« Back to docs

Managing users and permissions for VNC Server

If you have a Professional or Enterprise subscription, then by default VNC Server is set to use system authentication, which means users can authenticate to VNC Server using the same credentials they normally use to log in to their user account on that computer. Note that some users and groups are pre-registered with VNC Server, to enable connectivity out-of-the-box.


This authentication scheme is typically both secure and convenient; system administrators commonly force the adoption of complex user names and passwords in enterprise environments, and users can authenticate using already-familiar credentials, and don’t have to remember yet another password.


A Home subscription does not support system authentication. Only the VNC authentication scheme is available.

To authenticate to VNC Server, a connecting user can supply the credentials:

  • Under any platform, of a local user account (that is, one set up directly on the computer).
  • Under Windows and Mac, providing the computer is joined to a domain, of a domain user account (one that is managed by a network service such as Active Directory). Note that prior configuration is required to use domain accounts under Linux.
  • Under Windows 8 or later, providing the computer is connected to the Internet, of a cloud user account (that is, a Microsoft account in which the email address constitutes the user name).

Note that for any platform, the credentials supplied by a user to authenticate to VNC Server determine the VNC Connect permissions granted to that user, controling the features available to use while their connection is in progress.

Understanding pre-registered user accounts and groups

Certain user accounts and groups are pre-registered with VNC Server to enable connectivity out-of-the-box:

Mode Windows Mac Linux
Service Administrators group. Note this typically includes Domain Admins if the computer is joined to a domain. admin group root user account
admin group
sudo group (Debian-compatible)
wheel group (Red Hat-compatible)
User User account starting VNC Server User account starting VNC Server User account starting VNC Server
Virtual     User account starting VNC Server
Virtual Daemon     Any user account on the system, including domain accounts if joined to a domain.

Registering a new user or group and granting permissions

You can register new users and groups using VNC Server’s Options > Users & Permissions page:

  1. Click the Add button and follow the instructions for your platform.

  2. Grant permissions to a user or group. Choose:

    • View-only permissions to enable connected user(s) to observe the desktop but not interact with it.

    • Normal permissions to enable connected user(s) to use all remote control features, but not bypass connection prompts.

    • Administrative permissions to enable connecting user(s) to bypass connection prompts, and subsequently use all remote control features.

    • Custom permissions to fine-tunes the remote control experience:


Note that if you register a group, and separately register a user who is also a member of that group, then it is possible to grant a conflicting set of permissions. In this circumstance, the following rules apply:

  • A feature that is denied cannot be overridden.
  • A feature that is allowed is overridden by denied.
  • A feature that is disallowed is overridden by either allowed or denied.

So for example, if you disallow printing for a group but allow it for a particular member, then that member can print files. But if you deny printing for the group, no member can print files.

Using VNC Permissions Creator

VNC Permissions Creator is a free utility designed to help system administrators manage users and permissions more easily when VNC Server is installed on multiple computers.

  1. Download VNC Permissions Creator for your platform.

  2. Use the interface to add users or groups and grant permissions in the expected way.

  3. Click the Refresh Parameter button to generate a permissions string in the correct format:



    Under Windows, user and group names are automatically translated into security identifiers (SIDs), as above. Note the built-in Administrators group is distinguished by a % preceding the SID.

  4. Apply the permissions string to the VNC Server Permissions parameter, for example using policy.

Visualizing an existing permissions string

You can also use VNC Permissions Creator to translate a Permissions parameter value into human-readable form. This is particular useful under Windows, to covert SIDs into recognizable user and group names.

To do this, paste the parameter value into the Permissions Parameter area, and click the Refresh Users & Groups button.

Registering local users and groups under Windows

To register a local (as opposed to a domain or Windows built-in) user account or group, use the special syntax:

  • <LOCAL> for user accounts
  • %<LOCAL> for groups

For example, if you wish to remotely configure five computers, three of which have a TestUser local account:

Computer 1 LITHIUM
Computer 2 SODIUM\TestUser
Computer 3 POTASSIUM
Computer 4 RUBIDIUM\TestUser
Computer 5 CESIUM\TestUser

...then specify the <LOCAL> syntax directly in the Permission Parameter area:


When these five computers are provisioned with the permissions string, those able to resolve the TestUser local account (SODIUM, RUBIDIUM, and CESIUM) do so:


On these computers, connecting VNC Viewer users can now supply TestUser‘s credentials in order to authenticate to VNC Server.

Those computers that cannot resolve TestUser (LITHIUM and POTASSIUM) deny access to users authenticating using these credentials, at least until such time as a local account with that name is added.