Deploying UltraVNC within an Active Directory environment using Group Policy

Scenario

You’ve tried several different VNC applications and have decided UltraVNC meets your humble Remote Support needs. Now you want to centrally deploy and manage UltraVNC in your domain.

The default installer creates unwanted shortcuts on the user’s desktop, so you need to modify this before rolling out to all client PCs. In addition to this, there are separate installers for 32-bit and 64-bit PCs, so this will have to be accounted for.

Here is how to achieve remote desktop nirvana using UltraVNC:

Solution

There are many steps to this one, so let’s break it down into sections:

  1. Initial installation and testing.
  2. Modifying the UltraVNC installer to exclude desktop/start menu shortcuts.
  3. Creating a software deployment path.
  4. Configuring the GPO to deploy UltraVNC.
  5. Creating WMI Filters to select the correct GPO for 32-bit or 64-bit computers.
  6. Setting the GPO scope.
  7. Enabling CTRL+ALT+DEL for Win7.

Initial installation and testing

The purpose of this step is to download, install and configure UltraVNC to our liking. Once we have tested it, we can reuse the .ini configuration file for other computers. We will also import a registry setting from this test computer into the Group Policy Objects (GPO).

  1. Download the x86 and x64 Msi Installer packages from http://www.uvnc.com/downloads/ultravnc/100-download-ultravnc-10962.html

  2. Use the relevant .msi installer to install UltraVNC on a test computer. I’m using the x64 installer for a Win7 laptop.
  3. Configure UltraVNC with the desired settings, eg:
    Note Require MS Logon is selected for Active Directory authentication.
  4. After making the configuration changes, restart the UltraVNC service (uvnc_service), or restart the computer.
  5. Confirm you can connect to the test computer:

Modifying the UltraVNC installer to exclude desktop/start menu shortcuts

In this step we’re going to stop the UltraVNC shortcuts from being added to the user’s desktop.

  1. Download and install Orca, or alternatively you can try http://www.instedit.com
  2. Open UltraVnc_10962_x86.msi within Orca.
  3. Select the Shortcut table on the left, select all entries on the right, then select Drop Row(s) from the Tables menu:
  4. Click OK to confirm removal:
  5. Select File > Save.
  6. Now do the same for UltraVnc_10962_x64.msi.

Creating a software deployment path

We need to create a UNC path on the network to deploy the software from.

  1. Create a folder (eg. Deploy) and give Everyone, Full Control share permissions:

    I always find it easier to give Full Control permissions to Everyone, then control access via NTFS Security permissions. It makes troubleshooting file access issues a breeze…well, not as bad anyway.
  2. Ensure the application users have a minimum of Read Security permissions (source):
  3. You should now have a UNC path of \\servername\Deploy.
  4. Create a folder named ultravnc in the Deploy folder, then copy the modified .msi files from the previous section into the ultravnc folder:

Configuring the GPO to deploy UltraVNC

We will now create our Group Policy Object that will deploy the UltraVNC application.
There are 4 sub-sections to this:

  1. Add UNC path to .msi file.
  2. Copy the UltraVNC .ini file.
  3. Update the UltraVNC .ini file.
  4. Import registry settings.

Add UNC path to .msi file

  1. Create new GPO (eg. x64 UltraVNC Installation) and link it to an OU for testing:
  2. Right-click > Edit on the GPO and navigate to Computer Configuration > Policies > Software Settings > Software Installation.
  3. Right-click Software Installation and select New > Package:
  4. Navigate to the UltraVnc_10962_x64.msi in UNC path, then click Open:
  5. Select Assigned, then click OK:

Copy the UltraVNC .ini file

  1. On the test computer, copy ultravnc.ini from C:\Program Files\uvnc bvba\UltraVnc to the UNC deployment path (\\servername\Deploy\ultravnc):
  2. Open the x64 UltraVNC Installation GPO and navigate to Computer Configuration > Preferences > Windows Settings > Files.
  3. Right-click Files and select New > File:
  4. Select Replace for the Action, enter the UNC path in the Source file(s) field, and %ProgramFilesDir%\uvnc bvba\UltraVnc\ultravnc.ini in the Destination File field:
  5. If you want to use another variable for similar functions, you can view them by pressing F3 within the Source/Destination fields:
  6. Click OK to finish.

Update the UltraVNC .ini file

  1. Open the x64 UltraVNC Installation GPO and navigate to Computer Configuration > Preferences > Windows Settings > Ini Files.
  2. Right-click Ini Files and select New > Ini File:
  3. Select Replace for the Action, enter %ProgramFilesDir%\uvnc bvba\UltraVnc\ultravnc.ini in the File Path field, admin in the Section Name field, path in the Property Name field, and %ProgramFilesDir%\uvnc bvba\UltraVnc in the Property Value field:
  4. Click OK to finish.

Import registry settings

  1. Open the x64 UltraVNC Installation GPO and navigate to Computer Configuration > Preferences > Windows Settings > Registry.
  2. Right-click Registry and select New > Registry Wizard:
  3. Enter the name of the test computer, then click Next:

    If an error occurs at this point, make sure the Remote Registry service is running on the test computer.
  4. Navigate to HKEY_LOCAL_MACHINE/Software/ORL/WinVNC3/, tick the ACL key, then click Finish:
  5. Rename the label from Registry Wizard Values to something more useful, like UltraVNC ACL:
  6. Select the WinVNC3 sub-tree, double-click the ACL entry, then change the action to Replace:

Creating WMI Filters to select the correct GPO for 32-bit or 64-bit computers

  1. Under Group Policy Management, right-click WMI Filters and select New.
  2. Enter a new name, description, then click add.
  3. Leaving the default namespace, enter SELECT * FROM Win32_Processor WHERE AddressWidth=’64’:

  4. To target 32-bit computers, use Select * from win32_processor where addresswidth=’32’.
  5. If you need to troubleshoot, you can test your WQL queries using WMICodeCreator.

Setting the GPO scope

We need to set the scope so only the relevant computers will get the UltraVNC software.

  1. Select the x64 UltraVNC Installation GPO.
  2. Remove Authenticated Users and add Domain Computers to the Security Filtering section.
  3. Select 64-bit OS from the drop-down menu in WMI Filtering section:

Enabling CTRL+ALT+DEL for Win7

Almost there now! We finally have to enable the Win7 computers to accept CTRL+ALT+DEL commands from UltraVNC.

  1. Open the x64 UltraVNC Installation GPO and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Logon Options > Disable or enable software Secure Attention Sequence.
  2. Enable the policy and select Services from the Options drop-down menu:
  3. Job done!

Now you can put a few computers in the TestWorkstation OU, restart them, then test the VNC connection. All being well, you can link the GPO to a production OU.

Most of the above only covers targeting 64-bit computers, so don’t forget to follow similar steps for 32-bit computers.

Good luck!

A massive shout out to my colleague Shaun who got this working first 🙂

Comments

  1. Thanks so much for posting this–quite helpful and has worked very well for me so far (in the testing stage right now, modified the steps a little for our environment). This is by far the most complete and well written instructions I have seen on how to do this.

    • No problem Matt. It took much longer than I thought to document the steps, but it’s a great reference for me, and can be applied to many different applications.

      Glad you found it useful 🙂

  2. Stephen B says:

    Adam – thanks for this post!

    However, I keep getting errors when trying to push this out to a couple of test VMs; the software doesn’t install! The .ini file deployment policy works, as does everything else, with the exception of the actual MSI install.

    Can you help?

    Thanks mate!

    • I can’t speak from experience, as I had no errors during deployment.

      Are you sure you’re targeting the correct .msi with the correct architecture (x86/x64)?
      What are the errors you’re getting?

      • Stephen B says:

        It’s alright, I figured out some extra settings that needed enabling before it pulled the software onto my test machines.

        1. Via GPO, I needed to enable the setting “Always wait for the network at computer startup and logon – Enabled” in Computer Settings / Administrative Templates / System / Logon
        2. I also removed the whole “Group Policy” key here: HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/

        Installation now works… although the ini file installation actually takes place before the software install, so the default ini file overwrites the amended one above…

        Further testing needed from my end, but thanks for this post!

        – Steve

        • Nice work Steve, glad you figured it out, it’s not an easy setup is it!

        • Similarly to Stephen B, I’m having problems with the .ini file but only on WinXP. Turns out that you need MS Hotfix KB974266 to allow the file copy/replace to work on XP…works fine with Win7.

          • Good point Stephen. I take it for granted that everyone knows to install client side extensions with XP. I should know better, as it stumped me for ages when I first came across that issue! lol

      • It worked great for me, just make sure that in the WMI query you make sure to change the ’64’ or ’32’ as specified in the write up to “64” or “32”. This is the only place I was having troubles making it work.

        Great write-up though!

        Chip Timm
        http://www.trtechit.com

        • Thanks Chip!

          • michael says:

            same issue. double checked and fixed my filters. Also, be sure you dont have a higher gpo checked as Enforced. it killed everything below it.

        • Raghavendra TS says:

          Yes. Changing WMI query from ’64’ to “64” fixed my issue. The software is installing perfectly now. Thanks for a very help full detailed document shared with us.

  3. Great tutorial! Walks you through this exact item, but also gives you a starting point for other Group policy deployment settings and steps. Well done!

  4. Had 2 q’s while reading this,
    1. the registry on the test machine does not have an ORL\WinVNC directory or keys (I don’t have ORL at all). I tried reinstalling but still not there, can I make them or should it be setup through UVNC on install?
    2. if I can make the registry keys, or somehow get them installed, will that require having the test machine on in order for machines to get the full GPO or is it just copying the registry settings into the .msi?

    • I don’t think the registry keys are required since I’m setting it to save settings to the .ini and not to the registry

      But I can’t seem to get the password to install, it keeps resetting to 000000000000000, I’ve tried removing from the GPO, reinstalling manually to get a fresh .ini but haven’t had any real luck. I’ve tried adding Stephen B’s “Always wait at logon” setting and experimented with “Update” instead of “Replace” but it doesn’t want to transfer the admin password

      • That’s great if you can get it all working without importing reg keys, but I had to use both reg keys and .ini files.

        I’m sorry I can’t help further with this as I did this quite a while back now, and my brain has pushed this stuff aside for new info. Good luck 🙂

    • If you can’t find the ORL folder in the registry, make sure you’re selecting your test computer in Step 3 in this section: http://www.virtuallyimpossible.co.uk/deploying-ultravnc-within-an-active-directory-environment-using-group-policy/#a8

      No, the test computer will not need to be turned on forever; just whilst you import the reg keys into the GPO.

  5. tygrus says:

    Cannot find what you are talking about. “Right-click > Edit on the GPO and navigate to Computer Configuration > Policies > Software Settings > Software Installation.”
    Directions from this point on are useless. Win2003 AD, looking at server.

  6. rossdav says:

    Thanks for this, very helpful, I also needed to add a firewall exception for vncserver.exe to my GPO to get my clients working as the msi install didnt seem to do that automatically. Other than that the whole thing was flawless. Thank you!

  7. muito bom

    • Yes no need to use the registry since the latest version have all passwords in the config file, I used the system start up script in the GPO to copy the config. file over since your GPO copies it before the installation.

  8. excellent, with little tuning like folder security, firewall etc anyway gr8 work thnx a lot 🙂

  9. Thank you SO much! I have no idea how you guys figured this out but thank you for sharing!

  10. michael says:

    This walkthrough was THE BEST one I found. There was a bit of a learning curve for me as I was a beginner but I got it to work and it is amazing! 57 computers all accessible from one place. Makes my job ALOT easier.

  11. I also recommend watching this Youtube https://www.youtube.com/watch?v=jXAz6vrWMP0

  12. Great article! thank you!

Trackbacks

  1. […] UltraVNC via Group Policy – cost was free (other than my time!) I followed a guide by Adam Rush (Deploying UltraVNC within an Active Directory environment using Group Policy – Virtually Impossible) …But had to carry out some additional steps for firewall exceptions and also to ensure […]