diff --git a/agents/MeshCentralRouter.exe b/agents/MeshCentralRouter.exe
index 9ee18d0b..0f1de288 100644
Binary files a/agents/MeshCentralRouter.exe and b/agents/MeshCentralRouter.exe differ
diff --git a/webserver.js b/webserver.js
index cc1672ec..0462e9de 100644
--- a/webserver.js
+++ b/webserver.js
@@ -86,22 +86,42 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 obj.renderLanguages = [];
 // Mesh Rights
- const MESHRIGHT_EDITMESH = 1;
- const MESHRIGHT_MANAGEUSERS = 2;
- const MESHRIGHT_MANAGECOMPUTERS = 4;
- const MESHRIGHT_REMOTECONTROL = 8;
- const MESHRIGHT_AGENTCONSOLE = 16;
- const MESHRIGHT_SERVERFILES = 32;
- const MESHRIGHT_WAKEDEVICE = 64;
- const MESHRIGHT_SETNOTES = 128;
+ const MESHRIGHT_EDITMESH = 0x00000001;
+ const MESHRIGHT_MANAGEUSERS = 0x00000002;
+ const MESHRIGHT_MANAGECOMPUTERS = 0x00000004;
+ const MESHRIGHT_REMOTECONTROL = 0x00000008;
+ const MESHRIGHT_AGENTCONSOLE = 0x00000010;
+ const MESHRIGHT_SERVERFILES = 0x00000020;
+ const MESHRIGHT_WAKEDEVICE = 0x00000040;
+ const MESHRIGHT_SETNOTES = 0x00000080;
+ const MESHRIGHT_REMOTEVIEWONLY = 0x00000100;
+ const MESHRIGHT_NOTERMINAL = 0x00000200;
+ const MESHRIGHT_NOFILES = 0x00000400;
+ const MESHRIGHT_NOAMT = 0x00000800;
+ const MESHRIGHT_DESKLIMITEDINPUT = 0x00001000;
+ const MESHRIGHT_LIMITEVENTS = 0x00002000;
+ const MESHRIGHT_CHATNOTIFY = 0x00004000;
+ const MESHRIGHT_UNINSTALL = 0x00008000;
+ const MESHRIGHT_NODESKTOP = 0x00010000;
+ const MESHRIGHT_REMOTECOMMAND = 0x00020000;
+ const MESHRIGHT_RESETOFF = 0x00040000;
+ const MESHRIGHT_GUESTSHARING = 0x00080000;
+ const MESHRIGHT_ADMIN = 0xFFFFFFFF;
- // Site rights
- const SITERIGHT_SERVERBACKUP = 1;
- const SITERIGHT_MANAGEUSERS = 2;
- const SITERIGHT_SERVERRESTORE = 4;
- const SITERIGHT_FILEACCESS = 8;
- const SITERIGHT_SERVERUPDATE = 16;
- const SITERIGHT_LOCKED = 32;
+ // Site rights
+ const SITERIGHT_SERVERBACKUP = 0x00000001;
+ const SITERIGHT_MANAGEUSERS = 0x00000002;
+ const SITERIGHT_SERVERRESTORE = 0x00000004;
+ const SITERIGHT_FILEACCESS = 0x00000008;
+ const SITERIGHT_SERVERUPDATE = 0x00000010;
+ const SITERIGHT_LOCKED = 0x00000020;
+ const SITERIGHT_NONEWGROUPS = 0x00000040;
+ const SITERIGHT_NOMESHCMD = 0x00000080;
+ const SITERIGHT_USERGROUPS = 0x00000100;
+ const SITERIGHT_RECORDINGS = 0x00000200;
+ const SITERIGHT_LOCKSETTINGS = 0x00000400;
+ const SITERIGHT_ALLEVENTS = 0x00000800;
+ const SITERIGHT_ADMIN = 0xFFFFFFFF;
 // Setup SSPI authentication if needed
 if ((obj.parent.platform == 'win32') && (obj.args.nousers != true) && (obj.parent.config != null) && (obj.parent.config.domains != null)) {
@@ -6233,6 +6253,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 // A user/pass is provided in URL arguments
 obj.authenticate(req.query.user, req.query.pass, domain, function (err, userid, passhint, loginOptions) {
+ // Check if user as the "notools" site right. If so, deny this connection as tools are not allowed to connect.
+ if ((user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & SITERIGHT_NOMESHCMD)) {
+ // No tools allowed, close the websocket connection
+ parent.debug('web', 'ERR: Websocket no tools allowed');
+ try { ws.send(JSON.stringify({ action: 'close', cause: 'notools', msg: 'notools' })); ws.close(); } catch (e) { }
+ return;
+ }
+
 // See if we support two-factor trusted cookies
 var twoFactorCookieDays = 30;
 if (typeof domain.twofactorcookiedurationdays == 'number') { twoFactorCookieDays = domain.twofactorcookiedurationdays; }
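Review bot: The added check in the `req.query.user` path dereferences `user.siteadmin` before anything visible in this hunk assigns `user` from `userid` or tests `err`, whereas the matching block in the `s[0], s[1]` hunk sits inside `var user = obj.users[userid]; if ((err == null) && (user)) {`. If `user` is a hoisted `var` declared further down this callback it is `undefined` here and the line throws a TypeError on every URL-credential websocket login; if it instead resolves to an outer-scope variable, the site right is evaluated against a different account than the one just authenticated. The check should follow the lookup and guard, `var user = obj.users[userid]; if ((err == null) && (user)) { /* notools check */ ... }`, as in the other hunk; the callback body runs past the end of the hunk, so where the existing lookup lives cannot be confirmed from here. Both hunks also compare against the literal `0xFFFFFFFF` although `SITERIGHT_ADMIN` is introduced for exactly that value earlier in this commit, duplicate the six-line block verbatim, and carry the typo `user as the` in the leading comment. A single helper, e.g. `function isNoToolsUser(user) { return (user.siteadmin != SITERIGHT_ADMIN) && ((user.siteadmin & SITERIGHT_NOMESHCMD) != 0); }`, used from both paths would keep them from drifting.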
@@ -6349,6 +6377,14 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
 obj.authenticate(s[0], s[1], domain, function (err, userid, passhint, loginOptions) {
 var user = obj.users[userid];
 if ((err == null) && (user)) {
+ // Check if user as the "notools" site right. If so, deny this connection as tools are not allowed to connect.
+ if ((user.siteadmin != 0xFFFFFFFF) && (user.siteadmin & SITERIGHT_NOMESHCMD)) {
+ // No tools allowed, close the websocket connection
+ parent.debug('web', 'ERR: Websocket no tools allowed');
+ try { ws.send(JSON.stringify({ action: 'close', cause: 'notools', msg: 'notools' })); ws.close(); } catch (e) { }
+ return;
+ }
+
 // Check if a 2nd factor is needed
 if (checkUserOneTimePasswordRequired(domain, user, req, loginOptions) == true) {