logo

The ConnectWise Control forum has moved to ConnectWise University! This forum has been locked and is in read-only mode. Click here for instructions on how to access the new forum.

Welcome Guest! You can not login or register.

Notification

Icon
Error

Options
Go to last post Go to first unread
SportinSS  
#1 Posted : Tuesday, March 10, 2015 7:43:24 PM(UTC)
SportinSS


Rank: Newbie

Joined: 3/10/2015(UTC)
Posts: 8
United States
Location: Bethany, OK

Thanks: 2 times
Hello there,

we are new to ScreenConnect, so I hope this hasn't been asked 100 times, but i'm sure it has. =)

We are using the AD integration option, so our techs can just use the same login and password they are used to using.

But i have two users (our CPA and Owner), that just need to access their machines. They don't need access to all of the machines listed.

Is there a way to restrict what computers they have access too? Mostly, i want them to be denied all machines except for one or two.

We are moving to ScreenConnect from LogMeIn Central. And in Central it was very simple to do. Just learning something new! =)

Scott  
#2 Posted : Tuesday, March 10, 2015 7:50:01 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,862
United States

Thanks: 3 times
Was thanked: 351 time(s) in 303 post(s)
You can do this by creating a dynamic session group. Basically, you're going to create a group that filters based upon the user's username. I'll include a brief rundown below:

First, the easiest way to do this is to enable an additional custom property, basic steps on how to do this are here: http://help.screenconnec...stom_fields_for_sessions
For this example, we're going to be using CustomProperty2. Basically, for any session that you want a specific user to be able to see, try putting their AD Display Name (not username) into the custom property field.

Next, you need to create a new session group; for this example, we'll call it UserAssigned. Set the filter syntax to something like:

CustomProperty2 LIKE '' + $USERNAME + ''

This group will now automatically display any session where the CustomProperty2 field contains their Display Name but only to the person to whom it belongs.

Now, go to the Security tab on the Administration page and create a new Role. For this new Role, give it the three basic permissions:

ViewSessionGroup>>SpecificSessionGroup>>UserAssigned
JoinSession>>SpecificSessionGroup>>UserAssigned
HostSessionWithoutConsent>>SpecificSessionGroup>>UserAssigned

You may also want to include other permissions, such as TransferFilesInSession or ReinstallSession, but it's up to you. Now, any user who belongs to this group will only see the computers on the Host page where the second custom property string contains their username.

I know it can be a bit confusing, so please don't hesitate to ask any questions you may have!
ScreenConnect Team
thanks 1 user thanked Scott for this useful post.
SportinSS on 3/11/2015(UTC)
mylove4life  
#3 Posted : Tuesday, March 10, 2015 9:19:23 PM(UTC)
mylove4life


Rank: Advanced Member

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 7/5/2010(UTC)
Posts: 112

Was thanked: 2 time(s) in 2 post(s)
this is confusing.. Do you plan on making it a drag and drop system anytime soon?

Originally Posted by: Scott Go to Quoted Post
You can do this by creating a dynamic session group. Basically, you're going to create a group that filters based upon the user's username. I'll include a brief rundown below:

First, the easiest way to do this is to enable an additional custom property, basic steps on how to do this are here: http://help.screenconnec...stom_fields_for_sessions
For this example, we're going to be using CustomProperty2. Basically, for any session that you want a specific user to be able to see, try putting their AD Display Name (not username) into the custom property field.

Next, you need to create a new session group; for this example, we'll call it UserAssigned. Set the filter syntax to something like:

CustomProperty2 LIKE '' + $USERNAME + ''

This group will now automatically display any session where the CustomProperty2 field contains their Display Name but only to the person to whom it belongs.

Now, go to the Security tab on the Administration page and create a new Role. For this new Role, give it the three basic permissions:

ViewSessionGroup>>SpecificSessionGroup>>UserAssigned
JoinSession>>SpecificSessionGroup>>UserAssigned
HostSessionWithoutConsent>>SpecificSessionGroup>>UserAssigned

You may also want to include other permissions, such as TransferFilesInSession or ReinstallSession, but it's up to you. Now, any user who belongs to this group will only see the computers on the Host page where the second custom property string contains their username.

I know it can be a bit confusing, so please don't hesitate to ask any questions you may have!


SportinSS  
#4 Posted : Wednesday, March 11, 2015 12:03:21 AM(UTC)
SportinSS


Rank: Newbie

Joined: 3/10/2015(UTC)
Posts: 8
United States
Location: Bethany, OK

Thanks: 2 times
Yeah, that is really confusing. But I was able to get it working. I hope you do make it a little easier at some point. But right now it's working OK. =)

Thanks for your help!
Scott  
#5 Posted : Wednesday, March 11, 2015 1:16:31 PM(UTC)
Scott


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 3/28/2014(UTC)
Posts: 2,862
United States

Thanks: 3 times
Was thanked: 351 time(s) in 303 post(s)
I know drag-and-drop is on our enhancement-request list and I'll make sure to give it a bump in priority on both of your behalves.

I definitely agree it can be a bit confusing at the start, but I always appreciated the above mentioned method just because it's very dynamic and only needs to be set up once.
ScreenConnect Team
Graeme  
#6 Posted : Tuesday, March 17, 2015 11:52:33 AM(UTC)
Graeme


Rank: Advanced Member

Medals: ScreenConnect Advisor: Focus Group MemberLevel 1: Random Act of Kindness! Received One Thanks!

Joined: 11/14/2014(UTC)
Posts: 43

Thanks: 2 times
Was thanked: 4 time(s) in 3 post(s)
I have a similar requirement and can't work out how to make Screen Connect do this. I need for example our bosses workstations not to be accessible (or visible to) by anybody else. Is there any way to do this without creating a huge mess in the security permissions?
Graeme  
#7 Posted : Thursday, March 19, 2015 5:05:09 PM(UTC)
Graeme


Rank: Advanced Member

Medals: ScreenConnect Advisor: Focus Group MemberLevel 1: Random Act of Kindness! Received One Thanks!

Joined: 11/14/2014(UTC)
Posts: 43

Thanks: 2 times
Was thanked: 4 time(s) in 3 post(s)
Any ideas?
Jeff  
#8 Posted : Friday, March 20, 2015 10:50:01 PM(UTC)
Jeff


Rank: Administration

Medals: Level 4: Wise Old Owl! Received 100 Thanks!

Joined: 4/14/2010(UTC)
Posts: 1,785
Man
Location: Raleigh, NC

Thanks: 8 times
Was thanked: 156 time(s) in 122 post(s)
I think moving his machine into a separate folder that only he has access would be one path (SC admin would still be able to access). The other method is similar to what Scott mentioned or what is in this post:
http://forum.screenconne...employees.aspx#post12379
ScreenConnect Team
Zanthexter  
#9 Posted : Saturday, October 3, 2015 9:32:26 PM(UTC)
Zanthexter


Rank: Newbie

Joined: 8/10/2015(UTC)
Posts: 6
United States
Location: Houston

Originally Posted by: Scott Go to Quoted Post
You can do this by creating a dynamic session group. Basically, you're going to create a group that filters based upon the user's username. I'll include a brief rundown below:

-- edited out for brevity --

I know it can be a bit confusing, so please don't hesitate to ask any questions you may have!


This has been working fine until the most recent update.

Apparently the way it was working before was to match any PART of the of the CustomProperty2 field. If the field was set to "Judy Danielle" it'd allow either Judy or Danielle to connect. Now it seems to need an exact match.

As a quick fix over the weekend I can just keep flipping the name back and forth for whichever of the two needs to connect. But is there a more permanent fix?

Kinda wish some actual user management was built in, but this has worked well enough until now.

Steven  
#10 Posted : Sunday, October 4, 2015 8:14:42 PM(UTC)
Steven


Rank: Guest

Medals: Level 1: Random Act of Kindness! Received One Thanks!

Joined: 5/1/2015(UTC)
Posts: 55
United States
Location: Tampa, FL

Was thanked: 12 time(s) in 8 post(s)
Zanthexter,

One way would be to use * or % as wildcard characters in conjunction with the $USERNAME like so:

CustomProperty2 LIKE '*' + $USERNAME + '*'

The problem with this is it will match both "Steve" and "Steven" if a user with username "Steve" is logged in. A better way is to use comma or semi-colon separated entries and include logic on seeing the username by itself, as well as before, between, or after the selected delimiter. I've posted how to do this with an example using Custom Properties and Notes here.

ScreenConnect Team
Zanthexter  
#11 Posted : Sunday, October 4, 2015 10:10:22 PM(UTC)
Zanthexter


Rank: Newbie

Joined: 8/10/2015(UTC)
Posts: 6
United States
Location: Houston

Originally Posted by: Steven Go to Quoted Post
Zanthexter,

One way would be to use * or % as wildcard characters in conjunction with the $USERNAME like so:

CustomProperty2 LIKE '*' + $USERNAME + '*'

The problem with this is it will match both "Steve" and "Steven" if a user with username "Steve" is logged in. A better way is to use comma or semi-colon separated entries and include logic on seeing the username by itself, as well as before, between, or after the selected delimiter. I've posted how to do this with an example using Custom Properties and Notes here.



It was set up as: CustomProperty2 LIKE '*' + $USERNAME + '*'

And I did run into the Steve/Steven issue :) Not really a problem for me personally, because I've only got 3 remote users.

But I'm going to redo it using your suggested: ((CustomProperty2 = $USERNAME) OR (CustomProperty2 LIKE $USERNAME + ',*') OR (CustomProperty2 LIKE '*,' + $USERNAME) OR (CustomProperty2 LIKE '*,' + $USERNAME + ',*'))

That will address the Steve/Steven issue and possibly just modifying the string will kick something back into place.

Where I stand now is that even with one users name, I have to edit it, that user can log in one time, and then that's it. I have to edit it again. (Add a letter, delete it) before they can log in again.

We'll try it out, and I'll get back to you with the results.

I DO hope to see something more practical eventually. Both an internal database and something using LDAP would be great. And then checkboxes. Simple guys like me, non-programmer types, we like pretty UIs with checkboxes LoL.
Users browsing this topic
Forum Jump  
You cannot post new topics in this forum.
You cannot reply to topics in this forum.
You cannot delete your posts in this forum.
You cannot edit your posts in this forum.
You cannot create polls in this forum.
You cannot vote in polls in this forum.