Managing users and permissions for VNC Server
If you have a Professional or Enterprise subscription, then by default VNC Server is set to use system authentication, which means users can authenticate to VNC Server using the same credentials they normally use to log in to their user account on that computer. Note that some users and groups are pre-registered with VNC Server, to enable connectivity out-of-the-box.
This authentication scheme is typically both secure and convenient; system administrators commonly force the adoption of complex user names and passwords in enterprise environments, and users can authenticate using already-familiar credentials, and don’t have to remember yet another password.
A Home subscription does not support system authentication. Only the VNC authentication scheme is available.
To authenticate to VNC Server, a connecting user can supply the credentials:
- Under any platform, of a local user account (that is, one set up directly on the computer).
- Under Windows and Mac, providing the computer is joined to a domain, of a domain user account (one that is managed by a network service such as Active Directory). Note that prior configuration is required to use domain accounts under Linux.
- Under Windows 8 or later, providing the computer is connected to the Internet, of a cloud user account (that is, a Microsoft account in which the email address constitutes the user name).
Note that for any platform, the credentials supplied by a user to authenticate to VNC Server determine the VNC Connect permissions granted to that user, controlling the features available to use while their connection is in progress.
Understanding pre-registered user accounts and groups
Certain user accounts and groups are pre-registered with VNC Server to enable connectivity out-of-the-box:
|User||User account starting VNC Server||User account starting VNC Server||User account starting VNC Server|
|Virtual||User account starting VNC Server|
|Virtual Daemon||Any user account on the system, including domain accounts if joined to a domain.|
Registering a new user or group and granting permissions
You can register new users and groups using VNC Server’s Options > Users & Permissions page:
Click the Add button and follow the instructions for your platform.
Grant permissions to a user or group. Choose:
- View-only permissions to enable connected user(s) to observe the desktop but not interact with it.
- Normal permissions to enable connected user(s) to use all remote control features, but not bypass connection prompts.
- Administrative permissions to enable connecting user(s) to bypass connection prompts, and subsequently use all remote control features.
- Custom permissions to fine-tune the remote control experience:
Note that if you register a group, and separately register a user who is also a member of that group, then it is possible to grant a conflicting set of permissions. In this circumstance, the following rules apply:
- A feature that is denied cannot be overridden.
- A feature that is allowed is overridden by denied.
- A feature that is disallowed is overridden by either allowed or denied.
So for example, if you disallow printing for a group but allow it for a particular member, then that member can print files. But if you deny printing for the group, no member can print files.
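The three precedence rules above can be checked mechanically when auditing overlapping user and group registrations. The following is an added example, not RealVNC code: the entry model, the feature names and the account names are constructed for illustration and are not the real Permissions parameter format.

```python
from enum import IntEnum


class State(IntEnum):
    """Per-feature setting; a higher value wins when entries conflict."""
    DISALLOW = 0  # not granted by this entry; allowed or denied elsewhere wins
    ALLOW = 1     # granted, unless another applicable entry denies it
    DENY = 2      # refused; cannot be overridden


def applicable(entries, user, groups):
    """Return the feature maps registered for the user or any of their groups."""
    principals = {user} | set(groups)
    return [features for name, features in entries if name in principals]


def effective_permissions(entries, user, groups):
    """Return {feature: True/False} after merging every applicable entry."""
    merged = {}
    for features in applicable(entries, user, groups):
        for feature, state in features.items():
            merged[feature] = max(merged.get(feature, State.DISALLOW), state)
    return {feature: state == State.ALLOW for feature, state in merged.items()}


def overridden_grants(entries, user, groups):
    """List features some entry allows for this user but a deny cancels."""
    allowed = {f for feats in applicable(entries, user, groups)
               for f, s in feats.items() if s == State.ALLOW}
    result = effective_permissions(entries, user, groups)
    return sorted(f for f in allowed if not result[f])


# Constructed registrations (hypothetical names, not the real parameter format).
GROUP_DISALLOWS = [
    ("staff", {"view": State.ALLOW, "print": State.DISALLOW}),
    ("alice", {"print": State.ALLOW}),
]
GROUP_DENIES = [
    ("staff", {"view": State.ALLOW, "print": State.DENY}),
    ("alice", {"print": State.ALLOW}),
]

if __name__ == "__main__":
    for label, entries in (("disallow", GROUP_DISALLOWS), ("deny", GROUP_DENIES)):
        print(label, effective_permissions(entries, "alice", {"staff"}),
              overridden_grants(entries, "alice", {"staff"}))
```

A non-empty result from `overridden_grants` flags a per-user grant that a group-level deny silently cancels, which is the case worth reviewing before provisioning.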
Using VNC Permissions Creator
VNC Permissions Creator is a free utility designed to help system administrators manage users and permissions more easily when VNC Server is installed on multiple computers.
Download VNC Permissions Creator for your platform.
Use the interface to add users or groups and grant permissions in the expected way.
Click the Refresh Parameter button to generate a permissions string in the correct format:
Under Windows, user and group names are automatically translated into security identifiers (SIDs), as above. Note the built-in Administrators group is distinguished by a % preceding the SID.
Visualizing an existing permissions string
You can also use VNC Permissions Creator to translate a Permissions parameter value into human-readable form. This is particularly useful under Windows, to convert SIDs into recognizable user and group names.
To do this, paste the parameter value into the Permissions Parameter area, and click the Refresh Users & Groups button.
Registering local users and groups under Windows
To register a local (as opposed to a domain or Windows built-in) user account or group, use the special syntax:
<LOCAL> for user accounts
For example, if you wish to remotely configure five computers, three of which have a TestUser local account:
...then specify the <LOCAL> syntax directly in the Permission Parameter area:
When these five computers are provisioned with the permissions string, those able to resolve the TestUser local account (CESIUM) do so:
On these computers, connecting VNC Viewer users can now supply TestUser's credentials in order to authenticate to VNC Server.
Those computers that cannot resolve the account (POTASSIUM) deny access to users authenticating using these credentials, at least until such time as a local account with that name is added.