Mix local and domain groups with automated deployment

Should you have problems with the MS logon plugin, here's the place to look for help or report issues.

Post by tdemeyer »

Hi all,

I'm crossposting this from the general help forum, since there's no reaction, but maybe this is a better place..


We're evaluating a migration scenario from a more 'commercial' version of VNC to uVNC.

One of the problems I'm facing is the following: Our VNC viewers use a mix of domain accounts or domain groups and machine local groups to determine access to the viewer.

Since a local group is always defined as <machine name>/name-of-local-group how can I create an automated deployment that deals with the changing machine names in the access list? The local group name is always the same BTW..



Tim.

Re: Mix local and domain groups with automated deployment

Post by Rudi De Vos »

The mslogon II access is based on the standard MS file access.

Permissions can be exported and imported using MSlogonACL.exe

The vnc access is like setting a file permission, but also limited to what you can set as permission.

Re: Mix local and domain groups with automated deployment

Post by tdemeyer »

I understand the security mechanism for Windows, so no problem there.

My question is related to automated deploy.

When creating access rules with domain accounts or groups there's no problem: these SIDs are all equal across the entire domain.
But the commercial VNC we're using right now also has the possibility to define an access user as <local>\username-or-group. On computer TEST1 this would then be translated as TEST1\username-or-group, on computer TEST2 this becomes TEST2\username-or-group etc... This makes an automated deployment on different computers very easy...

We're using a local group on every PC to define who has VNC access to that specific machine..

Re: Mix local and domain groups with automated deployment

Post by Rudi De Vos »

TEST1\rudi
TEST1\rudigroup

Is exported like this.
MSLogonACL /e
== Entering GetACL
== RegQueryValueEx passed dwValueLength = 80
allow 0x00000003 .\rudi
allow 0x00000003 .\rudigroup

If you import it on TEST2 you give access to
TEST2\rudi
...

export/import strip the hostname
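
A pre-deployment check for the behaviour described in the last post, as an added example that is not part of the thread or of UltraVNC: it parses text in the `MSLogonACL /e` format quoted above, resolves `.\` entries to the target hostname, and reports entries that stay tied to one machine. The `CORP` domain, the two extra sample accounts, the `deny` keyword and all function names are assumptions.

```python
import re

# Constructed sample in the format of the export quoted in the thread.
# CORP\vncadmins and TEST1\vncusers are made-up entries for illustration.
SAMPLE_EXPORT = r"""== Entering GetACL
== RegQueryValueEx passed dwValueLength = 80
allow 0x00000003 .\rudi
allow 0x00000003 .\rudigroup
allow 0x00000003 CORP\vncadmins
allow 0x00000003 TEST1\vncusers
"""

# The thread shows only "allow" lines; accepting "deny" is an assumption.
ENTRY = re.compile(r"^(allow|deny)\s+(0x[0-9a-fA-F]+)\s+(\S.*)$")


def parse_acl(text):
    """Return (action, mask, account) tuples, skipping '==' diagnostics."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("=="):
            continue
        match = ENTRY.match(line)
        if match is None:
            raise ValueError(f"unrecognised ACL line: {line!r}")
        action, mask, account = match.groups()
        entries.append((action, int(mask, 16), account))
    return entries


def review_template(text, hostname, domains):
    """Resolve '.\\name' to hostname\\name; list entries that are not portable."""
    known = {d.upper() for d in domains}
    resolved, pinned = [], []
    for action, mask, account in parse_acl(text):
        prefix, sep, name = account.partition("\\")
        if sep and prefix == ".":
            resolved.append((action, mask, f"{hostname}\\{name}"))
        elif sep and prefix.upper() in known:
            resolved.append((action, mask, account))
        else:
            # Machine-specific or unqualified: would not follow the host.
            pinned.append(account)
    return resolved, pinned


if __name__ == "__main__":
    print(review_template(SAMPLE_EXPORT, "TEST2", ["CORP"]))
```

An empty second list means every local entry in the template is written as `.\name` and will follow whichever machine it is imported on.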