
The question has it straightforward. I have 4 technicians, and ~300 end-users with up to 70 RDPs at any one time. I would like my techs to be able to remote shadow the end-users to resolve the most common issues, rather than have to send them out to one of our 5 office locations. I don't mind giving them some roles, but I don't want to have to make each one of them a Domain Admin, for what should be obvious reasons. Is there a role on Windows Server 2022 that will allow them access to the option to Shadow sessions? Or is there another solution in common use?

  • Why do you think they need to be _Domain_ Admins, as opposed to local Administrators? – u1686_grawity May 09 '22 at 15:22
  • There are many options you can go here, though I won't go into pricing at this point. You can use TeamViewer corporate with a Quick Support. The client who needs help can open a TeamViewer Quick Support, and the tech can then connect to them by entering the ID number. Client or tech closes the quick support at the end. Tech cannot use functions that require admin though. Another option would be Splashtop Streamer. Install it on the server, tech can connect to it remotely and then shadow any of the users. No warning to the user that they are being watched though. Interaction possible. – LPChip May 09 '22 at 15:33
  • Also Galinette Sandée will allow you to use the normal shadow functionality of terminal server. But I do think you need to be a local admin for this one. – LPChip May 09 '22 at 15:35
  • @user1686 in this case local admin still has too many privileges for these techs to have. Even though it is a Hyper-V machine. So in order to keep them from getting too much, we can't make them admins. We've found other solutions built in to Server 2022 for other issues, such as printer installation for example, that can be assigned out as simple roles attached to differing security groups. Which is what we are hoping to do here. – Christopher J. Joubert May 09 '22 at 16:09

1 Answer

On the server with the RDS role, you can configure permissions on a per-connection basis following the steps here: Configure Permissions for Remote Desktop Services Connections.

To configure permissions for a connection

  • On the RD Session Host server, open Remote Desktop Session Host Configuration. To open Remote Desktop Session Host Configuration, click Start, point to Administrative Tools, point to Remote Desktop Services, and then click Remote Desktop Session Host Configuration.
  • Under Connections, right-click the name of the connection, and then click Properties.
  • In the Properties dialog box for the connection, on the Security tab, configure the permissions as appropriate for your environment, and then click OK.

You could also apply it to the whole host by adding users/groups to the terminal-services permissions settings via the AddAccount(AccountName, PermissionPreSet) method described here:

# cmd
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName ="RDP-Tcp") CALL AddAccount "domain\group",2

# or powershell
$group = 'DOMAIN\groupname'
# -Arguments takes a hashtable keyed by the method's parameter names, not a positional array
Get-CimInstance -Namespace root\CIMV2\TerminalServices -ClassName Win32_TSPermissionsSetting -Filter 'TerminalName ="RDP-Tcp"' |
  Invoke-CimMethod -MethodName AddAccount -Arguments @{ AccountName = $group; PermissionPreSet = 2 }

There are three settings you can assign with this method:

  • 0: The account has logon permission (the same as the Remote Desktop Users group has by default)
  • 1: Logon, Query Information, Send Message, and Connect permissions (basically view-only shadow permission)
  • 2: Full Control
– Cpt.Whale
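As an added example (not from the answer above or from Microsoft's documentation), the same AddAccount call run with the least-privileged preset (1) rather than Full Control, followed by a read-back through the Win32_TSAccount class in the same namespace so you can confirm exactly which rights the help-desk group ended up with. The group name is a placeholder, and the WINSTATION_* bit values used to decode PermissionsAllowed are an assumption taken from winsta.h; run it elevated on the RD Session Host.

```powershell
# Added example: grant a help-desk group preset 1 on the RDP-Tcp listener, then verify.
$Namespace = 'root\CIMV2\TerminalServices'
$Listener  = 'RDP-Tcp'
$Group     = 'DOMAIN\Helpdesk-Shadow'   # placeholder: your technicians' security group

# Preset 1 = Logon, Query Information, Send Message, Connect. Not Full Control (2),
# so the technicians never need to be local or domain administrators for this.
$setting = Get-CimInstance -Namespace $Namespace -ClassName Win32_TSPermissionsSetting `
             -Filter "TerminalName = '$Listener'"
$result  = Invoke-CimMethod -InputObject $setting -MethodName AddAccount `
             -Arguments @{ AccountName = $Group; PermissionPreSet = [uint32]1 }
if ($result.ReturnValue -ne 0) {
    throw "AddAccount failed for $Group with return code $($result.ReturnValue)"
}

# Verify what was actually granted. Win32_TSAccount holds one row per account on the
# listener; PermissionsAllowed is a bitmask. Flag values below are assumed from winsta.h.
$Flags = [ordered]@{
    Query = 0x1; Set = 0x2; Reset = 0x4; VirtualChannels = 0x8; RemoteControl = 0x10
    Logon = 0x20; Logoff = 0x40; Message = 0x80; Connect = 0x100; Disconnect = 0x200
}
Get-CimInstance -Namespace $Namespace -ClassName Win32_TSAccount `
    -Filter "TerminalName = '$Listener'" |
  ForEach-Object {
    $mask  = $_.PermissionsAllowed
    $names = foreach ($f in $Flags.GetEnumerator()) { if ($mask -band $f.Value) { $f.Key } }
    [pscustomobject]@{ Account = $_.AccountName; Allowed = ($names -join ', ') }
  } | Format-Table -AutoSize
```

The read-back is the part worth keeping: it shows whether the preset actually includes the RemoteControl bit on your build, and it makes any account that still carries Full Control on the listener stand out in the table.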