MazzaRC
asked on
Autosketch & Windows Security
Hi there,
We use Autosketch 8 on our school win2k network (2k servers and 2k stations). Greoup policies are setup, altho not by me.
If a member of staff logs onto a computer and uses autosketch, they can save with no problem at all. If a student logs onto the same computer, Autosketch comes up with a "this aciton has been restricted by security, see your network admin etc blah blah" message, then crashes, losing the file that was being worked on.
This is not restricted to one computer. It does not occur on our win98 stations. All users have FULL control on the local win2k workstation.
From this I can only conclude that it is a network security issue.
I have no experience of setting or changing Windows 2k security and would appreciate any suggestions/ideas on 1. how to locate exactly waht is being accessed to cause this error on students only and 2. how to fix it!
If you need anymore info, let me know.
Thanks in advance.
Maz
Senior IS Support Tech
We use Autosketch 8 on our school win2k network (2k servers and 2k stations). Greoup policies are setup, altho not by me.
If a member of staff logs onto a computer and uses autosketch, they can save with no problem at all. If a student logs onto the same computer, Autosketch comes up with a "this aciton has been restricted by security, see your network admin etc blah blah" message, then crashes, losing the file that was being worked on.
This is not restricted to one computer. It does not occur on our win98 stations. All users have FULL control on the local win2k workstation.
From this I can only conclude that it is a network security issue.
I have no experience of setting or changing Windows 2k security and would appreciate any suggestions/ideas on 1. how to locate exactly waht is being accessed to cause this error on students only and 2. how to fix it!
If you need anymore info, let me know.
Thanks in advance.
Maz
Senior IS Support Tech
Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
Remove Users from Local Admin Group
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html
I discuss this issue on https://www.experts-exchange.com/questions/20576959/Domain-Users-in-Local-Admin-Group.html
W98 users does'nt have a local admin group. They are by default "local administrators"
The problem with local admin group is that more and more programs updates themselfes while users are logged on, thus requirering, that Domain Users has to be a member of the Local Admin Group, because the Power Users Group is not always enough for some programs. Updating and installing programs means Admin Power. For example to gain access to some parts of the registry, and to gain access to C:\WINNT\SYSTEM32
But being member of the Local Admin Group on more than one workstation on the network means, that Domain Users gets unlimited REMOTE access to the other workstations.
The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)
All this is a problem because Microsoft created the Windows 2000 operating system this way.
If you want to know more about this issue:
--------------------------
https://www.experts-exchange.com/questions/20506528/DomainUsers-in-LocalAdminGroup.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734
If you want to test it:
--------------------------
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.
Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm
Remove Users from Local Admin Group
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html
I discuss this issue on https://www.experts-exchange.com/questions/20576959/Domain-Users-in-Local-Admin-Group.html
W98 users does'nt have a local admin group. They are by default "local administrators"
The problem with local admin group is that more and more programs updates themselfes while users are logged on, thus requirering, that Domain Users has to be a member of the Local Admin Group, because the Power Users Group is not always enough for some programs. Updating and installing programs means Admin Power. For example to gain access to some parts of the registry, and to gain access to C:\WINNT\SYSTEM32
But being member of the Local Admin Group on more than one workstation on the network means, that Domain Users gets unlimited REMOTE access to the other workstations.
The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)
All this is a problem because Microsoft created the Windows 2000 operating system this way.
If you want to know more about this issue:
--------------------------
https://www.experts-exchange.com/questions/20506528/DomainUsers-in-LocalAdminGroup.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734
If you want to test it:
--------------------------
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.
Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.
Some programs can run without problems if the user is member of the local power users group, but not all programs.
Try with your program if it can run in the power users group
Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm
Try with your program if it can run in the power users group
Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm
ASKER
Ok, to clarify, all Network Authenticated users are a member of the Power Users group on all local Win2k Clients (otherwise you get problems running things like Office).
All I need to do is allow students to save in Autosketch as staff can do.
All I need to do is allow students to save in Autosketch as staff can do.
>"All I need to do is allow students to save in Autosketch as staff can do."
Then students must be member of the local Power Users group
Then students must be member of the local Power Users group
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
To their home drives yes, every user has all rights except "Full Control" to their own directory. The application is installed locally on the client.
The only difference I can figure out is that staff and students have a different network group policy. Unless i'm missing something.
The only difference I can figure out is that staff and students have a different network group policy. Unless i'm missing something.
1. Where does Autosketch 8 saves files ?
2. What are the different group policies to the staff group and the students group ?
Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842
2. What are the different group policies to the staff group and the students group ?
Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp
Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842
ASKER
Problem solved!!!
Thank you to trywaredk who made the lightbulb go on over my head... it was do to with the working directory of the shortcut! When that was changed to home directory instead of the program's directory.. it worked!
Thank you for all the input and resources.. I have a lot of reading to do :-)
Thank you to trywaredk who made the lightbulb go on over my head... it was do to with the working directory of the shortcut! When that was changed to home directory instead of the program's directory.. it worked!
Thank you for all the input and resources.. I have a lot of reading to do :-)
The Experts Exchange Help Pages - About Closing Questions
https://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9
https://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9
Sorry about my comment of 03/24/2004 12:01PM CET - I only pressed CTRL-F5 !
The correct answer should have been ....
:o) Glad I could help you - thank you for the points
The correct answer should have been ....
:o) Glad I could help you - thank you for the points
Are they member of the local admin group ?
Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm
members of the local admin group
1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER
Introduction to LOCAL and DOMAIN user accounts
http://windows.about.com/library/weekly/aa010325a.htm
Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark
:o) Your brain is like a parachute. It works best when it's open