The GPO to allow or deny (silent) shadow/control can be found under:
|\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Connections\Set rules for remote control of Remote Desktop Services user sessions
By default, you may shadow/control with the user’s consent or access is denied.
Before we can view or control a session, we’ll need to get the session ID of the user we want to shadow. To do this, run the command:
query session /server:
Initiate Remote Connection
To shadow without control, run the following command in an elevated command prompt:
mstsc.exe /v: /shadow:
To control, run the following command in an elevated command prompt:
mstsc.exe /v: /shadow: /control
Both of the above can be ran with the /noConsentPrompt argument, which will allow you to connect silently, provided you have configured GPO to do so.
Wait For User to Accept
The user must agree to the connection. Once this is done, the connection will be established, and an RDP window will pop up.
There are two places that things can go wrong.
Query session (step 2):
The common issue that occurs during this step is an access denied error. Make sure that you are running the commands from an account that is either a domain admin or has local admin rights on the target computer. Also make sure HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\AllowRemoteRPC is set to 1. The target computer must be rebooted after changing this key. I recommend setting via GPO if this is an issue.
If running this command against an RDP server, the account running the command needs to have Query Information permission rights on the RDP server.
MSTSC (step 3):
The most common error during this step is also an access denied error. Make sure that you’re running as a domain admin or has local admin or remote desktop user rights on the target computer.
Everything Looks Too Small
In shadow mode, MSTSC will ignore span, width, and height arguments. The RDP window can be resized by dragging the edge of it. Any screens displayed within the RDP window will be resized automatically.
Can I set it to display only 1 screen?