RDS session remote control for users


  • Our case is simple: we have a domain with a Windows 2008 R2 domain controller and a Remote Desktop Services server with Windows 2008 R2.

    Domain users who were added to a security group can connect and use RDS without any problems with their RDP clients (client versions may differ slightly).

    RDS session remote control is configured at Remote Desktop Session Host Configuration, so Administrator user can remote control RDP sessions without any problems.

    We must grant the option to remote control RDP sessions to some of the domain users too, so we added them to the ACL on the security tab in "RDP-Tcp properties" with "Remote Control" rights.

    The added domain users still can not remote control other users, if they try they get a "remote control failed" error message. if they try to use the "shadow" command they get a more detailed error message:

    Your session may appear frozen while the remote control approval is being negotiated.
    Please wait...
    Controlling session ID 10 remotely
    Remote control failed. Error code 5
    Error [5]:Access is denied.

    We even tried to add users to domain Administrators group or grant them Full Control rights without any success.

    What else should we do to let some users to remote control RDP sessions?

    Thursday, January 13, 2011 5:58 PM


All replies

  • What you are trying to configure shoud work. Just a quick thought: After you made the changes, did you logoff the user in question and try it again afterwards?

    Quote from the 2008R2 RDS Resource Toolkit:

    "...By default, only members of the Administrators or Domain Administrators group are allowed to shadow sessions on the RD Session Host server, so you don’t need to worry about users spying on each other. The Shadow command and Remote Control option in RD

    Session Manager don’t work for users unless you specifically give them permissions to use them by assigning them the Remote Control permission on the RDP listener. This setting gives a user the ability to shadow any session controlled by those listener properties, so use it with discretion..."

    Thursday, January 13, 2011 6:17 PM
  • Yes, I've tried logoff and login every time after setting rights.
    Friday, January 14, 2011 9:12 AM
  • And any addition info in the Eventlog at the time of the remote control?
    Friday, January 14, 2011 9:24 AM
  • Unfortunately I couldn't find any related log entries.

    I've checked all of the logs, but I am not sure where exactly should I check logs related to this case. Security? System?

    Friday, January 14, 2011 9:29 AM
    • Marked as answer by feheris Friday, January 14, 2011 2:25 PM
    Friday, January 14, 2011 9:35 AM
  • I wouldn't think that a compression GP setting solves the problem but it did. Thank you!
    Friday, January 14, 2011 2:27 PM
  • I had the same problem and none of your suggested settings worked. But I figured out that when I hit CTRL+SHITF+ESC to open taskmgr.exe I could not remote control or log off users, which lead me to believe it wasn't an RDP issue. Simple solution for me. Switch to processes tab and click show processes for all users, which in effect restarts the taskmgr.exe in administrative mode. Now I can remote control and log off users.

    To sum it all up:

    Start the Task Manager in Administrative mode.

    Asbjørn Vang Jacobsen
    • Proposed as answer by RickkeeC Friday, July 20, 2018 5:29 PM
    Tuesday, May 24, 2011 11:31 AM
  • Genius.  Absolute Genius.  The undocumented enable Remote Shadowing button.   View all users under processes tab.   Who'd of thunk it?
    Friday, July 20, 2018 5:31 PM