Hello again AskPerf! I’m happy to report that Windows Server 2012 R2 reinstates Remote Desktop Shadowing.
This functionality lived in kernel mode through Windows Server 2008 R2, but was removed from the product in Windows Server 2012 when the RDP stack was moved to user mode.
We’ve strived for feature-parity with 2008 R2, with the main visual change being accessibility through Server Manager.
So, where can I find it?
The shadow UI is located in Server Manager under Remote Desktop Services / Collections.
Simply right-click a user’s session and choose Shadow from the context menu, then choose to view or control the session with or without consent.
You may also access shadowing from the command line:
Mstsc.exe [/shadow:sessionID [/v:Servername] [/u:[Username]] [/control] [/noConsentPrompt]]
/shadow:ID Starts shadow with the specified sessionID.
/v:servername If not specified, will use the current server as the default.
/u:username If not specified, the currently logged on user is used.
/control If not specified, will only view the session.
/noConsentPrompt Attempts to shadow without prompting the shadowee to grant permission.
By default, a shadowee must explicitly give permission to allow their session to be shadowed. To be able to shadow without permission, the administrator must intentionally override this with a group policy set to allow shadowing without user permission.
You’ll find the shadow group policies in the following path (gpedit.msc):
[<Computer Configuration> |<User Configuration>
\Administrative Templates\Windows Components\Remote Desktop Services
\Remote Desktop Session Host\Connections
\Set rules for remote control of Remote Desktop Services user sessions
There are a couple of key limitations that you should be aware of:
- Only an administrator may shadow sessions. The ability to shadow sessions cannot be delegated to users that are not part of the administrators group.
- Shadowing is not available in workgroup configurations.
I hope everyone is able to (re)integrate this extremely helpful tool in their remote desktop environments and get those older deployments moved to Windows Server 2012 R2.