RDS 2012 R2 Shadowing


 

Hello,

I really like the RDS 2012 session-based environment. Recently we had to implement a way for a specific helpdesk group to be able to assist users in their RDS sessions.

So, what are the possibilities for achieving this :

· mstsc /shadow

· Server Manager

· Remote assistance

Option 1 : mstsc /shadow

You can use the default mstsc (from Windows 8.1) with the shadow option.

You have to supply the server name and the session ID.

Log on to the server and query the sessions using the query session command; you'll need the ID.


Next up, you can shadow a session using mstsc /v:servername /shadow:id /control


The user will receive a prompt and can accept or deny the request. (This is Polish by the way, love multi-language environments 🙂)


So you need to be an admin on the RDS host server in order to perform the shadowing, or you can set the required remote control rights using a command prompt.


This command will give them full control on the RDP protocol.

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2

Or by using the Terminal Services Configuration tool from a 2008 (R2) server and connecting to your 2012 R2 RDS hosts.

Grant required rights.
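
Whichever way the rights are granted, it is worth checking afterwards who actually holds the remote control right on each session host. The following is an added example, not part of the original post: it reads the Win32_TSAccount class from the same TerminalServices namespace and lists every account whose allowed mask on RDP-Tcp contains the shadow bit (0x10 in the WinStation access mask). The function name, the host names and the helpdesk group SID are assumptions made for the example.

```powershell
# Added example: list every account that holds the remote control (shadow)
# right on the RDP listener of each session host, and flag unexpected ones.
$WINSTATION_SHADOW = 0x10   # shadow bit in the WinStation access mask

function Get-RdpShadowAccount {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        # SIDs expected to hold the right: SYSTEM and BUILTIN\Administrators.
        # Add the SID of the delegated helpdesk group when calling.
        [string[]] $ExpectedSid = @('S-1-5-18', 'S-1-5-32-544'),
        [string] $TerminalName = 'RDP-Tcp'
    )
    foreach ($server in $ComputerName) {
        try {
            $accounts = Get-CimInstance -ComputerName $server `
                -Namespace 'root/CIMV2/TerminalServices' `
                -ClassName Win32_TSAccount `
                -Filter "TerminalName='$TerminalName'" -ErrorAction Stop
        } catch {
            # An unreachable host must not hide the results of the others.
            Write-Warning "$server : query failed: $($_.Exception.Message)"
            continue
        }
        foreach ($a in $accounts) {
            # Skip entries whose allowed mask lacks the shadow bit.
            if (-not ($a.PermissionsAllowed -band $WINSTATION_SHADOW)) { continue }
            [pscustomobject]@{
                Server      = $server
                Account     = $a.AccountName
                Sid         = $a.SID
                AllowedMask = '0x{0:X}' -f $a.PermissionsAllowed
                Expected    = $ExpectedSid -contains $a.SID
            }
        }
    }
}

# Constructed sample values: replace with your session hosts and group SID.
$sessionHosts = 'rdsh01', 'rdsh02'
$helpdeskSid  = 'S-1-5-21-1111111111-2222222222-3333333333-1234'
Get-RdpShadowAccount -ComputerName $sessionHosts `
    -ExpectedSid 'S-1-5-18', 'S-1-5-32-544', $helpdeskSid |
    Sort-Object Expected, Server | Format-Table -AutoSize
```

Rows with Expected set to False are accounts that can shadow sessions but are not on the list you supplied.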

There are also some GPOs to modify some of the security settings:

<Computer Configuration> |<User Configuration>

\Administrative Templates\Windows Components\Remote Desktop Services

\Remote Desktop Session Host\Connections

\Set rules for remote control of Remote Desktop Services user sessions

Okay, so much for option 1, but this is not really user friendly for our helpdesk users: they need to connect to each server individually, query for the ID and start mstsc with specific options. Sure, you can script it (like https://rcmtech.wordpress.com/2014/05/01/rdsh-2012-r2-shadow-users-without-connection-broker-admin-rights/) but I like to hold on to standard options whenever possible.

Option 2 : Server Manager

You basically go through the same steps, but you present the helpdesk group with the Server Manager executable. You add all the RDS session hosts and the session broker, and you'll see all connections and can shadow from the console.

You'll see the sessions when selecting a collection; you can right-click and shadow a session.

Perfect, you might say, but… in order to achieve this the helpdesk user needs to be part of the local admin group on the session broker server and have the remote control and query rights on the RDS session host servers.

See http://blogs.technet.com/b/askperf/archive/2013/10/22/windows-8-1-windows-server-2012-r2-rds-shadowing-is-back.aspx and https://technet.microsoft.com/en-us/library/hh831453.aspx.

So this is not ideal for delegation, I don’t want to give my helpdesk group local admin rights on the session broker server.

Option 3 : Remote Assistance

Remote Assistance? Well yes, why not? It's already being used for taking control of physical machines, it can be delegated and you have view and control functionality.

First up, create a policy that configures the Remote Assistance settings:

And modify your UAC settings in order to allow Remote Assistance to respond to UAC prompts that normally appear on the secure desktop. (Otherwise your user will see the prompt and you'll see a pause, always nice 🙂)

Now I have noticed on the RDS 2012 R2 session hosts that the group required for Remote Assistance users (Offer Remote Assistance Helpers) was not created automatically; if the group is not present, your remote assistance will not work.

So the solution was to add the Remote Assistance feature to the server, and then the group appeared after the policy was received.


Then just connect to the server using msra /offerra and the remote assistance tool will query the available sessions and perform normal remote assistance behavior.

So there you have it, several possibilities to allow a helping hand to your users. My favorite is Remote Assistance: not as easy to use as Server Manager, but known technology that can be delegated using standard tools.

Enjoy.

Gino D
