How to connect in WIndows Server 2012/2016 shadow copy mode if Active Directory is on

Shadow mode

Shadow mode (session) can be used by the administrator to view and manage the active terminal session of any user.

It is possible to connect to a user session using  mstsc.exe utility or directly from the Server Manager. console.

For this purpose, the collection of sessions that are available after the installation of the remote desktops service need to be used.

To install the remote desktops service, it is necessary to ensure that your VPS running Windows Server 2012/2016 is entered in the domain.

For the purposes of this manual, the server is already in the domain EXAMPLE.COM

Installing RDP services

In the "Server Manager" select "Manage" and "Add roles and components":

Shadow Copy Mode in Active Directory--Add Roles

In the first step of "Add  roles and components" wizard and press "Next":

Shadow Copy Mode in Active Directory--Add Roles Wizard

In the second step, select "Remote Desktop Services installation":

Shadow Copy Mode in Active Directory--Inst Type

In the next step, you will be prompted to select the type of deployment. Select "Standard deployment" and press "Next":

Shadow Copy Mode in Active Directory--Deployment Type

Select the scenario "Session-based desktop deployment" and “Next”:

Shadow Copy Mode in Active Directory--Deployment Scenario

Press "Next":

Shadow Copy Mode in Active Directory--Role Services

Now it is required to select the server "RD Connection Broker", select the required server in "Server Pool" and press "Next".

Shadow Copy Mode in Active Directory--RD Connection Broker

On this stage, select the required server from the list  "Server Pool" and press "Next":

Shadow Copy Mode in Active Directory--RD Web Access

Specify server for "Remote desktop session host" by selecting a server from the list “Server pool” and press “Next”:

Shadow Copy Mode in Active Directory--RD Session Host

Check the box  "Restart the destination server automatically if required” and press "Deploy":

Shadow Copy Mode in Active Directory--Confirmation

Wait for the selected roles to be installed, following which the computer will restart. After the reboot, the "Add Roles and Features Wizard" will automatically start to configure the installed services. Wait until the settings are complete and click "Close":

Shadow Copy Mode in Active Directory--Completion

This is where the installation of "Remote desktops service" is complete.

Collection of sessions

Now let's create a collection of sessions.

In the section “General Information”, select “Create a collection of sessions":

Shadow Copy Mode in Active Directory--RDS Create Session

At the first step of the wizard, press "Next":

Specify the name of the collection and press "Next":

Shadow Copy Mode in AD--Create Collection--Collection Name

Specify server for “Remote desktop session host” from the list “Server pool” for adding to the collection and press "Next":

Shadow Copy Mode in AD--Create Collection--RDS Host

Here a user or group of users who need access to this collection of sessions can be added. In this example, all users of the domain have access to this collection of sessions. Then press "Next":

Shadow Copy Mode in AD--Create Collection--User Groups

If there are no user profile disks, uncheck “Enable user profile disk” and press “Next”:

Shadow Copy Mode in AD--Create Collection--User Profile Disks

At this step, press "Create":

Shadow Copy Mode in AD--Create Collection--Confirmation

Following successful creation, press "Close":

Shadow Copy Mode in AD--Create Collection--Finish

Now that all the necessary components are installed, it is possible to connect to the shadow session of any active user.

Connection to a session

In the "Server manager", go to the created collection ---> "Remote desktops service" ---> "Collections" and select your collection.

For the purposes of this manual, it is called "My collection":

Shadow Copy Mode in Active Directory--set shadow-1 step

In the "Connections" list, select a user you want to monitor or control, right-click on it and select "Shadow":

Shadow Copy Mode in Active Directory--set shadow-2 step

In the window that pops up select the function you need, i.e. "View" or "Manage":

Shadow Copy Mode in Active Directory--set shadow-3 step

You will see the following message:

SHADOW-connecting

At this point, a remote monitoring request box will pop up on vasya's display:

Shadow Copy Mode in Active Directory--shadow connection request

We get access once User accepts the request.

To connect without the request, it is necessary to change the remote control settings of a specific user, i.e. vasya in this example.

Click: "Server manager" ---> "Tools" ---> "Active Directory Users  and  Computers" :

Shadow Copy Mode in AD--Usesr propetries

Double-click on the user name and select the "Remote control" tab: In the "Require User's permission" parameter, uncheck the box and select the desired user session control level.

Press "Apply" --→ "Ок":

Shadow Copy Mode in AD--Usesr propetries permission

Now you can connect to, manage or monitor the the user's session without their knowledge.