Hi all,
I'm crossposting this from the general help forum, since there's no reaction, but maybe this is a better place.
We're evaluating a migration scenario from a more 'commercial' version of VNC to uVNC.
One of the problems I'm facing is the following: Our VNC viewers use a mix of domain accounts or domain groups and machine local groups to determine access to the viewer.
Since a local group is always defined as <machine name>/name-of-local-group, how can I create an automated deployment that deals with the changing machine names in the access list? The local group name is always the same BTW.
Tim.
Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Bluesky/AT Protocol: https://bsky.app/profile/ultravnc.bsky.social
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Mix local and domain groups with automated deployment
- Rudi De Vos
- Admin & Developer
- Posts: 6867
- Joined: 2004-04-23 10:21
Re: Mix local and domain groups with automated deployment
The mslogon II access is based on the standard MS file access.
Permission can be exported and imported using MSlogonACL.exe
The vnc access is like setting a file permission, but also limited to what you can set as permission.
Re: Mix local and domain groups with automated deployment
I understand the security mechanism for windows, so no problem there.
My question is related to automated deploy.
When creating access rules with domain accounts or groups there's no problem: these SIDs are all equal across the entire domain.
But the commercial VNC we're using right now also has the possibility to define an access user as <local>\username-or-group. On computer TEST1 this would then be translated as TEST1\username-or-group, on computer TEST2 this becomes TEST2\username-or-group etc... This makes an automated deployment on different computers very easy...
We're using a local group on every PC to define who has VNC access to that specific machine.
- Rudi De Vos
- Admin & Developer
- Posts: 6867
- Joined: 2004-04-23 10:21
Re: Mix local and domain groups with automated deployment
TEST1\rudi
TEST1\rudigroup
Is exported like this.
MSLogonACL /e
== Entering GetACL
== RegQueryValueEx passed dwValueLength = 80
allow 0x00000003 .\rudi
allow 0x00000003 .\rudigroup
If you import it on TEST2 you give access to
TEST2\rudi
...
Export/import strips the hostname.
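
As an added illustration (not part of the thread and not UltraVNC code), this Python example parses the `MSLogonACL /e` text shown above and reports which principal each entry would name on a given target machine, so a template can be reviewed before it is deployed. The `deny` keyword, the `EXAMPLE\vnc-admins` entry and all function names are assumptions made for the example.

```python
import re

# Constructed sample: the export from the thread plus one made-up domain entry
# (EXAMPLE\vnc-admins) to contrast with the machine-relative ".\" entries.
SAMPLE_EXPORT = r"""
== Entering GetACL
== RegQueryValueEx passed dwValueLength = 80
allow 0x00000003 .\rudi
allow 0x00000003 .\rudigroup
allow 0x00000003 EXAMPLE\vnc-admins
"""

# Only "allow" appears in the thread; accepting "deny" is an assumption.
ACE_RE = re.compile(r"^(allow|deny)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")

def parse_export(text):
    """Return (action, mask, account) tuples; skip '==' debug lines and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("=="):
            continue
        m = ACE_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        entries.append((m.group(1), int(m.group(2), 16), m.group(3)))
    return entries

def resolve_for_host(entries, hostname):
    """Expand machine-relative '.\\name' accounts to 'HOSTNAME\\name'."""
    resolved = []
    for action, mask, account in entries:
        local = account.startswith(".\\")
        name = hostname.upper() + account[1:] if local else account
        resolved.append({"action": action, "mask": mask,
                         "account": name, "local": local})
    return resolved

def deployment_report(text, hostnames):
    """Map each target host to the principals the template names there."""
    entries = parse_export(text)
    return {h: resolve_for_host(entries, h) for h in hostnames}

if __name__ == "__main__":
    for host, aces in deployment_report(SAMPLE_EXPORT, ["TEST1", "TEST2"]).items():
        for ace in aces:
            scope = "machine-relative" if ace["local"] else "fixed"
            print(f"{host}: {ace['action']} {ace['mask']:#010x} {ace['account']} ({scope})")
```
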