If you use one of the following authentication schemes in RealVNC Server, then you must register the user accounts of all prospective RealVNC Viewer users with RealVNC Server:
- System authentication (labelled Windows password, Mac password or UNIX password)
- Interactive system authentication (labelled Interactive Mac authentication or Interactive UNIX authentication)
- Single sign-on
- Smartcard/certificate store
- System authentication + RADIUS authentication
- A custom scheme in which RADIUS authentication is used as a single factor
Once registered, you can assign session permissions to user accounts and/or groups, to control the availability of features such as mouse or keyboard inputs, file transfer, and printing while sessions are in progress.
You can manage users and permissions either by:
- Setting the RealVNC Server Permissions parameter.
- Using RealVNC Server’s Options > Users & Permissions page.
Understanding pre-registered user accounts and groups
Certain user accounts and/or groups are pre-registered with RealVNC Server, to enable connectivity out-of-the-box:
| | Service Mode | User Mode | Virtual Mode | Virtual Mode daemon |
|---|---|---|---|---|
| Windows | Administrators group. Note this typically includes Domain Admins if the computer is joined to a domain. | User account starting RealVNC Server | Not applicable | Not applicable |
| Mac | admin group | User account starting RealVNC Server | Not applicable | Not applicable |
| Linux | admin group; sudo group (Debian-compatible); wheel group (Red Hat-compatible) | User account starting RealVNC Server | User account starting RealVNC Server | Any user account on the system, including domain accounts if joined to a domain. |
Registering a new user or group and granting session permissions
To register a new user account or group using RealVNC Server’s Options > Users & Permissions page:
- Click the Add button and follow the instructions for your platform. Note prior configuration is required to register domain accounts under Linux.
- Grant session permissions to a user account or group. Choose:
  - View-only permissions to enable connected user(s) to observe the desktop but not interact with it.
  - Normal permissions to enable connected user(s) to use all remote control features, but not bypass accept/reject prompts.
  - Administrative permissions to enable connecting user(s) to bypass accept/reject prompts, and subsequently use all remote control features.
  - Custom permissions to fine-tune the remote control experience.
Note that if you register a group, and separately register a user who is also a member of that group, then it is possible to grant a conflicting set of permissions. In this circumstance, the following rules apply:
- A feature that is denied cannot be overridden.
- A feature that is allowed is overridden by denied.
- A feature that is disallowed is overridden by either allowed or denied.
So for example, if you disallow printing for a group but allow it for a particular member, then that member can print files. But if you deny printing for the group, no member can print files.
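The three precedence rules above can be checked mechanically when auditing who ends up with which feature. The following is an added example, not RealVNC code: it models the rules with a hypothetical data structure (it does not parse the real Permissions string), and the principal and feature names are constructed for illustration.

```python
from enum import IntEnum

class State(IntEnum):
    # Ordered by precedence: a higher value overrides a lower one.
    DISALLOWED = 0   # not granted, but may be overridden by allowed or denied
    ALLOWED = 1      # granted, unless another entry denies it
    DENIED = 2       # refused, cannot be overridden

def effective_permissions(entries, user, groups):
    """Merge every registered entry that applies to `user`.

    entries: {principal: {feature: State}}; group principals carry a
             leading '%', mirroring the group prefix described on this page.
    Returns (effective, conflicts); conflicts lists the features on which
    the applicable entries disagree, which is what an audit should review.
    """
    applicable = [user] + ["%" + g for g in groups]
    effective, seen = {}, {}
    for principal in applicable:
        for feature, state in entries.get(principal, {}).items():
            seen.setdefault(feature, set()).add(state)
            current = effective.get(feature, State.DISALLOWED)
            effective[feature] = max(current, state)
    conflicts = sorted(f for f, states in seen.items() if len(states) > 1)
    return effective, conflicts

# Constructed sample data (hypothetical names and features).
ENTRIES = {
    "%helpdesk": {"view": State.ALLOWED, "keyboard": State.ALLOWED,
                  "printing": State.DISALLOWED, "file_transfer": State.DENIED},
    "alice": {"printing": State.ALLOWED, "file_transfer": State.ALLOWED},
    "bob": {"keyboard": State.DENIED},
}

def audit(user, groups):
    """Return (features actually granted, features with conflicting entries)."""
    effective, conflicts = effective_permissions(ENTRIES, user, groups)
    granted = sorted(f for f, s in effective.items() if s == State.ALLOWED)
    return granted, conflicts

if __name__ == "__main__":
    for name in ("alice", "bob"):
        granted, conflicts = audit(name, ["helpdesk"])
        print(f"{name}: granted={granted} conflicting={conflicts}")
```

Here alice can print because her user entry allows what the group only disallows, but she cannot transfer files because the group denies it; bob's user-level deny on keyboard input holds even though the group allows it.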
Using VNC Permissions Creator
VNC Permissions Creator is a free utility designed to help system administrators manage users and session permissions more easily when RealVNC Server is installed on multiple computers.
- Download VNC Permissions Creator for your platform from the website:
  - Windows: Download here
  - Mac: Download here
  - Linux: Download here
- Use the interface to add users or groups and grant permissions in the expected way.
- Click the Refresh Parameter button to generate a permissions string in the correct format.
  Under Windows, user and group names are automatically translated into security identifiers (SIDs), as above. Note that groups are distinguished by a % preceding the SID.
- Apply the permissions string to the RealVNC Server Permissions parameter, for example using policy.
Visualizing an existing permissions string
You can also use VNC Permissions Creator to translate a Permissions parameter value into human-readable form. This is particularly useful under Windows, to convert SIDs into recognizable user and group names.
To do this, paste the parameter value into the Permissions Parameter area, and click the Refresh Users & Groups button.
Registering local users and groups under Windows
To register a local (as opposed to a domain or Windows built-in) user account or group, use the special syntax:
- <LOCAL> for user accounts
- %<LOCAL> for groups
For example, if you wish to remotely configure five computers, three of which have a TestUser local account:
Computer 1 | LITHIUM |
Computer 2 | SODIUM\TestUser |
Computer 3 | POTASSIUM |
Computer 4 | RUBIDIUM\TestUser |
Computer 5 | CESIUM\TestUser |
...then specify the <LOCAL> syntax directly in the Permissions Parameter area.
When these five computers are provisioned with the permissions string, those able to resolve the TestUser local account (SODIUM, RUBIDIUM, and CESIUM) do so.
On these computers, connecting RealVNC Viewer users can now supply TestUser’s credentials in order to authenticate to RealVNC Server.
Those computers that cannot resolve TestUser (LITHIUM and POTASSIUM) deny access to users authenticating using these credentials, at least until such time as a local account with that name is added.