Sign in with
Sign up | Sign in
Your question

Shadowing in a Domain Environment..

Last response: in Windows XP
Share
Anonymous
December 8, 2004 2:51:22 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Looking over the following articles:

http://ask.slashdot.org/comments.pl?sid=126314&cid=1057...
and
http://snipurl.com/b7v0

The implications are that in a Domain environment, with the correct registry
settings on the domain computers:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Value Name: AllowRemoteRPC
Value Type: DWORD Value
Value Data: 1

One could initiate a shadow session with a domain member without permission
from the logged on user. This is accomplished (correct me if I am wrong) by
the following steps:

1. From a Windows XP/2003 computer in the domain, use remote desktop to
connect to any other Windows XP/2003 computer in the domain.

2. From the remote desktop, issue this command:
shadow 0 /server:COMPUTERNAME
(Where COMPUTERNAME is the NetBIOS name, IP or FQDN of the computer you
wish to connect to and help the user who is locally logged onto it.)

3. Shortly, you should have a shadow'd session with the third computer.

My understanding was that if the above was followed, it should work as
advertised.

I would like to ask if there are other caveats I left out or if there are
steps I took to the extreme?

For example:

- Is it necessary for the first computer you are remoting WITH to be in the
domain?
- If the user on the third (to be shadowed) computer is an administrator,
will they be asked for permission?
- Does "Offer Remote Assistance" also need to be enabled on the domain to
accomplish the shadow or does that have no bearing on the outcome?

My experience so far has been (admittedly, I just finally tried it today)
that even though I can offer remote assistance on my domain and it asks the
end-user for their permission - when I try the shadowing trick, it is still
asking the end-user for their permission.

Not that I see anything WRONG with the above scenario - in most cases,
asking permission is the way it likely should happen, for legal reasons.
However, I would like comments from people using the shadowing now without
it asking permission.

--
<- Shenan ->
--
Anonymous
December 8, 2004 7:38:38 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Hmm - I'm going to have to test, and haven't yet. Thanks for putting both
those links together.

I see some issues with the information presented. I believe the whole
shadowing discussion is in relation to Remote Desktop, and not Remote
Assistance--I expect Remote Assistance to ALWAYS require an assent from the
user at the workstation you are assisting--Offer Remote Assistance just
removes the need for the invitation token, not the assent.

Whether a second RD session is possible in XP SP2 is controversial--my
understanding is that such a session is used by Media Center Extender
devices, but that it is carefully restricted in some way so that it isn't
useful unless you are such a device. I've never met one of these critters,
so I don't know more.

I'm interested in this, but can't guess when I'll get to actually trying it
out--I've got meetings tonight and a childe home sick.


"Shenan Stanley" <news_helper@hushmail.com> wrote in message
news:%23IsJL6U3EHA.1400@TK2MSFTNGP11.phx.gbl...
> Looking over the following articles:
>
> http://ask.slashdot.org/comments.pl?sid=126314&cid=1057...
> and
> http://snipurl.com/b7v0
>
> The implications are that in a Domain environment, with the correct
> registry settings on the domain computers:
>
> Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
> Value Name: AllowRemoteRPC
> Value Type: DWORD Value
> Value Data: 1
>
> One could initiate a shadow session with a domain member without
> permission from the logged on user. This is accomplished (correct me if I
> am wrong) by the following steps:
>
> 1. From a Windows XP/2003 computer in the domain, use remote desktop to
> connect to any other Windows XP/2003 computer in the domain.
>
> 2. From the remote desktop, issue this command:
> shadow 0 /server:COMPUTERNAME
> (Where COMPUTERNAME is the NetBIOS name, IP or FQDN of the computer you
> wish to connect to and help the user who is locally logged onto it.)
>
> 3. Shortly, you should have a shadow'd session with the third computer.
>
> My understanding was that if the above was followed, it should work as
> advertised.
>
> I would like to ask if there are other caveats I left out or if there are
> steps I took to the extreme?
>
> For example:
>
> - Is it necessary for the first computer you are remoting WITH to be in
> the domain?
> - If the user on the third (to be shadowed) computer is an administrator,
> will they be asked for permission?
> - Does "Offer Remote Assistance" also need to be enabled on the domain to
> accomplish the shadow or does that have no bearing on the outcome?
>
> My experience so far has been (admittedly, I just finally tried it today)
> that even though I can offer remote assistance on my domain and it asks
> the end-user for their permission - when I try the shadowing trick, it is
> still asking the end-user for their permission.
>
> Not that I see anything WRONG with the above scenario - in most cases,
> asking permission is the way it likely should happen, for legal reasons.
> However, I would like comments from people using the shadowing now without
> it asking permission.
>
> --
> <- Shenan ->
> --
>
>
Anonymous
December 8, 2004 7:38:39 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Shenan Stanley wrote:
> Looking over the following articles:
>
> http://ask.slashdot.org/comments.pl?sid=126314&cid=1057...
> and
> http://snipurl.com/b7v0
>
> The implications are that in a Domain environment, with the correct
> registry settings on the domain computers:
>
> Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
> Server Value Name: AllowRemoteRPC
> Value Type: DWORD Value
> Value Data: 1
>
> One could initiate a shadow session with a domain member without
> permission from the logged on user. This is accomplished (correct
> me if I am wrong) by the following steps:
>
> 1. From a Windows XP/2003 computer in the domain, use remote desktop
> to connect to any other Windows XP/2003 computer in the domain.
>
> 2. From the remote desktop, issue this command:
> shadow 0 /server:COMPUTERNAME
> (Where COMPUTERNAME is the NetBIOS name, IP or FQDN of the computer
> you wish to connect to and help the user who is locally logged onto
> it.)
> 3. Shortly, you should have a shadow'd session with the third
> computer.
> My understanding was that if the above was followed, it should work
> as advertised.
>
> I would like to ask if there are other caveats I left out or if
> there are steps I took to the extreme?
>
> For example:
>
> - Is it necessary for the first computer you are remoting WITH to be
> in the domain?
> - If the user on the third (to be shadowed) computer is an
> administrator, will they be asked for permission?
> - Does "Offer Remote Assistance" also need to be enabled on the
> domain to accomplish the shadow or does that have no bearing on the
> outcome?
> My experience so far has been (admittedly, I just finally tried it
> today) that even though I can offer remote assistance on my domain
> and it asks the end-user for their permission - when I try the
> shadowing trick, it is still asking the end-user for their
> permission.
> Not that I see anything WRONG with the above scenario - in most
> cases, asking permission is the way it likely should happen, for
> legal reasons. However, I would like comments from people using the
> shadowing now without it asking permission.

Bill Sanderson wrote:
> Hmm - I'm going to have to test, and haven't yet. Thanks for putting
> both those links together.
>
> I see some issues with the information presented. I believe the whole
> shadowing discussion is in relation to Remote Desktop, and not Remote
> Assistance--I expect Remote Assistance to ALWAYS require an assent
> from the user at the workstation you are assisting--Offer Remote
> Assistance just removes the need for the invitation token, not the
> assent.
> Whether a second RD session is possible in XP SP2 is controversial--my
> understanding is that such a session is used by Media Center Extender
> devices, but that it is carefully restricted in some way so that it
> isn't useful unless you are such a device. I've never met one of
> these critters, so I don't know more.
>
> I'm interested in this, but can't guess when I'll get to actually
> trying it out--I've got meetings tonight and a childe home sick.

Hey.. I appreciate the response. Whenever you get to it, that would be
great.. I may be able to do further testing tomorrow myself. I will post
whatever happens.

I believe you are correct about Remote Assistance and Remote Desktop being
separate issues, it was just the same "acknowledgement request" on the
client that made me connect them together this time.

Maybe someone else who has already tried this (or better yet - has it
working?) might respond to both of us. =)

--
<- Shenan ->
--
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions. Know what you are
getting into before you jump in with both feet.
Related resources
Anonymous
December 10, 2004 8:17:48 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Shenan Stanley wrote:
> Looking over the following articles:
>
> http://ask.slashdot.org/comments.pl?sid=126314&cid=1057...
> and
> http://snipurl.com/b7v0
>
> The implications are that in a Domain environment, with the correct
> registry settings on the domain computers:
>
> Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
> Server Value Name: AllowRemoteRPC
> Value Type: DWORD Value
> Value Data: 1
>
> One could initiate a shadow session with a domain member without
> permission from the logged on user. This is accomplished (correct
> me if I am wrong) by the following steps:
>
> 1. From a Windows XP/2003 computer in the domain, use remote desktop
> to connect to any other Windows XP/2003 computer in the domain.
>
> 2. From the remote desktop, issue this command:
> shadow 0 /server:COMPUTERNAME
> (Where COMPUTERNAME is the NetBIOS name, IP or FQDN of the computer
> you wish to connect to and help the user who is locally logged onto
> it.)
> 3. Shortly, you should have a shadow'd session with the third
> computer.
> My understanding was that if the above was followed, it should work
> as advertised.
>
> I would like to ask if there are other caveats I left out or if
> there are steps I took to the extreme?
>
> For example:
>
> - Is it necessary for the first computer you are remoting WITH to be
> in the domain?
> - If the user on the third (to be shadowed) computer is an
> administrator, will they be asked for permission?
> - Does "Offer Remote Assistance" also need to be enabled on the
> domain to accomplish the shadow or does that have no bearing on the
> outcome?
> My experience so far has been (admittedly, I just finally tried it
> today) that even though I can offer remote assistance on my domain
> and it asks the end-user for their permission - when I try the
> shadowing trick, it is still asking the end-user for their
> permission.
> Not that I see anything WRONG with the above scenario - in most
> cases, asking permission is the way it likely should happen, for
> legal reasons. However, I would like comments from people using the
> shadowing now without it asking permission.

Bill Sanderson wrote:
> Hmm - I'm going to have to test, and haven't yet. Thanks for putting
> both those links together.
>
> I see some issues with the information presented. I believe the
> whole shadowing discussion is in relation to Remote Desktop, and not
> Remote Assistance--I expect Remote Assistance to ALWAYS require an
> assent from the user at the workstation you are assisting--Offer
> Remote Assistance just removes the need for the invitation token,
> not the assent.
> Whether a second RD session is possible in XP SP2 is
> controversial--my understanding is that such a session is used by
> Media Center Extender devices, but that it is carefully restricted
> in some way so that it isn't useful unless you are such a device. I've
> never met one of these critters, so I don't know more.
>
> I'm interested in this, but can't guess when I'll get to actually
> trying it out--I've got meetings tonight and a childe home sick.

Shenan Stanley wrote:
> Hey.. I appreciate the response. Whenever you get to it, that would
> be great.. I may be able to do further testing tomorrow myself. I
> will post whatever happens.
>
> I believe you are correct about Remote Assistance and Remote Desktop
> being separate issues, it was just the same "acknowledgement request"
> on the client that made me connect them together this time.
>
> Maybe someone else who has already tried this (or better yet - has it
> working?) might respond to both of us. =)


I didn't get to test much, but I can say that the "acknowledgement requet"
received on the client when shadowing is DEFINITELY not the same as one
received when offering Remote Assistance.

What I cannot understand is the inability to shadow without asking the user.
I tried it with the third party being an admin and without. Both times it
asked.

Could it be that one of the computers in the line is Windows Server 2003 and
not Windows XP? The server *is* a member server. I have not tried using a
DC as the first remote computer then shadowing from there to the third PC
yet - but that sounds like it would be stretching reason.

I also cannot actually see it making a difference whether the first remote
session is made to a Windows 2003 or Windows XP machine. As long as it is
XP or later and all machines involved are in the domain..

I was hoping either Christian Camacho or Jeffrey Randow would jump in here
and perhaps tell me the missing component, as it is their 11/15/2004 -
12/6/2004 thread titled "Shadwo no longer work with WixXP SP2" (Typos and
all, heh) that really got me to a breaking point on trying this out - and
the two links I referred to. I am GUESSING they have it working in a domain
environment as we discuss this. =)

--
<- Shenan ->
--
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions. Know what you are
getting into before you jump in with both feet.
Anonymous
December 14, 2004 11:26:40 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Did you set the appropriate user permission in the active directory
account? You must enable remote access there in order to connect
without user approval...
---
Jeffrey Randow (Windows Networking MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows Network Technology Community -
http://www.microsoft.com/windowsserver2003/community/ce...
Windows Home Networking Community -
http://www.microsoft.com/windowsxp/expertzone/communiti...

On Fri, 10 Dec 2004 17:17:48 -0600, "Shenan Stanley"
<news_helper@hushmail.com> wrote:

>Shenan Stanley wrote:
>> Looking over the following articles:
>>
>> http://ask.slashdot.org/comments.pl?sid=126314&cid=1057...
>> and
>> http://snipurl.com/b7v0
>>
>> The implications are that in a Domain environment, with the correct
>> registry settings on the domain computers:
>>
>> Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal
>> Server Value Name: AllowRemoteRPC
>> Value Type: DWORD Value
>> Value Data: 1
>>
>> One could initiate a shadow session with a domain member without
>> permission from the logged on user. This is accomplished (correct
>> me if I am wrong) by the following steps:
>>
>> 1. From a Windows XP/2003 computer in the domain, use remote desktop
>> to connect to any other Windows XP/2003 computer in the domain.
>>
>> 2. From the remote desktop, issue this command:
>> shadow 0 /server:COMPUTERNAME
>> (Where COMPUTERNAME is the NetBIOS name, IP or FQDN of the computer
>> you wish to connect to and help the user who is locally logged onto
>> it.)
>> 3. Shortly, you should have a shadow'd session with the third
>> computer.
>> My understanding was that if the above was followed, it should work
>> as advertised.
>>
>> I would like to ask if there are other caveats I left out or if
>> there are steps I took to the extreme?
>>
>> For example:
>>
>> - Is it necessary for the first computer you are remoting WITH to be
>> in the domain?
>> - If the user on the third (to be shadowed) computer is an
>> administrator, will they be asked for permission?
>> - Does "Offer Remote Assistance" also need to be enabled on the
>> domain to accomplish the shadow or does that have no bearing on the
>> outcome?
>> My experience so far has been (admittedly, I just finally tried it
>> today) that even though I can offer remote assistance on my domain
>> and it asks the end-user for their permission - when I try the
>> shadowing trick, it is still asking the end-user for their
>> permission.
>> Not that I see anything WRONG with the above scenario - in most
>> cases, asking permission is the way it likely should happen, for
>> legal reasons. However, I would like comments from people using the
>> shadowing now without it asking permission.
>
> Bill Sanderson wrote:
>> Hmm - I'm going to have to test, and haven't yet. Thanks for putting
>> both those links together.
>>
>> I see some issues with the information presented. I believe the
>> whole shadowing discussion is in relation to Remote Desktop, and not
>> Remote Assistance--I expect Remote Assistance to ALWAYS require an
>> assent from the user at the workstation you are assisting--Offer
>> Remote Assistance just removes the need for the invitation token,
>> not the assent.
>> Whether a second RD session is possible in XP SP2 is
>> controversial--my understanding is that such a session is used by
>> Media Center Extender devices, but that it is carefully restricted
>> in some way so that it isn't useful unless you are such a device. I've
>> never met one of these critters, so I don't know more.
>>
>> I'm interested in this, but can't guess when I'll get to actually
>> trying it out--I've got meetings tonight and a childe home sick.
>
>Shenan Stanley wrote:
>> Hey.. I appreciate the response. Whenever you get to it, that would
>> be great.. I may be able to do further testing tomorrow myself. I
>> will post whatever happens.
>>
>> I believe you are correct about Remote Assistance and Remote Desktop
>> being separate issues, it was just the same "acknowledgement request"
>> on the client that made me connect them together this time.
>>
>> Maybe someone else who has already tried this (or better yet - has it
>> working?) might respond to both of us. =)
>
>
>I didn't get to test much, but I can say that the "acknowledgement requet"
>received on the client when shadowing is DEFINITELY not the same as one
>received when offering Remote Assistance.
>
>What I cannot understand is the inability to shadow without asking the user.
>I tried it with the third party being an admin and without. Both times it
>asked.
>
>Could it be that one of the computers in the line is Windows Server 2003 and
>not Windows XP? The server *is* a member server. I have not tried using a
>DC as the first remote computer then shadowing from there to the third PC
>yet - but that sounds like it would be stretching reason.
>
>I also cannot actually see it making a difference whether the first remote
>session is made to a Windows 2003 or Windows XP machine. As long as it is
>XP or later and all machines involved are in the domain..
>
>I was hoping either Christian Camacho or Jeffrey Randow would jump in here
>and perhaps tell me the missing component, as it is their 11/15/2004 -
>12/6/2004 thread titled "Shadwo no longer work with WixXP SP2" (Typos and
>all, heh) that really got me to a breaking point on trying this out - and
>the two links I referred to. I am GUESSING they have it working in a domain
>environment as we discuss this. =)
>
>--
><- Shenan ->
Anonymous
December 14, 2004 11:29:29 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

See inline...
---
Jeffrey Randow (Windows Networking MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows Network Technology Community -
http://www.microsoft.com/windowsserver2003/community/ce...
Windows Home Networking Community -
http://www.microsoft.com/windowsxp/expertzone/communiti...

On Wed, 8 Dec 2004 11:51:22 -0600, "Shenan Stanley"
<news_helper@hushmail.com> wrote:


>
>- Is it necessary for the first computer you are remoting WITH to be in the
>domain?

You must have the appropriate domain priveleges... I would say yes
since trying to accomplish this in a non-domain environment would be a
bit difficult...

>- If the user on the third (to be shadowed) computer is an administrator,
>will they be asked for permission?

Not if the appropriate permissions are applied in the AD user
account.. At least I have been able to shadow a fellow admin at the
office without his permission...

>- Does "Offer Remote Assistance" also need to be enabled on the domain to
>accomplish the shadow or does that have no bearing on the outcome?
>

Remote Assistance has no effect on Shadowing.. Shadowing is a
terminal services feature...
Anonymous
December 15, 2004 12:35:41 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Comments/Questions inline..

>> - Is it necessary for the first computer you are remoting WITH to be
>> in the domain?
>
> You must have the appropriate domain priveleges... I would say yes
> since trying to accomplish this in a non-domain environment would be a
> bit difficult...

You misunderstand, I think.

Three computers.
(1) Originating - one I am sitting in front of.
(2) Mediator of sorts, the first to be remoted into.
(3) The destination, the machine I am attempting to shadow.

Do ALL machines have to be in the domain? If I use MSTSC on machine (1) -
and it is NOT in said domain - and connect to machine (2) (which is in the
domain) and from there use the SHADOW command to connect to the final
machine (3) (also in the domain) - will it work?

>> - If the user on the third (to be shadowed) computer is an
>> administrator, will they be asked for permission?
>
> Not if the appropriate permissions are applied in the AD user
> account.. At least I have been able to shadow a fellow admin at the
> office without his permission...

I am assuming the "appropriate permissions" would be in the Active Directory
User properties.. Remote Control tab.. "Enable remote control" and uncheck
"Require user's permission" and then choose the proper level of control?

>> - Does "Offer Remote Assistance" also need to be enabled on the
>> domain to accomplish the shadow or does that have no bearing on the
>> outcome?
>
> Remote Assistance has no effect on Shadowing.. Shadowing is a
> terminal services feature...

Yes - I figured this out in a later response, but thank you for verifying
this.

I believe with this additional point, I may have it completely figured out.
If it works, I think I will post back everything I have learned here - it
might help someone else utilize this as well.

Thanks for the response!

--
<- Shenan ->
--
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions. Know what you are
getting into before you jump in with both feet.
Anonymous
December 22, 2004 6:36:14 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Shenan Stanley wrote:
> Comments/Questions inline..
>
>>> - Is it necessary for the first computer you are remoting WITH to be
>>> in the domain?
>>
>> You must have the appropriate domain priveleges... I would say yes
>> since trying to accomplish this in a non-domain environment would be
>> a bit difficult...
>
> You misunderstand, I think.
>
> Three computers.
> (1) Originating - one I am sitting in front of.
> (2) Mediator of sorts, the first to be remoted into.
> (3) The destination, the machine I am attempting to shadow.
>
> Do ALL machines have to be in the domain? If I use MSTSC on machine
> (1) - and it is NOT in said domain - and connect to machine (2)
> (which is in the domain) and from there use the SHADOW command to
> connect to the final machine (3) (also in the domain) - will it work?
>
>>> - If the user on the third (to be shadowed) computer is an
>>> administrator, will they be asked for permission?
>>
>> Not if the appropriate permissions are applied in the AD user
>> account.. At least I have been able to shadow a fellow admin at the
>> office without his permission...
>
> I am assuming the "appropriate permissions" would be in the Active
> Directory User properties.. Remote Control tab.. "Enable remote
> control" and uncheck "Require user's permission" and then choose the
> proper level of control?
>>> - Does "Offer Remote Assistance" also need to be enabled on the
>>> domain to accomplish the shadow or does that have no bearing on the
>>> outcome?
>>
>> Remote Assistance has no effect on Shadowing.. Shadowing is a
>> terminal services feature...
>
> Yes - I figured this out in a later response, but thank you for
> verifying this.
>
> I believe with this additional point, I may have it completely
> figured out. If it works, I think I will post back everything I have
> learned here - it might help someone else utilize this as well.
>
> Thanks for the response!

Unfortunately - still a no-go.

Changed the permissions I thought you meant (described above) and tried
again.. Still asks the user if they wish to allow it. Tried on three
different domain PCS (as the last PC - the one I was attempting to shadow)
and on two different Windows XP boxes as intermediaries as well as one
Windows Server 2003 box as an intermediary. Tried as regular users, domain
admins and even went full out as Domain/Enterprise admin - all cases - user
is asked if they wish to allow access to their computer by whichever user I
am attempting to use to shadow the session.

Was I incorrect in my assumption on the locations of the "permissions" you
meant?
Is there something other than the registry entries and the likes I should
know about (not mentioned before in this thread?)

I would really like to see this work, as it seems others do have it working.

--
<- Shenan ->
--
Anonymous
January 3, 2005 10:04:58 PM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Are you trying to interact or view the session? If you are viewing,
then the permissions you mentioned are adequate....
---
Jeffrey Randow (Windows Networking MVP)
jeffreyr-support@remotenetworktechnology.com

Please post all responses to the newsgroups for the benefit
of all USENET users. Messages sent via email may or may not
be answered depending on time availability....

Remote Networking Technology Support Site -
http://www.remotenetworktechnology.com
Windows Network Technology Community -
http://www.microsoft.com/windowsserver2003/community/ce...
Windows Home Networking Community -
http://www.microsoft.com/windowsxp/expertzone/communiti...

On Wed, 22 Dec 2004 15:36:14 -0600, "Shenan Stanley"
<news_helper@hushmail.com> wrote:

>Shenan Stanley wrote:
>> Comments/Questions inline..
>>
>>>> - Is it necessary for the first computer you are remoting WITH to be
>>>> in the domain?
>>>
>>> You must have the appropriate domain priveleges... I would say yes
>>> since trying to accomplish this in a non-domain environment would be
>>> a bit difficult...
>>
>> You misunderstand, I think.
>>
>> Three computers.
>> (1) Originating - one I am sitting in front of.
>> (2) Mediator of sorts, the first to be remoted into.
>> (3) The destination, the machine I am attempting to shadow.
>>
>> Do ALL machines have to be in the domain? If I use MSTSC on machine
>> (1) - and it is NOT in said domain - and connect to machine (2)
>> (which is in the domain) and from there use the SHADOW command to
>> connect to the final machine (3) (also in the domain) - will it work?
>>
>>>> - If the user on the third (to be shadowed) computer is an
>>>> administrator, will they be asked for permission?
>>>
>>> Not if the appropriate permissions are applied in the AD user
>>> account.. At least I have been able to shadow a fellow admin at the
>>> office without his permission...
>>
>> I am assuming the "appropriate permissions" would be in the Active
>> Directory User properties.. Remote Control tab.. "Enable remote
>> control" and uncheck "Require user's permission" and then choose the
>> proper level of control?
>>>> - Does "Offer Remote Assistance" also need to be enabled on the
>>>> domain to accomplish the shadow or does that have no bearing on the
>>>> outcome?
>>>
>>> Remote Assistance has no effect on Shadowing.. Shadowing is a
>>> terminal services feature...
>>
>> Yes - I figured this out in a later response, but thank you for
>> verifying this.
>>
>> I believe with this additional point, I may have it completely
>> figured out. If it works, I think I will post back everything I have
>> learned here - it might help someone else utilize this as well.
>>
>> Thanks for the response!
>
>Unfortunately - still a no-go.
>
>Changed the permissions I thought you meant (described above) and tried
>again.. Still asks the user if they wish to allow it. Tried on three
>different domain PCS (as the last PC - the one I was attempting to shadow)
>and on two different Windows XP boxes as intermediaries as well as one
>Windows Server 2003 box as an intermediary. Tried as regular users, domain
>admins and even went full out as Domain/Enterprise admin - all cases - user
>is asked if they wish to allow access to their computer by whichever user I
>am attempting to use to shadow the session.
>
>Was I incorrect in my assumption on the locations of the "permissions" you
>meant?
>Is there something other than the registry entries and the likes I should
>know about (not mentioned before in this thread?)
>
>I would really like to see this work, as it seems others do have it working.
>
>--
><- Shenan ->
Anonymous
January 4, 2005 10:56:05 AM

Archived from groups: microsoft.public.windowsxp.work_remotely (More info?)

Jeffrey Randow (MVP) wrote:
> Are you trying to interact or view the session? If you are viewing,
> then the permissions you mentioned are adequate....

Actually - either without having it ask would be great - but it asks
everytime.

--
<- Shenan ->
--
The information is provided "as is", it is suggested you research for
yourself before you take any advice - you are the one ultimately
responsible for your actions/problems/solutions. Know what you are
getting into before you jump in with both feet.
!