How to shadow RDP Sessions for Remote Support Without Third-Party Tools

How to shadow RDP Sessions for Remote Support Without Third-Party Tools


Overview


When a user needs hands-on help with something on their remote desktop session, most admins reach for third-party tools like TeamViewer, AnyDesk, or ConnectWise. However, Windows has a built-in feature called RDP Shadowing that lets you view or take control of another user's active session — no extra software required.

This is especially useful in Remote Desktop Services (RDS) environments where multiple users are connected to the same session host, but it also works for standard remote connections.


How It Works


RDP Shadowing allows an administrator to connect to an existing user session on a Windows machine. You can choose to:


  • View only — observe what the user is doing without interacting
  • Full control — see the session and use your own mouse and keyboard to interact


By default, the user will receive a prompt asking them to approve the shadow request. This behaviour is configurable via Group Policy.


Requirements


  • The target machine must be running Windows Server 2012 R2 or later, or Windows 10/11
  • You must have local administrator rights on the target machine (or equivalent RDS permissions)
  • The shadowing policy must not be set to "No remote control allowed"


Step-by-Step: Shadowing via Command Line


Identify the Session ID

First, query the target machine to see active sessions. Open an elevated Command Prompt or PowerShell and run:


qwinsta /server:SERVERNAME


This will return output similar to:


 SESSIONNAME    USERNAME       ID  STATE   TYPE
 console                        0  Conn
 rdp-tcp#12     jsmith          2  Active
 rdp-tcp#15     adoe            3  Active


Note the ID column — you need this number for the shadow command.


2. Initiate the Shadow Session


Run the following command:


mstsc /shadow:<SessionID> /v:<SERVERNAME> /control


For example, to shadow user jsmith (session ID 2) with full control:


mstsc /shadow:2 /v:RDS01 /control

Parameter breakdown:


  • /shadow:<ID> — the session ID from the previous step
  • /v:<server> — the target server name or IP
  • /control — grants mouse/keyboard control (omit this for view-only)
  • /noConsentPrompt — skips the user approval dialog (requires GPO config, see below)




Unless configured otherwise, the user will see a dialog box asking:


"DOMAIN\admin is requesting to view your session remotely. Do you accept the request?"


The shadow session only begins if the user clicks Yes.



Configuring Shadow Behaviour with Group Policy


You can control how shadowing works across your environment using GPO:

Policy location:

Computer Configuration > Administrative Templates > Windows Components
  > Remote Desktop Services > Remote Desktop Session Host > Connections
    > Set rules for remote control of Remote Desktop Services user sessions


Available options:


  1. No remote control allowed
  2. Full control with user's permission (default)
  3. Full control without user's permission
  4. View session with user's permission
  5. View session without user's permission



Important considerations:


  • Option 3 and 5 (no consent) should be used carefully and documented in your IT policy — users will not know they are being observed
  • This GPO applies per-machine, not per-user
  • Changes require a Group Policy refresh (gpupdate /force) or a reboot to take effect


Quick Reference


Action

Command

List sessions

qwinsta /server:SERVERNAME

Shadow with control + consent

mstsc /shadow:ID /v:SERVER /control

Shadow view-only + consent

mstsc /shadow:ID /v:SERVER

Shadow with control, no consent

mstsc /shadow:ID /v:SERVER /control /noConsentPrompt

Disconnect

Close the window or Ctrl+Alt+Break

Updated on: 03/03/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!