If you know how to deploy a .MSI package via a group policy object (or GPO) then you know how easy it can make your life as a network or systems administrator. For a long time I was wanting to deploy a VNC client across my domain in order for my helpdesk to support end users on our company’s network. The biggest issue I faced with this was not how to push it but how to configure it. There seems to be a shortage of blogs out there that describe how this can be done so I worked with a friend of mine (Kevin Crafford) and we decided that we would blog about our experience with this. We hope this can help you deploy and configure VNC via group policy pre-configured with passwords and other settings that you may want to use. Enjoy 😀
What you will need…
We will be deploying TightVNC 2.7.10 to our network. I downloaded the MSI package -Here-
Also on that page is a PDF that will show you all the triggers you can change during the install. (If you want, you can get it -Here-.)
The PDF shows you how to install via command line, which is great, but what if you want to update the version when the next version comes out?
You would have to manually go to every computer and uninstall to push the new version out.
Let’s get down to brass tacks here: we will be using a program called Orca to edit the MSI file so it installs the way WE want via group policy.
(You can get Orca -Here-.)
Creating the transform file (.mst)…
I decided to push the x86 version out for backwards compatibility for every computer on the network including the 64 bit PCs.
After Orca installs, open the MSI package in Orca via File >> Open.
It should look like this
Next you want to click Transform >> New Transform
Now in the PDF file that we opened earlier, you can go through and pick the options you want to turn on, and I’ll show you how to set the passwords for deployment.
The best way to find the values you want to change in Orca is the Find option (Ctrl-F), although most of the options are under the Property table.
Here are the values I looked for (some are set to default in this version).
- SERVER_ADD_FIREWALL_EXCEPTION=1
- VIEWER_ADD_FIREWALL_EXCEPTION=1
- SERVER_ALLOW_SAS=1
- SET_USEVNCAUTHENTICATION=1
- VALUE_OF_USEVNCAUTHENTICATION=1
- SET_PASSWORD=1
- SET_USECONTROLAUTHENTICATION=1
- VALUE_OF_USECONTROLAUTHENTICATION=1
- SET_CONTROLPASSWORD=1
- VALUE_OF_REMOVEWALLPAPER=0
To set your passwords for connection, and so the user doesn’t turn off VNC accidentally, you will need to adjust 2 values.
- VALUE_OF_CONTROLPASSWORD
- VALUE_OF_PASSWORD
These options are in the CustomAction table, under the Target field.
You change the values by deleting VALUE_OF_PASSWORD and typing in your password. For this tutorial I’m going to use PasswOrd.
Once you have your tables adjusted to the options you want, it’s time to save the transform file.
Go to Transform >> Generate Transform. This will save as a .MST file. You will need both the .MSI and the .MST file when we push it via group policy.
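Before publishing the package, you can confirm that the saved transform really carries the Property values listed above. The script below is an added example, not part of the original post; it uses the Windows Installer COM automation interface, and both file paths are placeholders you must replace.

```powershell
# Added example: show the Property table as it will look once the transform
# is applied, without installing anything.
# Both paths are placeholders; the property names are the ones listed above.
$MsiPath = 'C:\Deploy\tightvnc.msi'
$MstPath = 'C:\Deploy\tightvnc.mst'

$expected = [ordered]@{
    SERVER_ADD_FIREWALL_EXCEPTION     = '1'
    VIEWER_ADD_FIREWALL_EXCEPTION     = '1'
    SERVER_ALLOW_SAS                  = '1'
    SET_USEVNCAUTHENTICATION          = '1'
    VALUE_OF_USEVNCAUTHENTICATION     = '1'
    SET_PASSWORD                      = '1'
    SET_USECONTROLAUTHENTICATION      = '1'
    VALUE_OF_USECONTROLAUTHENTICATION = '1'
    SET_CONTROLPASSWORD               = '1'
    VALUE_OF_REMOVEWALLPAPER          = '0'
}

function Get-TransformedProperty {
    param([string]$Msi, [string]$Mst)
    $call = 'InvokeMethod'
    $installer = New-Object -ComObject WindowsInstaller.Installer
    # Mode 0 = read-only; the transform is applied in memory only.
    $db = $installer.GetType().InvokeMember('OpenDatabase', $call, $null, $installer, @((Resolve-Path $Msi).Path, 0))
    [void]$db.GetType().InvokeMember('ApplyTransform', $call, $null, $db, @((Resolve-Path $Mst).Path, 0))
    $view = $db.GetType().InvokeMember('OpenView', $call, $null, $db, @('SELECT `Property`, `Value` FROM `Property`'))
    [void]$view.GetType().InvokeMember('Execute', $call, $null, $view, $null)
    $props = @{}
    # Fetch returns $null after the last row, which ends the loop.
    while ($rec = $view.GetType().InvokeMember('Fetch', $call, $null, $view, $null)) {
        $name = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 1)
        $props[$name] = $rec.GetType().InvokeMember('StringData', 'GetProperty', $null, $rec, 2)
    }
    [void]$view.GetType().InvokeMember('Close', $call, $null, $view, $null)
    $props
}

# One row per option: what the tutorial sets versus what MSI + MST will install.
$actual = Get-TransformedProperty -Msi $MsiPath -Mst $MstPath
foreach ($name in $expected.Keys) {
    [pscustomobject]@{
        Property = $name
        Expected = $expected[$name]
        Actual   = $actual[$name]
        Match    = $actual[$name] -eq $expected[$name]
    }
}
```

A row with an empty Actual column means the property is missing from the Property table after the transform is applied.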
Creating a share and setting the appropriate permissions…
Next we need to set a shared folder across the network, one that every computer that is joined to the domain can access.
I created a series of folders to house my software pushed via GPO
Be sure to put the .MSI file and the .MST file in this directory.
To share this folder I went to the root folder (company in my case), right-clicked and chose Properties.
Then click Advanced Sharing, check the box “Share this folder”, and click Permissions near the bottom. Add the “Domain Computers” group to the share permissions.
Then click OK, and OK again, and that will bring you back to the Company folder Properties.
Click Security, Edit, Add and add the “Domain Computers” group to the security list.
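The share holds the .MST with the passwords typed into it, so Domain Computers needs read access only, and nobody other than administrators should be able to modify the package. The following is an added example (not from the original post) that sets up the same share from PowerShell and then checks the result; the folder path and share name are assumptions.

```powershell
# Added example. $Root and $ShareName are hypothetical values; run elevated
# on the file server that hosts the software share.
$Root      = 'D:\Company'
$ShareName = 'Company'
$Computers = "$env:USERDOMAIN\Domain Computers"

# Share permissions: read for Domain Computers, full control for administrators.
New-SmbShare -Name $ShareName -Path $Root `
    -ReadAccess $Computers -FullAccess 'BUILTIN\Administrators' | Out-Null

# NTFS permissions: read and execute, inherited by subfolders (CI) and files (OI).
icacls $Root /grant "${Computers}:(OI)(CI)RX" | Out-Null

# Check 1: share entries that grant more than Read to a non-administrator.
$shareIssues = Get-SmbShareAccess -Name $ShareName | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.AccessRight -ne 'Read' -and
    $_.AccountName -ne 'BUILTIN\Administrators'
}

# Check 2: NTFS entries that let a non-administrator change the package files.
# Inherited defaults on a data drive often show up here.
$ntfsIssues = (Get-Acl $Root).Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    "$($_.FileSystemRights)" -match 'Write|Modify|FullControl|CreateFiles|AppendData' -and
    "$($_.IdentityReference)" -notmatch 'Administrators$|\\SYSTEM$|CREATOR OWNER'
}

if ($shareIssues -or $ntfsIssues) {
    Write-Warning 'Write-capable entries found on the software share:'
    $shareIssues | Format-Table AccountName, AccessRight
    $ntfsIssues  | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    'Share and NTFS permissions are read-only for non-administrators.'
}
```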
Finally, Create and link a Group Policy Object (GPO) to your Organizational Units (OUs) in Group Policy Management…
Now that we have our folder set up so that all computers on the domain can see it and have access to the files inside, it’s time to set up our GPO.
Since I have OUs set up for laptops and desktops that are on my network, I will link this GPO to both OUs.
Open Group Policy Management, expand the forest, expand Domains, and expand the domain you wish to push software to.
Right-click Group Policy Objects and click New.
Name your GPO. I chose VNC Install MSI.
Right-click the new GPO you created and click Edit.
Under Computer Configuration, expand Policies, then Software Settings, and right-click Software installation. Click New >> Package.
Browse to your folder via its UNC path (do not browse via the hard disk path; this needs to be the network share path).
Open the MSI, and you will see another box titled Deploy Software. Click Advanced.
Click OK, go to the Modifications tab and click Add.
Open your transform file (the .MST file) that we created earlier in Orca.
You should see the network path in modifications here.
Click OK
Close Group Policy Management Editor.
Now we need to link the group policy to the OUs that we want to deploy to.
Simply right-click the OU (laptops and desktops in my case), choose Link an Existing GPO… and select your GPO.
Close Group Policy Management
The best way to test this is to run “gpupdate /force” in a command prompt on a computer in the OU you set up to receive the software.
After the “gpupdate /force” it will ask you to restart the computer. Once the machine reboots TightVNC should be installed and configured. (Good job you :)).
It is worth noting that if for some reason you are having issues pushing the MSI, it may be helpful to consult the “event viewer” on the client machine that you are testing with.
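The same check can be scripted instead of clicking through Event Viewer. This is an added example, not part of the original post: it assumes the GPO name used in this tutorial and the service name "tvnserver" that TightVNC 2.x registers, and it reads the standard MsiInstaller events from the Application log.

```powershell
# Added example. Run in an elevated PowerShell prompt on the test client
# after the reboot.
function Get-VncDeploymentStatus {
    param(
        [string]$GpoName = 'VNC Install MSI',  # GPO name chosen in this tutorial
        [int]$Hours = 4                        # how far back to read the event log
    )
    # Was the GPO applied to this computer at all?
    $gpoApplied = [bool]((gpresult /r /scope computer) -match [regex]::Escape($GpoName))

    # Windows Installer results:
    # 11707 = success, 11708 = failure, 1033 = install finished (with status code).
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'MsiInstaller'
        Id           = 11707, 11708, 1033
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -match 'TightVNC' }

    # Assumption: the server is registered as the "tvnserver" service.
    $service = Get-Service -Name tvnserver -ErrorAction SilentlyContinue

    [pscustomobject]@{
        GpoApplied     = $gpoApplied
        InstallSuccess = [bool]($events | Where-Object Id -eq 11707)
        InstallFailed  = [bool]($events | Where-Object Id -eq 11708)
        ServiceStatus  = if ($service) { $service.Status } else { 'not installed' }
        LastEvents     = $events | Select-Object -First 5 TimeCreated, Id, Message
    }
}

Get-VncDeploymentStatus | Format-List
```

If GpoApplied is False, the problem is in the GPO link or OU membership rather than in the MSI or the transform.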
I hope that this tutorial has helped you to configure VNC via Group Policy.