These restrictions must not affect network administrators.
You can do all of this with the following script:
// ---------------------------------------
// Script created by Alexey Pikurov / Network Software Solutions
// 28.11.2016 16:58:47
// ---------------------------------------
// Settings and user-facing messages for the VNC access restrictions.
const
// Role name whose members skip every check in this script.
// It is compared as an exact string against the sender's role name.
sAdmGroup = 'Administrators';
// Sent to the requester when a view-only request is refused.
sErrMsg1 = 'You do not have access to this user';
// Sent to the requester when a control (mouse and keyboard) request is refused.
sErrMsg2 = 'You can only view the screen of this user';
// Handler for raw data sent from one client plugin to another.
// It restricts VNCClient -> VNCServer requests from users outside sAdmGroup:
//   * a view-only request is allowed only when sender and target are in the
//     same department and the sender is that department's team lead;
//   * a control request is always refused.
// Returns true to let the data through and false to refuse it. A refused
// sender gets a console message naming the target user.
//
// NOTE(review): the default is "allow". Any sData other than the two request
// strings handled below is passed through for non-administrators. Confirm that
// these two strings are the only requests that can start a remote session.
function OnClientPluginSendRawData(iCID, iUINFrom, iUINTo: integer; sPluginNameFrom, sPluginNameTo, sData: string): boolean;
var
  bAllowed: boolean;
  iFromDept, iToDept: integer;
  sDenyText, sNotice: string;
begin
  bAllowed := true;

  // Only traffic from the VNC client plugin to the VNC server plugin is checked
  if (sPluginNameFrom = 'VNCClient') and (sPluginNameTo = 'VNCServer') then
    // Members of the administrators role are not restricted
    if mGetRoleNameByID(mGetUserRoleID(iUINFrom)) <> sAdmGroup then begin
      // Taking over the mouse and keyboard is never allowed for regular users
      if sData = 'VNCGETLOCALIPS-CONTROL' then begin
        bAllowed := false;
        sDenyText := sErrMsg2;
      end else
      // Viewing the remote screen needs same department and team-lead status
      if sData = 'VNCGETLOCALIPS-VIEW' then begin
        iFromDept := mGetUserDepartmentID(iUINFrom);
        iToDept := mGetUserDepartmentID(iUINTo);

        // NOTE(review): the ID returned for a user with no department is not
        // visible here. Confirm that two unassigned users do not compare equal.
        if iFromDept = iToDept then
          bAllowed := mIsUserTeamLead(iUINFrom)
        else
          bAllowed := false;

        if not bAllowed then sDenyText := sErrMsg1;
      end;

      // Tell the requester why the remote administration session was refused
      if not bAllowed then begin
        sNotice := sDenyText + ' (' + mGetUserAttribute(iUINTo, 'DisplayName') + ')';
        mSendCustomMsgToClientConsoleByCID(iCID, sNotice, 'Error', true, true, 77);
      end;
    end;

  result := bAllowed;
end;
// The main program body is intentionally empty: the script only defines
// the OnClientPluginSendRawData event handler.
begin
end.
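The script assumes that your administrators are in the group "Administrators". If not, edit the constant sAdmGroup so that it matches the role name exactly. Members of this group bypass every check in the script, so keep its membership limited to actual network administrators.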
Also, you should assign work positions in their profiles:
...and do not forget to specify that they are heads of departments (additionally highlighted by blue color):