How to Shadow a Remote Desktop session in Windows Server 2012 R2

How can I use shadowing during a Remote Desktop session in WS2012 R2?

Windows Server 2012 R2 reinstates Remote Desktop shadowing so that administrators can view a user’s session when they are connected to a Remote Desktop. Due to some changes in how Remote Desktop worked in Windows Server 2012, shadowing was removed from the feature stack. By popular demand, shadowing is back in Windows Server 2012 R2 and can be found in Server Manager. Only administrators can shadow Remote Desktop sessions, and the Remote Desktop Session Host must be part of an Active Directory domain.

RDS Shadowing in Windows Server 2012 R2

You can shadow a Remote Desktop session either by specifying the /shadow switch on the mstsc command line, or from Server Manager.

  • Open Server Manager in Windows Server 2012 R2 from the Start screen, or by clicking the icon on the desktop Taskbar.
  • Click Remote Desktop Services and then Collections in the left pane of Server Manager.
  • Under Connections in the bottom right of Server Manager, right-click the connection that you want to shadow and select Shadow from the menu.

In the Shadow dialog box you can choose to connect with View or Control permission and decide whether the user needs to give their consent. Alternatively, you can use the following command line to shadow a session:

mstsc.exe /shadow:sessionID /control /noConsentPrompt

The /control and /noConsentPrompt switches are optional and correspond to the settings available in the Shadow GUI dialog seen in Server Manager.

Shadowing Permissions

By default, Windows is configured such that users must give consent for an administrator to shadow a Remote Desktop session. This behavior can be overridden by configuring the "Set rules for remote control of Remote Desktop Services user sessions" Group Policy setting under Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections. The same setting also appears under User Configuration.


Shadowing permissions in Windows Server 2012 R2
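
Because this policy can remove the consent prompt, it is worth checking what a given Session Host actually enforces. The following PowerShell audit is an added example, not part of the original article; it assumes the policy is stored as the DWORD value Shadow under the Terminal Services policy key in HKLM (Computer Configuration) and HKCU (User Configuration), and the function name Get-ShadowPolicy is hypothetical.

```powershell
# Added example: report the "Set rules for remote control of Remote Desktop
# Services user sessions" policy on the local machine and flag no-consent modes.
# Assumption: the policy is stored as the DWORD "Shadow" under this key.
$policyKey = 'SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Meaning of each Shadow value, matching the options offered by the policy.
$modes = @{
    0 = 'No remote control allowed'
    1 = 'Full Control with user''s permission'
    2 = 'Full Control without user''s permission'
    3 = 'View Session with user''s permission'
    4 = 'View Session without user''s permission'
}

function Get-ShadowPolicy {
    param(
        [Parameter(Mandatory)][string]$Hive,   # HKLM or HKCU
        [Parameter(Mandatory)][string]$Scope   # label for the report
    )
    $path  = "${Hive}:\$policyKey"
    # Missing key or value means the policy is not configured in this scope.
    $value = (Get-ItemProperty -Path $path -Name Shadow -ErrorAction SilentlyContinue).Shadow

    if ($null -eq $value) {
        $mode = 'Not configured (default: user consent required)'
    } elseif ($modes.ContainsKey([int]$value)) {
        $mode = $modes[[int]$value]
    } else {
        $mode = "Unrecognized value $value"
    }

    [pscustomobject]@{
        Scope          = $Scope
        Value          = $value
        Mode           = $mode
        # Values 2 and 4 allow shadowing without the user agreeing.
        ConsentSkipped = ($value -in 2, 4)
    }
}

$results = @(
    Get-ShadowPolicy -Hive HKLM -Scope 'Computer Configuration'
    Get-ShadowPolicy -Hive HKCU -Scope 'User Configuration'
)
$results | Format-Table -AutoSize

if ($results.ConsentSkipped -contains $true) {
    Write-Warning 'Shadowing without user consent is permitted by policy on this host.'
}
```

Run it on the Remote Desktop Session Host itself; the HKCU result reflects only the account running the script.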

IT consultant, Contributing Editor @PetriFeed, and trainer @Pluralsight. All about Microsoft, Office 365, Azure, and Windows Server.