We run a small application service provider (ASP) that offers a vertical application. Occasionally, our technical support staff needs to shadow users' Citrix MetaFrame 1.8 sessions to troubleshoot the application. Is this possible? We haven't given the support staff the Windows NT Administrator password or made them members of the Administrators group.

By default, only administrators have permissions to shadow users, so you must assign the appropriate rights to your technical support people. A member of the Administrators group can give shadow permissions to any group or user. These permissions let your support staff shadow other users who have shadowing enabled.

To give your support staff the appropriate permissions, open the Citrix Connection Configuration tool, click the connection type (e.g., ICA-TCP for listeners), and choose Permissions from the Security menu. On the next screen, you can add users or groups and assign shadow permissions. Initially, only the available Global and Local groups appear. If you want to add a member or members of the support staff, you must click Show Users. Create a special group called Shadowing, and use User Manager for Domains to add support staff members. You can then manage the "shadowers" by adding or subtracting names from the Shadowing group. Assign the shadow permission by giving the group User Access, then selecting the group, giving its members Special Access, and selecting the Shadow checkbox.

If you want to prevent support staff from shadowing specific MetaFrame users, you must disable shadowing in User Manager for Domains for users that you don't want your support staff to shadow, and then check Inherit User Config in Citrix Connection Configuration.

Next, make sure that your support staff has a shadowing utility. For example, they can use the Citrix Server Administration tool to monitor sessions. You can also give them access to the Shadow Taskbar, which, for typical users, requires that you change permissions for the following files to at least Read and Execute:

- \wtsrv\system32\wshadow.exe
- \wtsrv\system32\cshadow.exe
- \wtsrv\system32\icapas~1\wfica32.exe

You can also teach your support staff to use the Shadow command-line utility, or you can write a command file that uses the utility for them. For example, the command "Query Session" might return the following:

SESSIONNAME       USERNAME         ID   STATE    TYPE        DEVICE
console                            0   conn     wdcon              
rdp-tcp                            1   listen   rdpwd              
ica-ipx                            2   listen   wdica              
ica-netbios                        3   listen   wdica              
ica-tcp                            5   listen   wdica              
ica-tcp#19       administrator    19   active   wdica
ica-tcp#20       dcarroll         20   active   wdica
                                  21    idle

To start the shadowing process, issue the command

SHADOW \{sessionname | sessionid\} \[/SERVER:servername\] \[/V\]

where sessionname is the session name, sessionid identifies the session ID, /SERVER:servername is the server that contains the session (the default is the current server), and /V displays information about actions that occur. For example, the following command shadows the session dcarroll:

Shadow 20 /SERVER:TS1 /V

Good luck, and happy shadowing!