Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: viewtopic.php?t=37864

Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://twitter.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc

MSLogonACL for remote computers

Should you have problems with the MS logon plugin, here's the place to look for help or report issues
Post Reply
sbostedor
100
100
Posts: 273
Joined: 2005-02-02 19:30
Location: Jackson, MI, USA
Contact:

MSLogonACL for remote computers

Post by sbostedor »

Any thoughts of adding the feature to import and export the ACL from computers over a LAN?
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

You could use UltraVNC to export the ACL :)
For importing you could use any tool that allows to start processes on remote computers.
See psexec from http://www.sysinternals.com/ntw2k/freew ... ools.shtml
sbostedor
100
100
Posts: 273
Joined: 2005-02-02 19:30
Location: Jackson, MI, USA
Contact:

Post by sbostedor »

ahhh .. .I just made it part of the deployment wizard in VNCScan so it's all good, now. ;) The ACL will push out with the UltraVNC deplpyment.

In the deployment wizard, it offers you a text box to put in ACL information right under the checkbox to use MSAUTH.

It also has a new feature to let you include a .REG file with the deployment of all flavors of VNC incuding Ultra. The reg file is executed remotely on the computers to import reg settings. So far, the beta testers love this feature and I can't wait until it's out for everyone to use.

The inclusion of the REG file is more for the other flavors than for Ultra, though. The other ones don't use a text based ACL util like you do. For those flavors, people have to configure a computer and then export it to a .reg file and then deploy that with the VNCScan deployment wizard.

- Steve Bostedor
http://www.vncscan.com
Last edited by sbostedor on 2005-05-11 15:02, edited 1 time in total.
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

The ACL contains the SIDs of the accounts that are configured.
That's the reason why you should not directly export and import the reg key of the ACL.
If you have local users/groups, their SIDs are different on different machines.
Also the binary structure of the ACL is not guaranteed to be the same on different Windows versions.
So I added the MSLogonACL utility to export/import the ACL savely.
sbostedor
100
100
Posts: 273
Joined: 2005-02-02 19:30
Location: Jackson, MI, USA
Contact:

Post by sbostedor »

You're correct, sir. :D

You can, however, resolve a remote computername\username to a valid SID on that local machine SAM database through an API. I'll dig it up if you're interested, but it's c# so I'm not sure that it'll help you.

It works fine for VNCScan, though. When VNCScan deploys UltraVNC to a remote computer and MS AUTH is chosen, it copies the ACL information into a text file on the remote computer, copies over the mslogonauth util and then remotely executes it on that computer so that it's resolving against that computers SAM database.

It works this way just fine, I was just wondering if you ever planned to put in the code to make it resolve SIDS against remote computer accounts to save this extra step in the deployment process.

If I knew how you constructed the binary registry key, I'd just make my own .NET version and release it as open source freeware. Any info on that?

- Steve Bostedor
http://www.vncscan.com
Last edited by sbostedor on 2005-05-12 12:10, edited 1 time in total.
Marscha
Former moderator
Former moderator
Posts: 464
Joined: 2004-05-14 06:48

Post by Marscha »

it's standard MS:
LookupAccountName()
InitializeAcl()
AddAccessDeniedAce()
AddAccessAllowedAce()
See http://cvs.sourceforge.net/viewcvs.py/u ... iew=markup
Look at function vncImportACL::BuildACL()

I don't understand your suggestion:
I was just wondering if you ever planned to put in the code to make it resolve SIDS against remote computer accounts to save this extra step in the deployment process.
If you don't want local accounts in the ACL, you can always use domain accounts (if you have domains available :wink: )
Post Reply