cmd commands:
query session - list of sessions
mstsc.exe /shadow:sessionID /control /noConsentPrompt

http://winitpro.ru/index.php/2014/02/12/rds-shadow-v-windows-2012-r2/

In addition, the RD Shadow mode and the RDP client gained a number of interesting new features. The full list of mstsc.exe RDP client options that control a remote connection to an end user's session:

Mstsc.exe /shadow:ID [/v:servername] [/control] [/noConsentPrompt]

/shadow:ID – connect to the terminal session with the specified ID

/v:servername – terminal server name (if not specified, the current server is used)

/control – interact with the user session (if not specified, the session is opened in view-only mode)

/noConsentPrompt – do not ask the user for confirmation before connecting to the session

Limitations of RDS shadow sessions in Windows 2012 R2

  • Only the server administrator can connect to other users' sessions. These rights cannot be delegated to a regular user.

  • RDS Shadow does not work on workgroup-based networks.

Remote Desktop Shadow - working in GUI

You can connect to a user session using the mstsc.exe utility or directly from the Server Manager console. To do this, open the QuickSessionCollection in the Server Manager console.

Right-click the session of the user you are interested in and select Shadow from the context menu.

The Shadow Connection Settings window will appear. You can choose to view (View) or control (Control) the session. In addition, you can enable the Prompt for user consent option (ask the user for consent before connecting).

If the “Prompt for user consent” option is selected, the user will see the following request in their session:

Winitpro\administrator is requesting to view your session remotely. Do you accept the request?

If the user accepts, the administrator will see the user's desktop and will be able to interact with it.

Advice. To disconnect from the user session and exit shadow mode, press ALT+* at a workstation or Ctrl+* on the terminal server (unless alternative combinations are specified).

If the user rejects the connection, a window will appear:

Shadow Error:

If you try to connect to a user session without asking for confirmation, an error will appear indicating that this behavior is configured by group policy:

Shadow Error: The Group Policy setting is configured to require the user’s consent. Verify the configuration of the policy settings.

Parameters for remote control of user terminal sessions are configured by the policy Set rules for remote control of Remote Desktop Services user sessions, which is located under Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections in both the User and Computer sections of the GPO.

This policy can configure the following RD Shadow connection options:

  • No remote control allowed - remote control is prohibited

  • Full Control with user's permission - full control with the user's permission

  • Full Control without user's permission - full control without the user's permission

  • View Session with user's permission - session viewing with confirmation

  • View Session without user's permission - session viewing without confirmation

If you run a workstation-centric infrastructure, you know how difficult it can be to remotely diagnose and resolve problems for your users. You probably use tools such as Microsoft Systems Management Server (SMS) and Windows XP Remote Support to take over a user's PC, and you know how to connect to a remote registry over the network to change users' settings.

Terminal Services makes these tasks easier. Instead of hunting for some workstation at a remote site on your network, you and your users are both logged on to the same computer. And since you are both using RDP to transfer keyboard, video and mouse (KVM) data, you can easily step in. To show the different support techniques, let's first introduce the support utilities.

Terminal Services Manager

When you run the Terminal Services Manager utility, it displays a list of all servers on which Terminal Services is installed. With this utility you can easily see which servers users are connected to, from which client devices, and what processes and applications are running in their sessions.

If you are familiar with the Win2K Terminal Services Manager, you will notice several improvements in the version included with WS2K3. First, the new version contains a This computer node that gives quick access to the sessions on the server you are logged on to. Second, there is a Favorite Servers node for the terminal servers you administer most often. Finally, the All Listed Servers node is not expanded initially, so you don't have to wait for all terminal servers to be enumerated before using the utility.

If you select a server, the utility will show a list of all user sessions on that server. The status of each session is also shown:

  • Active - The user is currently sending keyboard or mouse input to the server
  • Idle - The user has not moved the mouse or pressed any keys for a certain period of time
  • Disconnected - The user has disconnected from the server but left the session running to reconnect to later.

If you select a user session in the left pane, the right pane displays a list of all processes started by that user on the server. In this pane you can terminate a hung process.

The Information tab in the right pane reports the client's device name and IP address, as well as the RDP client version, screen resolution and encryption level. This information will help you troubleshoot problems. If you right-click a user session, a context menu appears:

  • Connect - Connects you to another session that you have established on the server
  • Disconnect - Disconnects the user from the session but leaves the session running on the server
  • Remote Control - Lets you view or interact with a user's session without disconnecting the user. The user sees any actions you perform, and you, in turn, can watch the user's actions.
  • Reset - Kills the session
  • Status - Displays a status window showing network activity between the server and the client.
  • Log Off - Forcibly ends the session

The Log Off option ends the session gracefully and uploads the user's profile to the central profile directory. However, it does not give the user a chance to save their work.

Remote control

When you select the Remote Control option, you are temporarily disconnected from your own session and connected to the user's session. RDP now sends all video output to both your machine and the user's client device, and receives keystrokes and mouse movements from both of you (if you have set up interactive remote control).

During remote control, the user can watch you launch applications, change settings and so on, and you can watch the user's actions. It is important to remember that any restrictions you apply to the user through group policies also apply during remote control, so if you have disabled registry editing for that user, you will not be able to run REGEDIT during remote control.

Editing the Registry

Sometimes it is necessary to edit the user's registry. With workstations, you had to connect to the remote registry of the user's computer. On a terminal server, you share the same registry with your users: there is only one HKEY_LOCAL_MACHINE key for all users, and the HKEY_CURRENT_USER key of each session can be found under HKEY_USERS.

Each user's registry hive is named after the user's SID. The quickest way to find the right user when you don't know the SID is to look at the Volatile Environment subkey of each hive; it contains the APPDATA variable, whose path includes the username. Any changes you make become visible to the user immediately.
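As an added example (not from the original article), here is a PowerShell script that performs the lookup just described: it enumerates the loaded hives under HKEY_USERS and reads USERNAME and APPDATA from each hive's Volatile Environment subkey. It assumes an elevated PowerShell session on the terminal server; the account name 'jsmith' and the Control Panel\Desktop values read at the end are placeholders.

```powershell
# Added example (not from the original article): map each loaded user hive under
# HKEY_USERS to the logged-on user by reading its "Volatile Environment" subkey.
# Assumes an elevated PowerShell session on the terminal server.

# HKU is not a built-in PSDrive; create it for this session if it is missing.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS | Out-Null
}

function Get-LoadedUserHive {
    <#
      Returns one object per loaded hive whose name looks like an account SID
      (S-1-5-21-...). The *_Classes hives and built-in SIDs are skipped.
      USERNAME/USERDOMAIN/APPDATA are read from "Volatile Environment", which
      exists only while that user has a session on this machine.
    #>
    Get-ChildItem -Path 'HKU:\' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $vol = Get-ItemProperty -Path "HKU:\$sid\Volatile Environment" -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Sid        = $sid
                UserDomain = if ($vol) { $vol.USERDOMAIN } else { $null }
                UserName   = if ($vol) { $vol.USERNAME } else { $null }
                AppData    = if ($vol) { $vol.APPDATA } else { $null }   # path contains the user name, as the text notes
                HivePath   = "HKU:\$sid"
            }
        }
}

function Get-UserHivePath {
    # Resolve a user name to its HKU:\<SID> path; returns $null if that user has no loaded hive.
    param([Parameter(Mandatory)][string]$UserName)
    $hive = Get-LoadedUserHive | Where-Object { $_.UserName -eq $UserName } | Select-Object -First 1
    if ($hive) { $hive.HivePath } else { $null }
}

# Usage: list all loaded hives, then read one user's per-session settings.
# Reading is shown here; any write to $path goes straight into that user's live HKCU.
Get-LoadedUserHive | Format-Table Sid, UserDomain, UserName, AppData -AutoSize
$path = Get-UserHivePath -UserName 'jsmith'          # 'jsmith' is a placeholder account name
if ($path) {
    Get-ItemProperty -Path "$path\Control Panel\Desktop" | Select-Object Wallpaper, ScreenSaveActive
}
```

Hives of users whose sessions are disconnected stay loaded, so the list can be longer than the number of active sessions; the Volatile Environment key disappears only when the session is logged off.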

The need to forcibly terminate user sessions mainly arises in the following cases:

  • Updating the information base;
  • Adding a new metadata object to the configuration;
  • Carrying out preventive and repair work on the server;
  • A hung user session is preventing the application from restarting.

In this article we will try to tell you how to end a user session, what tools an administrator has in his or her arsenal to complete this task, which termination options are provided by the file version and which by the client-server version of 1C.

It is important to remember that forcefully terminating a session may result in data loss. So, to avoid unpleasant situations, it is advisable to warn users in advance about the disconnection.

Closing sessions from the configurator

When changes are made to the database structure, dynamic configuration updates are no longer available, and an information window appears on the screen (Fig. 1).

The sequence of actions in this case is obvious:

  1. You must click the “End sessions and repeat” button;
  2. Wait for the database restructuring window;
  3. Click "OK".

It should be noted that changes to the program code do not require users to log off, but they will not take effect on a given computer until the application is restarted there.

Ending sessions directly from the program

Most standard 1C version 8 products have a mechanism that allows you to easily terminate users' work remotely and give the administrator exclusive access to the database. This is the “Blocking connections to the information base” processing.

You can find it in one of two places:

  1. In one of the submenus of the “Service” section;
  2. In the Operations -> Processing section.

The processing window is shown in Fig. 2.

Features of this processing:

  1. Checking or unchecking the box and clicking the Record button turns user blocking on and off, ending sessions and preventing new connections from being created;
  2. The blocking end time cannot be empty or earlier than its start time;
  3. If the “Permission code” parameter is specified, it can be passed on the startup command line to bypass the blocking, by specifying “/UC” before the code;
  4. If you do not specify the “Permission code”, it will be difficult to get into the database before the blocking period expires (in the file version, you can try deleting the 1CVcdn file from the database folder);
  5. If instead of “/UC”, a space and the code you specify “/CAllow Users to Work” (where C is Latin), blocking is completely disabled for all users;
  6. The “Active users” button opens a window with a complete list of users (Fig. 3), from which you can open the “Registration Log” or end the session of any specific user.

Fig.3

The two options above work fine in both file and client-server mode. Further we will consider cases typical only for server work.

Removing users from rdp

It is important to remember that disconnecting user sessions from servers is only possible if you have certain rights to do this.

When working from a remote desktop, you can end user sessions using the standard Task Manager. Simply killing sessions this way is not quite proper, but it is quite effective.

The second option is to use the task manager's remote connection, which lets you manage each specific session and exit the program by the rules. This method takes a long time, and nobody guarantees that while one user is logging out, the program will not be launched by another employee.

Removing users via the server console

Having Administrator rights for a 1C server cluster, you must:


Very often, when working in server mode, hung user sessions are not visible through the platform tools; they can only be deleted through the console.

The most radical way to interrupt sessions

A situation where the above methods do not work is extremely rare. But if it occurs, there is another radical way to interrupt connections to the database: physically reboot the server.

Of course, users who did not have time to finish their work and save the data will be extremely outraged by such a shameless attitude, but it is fast and it is extremely effective.

In Windows Server 2012 R2 and Windows 8.1, Microsoft brought back the Remote Desktop Shadowing (shadow connection) functionality. As a reminder, the Shadow mode (shadow session) lets an administrator view and control an existing RDP session of any user. This operating mode has been supported almost since the first versions of Microsoft's terminal server and was unexpectedly removed in Windows Server 2012 (because the RDP stack was moved from kernel mode to user mode). RDS Shadow functionality also works in the following OS versions: Windows Server 2016 / Windows 10.

In addition, the RDS Shadow connection mode and the RDP client gained a number of interesting new features. The complete list of mstsc.exe RDP client parameters that control a remote shadow connection to an end user's session:

Mstsc.exe /shadow:ID [/v:servername] [/control] [/noConsentPrompt] [/prompt]

/shadow:ID – connect to the RDP session with the specified ID.

/v:servername – name of the RDP/RDS terminal server (if not specified, the current server is used).

/control – interact with the user session (if not specified, the session is opened in view-only mode).

/noConsentPrompt – do not ask the user for confirmation before connecting to the session.

/prompt – connect under different credentials. You are prompted for a username and password to connect to the remote computer.

Limitations of RDS shadow sessions in Windows 2012 R2

  • Only the server administrator can connect to other users' sessions. These rights cannot be delegated to a regular user.
  • RDS Shadow does not work on workgroup-based networks.

Using Remote Desktop Shadow from the GUI

You can connect to a user session using the mstsc.exe utility or directly from the Server Manager console. To do this, open the QuickSessionCollection in the Server Manager console.

Right-click the session of the user you are interested in and select Shadow from the context menu.

The Shadow Connection Settings window will appear. You can choose to view (View) or control (Control) the session. In addition, you can enable the Prompt for user consent option (ask the user for consent before connecting to the session).

If the “Prompt for user consent” option is selected, the user will see the following request in their session:

Request for remote monitoring

Winitpro\administrator is requesting to view your session remotely. Do you accept the request?

If the user confirms the connection, in view mode the administrator will see his desktop, but will not be able to interact with it.

Advice. To disconnect from the user session and exit shadow mode, press ALT+* at a workstation or Ctrl+* on the terminal server (unless alternative combinations are specified).

If the user rejects the connection, a window will appear:

Shadow Error:


If you try to connect to a user session without asking for confirmation, an error will appear indicating that this is prohibited by group policy:

Shadow Error: The Group Policy setting is configured to require the user’s consent. Verify the configuration of the policy settings.

Parameters for remote control of user RDS sessions are configured by the policy Set rules for remote control of Remote Desktop Services user sessions, which is located under Policies -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Connections in both the User and Computer sections of the GPO. This policy corresponds to the DWORD registry value Shadow under the key HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services.

This policy can configure the following RD Shadow connection options:

  • No remote control allowed - remote control is not allowed (Shadow registry value = 0);
  • Full Control with user's permission - full control with the user's permission (1);
  • Full Control without user's permission - full control without the user's permission (2);
  • View Session with user's permission – viewing the session with the user's permission (3);
  • View Session without user's permission – viewing the session without the user's permission (4).

RDS Shadow connection from PowerShell

You can also make a shadow connection to a user session using the Remote Desktop Services PowerShell cmdlets.

First of all, we will show how to get a list of sessions on the terminal server (user sessions will be grouped into groups depending on their status):

Get-RDUserSession | ft Username, UnifiedSessionId, SessionState, HostServer, ApplicationType -GroupBy Sessionstate

On this server we found three active terminal sessions. Let's connect to the user session with session ID 3:

Mstsc /shadow:3 /control

You can also get a list of all sessions on the server with the command:

query session

The screen will display a list of RDP sessions with their ID and status: active (Active) or disconnected (Disconnected).

To get a list of sessions on a remote server, run the command:

query session /server:servername

For a more convenient shadow connection to sessions, you can use the following script. The script prompts you for the name of the remote computer, displays a list of all its sessions and asks you to specify the session to connect to:

shadow.bat

@echo off
set /P rcomp="Enter name or IP of a Remote PC: "
rem list the sessions on that server so that the ID can be picked
query session /server:%rcomp%
set /P rid="Enter RDP user ID: "
rem open a shadow connection with control of the chosen session
start mstsc /shadow:%rid% /v:%rcomp% /control

You can put this file in the %Windir%\System32 directory; after that, to start a shadow connection, just run the command shadow.

To connect to a console session you can use the following script:

@echo off
set /P rcomp="Enter name or IP of a Remote PC: "
rem the third column of the "query session console" output is the console session ID
rem (assumes a user is logged on at the console; single quotes make for /f run the command)
for /f "tokens=3 delims= " %%G in ('query session console /server:%rcomp%') do set rid=%%G
start mstsc /shadow:%rid% /v:%rcomp% /control
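The batch scripts above pick the session ID out of the `query session` text by column number. As an added example (not from the original article), the PowerShell below parses that output into objects, so a session can be selected by name, user or state instead of by eye, and it reproduces the console-session lookup of the second script. The sample output is constructed for this example, and the column layout assumed is that of the English `query session` command; `rds01` is a placeholder server name.

```powershell
# Added example (not from the original article): parse the text output of
# "query session" into objects. The sample below is constructed for this example.

$SampleQuerySessionOutput = @'
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 services                                    0  Disc
>console           administrator             1  Active
 rdp-tcp#0         jsmith                    2  Active  rdpwd
                   mjones                    3  Disc
 rdp-tcp                                 65536  Listen
'@ -split "`r?`n"

function ConvertFrom-QuerySession {
    param([Parameter(Mandatory)][string[]]$Lines)

    # The header tells us where the USERNAME column starts: a token that begins left
    # of it is a session name, one that begins at or right of it is a user name.
    # (Both columns can be blank, so whitespace splitting alone is ambiguous.)
    $header = $Lines | Where-Object { $_ -match 'SESSIONNAME' } | Select-Object -First 1
    if (-not $header) { throw 'No "query session" header line found.' }
    $userCol = $header.IndexOf('USERNAME')

    foreach ($line in $Lines) {
        if ($line -eq $header -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $isCurrent = $line.TrimStart().StartsWith('>')      # ">" marks the caller's own session
        $body = $line -replace '^(\s*)>', '$1 '              # blank the marker, keep the columns
        $firstNonBlank = $body.Length - $body.TrimStart().Length
        $tokens = @($body.Trim() -split '\s+')
        if ($tokens.Count -lt 2) { continue }                 # need at least an ID and a state

        $name = ''; $user = ''
        if ($firstNonBlank -lt $userCol) {
            $name = $tokens[0]; $tokens = @($tokens[1..($tokens.Count - 1)])
        }
        if ($tokens[0] -notmatch '^\d+$') {
            $user = $tokens[0]; $tokens = @($tokens[1..($tokens.Count - 1)])
        }

        [pscustomobject]@{
            SessionName = $name
            UserName    = $user
            Id          = [int]$tokens[0]
            State       = $tokens[1]
            Type        = if ($tokens.Count -gt 2) { $tokens[2] } else { '' }
            Current     = $isCurrent
        }
    }
}

function Get-ConsoleSessionId {
    # Same job as the batch script's "for /f" loop: the ID of the console session, or $null.
    param([Parameter(Mandatory)][string[]]$Lines)
    $s = ConvertFrom-QuerySession -Lines $Lines |
         Where-Object { $_.SessionName -eq 'console' } | Select-Object -First 1
    if ($s) { $s.Id } else { $null }
}

# Usage with the constructed sample: lists all sessions, then resolves the console session (ID 1 here).
ConvertFrom-QuerySession -Lines $SampleQuerySessionOutput | Format-Table -AutoSize
$consoleId = Get-ConsoleSessionId -Lines $SampleQuerySessionOutput

# Against a live server (same pattern as the batch scripts; 'rds01' is a placeholder):
# $rcomp = 'rds01'
# $live  = ConvertFrom-QuerySession -Lines (query session /server:$rcomp)
# $live | Where-Object State -eq 'Active' | Format-Table SessionName, UserName, Id
# mstsc /shadow:$(Get-ConsoleSessionId -Lines (query session /server:$rcomp)) /v:$rcomp /control
```

On a server with a localized Windows the header words differ, so the header match and the `USERNAME` offset need to be adapted; the listener line (`rdp-tcp`, ID 65536, state Listen) is parsed like any other and should be filtered out before offering sessions to shadow.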

How to allow standard users to use a shadow connection

In the examples above, a shadow connection to terminal sessions requires local administrator rights on the RDS server. However, you can also allow ordinary users (without giving them local administrator rights on the server) to make shadow connections to user sessions.

For example, to allow members of the AllowRDSShadow group to make shadow connections to user sessions, run the command:

wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "corp\AllowRDSShadow",2
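The AddAccount call above grants rights on the RDP-Tcp listener, and such grants are easy to forget. As an added example (not from the original article), this PowerShell lists every account that has been granted rights on the listener and flags those able to shadow, so delegations can be reviewed and removed when no longer needed. It assumes the Win32_TSAccount class of the same root/CIMV2/TerminalServices WMI provider (with AccountName, SID and PermissionsAllowed properties) and that the shadow right is the WINSTATION_SHADOW bit 0x10 from winsta.h; both are from my recollection rather than from the page, so check them against your own server.

```powershell
# Added example (not from the original article): audit who holds rights on the RDP-Tcp listener.
# Assumptions (not stated on the page): the Win32_TSAccount class and its AccountName / SID /
# PermissionsAllowed properties, and WINSTATION_SHADOW = 0x10 as the shadow access bit.

$TsNamespace      = 'root/CIMV2/TerminalServices'
$WinstationShadow = 0x10   # assumption: the shadow / remote-control access right bit

function Test-ShadowGrant {
    # Pure helper: does an allowed-permissions mask include the shadow right?
    param([Parameter(Mandatory)][uint32]$PermissionsAllowed)
    ($PermissionsAllowed -band $WinstationShadow) -ne 0
}

function Get-RdpListenerAccount {
    # One object per principal with an entry on the listener's permission list.
    param([string]$TerminalName = 'RDP-Tcp')
    Get-CimInstance -Namespace $TsNamespace -ClassName Win32_TSAccount `
                    -Filter "TerminalName='$TerminalName'" |
        ForEach-Object {
            [pscustomobject]@{
                Account   = $_.AccountName
                Sid       = $_.SID
                Allowed   = ('0x{0:X}' -f $_.PermissionsAllowed)
                CanShadow = Test-ShadowGrant -PermissionsAllowed $_.PermissionsAllowed
            }
        }
}

# Usage: show every principal on the listener and highlight the ones able to shadow.
# Anything beyond the built-in administrators, SYSTEM and an expected delegation group
# (such as corp\AllowRDSShadow from the text) deserves a second look.
Get-RdpListenerAccount | Format-Table -AutoSize
Get-RdpListenerAccount | Where-Object CanShadow | Select-Object Account, Sid
```

Run this after granting or revoking a delegation and keep the output with your change record; the same listing also shows whether a wmic grant from the text has actually applied.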

In January 2018, after installing update KB4056898, users found that shadow access stopped working in Windows Server 2012 R2. When you try to make a shadow connection to someone else's session, the message “Unidentified error” appears (the error STATUS_BAD_IMPERSONATION_LEVEL is present in the logs). A similar problem occurred on an RDS farm based on Windows Server 2016.

To solve the problem you need to install separate updates:

  • for Windows Server 2016 - KB4057142 (from January 17, 2018)
  • for Windows Server 2012 R2 - KB4057401 (from January 17, 2018)

Sometimes a system administrator needs to manage one of the user computers remotely, interacting with the user, on rather weak hardware. In this case, software such as TeamViewer is inappropriate because of its appetite for processor resources, which can drive CPU load up to 98%. Using standard RDP usually “kicks out” the current user, who then has to enter a password to log in locally again. In this case, the shadow command is an excellent solution, and that is what we will talk about here.

To monitor other Remote Desktop Services sessions, the shadow command takes the following parameters:

SHADOW {<session name> | <session ID>} [/SERVER:<server>] [/V]

<session name> Session name.

<session ID> Session ID.

/SERVER:<server> Terminal server (the current server by default).

/V Display information about the actions performed.

So, for example, to control the console session, that is, the current user sitting directly at the machine, from within the terminal server you need to run shadow 0. On ordinary computers Alt+* is used to exit, and Ctrl+* on the terminal server.

There are some unpleasant nuances here. One of them is that this command only works from within an RDP session.

In the case of machines running Windows XP, you may need to extend its capabilities by turning it into a terminal server. At the same time, the task becomes much simpler: you can connect via RDP from any user account with administrator rights and run shadow 0. This puts us into the console session, which is what we needed. To reduce the hardware load, when creating the RDP connection, select the option to launch a program on connection and enter shadow 0 there. In this case, only two processes are started.

For this scheme to work, you need to enable Remote RPC, which can be done through the registry:

"AllowRemoteRPC"=dword:00000001

Next, using the “Remote Desktop Services Manager”, you can see which users are logged on to the computer, what processes are running on the local machine, and what ID each user has.

By default, the user is asked for permission before control is taken. This can be disabled, or you can switch to remote viewing instead. To do this, go to the registry again:

"Shadow"=dword:0000000x

In this case, “x” can take the following values:

1 – possibility of full control with the client’s permission;

2 – absolute control without a request for permission from the client;

3 – observe the session (with permission);

4 – observe the session (without the client’s permission)

Initially, this line is not in the registry, and it must be created from scratch.
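As an added example (not from the original article) that covers both the GPO-backed Shadow value described earlier for Windows Server 2012 R2 and the Shadow / AllowRemoteRPC values described here, the PowerShell below audits and sets those registry values. The policy key path and the meaning of values 0..4 come from the text; the location of AllowRemoteRPC under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server is my assumption, as the page does not name it. Run it elevated on the machine being configured.

```powershell
# Added example (not from the original article): audit and set the Shadow policy value
# (path and meanings from the text) and AllowRemoteRPC (its location is an assumption).

$ShadowPolicyKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
$TerminalServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'   # assumption

$ShadowModes = @{
    0 = 'No remote control allowed'
    1 = "Full Control with user's permission"
    2 = "Full Control without user's permission"
    3 = "View Session with user's permission"
    4 = "View Session without user's permission"
}

function ConvertTo-ShadowModeName {
    # Pure mapping of the DWORD to the policy option, usable without touching the registry.
    param([Parameter(Mandatory)][int]$Value)
    if ($ShadowModes.ContainsKey($Value)) { $ShadowModes[$Value] } else { "Unknown ($Value)" }
}

function Get-ShadowPolicy {
    # Reports the current Shadow value; a missing value means the policy is "Not configured".
    $item = Get-ItemProperty -Path $ShadowPolicyKey   -Name Shadow         -ErrorAction SilentlyContinue
    $rpc  = Get-ItemProperty -Path $TerminalServerKey -Name AllowRemoteRPC -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ShadowValue     = if ($item) { $item.Shadow } else { $null }
        ShadowMode      = if ($item) { ConvertTo-ShadowModeName -Value $item.Shadow } else { 'Not configured' }
        ConsentRequired = if ($item) { ($item.Shadow -in @(1, 3)) } else { $null }
        AllowRemoteRPC  = if ($rpc)  { [bool]$rpc.AllowRemoteRPC } else { $false }
    }
}

function Set-ShadowPolicy {
    # Writes the Shadow DWORD, creating the key and the value if they do not exist yet
    # (the text notes the value is absent until you create it).
    param([Parameter(Mandatory)][ValidateRange(0, 4)][int]$Value)
    if (-not (Test-Path $ShadowPolicyKey)) { New-Item -Path $ShadowPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $ShadowPolicyKey -Name Shadow -PropertyType DWord -Value $Value -Force | Out-Null
    Get-ShadowPolicy
}

# Usage: audit first; if shadowing is needed at all, prefer a consent-requiring mode (1 or 3)
# so that the user sees the request described in the text.
Get-ShadowPolicy | Format-List
# Set-ShadowPolicy -Value 1
```

A value written under the Policies key by hand is overwritten at the next Group Policy refresh if a domain GPO covers the setting, so on a domain member change the GPO instead and use Get-ShadowPolicy only to confirm what the server actually applied.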

The policies can be applied through domain or local Group Policy. For a local policy, run gpedit.msc, select Administrative Templates, go to “Add/Remove Templates” and add System.adm from the WINDOWS\inf folder. After this, you can configure the local machine by going to Administrative Templates -> “Windows Components” -> “Terminal Services” and setting the rules for remote control of user sessions. (Windows XP)

For Windows 7: “Administrative Templates” -> “Remote Desktop Services Components” -> “Remote Desktop Session Host” -> “Connections” -> Set rules for remote control of Remote Desktop Services user sessions.

Within the terminal server, through the RDP listener properties, we can set remote control rights for any user, configuring the management of remote sessions and interaction with them separately.