In Windows operating systems, shadowing allows an administrator or authorized user to view and control a user's session remotely. This feature is useful when troubleshooting issues, training new employees, or monitoring employee activity. However, granting shadowing access rights can be risky as it gives the user access to sensitive information and potentially compromises security.
To grant shadow access rights to specific users or groups and minimize security risks, follow these steps:
First, create a security group that will contain the users who need shadow access rights.
Next, navigate to the RDS server where you want to grant shadowing permissions and log in as an administrator. Open the Local Group Policy Editor by typing gpedit.msc in the Run dialog box and pressing Enter.

Navigate to Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Connections.

Double-click the "Set rules for remote control of Remote Desktop Services user sessions" policy setting and select Enabled. Under Options, select the "Full Control without user's permission" option.
Open an elevated PowerShell session on the RDS server. Grant your security group shadow access on the RDP-Tcp listener:
$rdp = Get-CimInstance -Namespace root\CIMV2\TerminalServices -ClassName Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"
Invoke-CimMethod -InputObject $rdp -MethodName AddAccount -Arguments @{ AccountName = 'DOMAIN\RDS Shadow Operators'; PermissionPreSet = 2 }
Replace DOMAIN\RDS Shadow Operators with the group you created (a single user or a computer account works too). AddAccount returns 0 on success.
The 2 is the PermissionPreSet. Microsoft defines three: 0 (WINSTATION_GUEST_ACCESS) grants Logon only; 1 (WINSTATION_USER_ACCESS) grants Logon, Query Information, Send Message, and Connect; 2 (WINSTATION_ALL_ACCESS) grants every Remote Desktop Services permission on that terminal, shadowing included. Passing 2 is what makes shadowing work, and it is also why the group ends up with more than shadow rights on that terminal, so keep it small and trusted.
To undo the change and return the listener to its default permissions:
$rdp = Get-CimInstance -Namespace root\CIMV2\TerminalServices -ClassName Win32_TSPermissionsSetting -Filter "TerminalName='RDP-Tcp'"
Invoke-CimMethod -InputObject $rdp -MethodName RestoreDefaults
Use TerminalName='Console' if you are granting or restoring shadow rights for the console session instead.
On older servers you may still see this done with a wmic one-liner. It calls the same method, but WMIC is deprecated and is being removed from Windows, so prefer the PowerShell form above:
wmic /namespace:\\root\CIMV2\TerminalServices PATH Win32_TSPermissionsSetting WHERE (TerminalName="RDP-Tcp") CALL AddAccount "DOMAIN\RDS Shadow Operators",2
After completing these steps, the users in your security group should be able to shadow RDS sessions. Note that granting WINSTATION_ALL_ACCESS gives the group more than shadow rights on that terminal, so it is worth testing this in a lab before rolling it out in production.
To verify that the group has shadow access rights, log in as one of its members and attempt to shadow another user's session. If the shadowing feature works correctly, then the account has the necessary permissions.
Granting shadow access rights on Windows RDS servers is a balance between capability and security. By creating a security group, enabling the remote control policy, granting the group shadow permissions on the RDP-Tcp listener, and verifying the result, you keep the shadowing feature in the hands of a small, known set of accounts rather than every administrator on the server.
