Allow RDS Shadowing without Domain Admin Rights

Microsoft’s Remote Desktop Services have taken center stage in the technology spotlight as of late. If your organization did not have an RDS platform before the work-from-home revolution, it probably does now. The effort to build so many of them in such a short time reminded me of Y2K remediation efforts.

The shadowing function built in to RDS allows one remote user to view and interact with another’s session; it is a form of remote control. Starting with the 2012 edition, Microsoft made changes to the RDS role that required Domain Administrator rights to use shadowing.

The feature is quite popular with the help desk, training staff, and onboarding teams. Today’s need to help users with RDS desktops and remote apps is greater than ever. However, making that many people domain administrators is nightmare fuel for your average system admin.

As with many of the limitations found in Microsoft’s products, this one can be overcome, just not via the GUI controls. Microsoft exposes a WMI class and method to control these permissions programmatically: Win32_TSPermissionsSetting and its AddAccount method.

Unfortunately, this solution is not perfect. Shadowing a session still requires local administrator rights on the session host. Still, local admin rights on individual systems are better than domain admin rights. So, create a group for your shadow users in AD, such as “Domain\RDS_Shadow”. Then, add that group to each session host’s local Administrators group.

Once that is done, open an elevated CMD prompt on each session host. Special note: normally you can run almost any CMD command from a PowerShell console and it will execute correctly. This is one of the few cases where that is not true: it has to be a CMD prompt, unless recent patches have changed the outcome.

In the CMD console run (replace Domain\RDS_Shadow with your domain and group names):

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "Domain\RDS_Shadow",2

Now, users who are members of the RDS_Shadow group will be able to RDP to a session host and shadow another person’s session. The trailing 2 selects the Full Control permission preset on the RDP-Tcp listener; 0 would be Guest and 1 User.

The shadowing session can take a long time to initialize, and all you see is a black screen while the output stream is mirrored. Be patient; if you didn’t receive an error, it eventually works.
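The whole procedure above (local Administrators membership, the AddAccount call, and a read-back check the post does not include), as an added PowerShell example that is not from the original post. It uses the CIM cmdlets instead of wmic.exe, so it runs from a PowerShell console; it assumes PowerShell 5.1 or later on the hosts (for Add-LocalGroupMember), WinRM access as a local admin of each host, and the host names and group name are placeholders.

```powershell
# Added example (not from the original post): grant an AD group shadow rights on
# every RDS session host and verify the result. Uses Invoke-CimMethod rather than
# wmic.exe, which is deprecated in current Windows builds.
# Assumptions: PowerShell 5.1+ on the hosts, WinRM enabled, run as a local admin.
$ShadowGroup  = 'DOMAIN\RDS_Shadow'            # placeholder group name
$SessionHosts = @('RDSH01', 'RDSH02')          # constructed example host names
$Ns           = 'root/CIMV2/TerminalServices'

$Results = Invoke-Command -ComputerName $SessionHosts -ArgumentList $ShadowGroup, $Ns -ScriptBlock {
    param($Group, $Namespace)

    # 1. Shadowing still needs local admin on the host, so add the group there
    #    (idempotent: skip the add if it is already a member).
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    if ($members -notcontains $Group) {
        Add-LocalGroupMember -Group 'Administrators' -Member $Group
    }

    # 2. Grant the group the Full Control preset (2) on the RDP-Tcp listener,
    #    the same call the wmic one-liner makes. Presets: 0 = Guest, 1 = User, 2 = Full Control.
    $listener = Get-CimInstance -Namespace $Namespace -ClassName Win32_TSPermissionsSetting `
                                -Filter 'TerminalName="RDP-Tcp"'
    $call = Invoke-CimMethod -InputObject $listener -MethodName AddAccount `
                             -Arguments @{ AccountName = $Group; PermissionPreSet = 2 }

    # 3. Verify: read back the per-account entry the listener now carries.
    $ace = Get-CimInstance -Namespace $Namespace -ClassName Win32_TSAccount `
                           -Filter 'TerminalName="RDP-Tcp"' |
           Where-Object AccountName -eq $Group

    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        AddAccountReturn   = $call.ReturnValue        # 0 = success
        PermissionsAllowed = $ace.PermissionsAllowed  # non-zero means the entry exists
    }
}

# Any host with a non-zero AddAccountReturn or an empty PermissionsAllowed needs a second look.
$Results | Format-Table Host, AddAccountReturn, PermissionsAllowed -AutoSize
```

Keep the membership of the shadow group as small as the help-desk workload allows; every member is a local administrator on every session host the script touches.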
