How do I tell if Shadowing is Allowed or Prohibited on a Server
November 4, 2008
Citrix XenApp Server products allow Farm Administrators and Users to interact with other user sessions.
Shadowing can be a useful tool for user collaboration, training, troubleshooting, and monitoring. This capability is useful for supervisors, help desk personnel, teachers, and anyone else who may need to examine another user’s session. During Setup, you can limit or disable shadowing. You can disable shadowing of ICA sessions on all servers in a farm if, for example, legal requirements prohibit shadowing of users’ sessions. Or, you may want to disable shadowing on servers that host sensitive applications such as Human Resources or Payroll.
During Setup, you will see this dialog box:
The decision made on this screen cannot be changed without reinstalling XenApp. This is from page 66 of the XenApp 4.5 with Feature Release 1 (AKA XenApp 5.0 on Server 2003):
Important: Shadowing restrictions are permanent. If you disable shadowing or enable shadowing but disable certain shadowing features during Setup, you cannot change the restrictions later. Any user policies you create to enable user-to-user shadowing are subject to the restrictions you place on shadowing during Setup. Do not disable shadowing as a substitute for user- and group-specific
Prohibit shadowing of user sessions on this server. Select this option to permanently disable shadowing of user sessions on the server. If you disable shadowing during Setup, you cannot enable it using other Citrix Presentation Server configuration utilities or by creating connection policies.
The problem an Accidental Citrix Admin will have is how to tell whether shadowing is Allowed or Prohibited on a server they now manage. Whether shadowing is Allowed or Prohibited, all shadowing components are still installed:
- The cshadow.* and wshadow.* program files are still installed in C:\Program Files\Citrix\System32
- The Shadow Taskbar is enabled
- Citrix policies for shadowing can still be created and applied.
So how does the Accidental Admin determine if shadowing is Allowed or Prohibited? Well, you will start with the Terminal Services Configuration Console. Within the console, under the Connections node, examine the Property sheet for the ICA-tcp object. When the Property sheet is displayed, click on the ICA-settings tab.
The following screenshot shows what the ICA Settings look like when shadowing is Allowed:
In the bottom area there is a Shadowing section that lets you set Shadowing to Inherit user config or to one of the following:
- is disabled
- is enabled: input OFF, notify OFF
- is enabled: input OFF, notify ON
- is enabled: input ON, notify ON
When shadowing is prohibited:
When shadowing is Prohibited during the installation of XenApp, the Shadowing section of the ICA Settings is grayed out.
This was tested in my lab using XenApp 5.0 on Server 2003.