Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

Limiting access Windows 2000 Domain

Should you have problems with the MS logon plugin, here's the place to look for help or report issues
Post Reply
robbo007
Posts: 3
Joined: 2006-05-26 07:33

Limiting access Windows 2000 Domain

Post by robbo007 »

Hello,

Is there an easy way to limit connections that only the Administrator or Domain Admins Group on a Windows 2000 domain can connect?

I have Ultra VNC installed on my Windows 2000 server and under "Configure MS Logon Groups" I only have the domain adminsitrators group added but when I connect with a normal user it allows access??

I only want the domain administrator account to be able to remotely connect.

The only way at present is to create a group include all the normal domain users and deny access. Is there a better way?

Rob
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

which version of UltraVNC do you use?
Do you use MS-Logon I or II ("new" mslogon)?

At least with MS-Logon II it should work to just have the group Domain Admins added.
There's no need to explicitly deny access.
robbo007
Posts: 3
Joined: 2006-05-26 07:33

Post by robbo007 »

Hey,

I use version 1.0.1 Release. I only have the "mydomain\Administrators" group added. But every domain user can authenticate and connect???

Is there something wrong?

Rob
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

do you use MS-Logon I or II?

I think there is no "Administrators" group in a domain, they are called "Domain Administrators" or something like that.
robbo007
Posts: 3
Joined: 2006-05-26 07:33

Post by robbo007 »

Hiya,

MS Logon II.

I think I have found a security bug.

The default group for MS-Logon II is the local "Administrator" group for the machine where you install.

If you *don't* change this any normal domain user can authenticate and connect.

If you change this to the "domain admin" domain group only the administrator of the domain can connect.

The user normal user I am testing is a normal domain user no admin rights. The local "Administrator" group is on a server and the only user/group with access is the "Domain Admins" group.

Can anyone else confirm this?

Regards,

Rob
bilbus
8
8
Posts: 18
Joined: 2004-12-17 15:41

Post by bilbus »

There are a few groups in domains

"administrators"
"Domain admins"
"enterprise admins"
"schema admins"
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

Hmm,

MS-Logon II does not have any pre-configured access group.
If you select MS-Logon II and do no further config, nobody can access this VNC server.

BTW, a normal domain user is not automatically member of the local Administrators group.
Zythan
Posts: 1
Joined: 2006-01-28 21:04

Re: Limiting access Windows 2000 Domain

Post by Zythan »

Hello,

I have just gone over my setup (W2K domain with AD) and only the admins of the domain can connect.

You might have a problem with the user groups in the domain.

Regards

Zythan
Post Reply