
Managing users and permissions for VNC Server

If you have a Professional or Enterprise subscription, and you use one of the following authentication schemes, then you must register the user accounts of all prospective VNC Viewer users with VNC Server:

Once registered, you can assign session permissions to user accounts and/or groups, to control the availability of features such as mouse or keyboard inputs, file transfer, and printing while connections are in progress.

You can manage users and permissions either by:

  • Setting the VNC Server Permissions parameter.

  • Using VNC Server’s Options > Users & Permissions page:

    [Screenshot: VNC Server Options dialog, Users & Permissions page]

Understanding pre-registered user accounts and groups

Certain user accounts and/or groups are pre-registered with VNC Server, to enable connectivity out-of-the-box:

| Platform | Service Mode | User Mode | Virtual Mode | Virtual Mode daemon |
|---|---|---|---|---|
| Windows | Administrators group. Note this typically includes Domain Admins if the computer is joined to a domain. | User account starting VNC Server | Not applicable | Not applicable |
| Mac | admin group | User account starting VNC Server | Not applicable | Not applicable |
| Linux | admin group; sudo group (Debian-compatible); wheel group (Red Hat-compatible) | User account starting VNC Server | User account starting VNC Server | Any user account on the system, including domain accounts if joined to a domain. |

Registering a new user or group and granting permissions

To register a new user account or group using VNC Server’s Options > Users & Permissions page:

  1. Click the Add button and follow the instructions for your platform.

    Note prior configuration is required to register domain accounts under Linux.

  2. Grant permissions to a user account or group. Choose:

    • View-only permissions to enable connected user(s) to observe the desktop but not interact with it.

    • Normal permissions to enable connected user(s) to use all remote control features, but not bypass connection prompts.

    • Administrative permissions to enable connecting user(s) to bypass connection prompts, and subsequently use all remote control features.

    • Custom permissions to fine-tune the remote control experience:

      [Screenshot: registering a user and setting custom permissions]

Note that if you register a group, and separately register a user who is also a member of that group, then it is possible to grant a conflicting set of permissions. In this circumstance, the following rules apply:

  • A feature that is denied cannot be overridden.
  • A feature that is allowed is overridden by denied.
  • A feature that is disallowed is overridden by either allowed or denied.

So for example, if you disallow printing for a group but allow it for a particular member, then that member can print files. But if you deny printing for the group, no member can print files.
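The three precedence rules above, modeled as an added example (not RealVNC's code, and not the format of the Permissions parameter): the allow/disallow/deny states follow the page, while the principal names, feature names and data structures are assumptions made for illustration. It also reports where a disallow on one entry is overridden by an allow on another, which is the case where deny may have been intended.

```python
from enum import IntEnum

class State(IntEnum):
    # Ordered by precedence, following the three rules on this page.
    DISALLOW = 0   # overridden by either allow or deny
    ALLOW = 1      # overridden only by deny
    DENY = 2       # cannot be overridden

def effective(user, memberships, entries):
    """Merge the entries registered for a user and for each group the user
    belongs to. Returns {feature: (winning_state, principal_that_set_it)}."""
    merged = {}
    for principal in [user, *memberships.get(user, [])]:
        for feature, state in entries.get(principal, {}).items():
            if feature not in merged or state > merged[feature][0]:
                merged[feature] = (state, principal)
    return merged

def soft_blocks_overridden(user, memberships, entries):
    """Features that one entry disallows but that end up allowed for the
    user: returns sorted (feature, disallowing_principal, allowing_principal)."""
    result = effective(user, memberships, entries)
    findings = []
    for principal in [user, *memberships.get(user, [])]:
        for feature, state in entries.get(principal, {}).items():
            winner, source = result[feature]
            if state is State.DISALLOW and winner is State.ALLOW:
                findings.append((feature, principal, source))
    return sorted(findings)

# Constructed sample data: principal and feature names are illustrative only.
MEMBERSHIPS = {"alice": ["support"], "bob": ["support", "contractors"]}
ENTRIES = {
    "support":     {"printing": State.DISALLOW, "file_transfer": State.ALLOW},
    "contractors": {"file_transfer": State.DENY},
    "alice":       {"printing": State.ALLOW},
}

if __name__ == "__main__":
    for user in MEMBERSHIPS:
        merged = effective(user, MEMBERSHIPS, ENTRIES)
        for feature, (state, source) in sorted(merged.items()):
            usable = "usable" if state is State.ALLOW else "blocked"
            print(f"{user:6} {feature:14} {state.name:9} via {source:12} {usable}")
        for feature, loser, winner in soft_blocks_overridden(user, MEMBERSHIPS, ENTRIES):
            print(f"{user:6} note: {loser} disallows {feature}, but {winner} allows it")
```
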

Using VNC Permissions Creator

VNC Permissions Creator is a free utility designed to help system administrators manage users and permissions more easily when VNC Server is installed on multiple computers.

  1. Download VNC Permissions Creator for your platform.

  2. Use the interface to add users or groups and grant permissions in the expected way.

  3. Click the Refresh Parameter button to generate a permissions string in the correct format:

    [Screenshot: VNC Permissions Creator showing the generated permissions string]

    Note

    Under Windows, user and group names are automatically translated into security identifiers (SIDs), as above. Note the built-in Administrators group is distinguished by a % preceding the SID.

  4. Apply the permissions string to the VNC Server Permissions parameter, for example using policy.

Visualizing an existing permissions string

You can also use VNC Permissions Creator to translate a Permissions parameter value into human-readable form. This is particularly useful under Windows, to convert SIDs into recognizable user and group names.

To do this, paste the parameter value into the Permissions Parameter area, and click the Refresh Users & Groups button.

Registering local users and groups under Windows

To register a local (as opposed to a domain or Windows built-in) user account or group, use the special syntax:

  • <LOCAL> for user accounts
  • %<LOCAL> for groups

For example, if you wish to remotely configure five computers, three of which have a TestUser local account:

Computer 1 LITHIUM
Computer 2 SODIUM\TestUser
Computer 3 POTASSIUM
Computer 4 RUBIDIUM\TestUser
Computer 5 CESIUM\TestUser

...then specify the <LOCAL> syntax directly in the Permissions Parameter area:

[Screenshot: VNC Permissions Creator with the <LOCAL> syntax entered in the Permissions Parameter area]

When these five computers are provisioned with the permissions string, those able to resolve the TestUser local account (SODIUM, RUBIDIUM, and CESIUM) do so:

[Screenshot: VNC Permissions Creator with the TestUser local account resolved]

On these computers, connecting VNC Viewer users can now supply TestUser’s credentials in order to authenticate to VNC Server.

Those computers that cannot resolve TestUser (LITHIUM and POTASSIUM) deny access to users authenticating using these credentials, at least until such time as a local account with that name is added.
