
Windows Server 2012 Shadowing – Delegating Rights To Non-Admins

June 23, 2016 - Remote Desktop Scripts

UPDATE: This script is now included in the free Remote Desktop Commander Lite utility.

Ahh, nothing like the upheaval of how Windows Server 2012 shadowing works to put more grey in every RDS administrator’s hair. Read this article on my corporate blog if you want to know all the sordid details, including how RDS shadowing was completely dropped in Windows Server 2012, only to be added back in Windows Server 2012 R2.

Most medium to larger shops running Microsoft Remote Desktop Services want the ability to delegate shadowing permissions to help desk technicians without granting those folks full admin rights. There are two ways (I know of, at least) to do this:

  1. You can manipulate a WMI object programmatically on each Remote Desktop Session host with a PowerShell script
  2. For even more granular adjustments, you can load an old copy of the Remote Desktop Session Host Configuration Tool (tsconfig.msc) on a Windows Server 2008 system joined to the same domain, and then connect to a Windows Server 2012 R2 system running the Remote Desktop Services role.


Approach 1 – Using PowerShell To Delegate Windows Server 2012 Shadowing Rights To Non-Admins

Here’s the script I’ve written to perform this adjustment on Windows Server 2012 R2 Session Hosts. I’ve seen some examples on other blogs that reference how to do this for a specific domain group on a single session host, but I’ve expanded that concept so you can now pass a comma-delimited list of computer names (each one being a Server 2012 Session Host), and the script will walk the WMI object on each computer name and set the permissions for either a user account or group account that you supply when the script runs.

Server 2012 R2 Shadow Permissions Script Code

AddShadowingPerms.ps1

param(
    [Parameter(Mandatory = $true)]
    [string]$RDServers   # comma-delimited list of Session Host names, e.g. "RDSH01,RDSH02"
)
$RDSArray = $RDServers -split ','
$AccountToAdd = Read-Host -Prompt ("Please enter the user name or group name who needs permission to shadow users" + "`r`n" + "(Format:  DOMAIN\User or DOMAIN\Group)")
foreach ($RDS in $RDSArray)
{
    # Strip any quotes and surrounding whitespace from the computer name
    $TempRDS = $RDS.Replace("`"", "").Trim()
    if ($TempRDS)
    {
        # Win32_TSPermissionsSetting exposes the DACL of each listener on the Session Host
        $WMIHandles = Get-WmiObject -Class "Win32_TSPermissionsSetting" -Namespace "root\CIMV2\terminalservices" -ComputerName $TempRDS -Authentication PacketPrivacy -Impersonation Impersonate -ErrorAction SilentlyContinue
        if (-not $WMIHandles)
        {
            Write-Host("Could not query Win32_TSPermissionsSetting on " + $TempRDS + " (check the name, WinRM/DCOM access and your admin rights)" + "`r`n")
            continue
        }
        foreach ($WMIHandle in $WMIHandles)
        {
            if ($WMIHandle.TerminalName -eq "RDP-Tcp")
            {
                # Permission preset 2 adds the account to the RDP-Tcp DACL with full control
                $retVal = $WMIHandle.AddAccount($AccountToAdd, 2)
                if ($retVal.ReturnValue -eq 0)
                {
                    $opstatus = "succeeded"
                }
                else
                {
                    $opstatus = "failed (return code " + $retVal.ReturnValue + ")"
                }
                Write-Host("The operation to grant shadowing permissions to " + $AccountToAdd + " on " + $TempRDS + " " + $opstatus + "`r`n")
            }
        }
    }
}

Approach 2 – Using TSConfig.msc To Granularly Delegate Windows Server 2012 Shadowing Rights To Non-Admins

The one downside of using the above script is that it grants the account in question FULL rights across all operations on the Remote Desktop Session Host server. This user (or group) can effectively logon, logoff, connect, disconnect, send messages, shadow users, query session information on the server, and set/configure RDP information on that server.

However, if we load TSConfig.msc on a Windows Server 2008 system, and then connect to a Windows Server 2012 R2 RDSH box, we can use a scalpel instead of a butter knife to delegate shadowing and other rights to help desk users. In fact, we can ONLY give a user or group the right to shadow a session, with no other powers. Here’s a series of screenshots that show how to do this:

1.) Open up TSConfig.msc on a Windows 2008 server, and connect to your Windows Server 2012 R2 RDSH box.

2.) Enter in the name of your Windows Server 2012 R2 box, and click 'OK' to connect to it.

3.) Find the RDP-Tcp entry, right mouse click to show Properties, and then click Properties to bring up all configuration options.

4.) Click on the Security tab to view the DACL (Discretionary Access Control List) for RDP-Tcp. Click the Advanced button.

5.) Add the user/group you want to add granular permissions for. Click 'Edit' to view the detailed permissions you can grant in the DACL. For shadowing, only the 'Remote Control' permission is required.

Finally, whether you run the PowerShell script or use TSConfig.msc to adjust permissions, you may need to restart the Remote Desktop Session Hosts afterwards for the new permissions to take effect.
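Whichever approach you used, it is worth confirming what the RDP-Tcp DACL actually contains afterwards, both to check that the help desk account can shadow and to catch accounts that ended up with the full-control preset when only 'Remote Control' was intended. The audit script below is an added example, not part of the original post or of the AddShadowingPerms.ps1 download. It reads each Session Host's RDP-Tcp DACL through the Win32_TSAccount class in the same WMI namespace the script above uses, and decodes the PermissionsAllowed/PermissionsDenied bitmasks using the WINSTATION_* bit values from the Win32_TSAccount documentation (0x10 is the right TSConfig labels 'Remote Control'). The host names and the script file name are hypothetical.

```powershell
# Audit-ShadowPerms.ps1 (added example): list the RDP-Tcp DACL on each Session Host
# and flag accounts that hold more than the Remote Control (shadow) right.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$RDServers    # e.g. .\Audit-ShadowPerms.ps1 -RDServers RDSH01,RDSH02 (hypothetical names)
)

# Bit values of the Win32_TSAccount PermissionsAllowed / PermissionsDenied masks
# (the WINSTATION_* access rights). Shadow (0x10) is "Remote Control" in TSConfig.msc.
$PermissionBits = [ordered]@{
    Query      = 0x001
    Set        = 0x002
    Reset      = 0x004
    Virtual    = 0x008
    Shadow     = 0x010
    Logon      = 0x020
    Logoff     = 0x040
    Message    = 0x080
    Connect    = 0x100
    Disconnect = 0x200
}

# Translate a permission mask into the named rights it contains.
function ConvertTo-PermissionNames {
    param([uint32]$Mask)
    foreach ($Entry in $PermissionBits.GetEnumerator()) {
        if (($Mask -band $Entry.Value) -ne 0) { $Entry.Key }
    }
}

foreach ($RDS in $RDServers) {
    $Server = $RDS.Trim('"', ' ')
    if (-not $Server) { continue }

    try {
        # Same namespace and DCOM authentication settings as AddShadowingPerms.ps1.
        $Accounts = Get-WmiObject -Class Win32_TSAccount `
            -Namespace 'root\CIMV2\terminalservices' `
            -ComputerName $Server -Authentication PacketPrivacy -Impersonation Impersonate `
            -ErrorAction Stop |
            Where-Object { $_.TerminalName -eq 'RDP-Tcp' }
    }
    catch {
        Write-Warning "Could not read the RDP-Tcp DACL on ${Server}: $($_.Exception.Message)"
        continue
    }

    foreach ($Acct in $Accounts) {
        $Allowed = @(ConvertTo-PermissionNames -Mask $Acct.PermissionsAllowed)
        $Denied  = @(ConvertTo-PermissionNames -Mask $Acct.PermissionsDenied)
        [pscustomobject]@{
            Server       = $Server
            Account      = $Acct.AccountName
            # Shadowing works only if the right is allowed and not explicitly denied.
            CanShadow    = ($Allowed -contains 'Shadow') -and ($Denied -notcontains 'Shadow')
            # True when the account holds rights beyond shadowing (logoff, reset, set, ...),
            # which is what the full-control preset used by AddShadowingPerms.ps1 grants.
            BeyondShadow = @($Allowed | Where-Object { $_ -ne 'Shadow' }).Count -gt 0
            Allowed      = ($Allowed -join ', ')
            Denied       = ($Denied -join ', ')
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv to keep a record per host. Built-in entries such as Administrators and SYSTEM will naturally show BeyondShadow as true; the rows to review are the delegated help desk users or groups, where anything other than Shadow in the Allowed column means the account received more than the 'Remote Control' right that shadowing requires.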

Andy Milford is the CEO and Founder of RDPSoft, and is a Microsoft MVP in the Enterprise Mobility / Remote Desktop Services area. Prior to starting RDPSoft, Andy was the CEO and Founder of Dorian Software, a log management company acquired by Ipswitch in late 2009. He loves creating easy-to-use yet powerful software solutions for SMBs and emerging enterprise companies.
