Managing Users and Session Permissions for RealVNC Server

If you use one of the following authentication schemes in RealVNC Server, then you must register the user accounts of all prospective RealVNC Viewer users with RealVNC Server:

Once registered, you can assign session permissions to user accounts and/or groups, to control the availability of features such as mouse or keyboard inputs, file transfer, and printing while sessions are in progress.

You can manage users and permissions either by:

  • Setting the RealVNC Server Permissions parameter.

  • Using RealVNC Server’s Options > Users & Permissions page.

Understanding pre-registered user accounts and groups

Certain user accounts and/or groups are pre-registered with RealVNC Server, to enable connectivity out-of-the-box:

  • Windows
    • Service Mode: Administrators group. Note this typically includes Domain Admins if the computer is joined to a domain.
    • User Mode: User account starting RealVNC Server
    • Virtual Mode: Not applicable
    • Virtual Mode daemon: Not applicable

  • Mac
    • Service Mode: admin group
    • User Mode: User account starting RealVNC Server
    • Virtual Mode: Not applicable
    • Virtual Mode daemon: Not applicable

  • Linux
    • Service Mode: admin group, sudo group (Debian-compatible), wheel group (Red Hat-compatible)
    • User Mode: User account starting RealVNC Server
    • Virtual Mode: User account starting RealVNC Server
    • Virtual Mode daemon: Any user account on the system, including domain accounts if joined to a domain.

Registering a new user or group and granting session permissions

To register a new user account or group using RealVNC Server’s Options > Users & Permissions page:

  1. Click the Add button and follow the instructions for your platform.
    Note that prior configuration is required to register domain accounts under Linux.

  2. Grant session permissions to a user account or group. Choose:

    • View-only permissions to enable connected user(s) to observe the desktop but not interact with it.

    • Normal permissions to enable connected user(s) to use all remote control features, but not bypass accept/reject prompts.

    • Administrative permissions to enable connecting user(s) to bypass accept/reject prompts, and subsequently use all remote control features.

    • Custom permissions to fine-tune the remote control experience.

Note that if you register a group, and separately register a user who is also a member of that group, then it is possible to grant a conflicting set of permissions. In this circumstance, the following rules apply:

  • A feature that is denied cannot be overridden.
  • A feature that is allowed is overridden by denied.
  • A feature that is disallowed is overridden by either allowed or denied.

So for example, if you disallow printing for a group but allow it for a particular member, then that member can print files. But if you deny printing for the group, no member can print files.
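
The precedence rules above amount to a three-state merge in which deny beats allow and allow beats disallow. The following is an added example, not RealVNC code: the feature labels, account names and the treatment of an unmentioned feature as disallowed are assumptions made for illustration, and the '%' group prefix is used only as a naming convention for the sample data.

```python
from enum import IntEnum

class State(IntEnum):
    # Ordered by precedence under the rules above:
    # denied beats allowed, allowed beats disallowed.
    DISALLOW = 0
    ALLOW = 1
    DENY = 2

def _matching(user, user_groups):
    # Registered names that apply to this user; groups carry a leading '%'.
    return [user] + ["%" + g for g in user_groups]

def effective_permissions(user, user_groups, entries):
    """Merge the user's own entry with the entries of every group they belong to.

    `entries` maps a registered name to {feature: State}. A feature that no
    matching entry mentions is treated as DISALLOW (assumption).
    """
    merged = {}
    for name in _matching(user, user_groups):
        for feature, state in entries.get(name, {}).items():
            merged[feature] = max(merged.get(feature, State.DISALLOW), state)
    return merged

def conflicts(user, user_groups, entries):
    """Features on which the matching entries disagree, for an admin to review."""
    seen = {}
    for name in _matching(user, user_groups):
        for feature, state in entries.get(name, {}).items():
            seen.setdefault(feature, {})[name] = state
    return {f: by for f, by in seen.items() if len(set(by.values())) > 1}

# Constructed sample registrations (hypothetical names and feature labels).
ENTRIES = {
    "%helpdesk": {"printing": State.DISALLOW,
                  "file_transfer": State.DENY,
                  "keyboard": State.ALLOW},
    "alice": {"printing": State.ALLOW, "file_transfer": State.ALLOW},
}

if __name__ == "__main__":
    for feature, state in effective_permissions("alice", ["helpdesk"], ENTRIES).items():
        print(f"{feature}: {state.name}")
    print("conflicting:", sorted(conflicts("alice", ["helpdesk"], ENTRIES)))
```

Running the conflict check before rolling out a permissions string shows where a per-user allow is silently cancelled by a group deny, or where a per-user allow widens access beyond what the group entry suggests.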

Using VNC Permissions Creator

VNC Permissions Creator is a free utility designed to help system administrators manage users and session permissions more easily when RealVNC Server is installed on multiple computers.

  1. Download VNC Permissions Creator for your platform from the website.

  2. Use the interface to add users or groups and grant permissions in the expected way.

  3. Click the Refresh Parameter button to generate a permissions string in the correct format.

    Under Windows, user and group names are automatically translated into security identifiers (SIDs). Note that groups are distinguished by a % preceding the SID.

  4. Apply the permissions string to the RealVNC Server Permissions parameter, for example using policy.

Visualizing an existing permissions string

You can also use VNC Permissions Creator to translate a Permissions parameter value into human-readable form. This is particularly useful under Windows, to convert SIDs into recognizable user and group names.

To do this, paste the parameter value into the Permissions Parameter area, and click the Refresh Users & Groups button.

Registering local users and groups under Windows

To register a local (as opposed to a domain or Windows built-in) user account or group, use the special syntax:

  • <LOCAL> for user accounts
  • %<LOCAL> for groups

For example, if you wish to remotely configure five computers, three of which have a TestUser local account:

Computer 1 LITHIUM
Computer 2 SODIUM\TestUser
Computer 3 POTASSIUM
Computer 4 RUBIDIUM\TestUser
Computer 5 CESIUM\TestUser

...then specify the <LOCAL> syntax directly in the Permissions Parameter area.

When these five computers are provisioned with the permissions string, those able to resolve the TestUser local account (SODIUM, RUBIDIUM, and CESIUM) do so.

On these computers, connecting RealVNC Viewer users can now supply TestUser’s credentials in order to authenticate to RealVNC Server.

Those computers that cannot resolve TestUser (LITHIUM and POTASSIUM) deny access to users authenticating using these credentials, at least until such time as a local account with that name is added.
