Sean  
#1 Posted : Tuesday, May 6, 2014 5:28:05 PM(UTC)
Quote:
I would like to setup an Access Session Group where I have only one group, it will have many machines, but I want to ensure users can only connect to their machines. Is this possible?


Yes, you can do this very easily using one of the available Custom Fields (http://help.screenconnect.com/Enabling_custom_fields_for_sessions).

In this example we will use CustomProperty2 and label it 'Host'.

In the Appearance tab, find the following value 'SessionProperty.Custom2.AccessVisible' and set the value to true.

Code:
SessionProperty.Custom2.AccessVisible true


Then find and set the SessionProperty.Custom2.LabelText value to your desired name of the label (i.e. Host).

Once this is set up, you will want to edit your Access Machines and add the appropriate Host Name and Save.

Then in Manage Session Groups (http://help.screenconnect.com/Managing_session_groups) you will add a new Access Group, give it a name (i.e. My Access Machines) and use the following Filter:

Code:
CustomProperty2=$USERNAME


Once this is done, all that remains is to add this session group to an appropriate role using role based security (http://help.screenconnect.com/Defining_user_roles_and_permissions).


ScreenConnect Team
qlafferty  
#2 Posted : Wednesday, May 20, 2015 1:49:06 PM(UTC)
I was looking for a way to grant users under my account access to specific computers when they log into my ScreenConnect server with a ScreenConnect user account that I create for them. Many times I would be granting access to a single computer for a user that wants to access their computer at night from home. Additionally, there would often be overlap with a manager/owner that might want access to multiple or all computers at their office. FYI - I am an MSP with over 70 clients and 1500 computers in ScreenConnect. After contacting ScreenConnect support they pointed me to this forum post.

By following the initial instructions in this post and creating a Session Group that uses the $USERNAME variable I was able to create a dynamic session group that gives users access to only the computers that I assign to them. I called the Session Group "My Computers". This is the Session Filter that makes this group dynamic:

CustomProperty2 LIKE '*' + $USERNAME + '*'

[Image: Dynamic Session Group]

I then created a Role on the Admin --> Security screen that granted access to this Session group:

[Image: My Computers Security Role]

Here is a user I created called 'Test' with only this role assigned:

[Image: Security Role Assignment]

Now when the Test user logs in, they ONLY see the Session Group called "My Computers". When a different user logs into ScreenConnect they will see a completely different list of computers in the "My Computers" Session Group. Additionally, I can add as many different users as I want to the CustomProperty2/Remote Users field without ever having to go back and create a new Session Group or Security Role.

[Image: Test User Logged In]

FYI - I have decided to standardize on the user's email address as their ScreenConnect username. That way there is no chance that a username that gets reused (employees come and go) would result in that new user having access to the old user's computers.


thanks 3 users thanked qlafferty for this useful post.
marktoo on 5/21/2015(UTC), CalmComputing on 2/4/2016(UTC), aslee on 2/18/2016(UTC)
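
An added example (not part of the original posts and not ScreenConnect code): a small audit for the wildcard filter in post #2, which shows any machine whose CustomProperty2 value contains the username as a substring. It assumes case-insensitive matching and that multiple users in the field are separated by commas, semicolons or spaces; the machine names and addresses are constructed.

```python
import re

# Constructed sample data: machine name -> CustomProperty2 ("Remote Users") value.
MACHINES = {
    "ACCT-PC01": "ann@example.com",
    "ACCT-PC02": "joann@example.com, owner@example.com",
    "FRONT-DESK": "dan@example.com",
    "LAB-PC07": "jordan@example.com",
}
USERS = ["ann@example.com", "joann@example.com", "dan@example.com",
         "jordan@example.com", "owner@example.com"]


def visible_with_like(username, prop):
    """Model of CustomProperty2 LIKE '*' + $USERNAME + '*' as a substring test.
    Case-insensitive comparison is an assumption of this example."""
    return username.lower() in prop.lower()


def assigned(username, prop):
    """Intended meaning: the username is one whole entry in the property value.
    The delimiter set (comma, semicolon, whitespace) is an assumption."""
    entries = [e for e in re.split(r"[,;\s]+", prop.lower()) if e]
    return username.lower() in entries


def over_matches(users, machines):
    """Sorted (user, machine) pairs the wildcard filter shows to a user
    who is not listed as a whole entry on that machine."""
    return sorted(
        (u, m) for u in users for m, prop in machines.items()
        if visible_with_like(u, prop) and not assigned(u, prop)
    )


def colliding_usernames(users):
    """Sorted (short, long) pairs where one username is contained in another;
    these are the accounts to rename or separate before relying on the filter."""
    lowered = [u.lower() for u in users]
    return sorted((a, b) for a in lowered for b in lowered if a != b and a in b)


if __name__ == "__main__":
    for user, machine in over_matches(USERS, MACHINES):
        print(f"{user} can see {machine} but is not listed on it")
    for short, longer in colliding_usernames(USERS):
        print(f"username {short!r} is a substring of {longer!r}")
```

Running the username collision check before creating a new account catches the overlap before any machine is exposed; the exact-match filter from post #1 does not have this behaviour but allows only one user per machine.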
marktoo  
#3 Posted : Thursday, May 21, 2015 2:18:23 PM(UTC)
Quin,

Very nice... Thanks for sharing your work with us! (And thanks for recommending ScreenConnect to us in the first place...)

Mark
aslee  
#4 Posted : Thursday, February 18, 2016 1:29:12 AM(UTC)
Great solution, Quinn! I've decided to implement that method myself.

I've a related problem, though, that I'd like some help with. It concerns the "Build Installer" function. At the moment, I'm asking each user to enter, manually, their Windows login username in the "Custom Property 2" field. However, when there are hundreds of users, this manual process is cumbersome and mistakes can be made. So, I'm wondering whether there's a way to automate this whole process by reprogramming the installer—the .exe file—itself, such that each user merely needs to run the installer. Is this possible?

Cheers,
Simon


Alexander  
#5 Posted : Monday, February 22, 2016 10:06:54 PM(UTC)
It seems like you could use GuestLoggedOnUserName instead of CustomProperty2, though I suppose that wouldn't work if they need to be able to access the machine while they're logged out or if they're running the installer on machines where they have different usernames.

Another option is putting an environment variable as Custom Property 2; unfortunately, you can't just use %USERNAME% directly, since it's resolved in the client service, which runs as a system user. But if you can set a system environment variable to the correct username ahead of time, you can just use that variable. For example, you could have a batch/PowerShell script that sets the environment variable and then downloads & runs the installer. Group Policy might be able to do it, too, though I'm not very familiar with its functionality.
ScreenConnect Team
thanks 1 user thanked Alexander for this useful post.
aslee on 2/23/2016(UTC)
aslee  
#6 Posted : Tuesday, February 23, 2016 7:00:18 AM(UTC)
Cheers, Alex. I created the following batch script and that did the trick:

Quote:
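REM ScreenConnect server host name and port
SET SCSNAME=[insert_your_domain_name_here]
SET SCSPORT=443
REM Session name is the computer name; the user running this script goes into Custom Property 2
SET SCCNAME=%COMPUTERNAME%
SET SCUSER=%USERNAME%
REM Each c= is one custom property in order, so the second c= carries the username
SET SCARGS=?e=Access^&y=Guest^&h=%SCSNAME%^&p=%SCSPORT%^&k=[insert_your_key_here]^&t=%SCCNAME%^&c=^&c=%SCUSER%^&c=^&c=^&c=^&c=^&c=^&c=
REM Quoted so cmd does not treat the & characters in the value as command separators
echo "%SCARGS%"
msiexec.exe /i SC.ClientSetup.msi SERVICE_ARGUMENTS="%SCARGS%"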


For the key, I replaced every occurrence of % with %%.
ngoa  
#7 Posted : Friday, January 27, 2017 8:19:42 PM(UTC)
Originally Posted by: qlafferty

This worked great when User Source Auth is Internal, but didn't work with the LDAP method. I made sure that the User Group corresponded with their Matching Role and that the settings within this Role were exactly as in the given instructions (i.e. ViewSessionGroup: 'My Computers', etc.). But when I log in with that user, no PC shows up. Any ideas as to why it works with one and not the others? Anyone using the LDAP method? Thanks in advance.
Michael L  
#8 Posted : Monday, January 30, 2017 5:55:58 PM(UTC)
You will likely need to compare what you've set in the custom property value to what you have listed for the user account in AD - offhand, I believe it's going to pull the "User Logon Name" field under the Account tab.
ConnectWise Control (ScreenConnect) Support Team
ngoa  
#9 Posted : Monday, January 30, 2017 9:04:31 PM(UTC)
Thanks for the input, but that value matches the user account in AD, where you said Account > User logon name.
Michael L  
#10 Posted : Tuesday, January 31, 2017 8:34:40 PM(UTC)
Sorry for the confusion. I think you need to use $USERLOGINNAME instead of $USERNAME in the filter for that to work in LDAP. $USERNAME is mapped to the user's display name.

http://forum.screenconne...pressions.aspx#post34337

Edited by user Thursday, February 2, 2017 2:54:18 PM(UTC)  | Reason: typo :)

ConnectWise Control (ScreenConnect) Support Team
ngoa  
#11 Posted : Thursday, February 2, 2017 2:50:46 PM(UTC)
THANK YOU! It works! I am forever grateful!
ngoa  
#12 Posted : Thursday, February 2, 2017 2:52:15 PM(UTC)
Update: USERLOGGINNAME had a typo....should be one "G" rather than two
Michael L  
#13 Posted : Thursday, February 2, 2017 2:55:01 PM(UTC)
Originally Posted by: ngoa
Update: USERLOGGINNAME had a typo....should be one "G" rather than two


Haha, whoops, good eye! Thanks for that.
ConnectWise Control (ScreenConnect) Support Team