How to Shadow a user’s remote desktop session on Windows Server 2016 in workgroup mode

This post is about how to shadow a user session if the Windows Remote Desktop Server is not connected to a domain. If the server is connected to a domain, you can go to server manager, RDS Manager, and right click on current sessions to shadow and connect. When the server is in Workgroup mode (not connected to domain) the Remote Desktop Services Manager page is not accessible in Server Manager. To shadow another user’s sessions in Windows Server 2016 in Workgroup mode, use the following steps:

1) Open command window by clicking start, CMD. You must be using an account with administrative privileges. If you are using an account with administrative privileges that isn’t the named Administrator account, you must run in administrator mode (right click on cmd and click run as administrator)

2) Type quser.exe to determine the session number of the user session you want to shadow.
C:\Users\administrator.computer>quser.exe (note: typing “>qwinsta” without .exe will show similar information)
USERNAME SESSIONNAME ID STATE
administrator rdp-tcp#0 1 Active
user1 rdp-tcp#1 3 Active

3) In this example, the Administrator is going to shadow the user1 session which is session 3. You need to know the session number (“3”) for the next step.

4) Start shadow session by typing “mstsc /shadow:# /control” where # is the session number to shadow and /control allows you to control the session.
C:\Users\administrator.computer>mstsc /shadow:3 /control

5) The other user (user1 in this example) will get a popup called “remote control request” and must press Yes before shadow session will open.

6) The shadow session will open and you’ll be able to view the user1 session desktop screen.

IF YOU WANT TO SHADOW A USER SESSION WITHOUT NEEDING THEIR CONSENT FOR THE SHADOW SESSION TO OPEN:

  • Enable the following group policy by going to gpedit.msc and then Local Computer Policy, Computer Configuration, Administrative Templates, Windows Components, Remote Desktop Services, Remote Desktop Session Host, Connections.
  • Enable the setting “set rules for remote control of Remote Desktop Services user sessions” and select the option for “Full Control without user’s permission” in the dropdown.
  • Reboot the server to make the group policy take effect (or open elevated command prompt and type in gpupdate.exe /force)
  • Then using the same command as in the section above add “/noconsentprompt” like this:
  • mstsc /shadow:3 /control /noconsentprompt
  • It will still prompt the user to authorize control but if they don’t within 5-10 seconds, the shadow session will open even without their authorization.