How to let MS LogonII support local administrator?

monday8848
Posts: 27
Joined: 2012-11-22 02:45

Post by monday8848 »

Hi, I test-deployed VNC (version 10962), using one version, to Win7 32-bit, Win7 64-bit and XP 32-bit computers, and it's running well. I use MS Logon I authentication. But, you know, the AD group is stored in the .ini file, and I don't want users to see it. So I use MS Logon II, but it can't support the local computer administrator. I searched the forum and found nothing. It seems there is some way to support this, but I don't know how to do it. Can anyone help me? I just want to use MS Logon II and have the local computer administrator supported for authentication. Thanks.

Below is some useful information I found on the forum:
https://forum.ultravnc.net/viewtopic.ph ... 224#p85224

MSLogon credentials are stored in the registry regardless.
You can push registry settings to each computer (which is what I do), but you have to be careful if you set local computer accounts (like the local Administrator) because the SID is different on every computer. Domain accounts are simple to push because they will be the same for every computer.
I initially used a hybrid approach where I pushed registry settings for my domain accounts and then used the MSLogonACL.exe program to grant the local admin rights. You could also use the MSLogonACL.exe program exclusively.
I now push all permissions via the registry, but I get the local computer SID first so I can determine the appropriate local Administrator SID to add.
TLDR version: MSLogonACL.exe is the easiest way to set MSLogon permissions across multiple computers.
Bonji
Posts: 339
Joined: 2008-05-13 14:54

Re: How to let MS LogonII support local administrator?

Post by Bonji »

How you do this depends on what mechanism you are employing to set user permissions.

MSLogonACL.exe can configure UltraVNC security like this:

Replace all permissions:
mslogonacl /i /o perms.txt

PERMS.TXT

Code:

allow	0x00000003	"..\Domain Admins"
allow	0x00000003	"..\VNC Access"
allow	0x00000003	.\Administrator

Append permissions:
mslogonacl /i /a perms.txt

PERMS.TXT

Code:

allow	0x00000003	.\Administrator

The domain accounts are preceded by ".." while local accounts are preceded by ".". Just FYI, all of this is documented by the executable itself (mslogonacl /?).

For my own needs, I modify the registry entry directly which is probably the most complicated way to do it. I have to figure out the SID of the local Administrator account, convert it to a format that VNC reads from the registry, and then insert it into the complete registry value that includes all other account information. I prefer this method because it doesn't rely on executing external programs.
-Ben
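
The per-machine SID issue described in the post above, as an added example that is not part of the original posts and is not UltraVNC code: it derives the local Administrator SID (machine SID plus RID 500) and packs it into the standard Windows binary SID layout. The function names and the two machine SIDs are constructed for illustration, and how UltraVNC wraps the SID inside its registry value is not shown in this thread, so the example stops at the SID bytes.

```python
import struct

LOCAL_ADMIN_RID = 500  # well-known RID of the built-in local Administrator

def parse_sid(sid):
    """Split 'S-1-5-21-...' into (revision, authority, sub-authorities)."""
    parts = sid.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {sid!r}")
    revision, authority, *subs = (int(p) for p in parts[1:])
    if revision != 1 or not 0 <= authority < 1 << 48 or len(subs) > 15:
        raise ValueError(f"unsupported SID: {sid!r}")
    if any(not 0 <= s < 1 << 32 for s in subs):
        raise ValueError(f"sub-authority out of range: {sid!r}")
    return revision, authority, subs

def local_admin_sid(machine_sid):
    """Machine SID (S-1-5-21-a-b-c) -> SID of that machine's Administrator."""
    _, authority, subs = parse_sid(machine_sid)
    if authority != 5 or len(subs) != 4 or subs[0] != 21:
        raise ValueError(f"not a machine/domain SID: {machine_sid!r}")
    return f"{machine_sid.strip().upper()}-{LOCAL_ADMIN_RID}"

def sid_to_bytes(sid):
    """Binary SID: revision, count, 6-byte big-endian authority, LE uint32s."""
    revision, authority, subs = parse_sid(sid)
    head = struct.pack("BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + struct.pack(f"<{len(subs)}I", *subs)

def bytes_to_sid(raw):
    """Inverse of sid_to_bytes, used to check a value before pushing it."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("truncated or oversized binary SID")
    subs = struct.unpack(f"<{raw[1]}I", raw[8:])
    authority = int.from_bytes(raw[2:8], "big")
    return "-".join(["S", str(raw[0]), str(authority), *map(str, subs)])

# Constructed machine SIDs for two hypothetical hosts (not real values).
SAMPLE_MACHINE_SIDS = {
    "PC-A": "S-1-5-21-1000000001-2000000002-3000000003",
    "PC-B": "S-1-5-21-1000000004-2000000005-3000000006",
}

if __name__ == "__main__":
    for host, machine_sid in SAMPLE_MACHINE_SIDS.items():
        admin = local_admin_sid(machine_sid)
        print(host, admin, sid_to_bytes(admin).hex())
```

The two hosts produce different 28-byte values for the same account name, which is why a registry value containing a local account cannot be copied unchanged between machines, while a domain account's SID is the same everywhere.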
monday8848
Posts: 27
Joined: 2012-11-22 02:45

Re: How to let MS LogonII support local administrator?

Post by monday8848 »

Thank you, Bonji.