It seems as though the only way to use the PowerShell Get-RDUserSession cmdlet against the Connection Broker is if the user running the command is a member of the Administrators group on the Connection Broker server. This might be undesirable…!
This is a workaround that allows you to get a list of active sessions from your Remote Desktop deployment without granting users admin rights on the Connection Broker(s).
Note that you still have to give them administrator rights on the RDSH servers to allow the Remote Desktop Client shadowing process to work (which might also be undesirable!). EDIT: Or perhaps not… Not tried this myself though.
I’m running my Connection Broker in high availability mode, which means I have a shared SQL database, and this database is at the root of my workaround.
We’re going to create a SQL View to pull together the session and host information from the database, then use this to launch a basic GUI to fire off the RDP client in shadowing mode. You need to have created a group, probably in Active Directory, to add the shadowing users to – this is used to grant limited permissions to the Connection Broker SQL database. A potential benefit of this is that you don’t need to have the Windows Remote Server Admin Tools installed on your helpdesk PCs (which you would need in order to use Get-RDUserSession).
Modify and then run the following SQL against your Connection Broker SQL server (maybe back up your Connection Broker database first in case you mess up!):
USE [master]
GO
CREATE LOGIN [RCMTECH\Shadow Users 2012] FROM WINDOWS WITH DEFAULT_DATABASE=[CBR2012]
GO
USE [CBR2012]
GO
CREATE USER [RCMTECH\Shadow Users 2012] FOR LOGIN [RCMTECH\Shadow Users 2012]
GO
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE VIEW [dbo].[Shadowing]
AS
SELECT Session.UserName, Pool.DisplayName AS PoolName, Target.Name AS ServerName, Session.SessionId
FROM rds.Session AS Session
INNER JOIN rds.Target AS Target ON Target.Id = Session.TargetId
INNER JOIN rds.Pool AS Pool ON Target.PoolId = Pool.Id
WHERE (Session.State = 0)
GO
GRANT SELECT ON [dbo].[Shadowing] TO [RCMTECH\Shadow Users 2012]
GO
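To confirm the group ended up with only the access intended, the following query lists everything it has been granted in the Connection Broker database. This is an added example, not part of the original post; it assumes the database and group names used above and is run by someone who can read the database's permission metadata (for example the database owner).

```sql
USE [CBR2012];
GO

-- Group name as used in the post; change it to match your own.
DECLARE @principal sysname = N'RCMTECH\Shadow Users 2012';

-- 1. Explicit permissions held by the group in this database.
--    Expected after the setup above: CONNECT on the database (added by
--    CREATE USER) and SELECT on [dbo].[Shadowing], nothing else.
SELECT pr.name            AS principal_name,
       pe.state_desc      AS grant_or_deny,
       pe.permission_name,
       pe.class_desc,
       CASE pe.class
            WHEN 1 THEN QUOTENAME(OBJECT_SCHEMA_NAME(pe.major_id))
                        + N'.' + QUOTENAME(OBJECT_NAME(pe.major_id))
            WHEN 3 THEN QUOTENAME(SCHEMA_NAME(pe.major_id))
            ELSE NULL      -- class 0 is the database itself
       END                AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = @principal
ORDER BY pe.class, securable, pe.permission_name;

-- 2. Database roles the group belongs to.
--    Expected: no rows. Membership of db_datareader or db_owner here would
--    give far more than the view was meant to expose.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = @principal;
GO
```

Anything granted to the public role also applies to the group, so repeat the first query with the principal set to public if you want the complete picture.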
Now here’s the PowerShell that the shadowing users run to pull that data and present it via the Out-GridView GUI:
$CBSQLServer = "SQL05.rcmtech.co.uk"
$CBDB = "CBR2012"
# Open connection to Connection Broker DB
$CBDBConnection = New-Object -TypeName System.Data.SqlClient.SqlConnection -ArgumentList "Server=$CBSQLServer;Database=$CBDB;Integrated Security=SSPI"
$CBDBConnection.Open()
# Get Shadowing View
$SQLCommand = $CBDBConnection.CreateCommand()
$SQLCommand.CommandText = "SELECT * FROM Shadowing"
$SQLReader = $SQLCommand.ExecuteReader()
$ShadowingView = New-Object System.Data.DataTable
$ShadowingView.Load($SQLReader)
$SQLReader.Close()
# The data is now held in the DataTable, so release the database connection
$CBDBConnection.Close()
# Show the active sessions and let the user pick one
$Session = $ShadowingView | Out-GridView -Title "Remote Desktop Shadowing - Active Sessions" -OutputMode Single
if($null -eq $Session){
    # No session selected, user probably clicked Cancel
    return
}
# Launch the RDP client in shadowing mode against the selected session
mstsc "/v:$($Session.ServerName)" "/shadow:$($Session.SessionId)" /control | Out-Null
Just pick a session and click OK to launch mstsc with the correct command line switches – /v:<servername> /shadow:<sessionid> /control
