UPDATE: This script is now included in the free Remote Desktop Commander Lite utility. Click here for more details.
Ahh, nothing like the upheaval of how Windows Server 2012 shadowing works to put more grey in every RDS administrator’s hair. Read this article on my corporate blog if you want to know all the sordid details, including how RDS shadowing was completely dropped in Windows Server 2012, only to be added back in Windows Server 2012 R2.
Most medium to larger shops running Microsoft Remote Desktop Services want the ability to delegate shadowing permissions to help desk technicians without granting those folks full admin rights. There are two ways (I know of, at least) to do this:
- You can manipulate a WMI object programmatically on each Remote Desktop Session host with a PowerShell script
- For even more granular adjustments, you can load an old copy of the Remote Desktop Session Host Configuration Tool (tsconfig.msc) on a Windows Server 2008 system joined to the same domain, and then connect to a Windows Server 2012 R2 system running the Remote Desktop Services role.
Approach 1 – Using PowerShell To Delegate Windows Server 2012 Shadowing Rights To Non-Admins
Here’s the script I’ve written to perform this adjustment on Windows Server 2012 R2 Session Hosts. I’ve seen some examples on other blogs that reference how to do this for a specific domain group on a single session host, but I’ve expanded that concept so you can now pass a comma-delimited list of computer names (each one being a Server 2012 Session Host), and the script will walk the WMI object on each computer name and set the permissions for either a user account or group account that you supply when the script runs.
Server 2012 R2 Shadow Permissions Script Code
AddShadowingPerms.ps1
```powershell
param(
    [string]$RDServers
)

# $RDServers is a comma-delimited list of Session Host names, e.g. RDSH01,RDSH02
$RDSArray = $RDServers -split ','

$AccountToAdd = Read-Host("Please enter the user name or group name who needs permission to shadow users" + "`r`n" + "(Format: DOMAIN\User or DOMAIN\Group)")

foreach ($RDS in $RDSArray) {
    # Strip any stray quotes that came through on the command line
    $TempRDS = $RDS.replace("`"", "")
    if ($TempRDS) {
        # Remote WMI call; PacketPrivacy encrypts the DCOM traffic to the session host
        $WMIHandles = Get-WmiObject -Class "Win32_TSPermissionsSetting" -Namespace "root\CIMV2\terminalservices" -ComputerName $TempRDS -Authentication PacketPrivacy -Impersonation Impersonate
        foreach ($WMIHandle in $WMIHandles) {
            if ($WMIHandle.TerminalName -eq "RDP-Tcp") {
                # Permission preset 2 = Full Control (0 = Guest Access, 1 = User Access)
                $retVal = $WMIHandle.AddAccount($AccountToAdd, 2)
                if ($retVal.ReturnValue -eq 0) {
                    $opstatus = "succeeded"
                } else {
                    $opstatus = "failed"
                }
                Write-Host("The operation to grant shadowing permissions to " + $AccountToAdd + " on " + $TempRDS + " " + $opstatus + "`r`n")
            }
        }
    }
}
```
Approach 2 – Using TSConfig.msc To Granularly Delegate Windows Server 2012 Shadowing Rights To Non-Admins
The one downside of using the above script is that it grants the account in question FULL rights across all operations on the Remote Desktop Session Host server. This user (or group) can effectively log on, log off, connect, disconnect, send messages, shadow users, query session information on the server, and set/configure RDP information on that server.
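Because the preset hands out every right at once, it is worth verifying what each delegated account actually holds on each host after running the script (or after adjusting things in TSConfig.msc). The following audit script is an added example and is not part of the original post or the AddShadowingPerms.ps1 script above. It reads the Win32_TSAccount instances in the same root\CIMV2\TerminalServices namespace and decodes their PermissionsAllowed and PermissionsDenied bitmasks into named rights; the bit values are the WINSTATION_* constants from the Win32_TSAccount.ModifyPermissions documentation. The script name Audit-ShadowPerms.ps1 and the host names in the usage line are assumptions for illustration; the same admin rights and WMI/DCOM reachability the original script needs are assumed here too.

```powershell
# Audit-ShadowPerms.ps1 (added example, not the original post's script)
# Lists every account on each Session Host's RDP-Tcp listener with its
# decoded permissions and flags accounts that hold more than the Shadow right.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$RDServers
)

# WINSTATION_* bit values used by Win32_TSAccount.PermissionsAllowed / PermissionsDenied
$PermissionBits = [ordered]@{
    Query      = 0x001
    Set        = 0x002
    Logoff     = 0x004
    Virtual    = 0x008
    Shadow     = 0x010
    Logon      = 0x020
    Reset      = 0x040
    Message    = 0x080
    Connect    = 0x100
    Disconnect = 0x200
}

function ConvertTo-RdpRightNames {
    # Turn a permission bitmask into the list of right names it contains
    param([uint32]$Mask)
    $PermissionBits.GetEnumerator() |
        Where-Object { ($Mask -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

foreach ($RDS in $RDServers) {
    # Same namespace and DCOM settings as the grant script, but read-only
    $Accounts = Get-WmiObject -Class Win32_TSAccount `
        -Namespace 'root\CIMV2\TerminalServices' `
        -ComputerName $RDS `
        -Authentication PacketPrivacy -Impersonation Impersonate |
        Where-Object { $_.TerminalName -eq 'RDP-Tcp' }

    foreach ($Account in $Accounts) {
        $Allowed = @(ConvertTo-RdpRightNames -Mask $Account.PermissionsAllowed)
        $Denied  = @(ConvertTo-RdpRightNames -Mask $Account.PermissionsDenied)
        # Anything beyond Shadow is more than a help desk delegation should need
        $Excess  = @($Allowed | Where-Object { $_ -ne 'Shadow' })
        [pscustomobject]@{
            SessionHost  = $RDS
            Account      = $Account.AccountName
            Allowed      = ($Allowed -join ',')
            Denied       = ($Denied -join ',')
            BeyondShadow = ($Excess.Count -gt 0)
        }
    }
}
```

Run it as `.\Audit-ShadowPerms.ps1 -RDServers RDSH01,RDSH02 | Format-Table -AutoSize`. An account added with the Full Control preset from the grant script shows up with far more than Shadow in the Allowed column and BeyondShadow set to True, which is exactly the case the TSConfig.msc approach below lets you avoid.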
However, if we load TSConfig.msc on a Windows Server 2008 system, and then connect to a Windows Server 2012 R2 RDSH box, we can use a scalpel instead of a butter knife to delegate shadowing and other rights to help desk users. In fact, we can ONLY give a user or group the right to shadow a session, with no other powers. Here’s a series of screenshots that show how to do this:
Finally, whether you run the PowerShell script or TSConfig.msc to adjust permissions, you may need to restart the Remote Desktop Session Hosts afterwards so that these new permissions take effect.