RDSH 2012 R2: Shadow Users without Connection Broker admin rights

It seems as though the only way to use the PowerShell Get-RDUserSession cmdlet against the Connection Broker is if the user running the command is a member of the  Administrators group on the Connection Broker server. This might be undesirable…!

This is a workaround that allows you to get a list of active sessions from your Remote Desktop deployment without granting users admin rights on the Connection Broker(s).

Note that you still have to give them administrator rights on the RDSH servers to allow the Remote Desktop Client shadowing process to work (which might also be undesirable!). EDIT: Or perhaps not… Not tried this myself though.

I’m running my Connection Broker in high availability mode, which means I have a shared SQL database, and it is this SQL database that is what I’m using at the root of my workaround.

We’re going to create a SQL View to pull together the session and host information from the database, then use this to launch a basic GUI to fire off the RDP client in shadowing mode. You need to have created a group, probably in active directory, to add the shadowing users to – this is used to grant limited permissions to the Connection Broker SQL database. A potential benefit of this is that you don’t need to have the Windows Remote Server Admin Tools installed on your helpdesk PCs (which you would need in order to use Get-RDUserSession).

Modify and then run the following SQL against your connection broker SQL server (maybe backup your connection broker database first in case you mess up!):

USE [master]
USE [CBR2012]
CREATE USER [RCMTECH\Shadow Users 2012] FOR LOGIN [RCMTECH\Shadow Users 2012]
CREATE VIEW [dbo].[Shadowing]
SELECT Session.UserName, Pool.DisplayName AS PoolName, Target.Name AS ServerName, Session.SessionId
FROM rds.Session AS Session
INNER JOIN rds.Target AS Target ON Target.Id = Session.TargetId
INNER JOIN rds.Pool AS Pool ON Target.PoolId = Pool.Id
WHERE (Session.State = 0)
GRANT SELECT ON [dbo].[Shadowing] TO [RCMTECH\Shadow Users 2012]

and now here’s the PowerShell that the shadowing users run to pull that data and present it via the Out-GridView GUI:

$CBSQLServer = "SQL05.rcmtech.co.uk"
$CBDB = "CBR2012"
# Open connection to Connection Broker DB
$CBDBConnection = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList "Server=$CBSQLServer;Database=$CBDB;Integrated Security=SSPI"
# Get Shadowing View
$SQLCommand = $CBDBConnection.CreateCommand()
$SQLCommand.CommandText = ("SELECT * FROM Shadowing")
$SQLReader = $SQLCommand.ExecuteReader()
$ShadowingView = New-Object System.Data.DataTable
$Session = $ShadowingView | Out-GridView -Title "Remote Desktop Shadowing - Active Sessions" -OutputMode Single
if($Session -eq $null){
    # No session selected, user probably clicked Cancel
mstsc /v:($Session.ServerName) /shadow:($Session.SessionId) /control | Out-Null

Just pick a session and click OK to launch mstsc with the correct command line switches – /v:<servername> /shadow:<sessionid> /control

This entry was posted in Remote Desktop, Windows and tagged , , , , , , , , , , , , , . Bookmark the permalink.

2 Responses to RDSH 2012 R2: Shadow Users without Connection Broker admin rights

  1. Pingback: RDS 2012 R2 Shadowing #rdproud | System Center Solutions

  2. In Win08R2 you could just set the RDP rights to shadow on the protocol. In Win12R2 this seems possible only through CLI. I expect it to work the same in Win12R2, because much in win12R2 is the same. So you could try this: http://www.360ict.nl/blog/ever-wondered-how-to-set-security-on-the-rdp-protocol-through-script/

    I haven’t tried this (yet) myself.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.