Thursday, July 28, 2005

Shadowing the Console Session on SBS

For those of you who've been using Windows Small Business Server 2003 (or even Windows Server 2003) you know you have 3 Terminal Service sessions. One is the console, and two are available remotely.

You probably also know by this time if there are two people connected to remote sessions on the server, one session can Shadow the other. This means that you have two users sharing the keyboard & mouse input. Seems odd, but hey, it's great for showing people how to do something, so they don't have to keep asking you.

To do this, you simply right click the session you want to use and select Remote Control. Then use CTRL+* to release the control to drop back to your own session.

I thought it worked great, until Jimbo, an Enterprise Admin type guy (I know, we don't normally like to consult with these types of scary people, but he's nice, I promise!). Jim's problem was that the lab guys (4 floors up from his office) sometimes need help. Jim wanted to leverage the Windows Server 2003 investment his firm had made so he didn't have to walk up 4 flights of stairs, but this remote control functionality didn't cover the console (which was where his techs were using the computer from).

Of course, Windows Server 2003 is super cool (and hence so is SBS), Jim had to make a simple Group Policy change on his server with the following:

  1. On the computer you want to shadow the console, click Start, Run and type in GPEdit.msc and hit Enter

  2. Expand Computer Configuration, Administrative Templates, Windows Components and select Terminal Services.

  3. In the right-hand pane double-click Sets rules for remote control of Terminal Services user sessions and on the Settings tab, select Enabled. Change the options to Full Control with users' permission and click OK

  4. To have changes take effect immediately, make sure you run gpupdate /force from the command window on that server

Now this particular server is ready to have it's console shadowed. Alternatively, Jim could create a Group Policy Object that filters on OS type so all the servers in his domain (I think he said 40?) have this functionality.

Connecting to the Session
Now, because Jim is in an Enterprise, depending on the firewall policies on all his Servers (if RPC ports are open or not), he has two options:

  1. The first is what us SBS'rs will do, because we are absolutely not going to open the RPC port on the external network card or poke the RPC hole in our network firewalls. Simply TS into the server using the mstsc client, or Remote Web Workplace, and in the command prompt type Shadow 0 (where 0 is a zero). This will prompt the user (since that's what you said in the policy) and when they click yes, you have a joint TS session.

  2. Depending on Jim's firewall configuration for his servers, from his XP client, he can also type shadow 0 /server:{servername or ip}. Better yet, he could make icons using shortcuts on his desktop so he can just double click on it

That's all there is to it. Oh, and don't forget that CTRL+* is your way out of the shadow session.

More information on the topics are available on the Microsoft website: