ConnectWise Control Software User Forum
»
Default
»
Output Stream
»
Create Access Session that allows a Host to connect to certain machines
 Rank: Administration Medals:  Joined: 4/16/2010(UTC) Posts: 441 Location: Raleigh
Thanks: 5 times Was thanked: 38 time(s) in 33 post(s)
|
Quote: I would like to set up an Access Session Group where I have only one group, it will have many machines, but I want to ensure users can only connect to their machines. Is this possible?

Yes, you can do this very easily using one of the available Custom Fields (http://help.screenconnect.com/Enabling_custom_fields_for_sessions). In this example we will use CustomProperty2 and label it 'Host'. In the Appearance tab, find the following value 'SessionProperty.Custom2.AccessVisible' and set the value to true.

Code:
SessionProperty.Custom2.AccessVisible true

Then find and set the SessionProperty.Custom2.LabelText value to your desired name of the label (i.e. Host). Once this is set up, you will want to edit your Access Machines and add the appropriate Host Name and Save. Then in Manage Session Groups (http://help.screenconnect.com/Managing_session_groups) you will add a new Access Group, give it a name (i.e. My Access Machines) and use the following Filter:

Code:
CustomProperty2=$USERNAME

Once this is done, all that remains is to add this session group to an appropriate role using role based security (http://help.screenconnect.com/Defining_user_roles_and_permissions).

Edited by user Monday, August 4, 2014 3:21:07 PM(UTC)
| Reason: Not specified |
ScreenConnect Team |
 1 user thanked Sean for this useful post.
|
|
|
 Rank: Newbie Medals:  Joined: 11/7/2013(UTC) Posts: 4
Was thanked: 3 time(s) in 1 post(s)
|
I was looking for a way to grant users under my account access to specific computers when they log into my ScreenConnect server with a ScreenConnect user account that I create for them. Many times I would be granting access to a single computer for a user that wants to access their computer at night from home. Additionally, there would often be overlap with a manager/owner that might want access to multiple or all computers at their office. FYI - I am an MSP with over 70 clients and 1500 computers in ScreenConnect.

After contacting ScreenConnect support they pointed me to this forum post. By following the initial instructions in this post and creating a Session Group that uses the $USERNAME variable I was able to create a dynamic session group that gives users access to only the computers that I assign to them. I called the Session Group "My Computers". This is the Session Filter that makes this group dynamic:

CustomProperty2 LIKE '*' + $USERNAME + '*'

I then created a Role on the Admin --> Security screen that granted access to this Session group.

Here is a user I created called 'Test' with only this role assigned.

Now when the Test user logs in, they ONLY see the Session Group called "My Computers". When a different user logs into ScreenConnect they will see a completely different list of computers in the "My Computers" Session Group. Additionally, I can add as many different users as I want to the CustomProperty2/Remote Users field without ever having to go back and create a new Session Group or Security Role.

FYI - I have decided to standardize on the user's email address as their ScreenConnect username. That way there is no chance that a username that gets reused (employees come and go) would result in that new user having access to the old user's computers.

Edited by user Wednesday, May 20, 2015 2:02:19 PM(UTC)
| Reason: Not specified
|
 3 users thanked qlafferty for this useful post.
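Added example, not part of the original post or of ScreenConnect itself: the `LIKE '*' + $USERNAME + '*'` filter above is a substring match, so a username contained in another user's name or address also matches that user's machines. The script below audits a list of CustomProperty2 values for such pairs; it assumes the match is case-insensitive and that entries are separated by commas, semicolons or spaces, and every machine name, user and value in it is constructed.

```python
# Audit a wildcard session-group filter for unintended matches.
# Assumption: CustomProperty2 LIKE '*' + $USERNAME + '*' behaves as a
# case-insensitive substring test. All data below is constructed.
import re

# Constructed inventory: machine name -> CustomProperty2 ("Remote Users") value
MACHINES = {
    "ACME-PC01": "ann@acme.example",
    "ACME-PC02": "joann@acme.example",
    "ACME-PC03": "bob@acme.example, ann@acme.example",
    "BETA-PC01": "ann",
    "BETA-PC02": "joann, dianne",
}

def wildcard_visible(username, field):
    """Model of LIKE '*' + username + '*' (assumed case-insensitive substring)."""
    return username.lower() in field.lower()

def assigned(username, field):
    """True only when username is one whole entry of the delimited field."""
    entries = [e.lower() for e in re.split(r"[,;\s]+", field) if e]
    return username.lower() in entries

def over_grants(usernames, machines):
    """Sorted (user, machine) pairs the filter would show although the user
    is not listed as a whole entry on that machine."""
    return sorted(
        (user, name)
        for user in usernames
        for name, field in machines.items()
        if wildcard_visible(user, field) and not assigned(user, field)
    )

if __name__ == "__main__":
    users = ["ann", "joann", "ann@acme.example", "bob@acme.example"]
    for user, machine in over_grants(users, MACHINES):
        print(f"{user!r} would see {machine} without being listed on it")
```

Email-style usernames narrow the overlap but do not remove it: in the sample data `ann@acme.example` is still a substring of `joann@acme.example`.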
|
|
|
 Rank: Advanced Member Medals:  Joined: 3/29/2015(UTC) Posts: 100  Location: Metro DC Thanks: 27 times Was thanked: 10 time(s) in 8 post(s)
|
Quin,
Very nice... Thanks for sharing your work with us! (And thanks for recommending ScreenConnect to us in the first place...)
Mark
|
|
|
|
 Rank: Newbie Joined: 4/27/2015(UTC) Posts: 30  Thanks: 6 times Was thanked: 3 time(s) in 3 post(s)
|
Great solution, Quinn! I've decided to implement that method myself.

I've a related problem, though, that I'd like some help with. It concerns the "Build Installer" function. At the moment, I'm asking each user to enter, manually, their Windows login username in the "Custom Property 2" field. However, when there are hundreds of users, this manual process is cumbersome and mistakes can be made. So, I'm wondering whether there's a way to automate this whole process by reprogramming the installer—the .exe file—itself, such that each user merely needs to run the installer. Is this possible?

Cheers,
Simon

Edited by user Thursday, February 18, 2016 1:30:54 AM(UTC)
| Reason: Not specified
|
|
|
|
 Rank: Administration Medals:  Joined: 7/23/2013(UTC) Posts: 715  Location: Raleigh, NC Was thanked: 66 time(s) in 63 post(s)
|
It seems like you could use GuestLoggedOnUserName instead of CustomProperty2, though I suppose that wouldn't work if they need to be able to access the machine while they're logged out or if they're running the installer on machines where they have different usernames.
Another option is putting an environment variable as Custom Property 2; unfortunately, you can't just use %USERNAME% directly, since it's resolved in the client service, which runs as a system user. But if you can set a system environment variable to the correct username ahead of time, you can just use that variable. For example, you could have a batch/powershell script that sets the environment variable and then downloads & runs the installer. Group Policy might be able to do it, too, though I'm not very familiar with its functionality. |
ScreenConnect Team |
 1 user thanked Alexander for this useful post.
|
|
|
 Rank: Newbie Joined: 4/27/2015(UTC) Posts: 30  Thanks: 6 times Was thanked: 3 time(s) in 3 post(s)
|
Cheers, Alex. I created the following batch script and that did the trick:

Quote:
SET SCSNAME=[insert_your_domain_name_here]
SET SCSPORT=443
SET SCCNAME=%COMPUTERNAME%
SET SCUSER=%USERNAME%
SET SCARGS=?e=Access^&y=Guest^&h=%SCSNAME%^&p=%SCSPORT%^&k=[insert_your_key_here]^&t=%SCCNAME%^&c=^&c=%SCUSER%^&c=^&c=^&c=^&c=^&c=^&c=
REM Quoted so the & characters stored in SCARGS are printed, not run as command separators
echo "%SCARGS%"
msiexec.exe /i SC.ClientSetup.msi SERVICE_ARGUMENTS="%SCARGS%"

For the key, I replaced every occurrence of % with %%.
|
|
|
|
 Rank: Guest Joined: 1/27/2017(UTC) Posts: 8 
|
Originally Posted by: qlafferty

I was looking for a way to grant users under my account access to specific computers when they log into my ScreenConnect server with a ScreenConnect user account that I create for them. Many times I would be granting access to a single computer for a user that wants to access their computer at night from home. Additionally, there would often be overlap with a manager/owner that might want access to multiple or all computers at their office. FYI - I am an MSP with over 70 clients and 1500 computers in ScreenConnect.

After contacting ScreenConnect support they pointed me to this forum post. By following the initial instructions in this post and creating a Session Group that uses the $USERNAME variable I was able to create a dynamic session group that gives users access to only the computers that I assign to them. I called the Session Group "My Computers". This is the Session Filter that makes this group dynamic:

CustomProperty2 LIKE '*' + $USERNAME + '*'

I then created a Role on the Admin --> Security screen that granted access to this Session group.

Here is a user I created called 'Test' with only this role assigned.

Now when the Test user logs in, they ONLY see the Session Group called "My Computers". When a different user logs into ScreenConnect they will see a completely different list of computers in the "My Computers" Session Group. Additionally, I can add as many different users as I want to the CustomProperty2/Remote Users field without ever having to go back and create a new Session Group or Security Role.

FYI - I have decided to standardize on the user's email address as their ScreenConnect username. That way there is no chance that a username that gets reused (employees come and go) would result in that new user having access to the old user's computers.

This worked great when User Source Auth is Internal, but didn't work with the LDAP method.

I made sure that the User Group corresponded with their Matching Role and that the settings within this Role were exactly as in the given instructions (i.e. ViewSessionGroup:'My Computers', etc.). But when I log in with that user, no PC shows up. Any ideas as to why it works with one and not the others? Anyone using the LDAP method? Thanks in advance.
|
|
|
|
 Rank: Administration Medals:  Joined: 8/18/2015(UTC) Posts: 98   Thanks: 8 times Was thanked: 14 time(s) in 12 post(s)
|
You will likely need to compare what you've set in the custom property value to what you have listed for the user account in AD - offhand, I believe it's going to pull the "User Logon Name" field under the Account tab. |
ConnectWise Control (ScreenConnect) Support Team |
|
|
|
 Rank: Guest Joined: 1/27/2017(UTC) Posts: 8 
|
Thanks for the input, but that value matches the user account in AD, where you said Account > User logon name
|
|
|
|
 Rank: Administration Medals:  Joined: 8/18/2015(UTC) Posts: 98   Thanks: 8 times Was thanked: 14 time(s) in 12 post(s)
|
|
ConnectWise Control (ScreenConnect) Support Team |
|
|
|
 Rank: Guest Joined: 1/27/2017(UTC) Posts: 8 
|
THANK YOU! It works! I am forever grateful!
|
|
|
|
 Rank: Guest Joined: 1/27/2017(UTC) Posts: 8 
|
Update: USERLOGGINNAME had a typo....should be one "G" rather than two
|
|
|
|
 Rank: Administration Medals:  Joined: 8/18/2015(UTC) Posts: 98   Thanks: 8 times Was thanked: 14 time(s) in 12 post(s)
|
Originally Posted by: ngoa
Update: USERLOGGINNAME had a typo....should be one "G" rather than two

Haha, whoops, good eye! Thanks for that. |
ConnectWise Control (ScreenConnect) Support Team |
|
|
|