Terminal Services - Enabling shadowing for non-admin

Hi, I'm trying to enable shadowing (remote monitoring/control of existing session) in 2K3 terminal services for a group of non-admins.  The only information I could find suggested granting full rights within the RDP-Tcp connection in tscc.msc.  Tried that, didn't work.  Are there other permissions I need to check?

Fairly urgent, so offering the full point value.  Thanks!  Joe
jpresto Asked:
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Error 5 is an insufficient permission level error.

There are a few things to consider... does the shadower have local permissions?  You could add the shadower's group to the local administrator's group.

Or, try making that group the "administered by" for the MACHINE instead of the USER... (same basic premise as above).  I can't test that at the moment, but I'm fairly sure that's how I was able to do it before.  

Lastly, make sure that the user that you want to shadow has "remote control enabled" on the "remote control" tab of their user properties.

Jeff
TechSoEasy
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
Shadowing is only available through the Terminal Services Manager, and was basically disabled by XP SP2 if you're trying to shadow a WindowsXP machine.  To fix that, you need to make the following registry entry:

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server"
Add a value named "AllowRemoteRPC", type "REG_DWORD" and Value Data = "1"

Remote control/monitoring should be able to be done by any "supervisor" of another user.  Add your non-admins to a new security group and then make that group the "supervised by" setting in the to-be-controlled's user properties dialogue.  (note that this setting will also allow a "supervisor" to open that person's exchange mailbox).

If the remote is to be done via a non-server machine, install the Server 2003 management tools to that machine which will include TS Manager.

Jeff
TechSoEasy
0
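A read-only check of the two settings discussed in this thread, as an added example that is not part of any poster's reply. It assumes PowerShell 2.0 or later run as an administrator on the terminal server itself; the function names are hypothetical, and the `Win32_TSAccount` namespace differs by Windows version, so both are tried.

```powershell
# Added example: audits who holds the remote control (shadow) right on a
# Terminal Services connection and whether AllowRemoteRPC is set.
# It only reads settings; it changes nothing.

$tsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$WINSTATION_SHADOW = 0x10   # WINSTATION_SHADOW bit in the connection permission mask

function Get-AllowRemoteRpc {
    # Returns the DWORD value, or $null when the value does not exist.
    $p = Get-ItemProperty -Path $tsKey -Name 'AllowRemoteRPC' -ErrorAction SilentlyContinue
    if ($p) { $p.AllowRemoteRPC } else { $null }
}

function Get-ShadowAccounts {
    param([string]$TerminalName = 'RDP-Tcp')

    $accounts = $null
    # Server 2003 exposes Win32_TSAccount in root\cimv2; later versions
    # moved it to root\cimv2\TerminalServices.
    foreach ($ns in 'root\cimv2\TerminalServices', 'root\cimv2') {
        $accounts = Get-WmiObject -Namespace $ns -Class Win32_TSAccount `
            -Filter "TerminalName='$TerminalName'" `
            -Authentication PacketPrivacy -ErrorAction SilentlyContinue
        if ($accounts) { break }
    }

    # One row per ACL entry on the connection, with the shadow bit decoded.
    $accounts | Select-Object AccountName,
        @{ n = 'ShadowAllowed'; e = { [bool]($_.PermissionsAllowed -band $WINSTATION_SHADOW) } },
        @{ n = 'ShadowDenied';  e = { [bool]($_.PermissionsDenied  -band $WINSTATION_SHADOW) } }
}

"AllowRemoteRPC = $(Get-AllowRemoteRpc)"
Get-ShadowAccounts | Sort-Object AccountName | Format-Table -AutoSize
```

An account listed with ShadowDenied set is refused even when another of its groups has ShadowAllowed, which is worth checking when a group was granted rights in tscc.msc and "Error 5" persists.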
 
jpresto (Author) Commented:
Thanks for the note, but I'm not sure that is the case here - it is a permissions issue.  Members of administrators *can* remote shadow, but non-admins (even with the permissions tweak above) receive "Session remote control failed (Error 5 - Access is denied)" when trying to shadow.

Thanks - Joe
0
 
jpresto (Author) Commented:
The problem "fixed itself" - I think I was on the right track, but rights may not have replicated out..? I need to brush up more on Windows Server.
0
 
Beta99 Commented:
Bringing this back from the dead...
I've tried the above options and still can't get a non-local-admin user to shadow sessions on the terminal server.
Does anyone have any input on this?

Thanks
0
 
Jeffrey Kane - TechSoEasy, Principal Consultant, Commented:
This question was asked a number of years ago... since then there have been many changes and new options available for desktop sharing technology.

What exactly are you wanting users to share/shadow?

Jeff
TechSoEasy
0
Question has a verified solution.
