I am having problems to shadow the remote desktop session of a user on a Windows Server 2008 R2.
If I log on as local administrator on the server with RDP and shadow the session of a domain user that works. However, if I log on with a domain user that is in the local administrators group and try to shadow the session of the same user as I tried before, I get an error:
> shadow ...
Remote Control failed. error Code 5
Error [5]:Access is denied.
I explicitly enabled all permissions for the domain user which cannot shadow a session under: Remote Desktop Session Host Configuration -> Rdp-Tcp connection -> Security -> checked Full Control
I even restarted the server after these modifications without success. I have exactly the same settings enabled on a different server and there a domain user, also being in the local administrators group can shadow sessions of other domain users.
So, are there any other settings I must enable to allow screensharing? Or do I do something wrong? Is there a way to determine which permissions an existing user actually has?
I found the solution: The user must run the powershell with elevated rights. I used this solution for my script that starts a remote controlled session:
http://www.christiano.ch/wordpress/2009/07/26/get-content-access-to-the-path-cprogram-files-is-denied/