Remove From My Forums

Shadowing not working for Domain Admin

Question
0

Sign in to vote

Hi,

I have a domain user with domain admin rights who is unable to shadow Windows 2016 RDP Sessions with "Access Denied" message. He is already added in the local administrators group on RDP Server. If he logs in to the RDP Server using local administrator account, he can shadow.

Any suggestions?

Monday, November 4, 2019 1:11 AM

Reply

|

Quote

All replies

0

Sign in to vote

Hi,

>By default, a shadowee must explicitly give permission to allow their session to be shadowed. To be able to shadow without permission, the administrator must intentionally override this with a group policy set to allow shadowing without user permission.

So, please check below group policy configuration, make sure that it has been configured to allow shadow:
<Computer Configuration> |<User Configuration> \Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Set rules for remote control of Remote Desktop Services user sessions

Please note that, if you choose the option such as full control with user’s permission or view session with user’s permission, once you establish the shadow, the session user has the permission to deny the shadow request.

Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Monday, November 4, 2019 8:46 AM

Reply

|

Quote

Moderator
0

Sign in to vote

Yes i already did the Group Policy configuration before posting. I think it could be due to the user domain i am using because the domain of shadowee is different than my user domain. There is a trust between two domains. I will try to use the same domain user as shadowee.

Thanks.

Wednesday, November 6, 2019 11:47 PM

Reply

|

Quote
0

Sign in to vote
Hi,

On session host, try command line to manila grant specific user group the shadow permission and check the result:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName=”RDP-Tcp”) CALL AddAccount “domain\group”,2

Reference below link for detail information:
https://dynamicdatacenter.wordpress.com/2015/06/24/rds-2012-r2-shadowing-rdproud/

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.
- Proposed as answer by Eve WangMicrosoft contingent staff, Moderator Tuesday, November 19, 2019 2:07 AM
Monday, November 11, 2019 8:32 AM

Reply

|

Quote

Moderator
0

Sign in to vote

Hi,

How things are going there on this issue?

Please let me know if you would like further assistance.

Best Regards,
Eve Wang

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Thursday, November 14, 2019 1:28 AM

Reply

|

Quote

Moderator
0

Sign in to vote

Hi,

Is there any update?

Please click “Mark as answer” if any of above reply is helpful. It would make this reply to the top and easier to be found for other people who has the similar problem.

Best Regards,
Eve Wang
Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

Tuesday, November 19, 2019 2:07 AM

Reply

|

Quote

Moderator
0

Sign in to vote

I got this message after entering the command but still cannot shadow.

Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
ReturnValue = 0;
};

Thanks.

Wednesday, November 20, 2019 7:25 PM

Reply

|

Quote