Update: UltraVNC 1.4.3.6 and UltraVNC SC 1.4.3.6: https://forum.uvnc.com/viewtopic.php?t=37885
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
Important: Please update to latest version before to create a reply, a topic or an issue: https://forum.uvnc.com/viewtopic.php?t=37864
Join us on social networks and share our announcements:
- Website: https://uvnc.com/
- GitHub: https://github.com/ultravnc
- Mastodon: https://mastodon.social/@ultravnc
- Facebook: https://www.facebook.com/ultravnc1
- X/Twitter: https://x.com/ultravnc1
- Reddit community: https://www.reddit.com/r/ultravnc
- OpenHub: https://openhub.net/p/ultravnc
NT Authentication
NT Authentication
I have added a domain group to the MS logon part of server setup. When I attempt to connect using an account that is a member of the group everything works fine. When I try to connect using a different account that is NOT part of the group I am still allowed access. It does not appear to be rejecting access. I am using 1.0.0 RC18.
Larry Huisingh
Larry Huisingh
- Rudi De Vos
- Admin & Developer
- Posts: 6862
- Joined: 2004-04-23 10:21
- Contact:
Are you sure the second user is not local admin.....
A local admin have always access, even when he is not member of the group.
A local admin have always access, even when he is not member of the group.
Last edited by Rudi De Vos on 2004-08-23 10:44, edited 1 time in total.
- Rudi De Vos
- Admin & Developer
- Posts: 6862
- Joined: 2004-04-23 10:21
- Contact:
Yes, it turned out that the second user was in the administrators group. I removed that user account from the admin group and rebooted both machines. When I tried with the second one again it crashed the server. I get the following error message
"0x100011f2 referenced memory at 0x00000002. The memory could not be "read"."
I have not tried the new ms-logon yet. This is with RC18. I will try out the new ms-logon next.
Thank you.
"0x100011f2 referenced memory at 0x00000002. The memory could not be "read"."
I have not tried the new ms-logon yet. This is with RC18. I will try out the new ms-logon next.
Thank you.
Hi,Rudi De Vos wrote:If you can use the service manager, you can remote install/uninstall vnc, this users HAVE ALWAYS ACCESS.
No need to block them, because they always can grant themself access.
nevertheless I would like to have an option to disallow the local admins to connect to VNC.
Why? Because we have PCs wich are used by many users - every day another. These users need to be in the local admin group and so we added the "domain users"-group to the local admin group and this is (unfortunately) not arguable.
So every user can connect to each PC - that's a big no for our VNC-project. Even with a query window it's not ok, because the "normal user" clicks on every popup-window
Only our "helpdesk" should be able to connect to these PCs.
By the way - is it possible two switch the order of the confirmations? I think it's better to check first the client-->server permission to establish a connection and then query the server-user.
Greetings
Schra
I just tried the new ms-logon. I put in the registry key with a DWORD value of 1 as well. I modified the group name to use the full domain\group specification and it worked fine. The first user that was part of an authorized group was granted access as desired and the second user (not an authorized group member, non-admin user) was denied access and this time the server didn't crash.
I noticed that if you make changes to the authorized user list you have to stop and start the server for the changes to take effect. It would be nice if it would take place right away.
I noticed that if you make changes to the authorized user list you have to stop and start the server for the changes to take effect. It would be nice if it would take place right away.
- Rudi De Vos
- Admin & Developer
- Posts: 6862
- Joined: 2004-04-23 10:21
- Contact:
Code: Select all
we added the "domain users"-group to the local admin group
They can remote install vnc
They can change the local and remote registry of every PC
They are allowed to reset,shutdown every PC you controle.
They can stop the virus checkers beause they use to much cpu....
How do you gonna block the user for changing the "disallow the local admins", they are allowed to change the value from any remote pc.
What local admin rights does the users need, does they need to install there own services ?
You better create your own "power user group" with needed permissions and add the "domain users" in that group
Thanks for your answer!
No, because of various policies and the disabled "file- and printersharing" a user can't edit the registry remotly.
They need full control over installation of drivers + programs, changing the network settings and so on (required because of technicans outside the office at the customers).
Because of data privacy a normal "domain user" shouldn't connect remotly to another PC with VNC - and no, he can't go to this PC and change the stettings from the PC directly (half way around the world/another department with security doors).
As said before - the domain users thing inside the local admin group isn't changeable and a default user with local admin rights on such a remote PC shouldn't be allowed to log on. Yes, I know, that a user with experience can circumvent such blocking, but we have to follow the rules of our works council.
I hope you understand the problem now a little bit better (my first post wasn't very clear).
Code: Select all
They can change the local and remote registry of every PC
Code: Select all
What local admin rights does the users need, does they need to install there own services ?
Because of data privacy a normal "domain user" shouldn't connect remotly to another PC with VNC - and no, he can't go to this PC and change the stettings from the PC directly (half way around the world/another department with security doors).
As said before - the domain users thing inside the local admin group isn't changeable and a default user with local admin rights on such a remote PC shouldn't be allowed to log on. Yes, I know, that a user with experience can circumvent such blocking, but we have to follow the rules of our works council.
I hope you understand the problem now a little bit better (my first post wasn't very clear).
- Rudi De Vos
- Admin & Developer
- Posts: 6862
- Joined: 2004-04-23 10:21
- Contact:
-
- Posts: 3
- Joined: 2004-08-26 15:23
- Rudi De Vos
- Admin & Developer
- Posts: 6862
- Joined: 2004-04-23 10:21
- Contact:
-
- Posts: 3
- Joined: 2004-08-26 15:23
i tried removing the authlogonuser.dll , the auth.dll is already in the directory, and restarting the machien to make sure the service isn't using the authlogonuser.dll somehow and i get an error "you selected ms-logon but the auth.dll was not found, and it hangs up the ultravnc client as well.
I'm guessing that because the "server" pc is in a workgroup (not authenticated into the domain) and the client pc is authenticated in the domain that i'm going to have problems using the domain to provide authentication for the server. But i'll keep testing it regardless and hope that i'll work it out. maybe there can be some extra settings aloow a work around
I'm guessing that because the "server" pc is in a workgroup (not authenticated into the domain) and the client pc is authenticated in the domain that i'm going to have problems using the domain to provide authentication for the server. But i'll keep testing it regardless and hope that i'll work it out. maybe there can be some extra settings aloow a work around