RDS 2012 R2 Shadowing



I really like the RDS 2012 session-based environment. Recently we had to implement a way for a specific helpdesk group to assist users in their RDS sessions.

So, what are the possibilities for achieving this?

· mstsc /shadow

· Server Manager

· Remote Assistance

Option 1: mstsc /shadow

You can use the default mstsc (from Windows 8.1) with the shadow option.

You have to supply the server name and the session ID.

Log on to the server and query the sessions using the query session command; you'll need the ID.


Next, you can shadow a session using mstsc /v:servername /shadow:id /control


The user will receive a prompt and can accept or deny the request. (This is Polish by the way, love multi-language environments 🙂)


So you need to be an admin on the RDS host server in order to perform the shadowing, or you can set the required remote control rights using a command prompt.


This command grants them full control on the RDP protocol:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2

Or use the Terminal Services Configuration tool from a 2008 (R2) server and connect to your 2012 R2 RDS hosts.


Grant the required rights.
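To check what the grant above left on the listener, this added example (not from the original post) reads the Win32_TSAccount entries for RDP-Tcp and flags every account that holds the shadow right. The host names, the CONTOSO accounts, the expected-principals list and the sample masks are constructed assumptions; the live query is shown as a commented last line.

```powershell
# Added example: audit which accounts may shadow sessions on the RDP-Tcp listener.
[uint32] $WINSTATION_QUERY  = 0x001   # access-mask bit: query session information
[uint32] $WINSTATION_SHADOW = 0x010   # access-mask bit: remote control (shadow)

function Get-RdpTcpAccount {
    # Live query against session hosts (needs admin rights on each host).
    param([Parameter(Mandatory)] [string[]] $ComputerName)
    Get-CimInstance -ComputerName $ComputerName `
        -Namespace 'root/CIMV2/TerminalServices' -ClassName Win32_TSAccount `
        -Filter "TerminalName='RDP-Tcp'"
}

function Test-ShadowRight {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        # Principals that are supposed to hold the shadow right (assumption).
        [string[]] $Expected = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    process {
        $allowed = [uint32] $Account.PermissionsAllowed
        $denied  = [uint32] $Account.PermissionsDenied
        # An explicit deny on the shadow bit overrides an allow.
        $canShadow = (($allowed -band $WINSTATION_SHADOW) -ne 0) -and
                     (($denied  -band $WINSTATION_SHADOW) -eq 0)
        [pscustomobject]@{
            Computer   = $Account.PSComputerName
            Account    = $Account.AccountName
            AllowMask  = '0x{0:X}' -f $allowed
            CanQuery   = ($allowed -band $WINSTATION_QUERY) -ne 0
            CanShadow  = $canShadow
            Unexpected = $canShadow -and ($Expected -notcontains $Account.AccountName)
        }
    }
}

# Constructed sample rows (not captured from a real host) so the script runs offline.
$sample = @(
    [pscustomobject]@{ PSComputerName = 'RDSH01'; AccountName = 'BUILTIN\Administrators';      PermissionsAllowed = 0x3FF; PermissionsDenied = 0 }
    [pscustomobject]@{ PSComputerName = 'RDSH01'; AccountName = 'BUILTIN\Remote Desktop Users'; PermissionsAllowed = 0x121; PermissionsDenied = 0 }
    [pscustomobject]@{ PSComputerName = 'RDSH01'; AccountName = 'CONTOSO\Helpdesk';             PermissionsAllowed = 0x3FF; PermissionsDenied = 0 }
    [pscustomobject]@{ PSComputerName = 'RDSH02'; AccountName = 'CONTOSO\Interns';              PermissionsAllowed = 0x3FF; PermissionsDenied = 0 }
)
$expected = 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CONTOSO\Helpdesk'
$sample | Test-ShadowRight -Expected $expected | Format-Table -AutoSize
# Live use: Get-RdpTcpAccount -ComputerName 'RDSH01','RDSH02' | Test-ShadowRight -Expected $expected
```

Any row with Unexpected set to True is an account that can shadow sessions on that host but is not on the approved list.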


There are also some GPOs to modify some of the security settings:

<Computer Configuration> | <User Configuration>\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Set rules for remote control of Remote Desktop Services user sessions


Okay, so much for option 1, but this is not really user friendly for our helpdesk users: they need to connect to all servers individually, query for the ID and start mstsc with specific options. Sure, you can script it (like https://rcmtech.wordpress.com/2014/05/01/rdsh-2012-r2-shadow-users-without-connection-broker-admin-rights/) but I like to stick to standard options whenever possible.

Option 2: Server Manager

You basically go through the same steps, but you present the helpdesk group with the Server Manager executable. You add all the RDS session hosts and the session broker; you'll see all connections and can shadow from the console.


You'll see the sessions when selecting a collection; you can right-click and shadow a session.


Perfect, you might say, but in order to achieve this the helpdesk user needs to be part of the local admin group on the session broker server and have the remote control and query rights on the RDS session host servers.

See http://blogs.technet.com/b/askperf/archive/2013/10/22/windows-8-1-windows-server-2012-r2-rds-shadowing-is-back.aspx and https://technet.microsoft.com/en-us/library/hh831453.aspx.

So this is not ideal for delegation: I don't want to give my helpdesk group local admin rights on the session broker server.

Option 3: Remote Assistance

Remote Assistance? Well yes, why not? It's already being used for taking control of physical machines, it can be delegated and you have view and control functionality.

First up, create a policy that configures the Remote Assistance settings:


And modify your UAC settings in order to allow Remote Assistance to respond to UAC prompts that normally appear on the secure desktop. (Otherwise your user will see the prompt and you'll see a pause, always nice 🙂)


Now I have noticed on the RDS 2012 R2 session hosts that the group required for Remote Assistance users (Offer Remote Assistance Helpers) was not created automatically; if the group is not present, your Remote Assistance will not work.


So the solution was to add the Remote Assistance feature to the server, and then the group appeared after the policy was received.


Then just connect to the server using msra /offerra and the remote assistance tool will query the available sessions and perform normal remote assistance behavior.


So there you have it, several possibilities to allow a helping hand to your users. My favorite is Remote Assistance: not as easy to use as Server Manager, but a known technology that can be delegated using standard tools.


Gino D

