if I logon as a domain user and start this software :( !
newbienewb
Member Posts: 19 ■□□□□□□□□□
I am testing AD in my test lab given to me by my head. I installed AD on a PC with Windows Server 2003 and joined another PC, which has Windows 2000 Professional installed, to the domain. In our organisation, different departments use different software to meet their needs. I was first asked to test the Windows 2000 Pro system with the accounting software installed. I can start and use that software if I log in to the system as a domain administrator; however, if I log on as a domain user and start this software, the software does not even initialize or start!
I thought the solution may be starting this application alone with administrator privilege! If this is the right solution, how do I accomplish this?
Or are there any other solutions available?
Please note: the members of the domain have to be domain users.
And member computers can only have Windows 2000 Professional installed.
Thank you
Comments
-
newbienewb Member Posts: 19 ■□□□□□□□□□
Thanks for the clue, but could you provide a sample configuration please, say for my scenario!
-
Trailerisf Member Posts: 455
If you are using QuickBooks, you need to go to the Programs Folder/Intuit and click on properties. Go down and change the permissions (NTFS) on the folder to include your domain users (group if you have) or simply add everyone. Give them full control.
Sometimes when you install software, it only gives folder rights to the user installing the software. QuickBooks is definitely one that does.
On the road to Cisco. Will I hunt it, or will it hunt me?
-
newbienewb Member Posts: 19 ■□□□□□□□□□
Please note that this software is a product developed by an organization in our region.
Trailerisf, I did give the full control permission, though for Everyone it was already assigned 'Full Control'. Still, the software is not starting successfully.
Any other solutions are also most welcome!
Thank you
-
eurotrash Member Posts: 817
If this software was originally developed for an older OS then the problem could be (and sounds like) it doesn't have permissions to resources it needs in order to be able to start up, as older OSs may have been more lax in security.
Now I wouldn't suggest simply applying compatws to your production environment, but as you are in a test lab it should be fine.
So one idea would be to (if you don't have an overriding group policy) open your local computer policy and import compatws.inf at the Security Settings node/folder and see if it will then let you run it (and presumably you can work from there to see what precisely it was).
Another idea would be to audit for failures. Let's say that it needs a certain level of access to some reg key and doesn't have it, so it fails to start. So you could configure auditing for the registry (or hive) and then go over the security log and see if it was denied access to a certain key; then you can configure its permissions and try again.
witty comment
-
kalebksp Member Posts: 1,033 ■■■■■□□□□□
You can also try and contact the company who developed the software, they may have dealt with this before, and if not, they can tell you what files it needs access to.
-
woodworm Member Posts: 153
* Download Filemon and Regmon from www.sysinternals.com
* Run these with admin rights while logged on as your domain user (runas)
* Then try to start your financial software; if it is a problem trying to access either a file/regkey then it will be logged in this software (do a search for access denied).
Usually it requires Domain Users having Modify access to the installation directory.
-
newbienewb Member Posts: 19 ■□□□□□□□□□
I did download them and followed the steps you specified, and found a lot of access denied in both Filemon and Regmon!
So how do I get around this security issue? How may I achieve this?
Please let me know
Thank you
-
woodworm Member Posts: 153
It's usually a case of 'poking holes' in your security. I mean giving more access than normal (e.g. Modify instead of Read) to each file/directory.
It's not ideal, but with old or badly written software it's usually the only option? What is annoying is that there are still applications being written now that require users to have elevated privileges on the local machine (e.g. AutoCAD).
-
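Added example (not part of woodworm's posts or any poster's code): one way to turn a saved Filemon/Regmon log into a short list of objects whose ACLs need review, so that access is widened only where the application was actually denied. The tab-separated column layout, the result strings, the process name ACCT.EXE and every path in the sample are constructed assumptions; adjust the column indexes to match your own export.

```python
import ntpath
from collections import defaultdict

# Result strings treated as a denial (assumed; match them to your export).
DENIED = {"ACCESS DENIED", "ACCDENIED"}
REG_ROOTS = ("HKLM", "HKCU", "HKCR", "HKU", "HKCC")
# Shared locations: review the single file, never the whole directory.
SHARED_DIRS = (r"c:\winnt", r"c:\program files\common files")

# Constructed sample rows: seq, time, process:pid, request, path, result.
SAMPLE_ROWS = [
    ("1", "10:01:02", "ACCT.EXE:412", "OPEN", r"C:\Program Files\Acct\acct.ini", "SUCCESS"),
    ("2", "10:01:02", "ACCT.EXE:412", "WRITE", r"C:\Program Files\Acct\data\ledger.lck", "ACCESS DENIED"),
    ("3", "10:01:03", "ACCT.EXE:412", "CREATE", r"C:\Program Files\Acct\data\session.tmp", "ACCESS DENIED"),
    ("4", "10:01:03", "ACCT.EXE:412", "OPEN", r"C:\WINNT\system32\acctcfg.dat", "ACCESS DENIED"),
    ("5", "10:01:04", "explorer.exe:300", "OPEN", r"C:\WINNT\system32\other.dll", "ACCESS DENIED"),
    ("6", "10:01:05", "ACCT.EXE:412", "CreateKey", r"HKLM\SOFTWARE\Acct\Settings", "ACCDENIED"),
]
SAMPLE_LOG = "\n".join("\t".join(row) for row in SAMPLE_ROWS)


def denied_events(log_text, process):
    """Yield (request, path) for each denied operation by the named process."""
    for line in log_text.splitlines():
        cols = [c.strip() for c in line.split("\t")]
        if len(cols) < 6:
            continue  # header, blank or truncated line
        proc, request, path, result = cols[2:6]
        if proc.lower().startswith(process.lower()) and result.upper() in DENIED:
            yield request, path


def grant_targets(events):
    """Map each object whose ACL needs review to the requests denied on it."""
    targets = defaultdict(set)
    for request, path in events:
        if path.upper().startswith(REG_ROOTS):
            target = path                  # registry key named in the event
        elif path.lower().startswith(SHARED_DIRS):
            target = path                  # shared directory: this file only
        else:
            target = ntpath.dirname(path)  # application's own directory
        targets[target].add(request)
    return dict(targets)


if __name__ == "__main__":
    found = grant_targets(denied_events(SAMPLE_LOG, "ACCT.EXE"))
    for target in sorted(found):
        print(target, "<-", ", ".join(sorted(found[target])))
```

Grant the least access that clears each listed request, then repeat the capture as the domain user to confirm nothing else is denied.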
RamsesK Member Posts: 86 ■■□□□□□□□□
I have seen this before in my work place also, where we use AutoCAD a lot!
It can be great if you specify what program this is, because some programs are so customized and they try to read and write files in the system all the time, so that is why we need to give permissions to these programs, since Windows checks the permissions for any program or user access based on the user logged on in that moment.
And definitely it is all about permissions. Be sure where this program writes files and registry keys during installation (so you can release permissions in those places for the user who is going to use it). Be sure to give permissions, whether full control or specific permissions, in the "program files" folder, in the folder where the program installed itself. Also check the common files folder inside the program files folder (some programs share resources and create a folder inside this folder for specific functions, specially networking operations); restrictions inside this folder in common files can also lock the program from being used by a regular user in an AD.
And last but not less important, the REGISTRY! I can tell you that 90% of these errors have a relation with the registry and permissions inside the registry. Check where the program created the keys for this program, right click on them, go to permissions and give the control you need, whether full or more restricted permissions, to let the program work under a user account.
Also "licensing stuff" comes to my mind. Be sure that if the license is in a place in the network different than the local machine, you have access to this place under a user account to the servers if you set it like that, or that the license is not restrictive for one user (administrator in this case) or machine, which shouldn't be the problem if it is a license open program, but it has happened to me, so I think it might give you another idea if nothing else works.
I hope that helps! And as kalebksp says, contact the company who developed the software and ask for technical support; they have to solve the problem, so ask kindly for help and they will for sure give you answers!!!
Let us know what happened!
Regards
Formule One Racing Addict...
-
newbienewb Member Posts: 19 ■□□□□□□□□□
Wow! In-depth analysis report, RamsesK! The sad story is the company who developed this application has closed their software development and is currently not in the market. Phew!
I found this software is installed into 3 folders: the folder by its name, winnt/system32 and program files/common!
As I don't have any technical support people out there, and no one is there to provide the technical details like the registry keys, files they write to etc., I could not proceed further!
-
keatron Member Posts: 1,213 ■■■■■■□□□□
Try adding the users who would use this program to the Power Users group. This will probably give them the privileges they need without giving them admin rights. By default Power Users are given write and modify permissions to the folder you specified (Common Files). Also by default, any folder created inside the Common Files folder will inherit permissions from the parent folder (which is Common Files). So you have two options actually. As I've already said, add the users to the Power Users group, or go to the software file folder, right click it, select sharing and security, then select the security tab. Now you want to assign the group or user/users you're testing the proper permissions. You will need to click the advanced tab at the bottom of this page, then uncheck the box which reads "Inherit parent permissions etc etc etc." Then you'll want to check the box immediately under it, which reads "Replace permissions entries on all child objects etc etc etc". In most cases, this will do it.
If security is a major issue here, I suggest the second option, because simply adding them to the Power Users group will probably give you the results you want but it will also give them read, write and modify permissions to all of the folders and files in the "Program Files" directory, as well as un-needed permissions on other vital system files and folders. Always remember "Principle of Least Privilege".
Keatron
-
newbienewb Member Posts: 19 ■□□□□□□□□□
Plus as I could not get tech. data we postponed the idea for implementing domain based network till next new software that serves the same purpose is acquired.
-
Trailerisf Member Posts: 455
All of our domain users are power users to begin with.
It's good advice, but you need to plan for it not working.
But you should follow keatron's steps first.
-
keatron Member Posts: 1,213 ■■■■■■□□□□
Just curious Trailerisf, why would all of your domain users be power users? Also if you look at the original post, one of the requirements is that ALL users have to be domain users, so giving local users permissions wouldn't help his purpose.
-
newbienewb Member Posts: 19 ■□□□□□□□□□
This software uses a backend; that backend server runs on our network.
This software connects to the backend, fetches data and displays it, plus allows you to modify, delete etc.
Sorry, I should have added this info in the first post itself!
-
taktsoi Member Posts: 224
In this scenario, if you've found out that you need administrative rights to run this software, there you go, you are on the right track. Yes, your only choice is to give them administrative rights. (yeah..i know...i know). But you need the following instructions to work with this software and secure your network.
1) create a runas account on your AD other than the domain user you instruct to log in. give it domain user member. ex: domainrunas, give it a password.
2) join the workstations to the domain.
3) on the domain workstations, log in as administrator (the following will be the interesting stuff)
4) go to computer management, local users and groups, expand the groups, double click the ADMINISTRATORS GROUP
5) add the DOMAIN USER (domainrunas) account here.
6) go to control panel, administrative tools, services, make sure the secondary logon is running.
7) log off then log in as your domain user REGULARLY.
8) locate your software, right click, run-as
9) choose "The following user:", enter "domainrunas" along with the password.
10) the software should've started successfully.
11) If you are concerned about security, you can at any time deactivate this special run-as account on the AD server because this account is the local administrator account. You can also set up logon hours on the AD, change the password as often as you like, use group policy to deny this account to log on locally and audit the account logon. There may be more stuff you can secure.
guys, please share more on knocking down the system in this case.
please post your result. I wanna see how it goes.
tak
mean people SUCK !!! BACK OFF !!!
The Next Stop is, MCSE 2003 and CCNA.
Bachelors of Technology in 1 More Year.
-Working on CCENT. Thank you my love
-
elover_jm Member Posts: 349
Don't ya'll think it would be better to run the custom application using Terminal Server?
That way you don't have to be worrying about people sticking their noses where they shouldn't be.
-
taktsoi Member Posts: 224
but licensing is so expensive.............