We're using Active Directory and currently, only our Administrators who log in to the Domain Controller can shadow RDP sessions. From there they're shadowing RDP sessions on another Windows Server 2016.
It is working as expected, but all these users that are shadowing RDP sessions on another server, as a part of the support team, shouldn't have administrator rights, nor should they have access to our Domain Controller, as they're not IT personnel.
Is there a way to give access to RDP shadowing from a server that is not our DC, to a specific user group (for example "Support") to shadow RDP sessions?
It doesn't have to be a GUI solution (though it is preferred), we can use the command line as well, but for now, I can't seem to be able to give these rights to the specific user group on another server that is part of our domain, but is not our DC.
If that is not possible, is the simpler solution possible: giving rights to the specific group on our DC to shadow RDP sessions?
Best Answer
To be able to shadow sessions on an RDS server, the user or group needs to be granted the Remote Control permission on the RDP protocol on the server where the sessions to be shadowed are.
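One way to grant that permission from the command line, as an added example that is not part of the original answer: it uses the `Win32_TSPermissionsSetting` and `Win32_TSAccount` WMI classes on the session host to add a group to the `RDP-Tcp` listener and allow Remote Control. The group name `CONTOSO\Support` is a placeholder, and granting only Query Information plus Remote Control (rather than Full Control) is an assumption to test against your support workflow.

```powershell
# Added example. Run in an elevated Windows PowerShell session on the server
# whose sessions will be shadowed (not on the DC).
$Group    = 'CONTOSO\Support'   # placeholder group name
$Listener = 'RDP-Tcp'
$Ns       = 'root\cimv2\TerminalServices'

# WQL string literals need backslashes doubled.
$wqlGroup = $Group.Replace('\', '\\')
$filter   = "TerminalName='$Listener' AND AccountName='$wqlGroup'"

function Get-ListenerAccount {
    Get-WmiObject -Namespace $Ns -Class Win32_TSAccount -Filter $filter
}

# Add the group to the listener's permission list if it is not there yet.
$acct = Get-ListenerAccount
if (-not $acct) {
    $perm = Get-WmiObject -Namespace $Ns -Class Win32_TSPermissionsSetting -Filter "TerminalName='$Listener'"
    if (-not $perm) { throw "Listener '$Listener' not found" }

    # PermissionPreset: 0 = Guest access, 1 = User access, 2 = Full Control.
    # Start from the smallest preset and add individual rights below.
    $r = $perm.AddAccount($Group, 0)
    if ($r.ReturnValue -ne 0) { throw "AddAccount returned $($r.ReturnValue)" }
    $acct = Get-ListenerAccount
}

# PermissionMask index: 0 = Query Information, 4 = Remote Control (shadow).
foreach ($bit in 0, 4) {
    $r = $acct.ModifyPermissions($bit, $true)
    if ($r.ReturnValue -ne 0) { throw "ModifyPermissions($bit) returned $($r.ReturnValue)" }
}

# Review every account on the listener so the change can be audited.
Get-WmiObject -Namespace $Ns -Class Win32_TSAccount -Filter "TerminalName='$Listener'" |
    Select-Object AccountName, PermissionsAllowed, PermissionsDenied |
    Format-Table -AutoSize
```

Passing preset `2` to `AddAccount` grants Full Control on the listener, which includes Remote Control but also more rights than a support group needs. Calling `Delete()` on the `Win32_TSAccount` object removes the group from the listener again.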