Shadowing not working for Domain Admin

  • Question

  • Hi,

    I have a domain user with domain admin rights who is unable to shadow Windows 2016 RDP sessions; he gets an "Access Denied" message. He is already added to the local administrators group on the RDP server. If he logs in to the RDP server using the local administrator account, he can shadow.

    Any suggestions?

    Monday, November 4, 2019 1:11 AM

All replies

  • Hi,

    >By default, a shadowee must explicitly give permission to allow their session to be shadowed. To be able to shadow without permission, the administrator must intentionally override this with a group policy set to allow shadowing without user permission.

    So, please check below group policy configuration, make sure that it has been configured to allow shadow: 
    <Computer Configuration> |<User Configuration> \Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Set rules for remote control of Remote Desktop Services user sessions

    Please note that, if you choose the option such as full control with user’s permission or view session with user’s permission, once you establish the shadow, the session user has the permission to deny the shadow request. 

    Best Regards,
    Eve Wang

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, November 4, 2019 8:46 AM
    Moderator
  • Yes, I already did the Group Policy configuration before posting. I think it could be due to the user domain I am using, because the domain of the shadowee is different from my user domain. There is a trust between the two domains. I will try to use a user from the same domain as the shadowee.

    Thanks.

    Wednesday, November 6, 2019 11:47 PM
  • Hi,

    On the session host, try the command line to manually grant a specific user group the shadow permission and check the result:
    wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "domain\group",2

    Reference below link for detail information:
    https://dynamicdatacenter.wordpress.com/2015/06/24/rds-2012-r2-shadowing-rdproud/

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,
    Eve Wang


    Monday, November 11, 2019 8:32 AM
    Moderator
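
The two settings discussed in the replies above (the "Set rules for remote control" policy and the permissions on the RDP-Tcp listener) can be inspected read-only before changing anything further. The following PowerShell is an added example, not part of the original thread; it assumes an elevated session on the session host, reads only the computer-side policy value, and uses the Win32_TSAccount class with the WINSTATION_SHADOW bit (0x10).

```powershell
# Added example: read-only audit of RDS shadowing settings on a session host.
# Assumption: run locally in an elevated PowerShell session.

$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$shadowModes = @{
    0 = 'No remote control allowed'
    1 = 'Full Control with user''s permission'
    2 = 'Full Control without user''s permission'
    3 = 'View Session with user''s permission'
    4 = 'View Session without user''s permission'
}

# 1. Computer policy value written by "Set rules for remote control of
#    Remote Desktop Services user sessions" (user policy is not checked here).
$shadow = (Get-ItemProperty -Path $policyKey -Name Shadow -ErrorAction SilentlyContinue).Shadow
if ($null -eq $shadow) {
    'Shadow policy: not configured (computer policy)'
} else {
    "Shadow policy: $shadow = $($shadowModes[[int]$shadow])"
}

# 2. Accounts on the RDP-Tcp listener and whether the shadow right is
#    allowed or denied for each of them.
$WINSTATION_SHADOW = 0x10
Get-CimInstance -Namespace 'root\CIMV2\TerminalServices' -ClassName Win32_TSAccount `
        -Filter "TerminalName='RDP-Tcp'" |
    Select-Object AccountName,
        @{ n = 'ShadowAllowed'; e = { [bool]($_.PermissionsAllowed -band $WINSTATION_SHADOW) } },
        @{ n = 'ShadowDenied';  e = { [bool]($_.PermissionsDenied  -band $WINSTATION_SHADOW) } },
        @{ n = 'AllowedMask';   e = { '0x{0:X}' -f $_.PermissionsAllowed } } |
    Format-Table -AutoSize
```

The preset 2 passed to AddAccount in the command above is the full-access preset for the listener, so the group receives more than the shadow right; the AllowedMask column shows what each account was actually granted.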
  • Hi,

    How are things going with this issue?

    Please let me know if you would like further assistance.

    Best Regards,
    Eve Wang

    Thursday, November 14, 2019 1:28 AM
    Moderator
  • Hi,

    Is there any update?

    Please click “Mark as answer” if any of the above replies is helpful. It would move the reply to the top and make it easier to find for other people who have a similar problem.

    Best Regards,
    Eve Wang


    Tuesday, November 19, 2019 2:07 AM
    Moderator
  • I got this message after entering the command but still cannot shadow.

    Method execution successful.
    Out Parameters:
    instance of __PARAMETERS
    {
            ReturnValue = 0;
    };

    Thanks.

    Wednesday, November 20, 2019 7:25 PM