What is the best way to monitor a terminal server session that is being shadowed? I believe I have an admin shadowing one of our users and talking in notepad. Does anyone have any suggestions on the easiest way to find this?
An attempt to shadow a terminal session will result in a prompt requesting a shadow session to be allowed. If the user has not been prompted to allow the shadow, then most likely it's not happening.
That is not to say, however, that activities similar to what you are describing can't be done via other methods.
EDIT:
As Tom pointed out, the aforementioned prompt can be disabled in the Terminal Services Configuration. Hopefully this isn't the case for you.
You could also ask another admin (if you have one) to look at the sessions on the terminal server, or look yourself if you have the permissions, and see if the admin in question is logged in. Terminal Services Manager will show the state of a session that is shadowing another as "RemoteControl".
You could look for an rdpclip.exe process running on the server under the context of the admin's user ID. That'll indicate that the admin has a terminal session, but not necessarily whether or not they're shadowing anyone.
The "prompt" referred to above can be disabled in Terminal Service Manager. FYI.
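The rdpclip.exe check suggested in the answers above, as an added PowerShell example that is not part of the original thread: it lists every rdpclip.exe process on the server with its owner and session ID, then flags the ones owned by the account in question. The account name `EXAMPLE\admin.placeholder` is a placeholder, and reading the owners of other users' processes assumes an elevated prompt on the terminal server.

```powershell
# Added example: find rdpclip.exe processes and who owns them.
# $AdminUser is a placeholder; pass the real DOMAIN\user on the command line.
param(
    [string]$AdminUser = 'EXAMPLE\admin.placeholder'
)

# One rdpclip.exe normally runs per terminal session.
$procs = Get-CimInstance -ClassName Win32_Process -Filter "Name = 'rdpclip.exe'"

$report = foreach ($p in $procs) {
    # GetOwner returns ReturnValue 0 on success; it fails without
    # sufficient rights to the other user's process.
    $owner = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    $name  = if ($owner.ReturnValue -eq 0) {
        '{0}\{1}' -f $owner.Domain, $owner.User
    } else {
        '<owner unavailable>'
    }

    [pscustomobject]@{
        SessionId = $p.SessionId
        ProcessId = $p.ProcessId
        Owner     = $name
        Started   = $p.CreationDate
    }
}

# Full picture first: every terminal session that has a clipboard helper.
$report | Sort-Object SessionId | Format-Table -AutoSize

# Then the sessions belonging to the account being checked.
$hits = @($report | Where-Object { $_.Owner -ieq $AdminUser })
if ($hits.Count -gt 0) {
    # A hit means the account has a terminal session on this server.
    # It does not by itself show that the session is shadowing anyone.
    Write-Output "$AdminUser has $($hits.Count) terminal session(s): " +
                 "session ID(s) $($hits.SessionId -join ', ')"
} else {
    Write-Output "No rdpclip.exe process found for $AdminUser"
}
```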