CALL AddAccount “woshub\AllowRDSShadow”,2

15 comments
8
Facebook Twitter Google + Pinterest
previous post
Configuring PowerShell Script Execution Policy
next post
Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

Related Reading

Configuring Event Viewer Log Size on Windows

May 24, 2023

How to Detect Who Changed the File/Folder NTFS...

May 24, 2023

Enable Single Sign-On (SSO) Authentication on RDS Windows...

May 23, 2023

Allow Non-admin Users RDP Access to Windows Server

May 22, 2023

How to Create, Change, and Remove Local Users...

May 17, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configuring Event Viewer Log Size on Windows

    May 24, 2023
  • How to Detect Who Changed the File/Folder NTFS Permissions on Windows?

    May 24, 2023
  • Enable Single Sign-On (SSO) Authentication on RDS Windows Server

    May 23, 2023
  • Allow Non-admin Users RDP Access to Windows Server

    May 22, 2023
  • How to Create, Change, and Remove Local Users or Groups with PowerShell?

    May 17, 2023
  • Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

    May 16, 2023
  • View Success and Failed Local Logon Attempts on Windows

    May 2, 2023
  • Fix: “Something Went Wrong” Error When Installing Teams

    May 2, 2023
  • Querying Windows Event Logs with PowerShell

    May 2, 2023
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD

    April 25, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Allow Multiple RDP Sessions in Windows 10 and 11?
  • How to Repair EFI/GPT Bootloader on Windows 10 or 11?
  • How to Restore Deleted EFI System Partition in Windows?
  • Network Computers are not Showing Up in Windows 10/11
  • Updating List of Trusted Root Certificates in Windows
  • How to Create a Wi-Fi Hotspot on your Windows PC?
  • How to Sign an Unsigned Device Driver in Windows?
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top