Tuesday, May 3, 2016

DEPLOYING ULTRAVNC WITHIN AN ACTIVE DIRECTORY ENVIRONMENT USING GROUP POLICY

Initial installation and testing

The purpose of this step is to download, install and configure UltraVNC to our liking. Once we have tested it, we can reuse the .ini configuration file for other computers. We will also import a registry setting from this test computer into the Group Policy Objects (GPO).
  1. Download the x86 and x64 Msi Installer packages from http://www.uvnc.com/downloads/ultravnc/100-download-ultravnc-10962.html
  2. Use the relevant .msi installer to install UltraVNC on a test computer. I’m using the x64 installer for a Win7 laptop.
  3. Configure UltraVNC with the desired settings, eg:
    Note: Require MS Logon is selected for Active Directory authentication.
  4. After making the configuration changes, restart the UltraVNC service (uvnc_service), or restart the computer.
  5. Confirm you can connect to the test computer:

Modifying the UltraVNC installer to exclude desktop/start menu shortcuts

In this step we’re going to stop the UltraVNC shortcuts from being added to the user’s desktop.
  1. Download and install Orca, or alternatively you can try http://www.instedit.com
  2. Open UltraVnc_10962_x86.msi within Orca.
  3. Select the Shortcut table on the left, select all entries on the right, then select Drop Row(s) from the Tables menu:
  4. Click OK to confirm removal:
  5. Select File > Save.
  6. Now do the same for UltraVnc_10962_x64.msi.

Creating a software deployment path

We need to create a UNC path on the network to deploy the software from.
  1. Create a folder (eg. Deploy) and give Everyone, Full Control share permissions:
    I always find it easier to give Full Control permissions to Everyone, then control access via NTFS Security permissions. It makes troubleshooting file access issues a breeze…well, not as bad anyway.
  2. Ensure the application users have a minimum of Read Security permissions (source):
  3. You should now have a UNC path of \\servername\Deploy.
  4. Create a folder named ultravnc in the Deploy folder, then copy the modified .msi files from the previous section into the ultravnc folder:
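
Because the share is open to Everyone, the NTFS ACL is the only control that stops a user from replacing the .msi or .ini files that the GPO installs on every targeted computer. The PowerShell below is an added example, not part of the original article: it lists every allow entry under the deployment folder that grants write-type access to a principal other than SYSTEM, Administrators, CREATOR OWNER or Domain Admins. It assumes Windows PowerShell 3.0 or later; the function name Get-RiskyDeployAce and the path \\servername\Deploy\ultravnc are placeholders.

```powershell
# Added example (not from the original article): audit NTFS write access
# on the software deployment folder. Function name and path are placeholders.
function Get-RiskyDeployAce {
    param([Parameter(Mandatory)][string]$Path)

    # Specific rights that allow a file to be changed, replaced or re-permissioned.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # Generic rights that can appear on inherit-only entries: GENERIC_WRITE, GENERIC_ALL.
    $genericMask = 0x40000000 -bor 0x10000000
    # SIDs accepted as writers: SYSTEM, BUILTIN\Administrators, CREATOR OWNER, Domain Admins.
    $trusted = '^(S-1-5-18|S-1-5-32-544|S-1-3-0|S-1-5-21-.+-512)$'

    # Check the folder itself and everything below it.
    $items = @(Get-Item -LiteralPath $Path) + @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.FileSystemRights
            if (($rights -band ($writeMask -bor $genericMask)) -eq 0) { continue }

            # Compare by SID so localized or renamed groups are still recognised.
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value   # unresolved account: report as-is
            }
            if ($sid -notmatch $trusted) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Identity  = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Placeholder UNC path from the steps above; an empty result means no
# untrusted principal can modify the deployed files.
Get-RiskyDeployAce -Path '\\servername\Deploy\ultravnc' | Format-Table -AutoSize
```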

Configuring the GPO to deploy UltraVNC

We will now create our Group Policy Object that will deploy the UltraVNC application.
There are 4 sub-sections to this:
  1. Add UNC path to .msi file.
  2. Copy the UltraVNC .ini file.
  3. Update the UltraVNC .ini file.
  4. Import registry settings.

Add UNC path to .msi file

  1. Create new GPO (eg. x64 UltraVNC Installation) and link it to an OU for testing:
  2. Right-click > Edit on the GPO and navigate to Computer Configuration > Policies > Software Settings > Software Installation.
  3. Right-click Software Installation and select New > Package:
  4. Navigate to the UltraVnc_10962_x64.msi in UNC path, then click Open:
  5. Select Assigned, then click OK:

Copy the UltraVNC .ini file

  1. On the test computer, copy ultravnc.ini from C:\Program Files\uvnc bvba\UltraVnc to the UNC deployment path (\\servername\Deploy\ultravnc):
  2. Open the x64 UltraVNC Installation GPO and navigate to Computer Configuration > Preferences > Windows Settings > Files.
  3. Right-click Files and select New > File:
  4. Select Replace for the Action, enter the UNC path in the Source file(s) field, and %ProgramFilesDir%\uvnc bvba\UltraVnc\ultravnc.ini in the Destination File field:
  5. If you want to use another variable for similar functions, you can view them by pressing F3 within the Source/Destination fields:
  6. Click OK to finish.

Update the UltraVNC .ini file

  1. Open the x64 UltraVNC Installation GPO and navigate to Computer Configuration > Preferences > Windows Settings > Ini Files.
  2. Right-click Ini Files and select New > Ini File:
  3. Select Replace for the Action, enter %ProgramFilesDir%\uvnc bvba\UltraVnc\ultravnc.ini in the File Path field, admin in the Section Name field, path in the Property Name field, and %ProgramFilesDir%\uvnc bvba\UltraVnc in the Property Value field:
  4. Click OK to finish.

Import registry settings

  1. Open the x64 UltraVNC Installation GPO and navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  2. Right-click Registry and select New > Registry Wizard:
  3. Enter the name of the test computer, then click Next:

    If an error occurs at this point, make sure the Remote Registry service is running on the test computer.
  4. Navigate to HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3\, tick the ACL key, then click Finish:
  5. Rename the label from Registry Wizard Values to something more useful, like UltraVNC ACL:
  6. Select the WinVNC3 sub-tree, double-click the ACL entry, then change the action to Replace:

Creating WMI Filters to select the correct GPO for 32-bit or 64-bit computers

  1. Under Group Policy Management, right-click WMI Filters and select New.
  2. Enter a new name and description, then click Add.
  3. Leaving the default namespace, enter SELECT * FROM Win32_Processor WHERE AddressWidth='64':
  4. To target 32-bit computers, use SELECT * FROM Win32_Processor WHERE AddressWidth='32'.
  5. If you need to troubleshoot, you can test your WQL queries using WMICodeCreator.

Setting the GPO scope

We need to set the scope so only the relevant computers will get the UltraVNC software.
  1. Select the x64 UltraVNC Installation GPO.
  2. Remove Authenticated Users and add Domain Computers to the Security Filtering section.
  3. Select 64-bit OS from the drop-down menu in WMI Filtering section:

Enabling CTRL+ALT+DEL for Win7

Almost there now! We finally have to enable the Win7 computers to accept CTRL+ALT+DEL commands from UltraVNC.
  1. Open the x64 UltraVNC Installation GPO and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options > Disable or enable software Secure Attention Sequence.
  2. Enable the policy and select Services from the Options drop-down menu:
  3. Job done!
Now you can put a few computers in the TestWorkstation OU, restart them, then test the VNC connection. All being well, you can link the GPO to a production OU.
Most of the above only covers targeting 64-bit computers, so don’t forget to follow similar steps for 32-bit computers.
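
To confirm on a test workstation that each part of the GPO actually applied, the checks below can be run from an elevated 64-bit PowerShell prompt after the restart. This is an added example, not part of the original article; it assumes Windows PowerShell 3.0 or later, that MSLogonRequired is the ultravnc.ini key behind the Require MS Logon checkbox, and that the Secure Attention Sequence policy is stored in the SoftwareSASGeneration registry value. The function name Test-UltraVncDeployment is hypothetical.

```powershell
# Added example (not from the original article): post-deployment checks for
# the x64 UltraVNC Installation GPO. Run in 64-bit PowerShell on the client.
function Test-UltraVncDeployment {
    $dir = Join-Path $env:ProgramFiles 'uvnc bvba\UltraVnc'   # target of %ProgramFilesDir%
    $ini = Join-Path $dir 'ultravnc.ini'

    # Read the [admin] section of ultravnc.ini into a hashtable.
    $admin = @{}; $section = ''
    if (Test-Path -LiteralPath $ini) {
        foreach ($line in Get-Content -LiteralPath $ini) {
            if ($line -match '^\s*\[(.+)\]\s*$') { $section = $Matches[1]; continue }
            if ($section -eq 'admin' -and $line -match '^\s*([^=;]+?)\s*=\s*(.*)$') {
                $admin[$Matches[1]] = $Matches[2].Trim()
            }
        }
    }

    $svc = Get-Service -Name uvnc_service -ErrorAction SilentlyContinue
    $acl = Get-ItemProperty -Path 'HKLM:\Software\ORL\WinVNC3' -Name ACL -ErrorAction SilentlyContinue
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $sas = (Get-ItemProperty -Path $pol -Name SoftwareSASGeneration -ErrorAction SilentlyContinue).SoftwareSASGeneration

    [pscustomobject]@{
        # Same WQL as the 64-bit WMI filter: true when this computer is in scope.
        WmiFilter64      = [bool](Get-CimInstance -Query "SELECT * FROM Win32_Processor WHERE AddressWidth='64'")
        ServiceRunning   = [bool]($svc -and $svc.Status -eq 'Running')
        IniCopied        = Test-Path -LiteralPath $ini
        # Ini Files preference item: [admin] path must point at the install folder.
        IniPathMatches   = ($admin['path'] -eq $dir)
        # Assumed key name: AD authentication must still be required after the copy.
        MsLogonRequired  = ($admin['MSLogonRequired'] -eq '1')
        # Registry preference item imported from the test computer.
        AclValuePresent  = ($null -ne $acl)
        # 1 = Services, 3 = Services and Ease of Access applications.
        SoftwareSasForServices = ($sas -in 1, 3)
    }
}

Test-UltraVncDeployment | Format-List
```

Any property that reports False points to the GPO sub-section that did not apply; `gpresult /r` on the same computer shows whether the GPO was filtered out by security or WMI filtering.
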
Source: http://www.virtuallyimpossible.co.uk/deploying-ultravnc-within-an-active-directory-environment-using-group-policy/
