Shadowing in a Domain Environment..

Shenan Stanley

Looking over the following articles:

http://ask.slashdot.org/comments.pl?sid=126314&cid=10574052
and
http://snipurl.com/b7v0

The implications are that in a Domain environment, with the correct registry
settings on the domain computers:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Value Name: AllowRemoteRPC
Value Type: DWORD Value
Value Data: 1

One could initiate a shadow session with a domain member without permission
from the logged on user. This is accomplished (correct me if I am wrong) by
the following steps:

1. From a Windows XP/2003 computer in the domain, use remote desktop to
connect to any other Windows XP/2003 computer in the domain.

2. From the remote desktop, issue this command:
shadow 0 /server:COMPUTERNAME
(Where COMPUTERNAME is the NetBIOS name, IP or FQDN of the computer you
wish to connect to and help the user who is locally logged onto it.)

3. Shortly, you should have a shadow'd session with the third computer.

My understanding was that if the above was followed, it should work as
advertised.

I would like to ask if there are other caveats I left out or if there are
steps I took to the extreme?

For example:

- Is it necessary for the first computer you are remoting WITH to be in the
domain?
- If the user on the third (to be shadowed) computer is an administrator,
will they be asked for permission?
- Does "Offer Remote Assistance" also need to be enabled on the domain to
accomplish the shadow or does that have no bearing on the outcome?

My experience so far has been (admittedly, I just finally tried it today)
that even though I can offer remote assistance on my domain and it asks the
end-user for their permission - when I try the shadowing trick, it is still
asking the end-user for their permission.

Not that I see anything WRONG with the above scenario - in most cases,
asking permission is the way it likely should happen, for legal reasons.
However, I would like comments from people using the shadowing now without
it asking permission.
 
Bill Sanderson

Hmm - I'm going to have to test, and haven't yet. Thanks for putting both
those links together.

I see some issues with the information presented. I believe the whole
shadowing discussion is in relation to Remote Desktop, and not Remote
Assistance--I expect Remote Assistance to ALWAYS require an assent from the
user at the workstation you are assisting--Offer Remote Assistance just
removes the need for the invitation token, not the assent.

Whether a second RD session is possible in XP SP2 is controversial--my
understanding is that such a session is used by Media Center Extender
devices, but that it is carefully restricted in some way so that it isn't
useful unless you are such a device. I've never met one of these critters,
so I don't know more.

I'm interested in this, but can't guess when I'll get to actually trying it
out--I've got meetings tonight and a child home sick.
 
Shenan Stanley

Hey.. I appreciate the response. Whenever you get to it, that would be
great.. I may be able to do further testing tomorrow myself. I will post
whatever happens.

I believe you are correct about Remote Assistance and Remote Desktop being
separate issues, it was just the same "acknowledgement request" on the
client that made me connect them together this time.

Maybe someone else who has already tried this (or better yet - has it
working?) might respond to both of us. =)
 
Shenan Stanley

I didn't get to test much, but I can say that the "acknowledgement request"
received on the client when shadowing is DEFINITELY not the same as one
received when offering Remote Assistance.

What I cannot understand is the inability to shadow without asking the user.
I tried it with the third party being an admin and without. Both times it
asked.

Could it be that one of the computers in the line is Windows Server 2003 and
not Windows XP? The server *is* a member server. I have not tried using a
DC as the first remote computer then shadowing from there to the third PC
yet - but that sounds like it would be stretching reason.

I also cannot actually see it making a difference whether the first remote
session is made to a Windows 2003 or Windows XP machine. As long as it is
XP or later and all machines involved are in the domain..

I was hoping either Christian Camacho or Jeffrey Randow would jump in here
and perhaps tell me the missing component, as it is their 11/15/2004 -
12/6/2004 thread titled "Shadwo no longer work with WixXP SP2" (Typos and
all, heh) that really got me to a breaking point on trying this out - and
the two links I referred to. I am GUESSING they have it working in a domain
environment as we discuss this. =)
 
Jeffrey Randow (MVP)

Did you set the appropriate user permission in the active directory
account? You must enable remote access there in order to connect
without user approval...
---
Jeffrey Randow (Windows Networking MVP)
(e-mail address removed)

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows Network Technology Community -
http://www.microsoft.com/windowsserver2003/community/centers/networking/default.mspx
Windows Home Networking Community -
http://www.microsoft.com/windowsxp/expertzone/communities/wireless.mspx
 
Jeffrey Randow (MVP)

See inline...

Shenan said:
- Is it necessary for the first computer you are remoting WITH to be in the
domain?

You must have the appropriate domain privileges... I would say yes
since trying to accomplish this in a non-domain environment would be a
bit difficult...

Shenan said:
- If the user on the third (to be shadowed) computer is an administrator,
will they be asked for permission?

Not if the appropriate permissions are applied in the AD user
account.. At least I have been able to shadow a fellow admin at the
office without his permission...

Shenan said:
- Does "Offer Remote Assistance" also need to be enabled on the domain to
accomplish the shadow or does that have no bearing on the outcome?

Remote Assistance has no effect on Shadowing.. Shadowing is a
terminal services feature...
 
Shenan Stanley

Comments/Questions inline..

Jeffrey said:
You must have the appropriate domain privileges... I would say yes
since trying to accomplish this in a non-domain environment would be a
bit difficult...

You misunderstand, I think.

Three computers.
(1) Originating - one I am sitting in front of.
(2) Mediator of sorts, the first to be remoted into.
(3) The destination, the machine I am attempting to shadow.

Do ALL machines have to be in the domain? If I use MSTSC on machine (1) -
and it is NOT in said domain - and connect to machine (2) (which is in the
domain) and from there use the SHADOW command to connect to the final
machine (3) (also in the domain) - will it work?

Jeffrey said:
Not if the appropriate permissions are applied in the AD user
account.. At least I have been able to shadow a fellow admin at the
office without his permission...

I am assuming the "appropriate permissions" would be in the Active Directory
User properties.. Remote Control tab.. "Enable remote control" and uncheck
"Require user's permission" and then choose the proper level of control?

Jeffrey said:
Remote Assistance has no effect on Shadowing.. Shadowing is a
terminal services feature...

Yes - I figured this out in a later response, but thank you for verifying
this.

I believe with this additional point, I may have it completely figured out.
If it works, I think I will post back everything I have learned here - it
might help someone else utilize this as well.

Thanks for the response!
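
Added example, not part of any post in this thread: a Python audit that reads collected `reg query` output for the `AllowRemoteRPC` value named in the first post, decodes the Remote Control tab setting discussed above, and lists the hosts and accounts configured for shadowing without the user's consent. Host names, account names and all sample data are constructed; the 0-4 mode numbering is the one the Terminal Services `EnableRemoteControl` user property uses, and how the values were collected from the domain is left as an assumption.

```python
import re

# Remote-control modes 0-4 -> (level of control, user must consent).
MODES = {0: ("disabled", True), 1: ("interact", True), 2: ("interact", False),
         3: ("view", True), 4: ("view", False)}

# Constructed sample data (hypothetical host and account names).
KEY = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server"
REG_OUTPUT = {  # host -> text captured from `reg query` on that host
    "WS-ALPHA": "\n" + KEY + "\n    AllowRemoteRPC    REG_DWORD    0x1\n",
    "WS-BRAVO": "\n" + KEY + "\n    AllowRemoteRPC    REG_DWORD    0x0\n",
    "WS-CHARLIE": "ERROR: The system was unable to find the specified "
                  "registry key or value.\n",
}
ACCOUNT_MODES = {"alice": 1, "bob": 2, "carol": 4, "dave": 0, "erin": 7}


def parse_dword(reg_text, name="AllowRemoteRPC"):
    """Return the named REG_DWORD from `reg query` text, or None if absent."""
    pattern = r"^\s+%s\s+REG_DWORD\s+(0x[0-9a-fA-F]+)\s*$" % re.escape(name)
    match = re.search(pattern, reg_text, re.MULTILINE)
    return int(match.group(1), 16) if match else None


def hosts_allowing_remote_rpc(reg_output):
    """Hosts where AllowRemoteRPC is set to 1."""
    return sorted(h for h, text in reg_output.items() if parse_dword(text) == 1)


def accounts_without_consent(account_modes):
    """Accounts set to be shadowed with no prompt; unknown modes are flagged too."""
    findings = {}
    for user, mode in sorted(account_modes.items()):
        if mode not in MODES:
            findings[user] = "unknown mode %r" % (mode,)
            continue
        level, must_consent = MODES[mode]
        if not must_consent:
            findings[user] = level + " without consent"
    return findings


if __name__ == "__main__":
    print("AllowRemoteRPC=1:", hosts_allowing_remote_rpc(REG_OUTPUT))
    for user, why in accounts_without_consent(ACCOUNT_MODES).items():
        print("review account %s: %s" % (user, why))
```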
 
Shenan Stanley

Unfortunately - still a no-go.

Changed the permissions I thought you meant (described above) and tried
again.. Still asks the user if they wish to allow it. Tried on three
different domain PCs (as the last PC - the one I was attempting to shadow)
and on two different Windows XP boxes as intermediaries as well as one
Windows Server 2003 box as an intermediary. Tried as regular users, domain
admins and even went full out as Domain/Enterprise admin - all cases - user
is asked if they wish to allow access to their computer by whichever user I
am attempting to use to shadow the session.

Was I incorrect in my assumption on the locations of the "permissions" you
meant?
Is there something other than the registry entries and the likes I should
know about (not mentioned before in this thread?)

I would really like to see this work, as it seems others do have it working.
 
Jeffrey Randow (MVP)

Are you trying to interact or view the session? If you are viewing,
then the permissions you mentioned are adequate....
 
Shenan Stanley

Jeffrey said:
Are you trying to interact or view the session? If you are viewing,
then the permissions you mentioned are adequate....

Actually - either without having it ask would be great - but it asks
every time.
 
