How to let MS LogonII support local administrator?


Postby monday8848 » 2012-12-02 10:11

Hi: I test deployed VNC (version 10962), one version, to Win7 32-bit, Win7 64-bit and XP 32-bit computers, and it's running well. I use MS Logon I authentication. But you know, the AD group is stored in the .ini file. I don't want users to see it. So I use MS Logon II, but it can't support the local computer administrator. So I searched the forum and found nothing. It seems there is some way to support this, but I don't know how to do it. Can anyone help me? I just want to use MS Logon II, and want the local computer administrator to be supported for authentication. Thanks.

Below is useful information I found on the forum.
viewtopic.php?f=53&t=27791&p=85224#p85224

MSLogon credentials are stored in the registry regardless.
You can push registry settings to each computer (which is what I do), but you have to be careful if you set local computer accounts (like the local Administrator) because the SID is different on every computer. Domain accounts are simple to push because they will be the same for every computer.
I initially used a hybrid approach where I pushed registry settings for my domain accounts and then used the MSLogonACL.exe program to grant the local admin rights. You could also use the MSLogonACL.exe program exclusively.
I now push all permissions via the registry, but I get the local computer SID first so I can determine the appropriate local Administrator SID to add.
TLDR version: MSLogonACL.exe is the easiest way to set MSLogon permissions across multiple computers.
monday8848
Posts: 27
Joined: 2012-11-22 02:45

Re: How to let MS LogonII support local administrator?

Postby Bonji » 2012-12-03 19:28

How you do this depends on what mechanism you are employing to set user permissions.

MSLogonACL.exe can configure UltraVNC security like this:

Replace all permissions
mslogonacl /i /o perms.txt

PERMS.TXT
allow   0x00000003   "..\Domain Admins"
allow   0x00000003   "..\VNC Access"
allow   0x00000003   .\Administrator


Append permissions
mslogonacl /i /a perms.txt

PERMS.TXT
allow   0x00000003   .\Administrator


The domain accounts are preceded by "..", while local accounts are preceded by ".". Just FYI, all of this is documented by the executable itself (mslogonacl /?).

For my own needs, I modify the registry entry directly which is probably the most complicated way to do it. I have to figure out the SID of the local Administrator account, convert it to a format that VNC reads from the registry, and then insert it into the complete registry value that includes all other account information. I prefer this method because it doesn't rely on executing external programs.
-Ben
Bonji
Posts: 325
Joined: 2008-05-13 14:54
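
The SID steps described in the post above (get the local computer SID, derive the local Administrator SID from it, convert it to bytes), sketched in Windows PowerShell as an added example that is not code from this thread or from the UltraVNC project. The function names and the sample SID are constructed for illustration; the layout of the UltraVNC registry value is not described on this page, so the sketch stops at the raw SID bytes.

```powershell
# Added example (Windows PowerShell 2.0-5.1). Function names are hypothetical.

function Get-LocalAdministratorSid {
    # The built-in Administrator is the local account whose SID ends in -500.
    # Matching on the RID still works when the account has been renamed.
    # (On PowerShell 3.0+ Get-CimInstance can be used instead of Get-WmiObject.)
    $account = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -like 'S-1-5-21-*-500' } |
        Select-Object -First 1
    if (-not $account) { throw 'No local account with RID 500 was found.' }
    New-Object System.Security.Principal.SecurityIdentifier($account.SID)
}

function ConvertTo-SidBytes {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Principal.SecurityIdentifier]$Sid
    )
    # Binary SID: revision, sub-authority count, 6-byte identifier authority,
    # then each sub-authority as a 32-bit little-endian integer.
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    , $bytes   # leading comma returns the array as one object
}

# Offline demonstration with a constructed SID (not a real machine).
$sample = New-Object System.Security.Principal.SecurityIdentifier(
    'S-1-5-21-1111111111-2222222222-3333333333-500')

# The part before the RID is the local computer SID, different on every PC.
$computerSid = $sample.AccountDomainSid.Value
$isBuiltinAdmin = $sample.IsWellKnown(
    [System.Security.Principal.WellKnownSidType]::AccountAdministratorSid)

$sidBytes = ConvertTo-SidBytes -Sid $sample
$sidHex   = [System.BitConverter]::ToString($sidBytes)

Write-Output "Computer SID       : $computerSid"
Write-Output "Is built-in admin  : $isBuiltinAdmin"
Write-Output "Binary SID ($($sidBytes.Length) bytes): $sidHex"

# On a real machine, replace the sample with:
#   $sidBytes = ConvertTo-SidBytes -Sid (Get-LocalAdministratorSid)
```

Because the computer SID portion differs per machine, the resulting bytes have to be computed on each target rather than pushed as one fixed value, which is the caveat raised in the quoted post about local accounts.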

Re: How to let MS LogonII support local administrator?

Postby monday8848 » 2012-12-06 08:43

Thank you, Bonji.
monday8848
Posts: 27
Joined: 2012-11-22 02:45

