Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 284
  • Last Modified:

Autosketch & Windows Security

Hi there,

We use Autosketch 8 on our school win2k network (2k servers and 2k stations). Greoup policies are setup, altho not by me.

If a member of staff logs onto a computer and uses autosketch, they can save with no problem at all. If a student logs onto the same computer, Autosketch comes up with a "this aciton has been restricted by security, see your network admin etc blah blah" message, then crashes, losing the file that was being worked on.

This is not restricted to one computer. It does not occur on our win98 stations. All users have FULL control on the local win2k workstation.

From this I can only conclude that it is a network security issue.

I have no experience of setting or changing Windows 2k security and would appreciate any suggestions/ideas on 1. how to locate exactly waht is being accessed to cause this error on students only and 2. how to fix it!

If you need anymore info, let me know.

Thanks in advance.

Maz
Senior IS Support Tech
0
MazzaRC
Asked:
MazzaRC
  • 8
  • 3
1 Solution
 
trywaredkCommented:
> "All users have FULL control on the local win2k workstation."

Are they member of the local admin group ?

Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm

members of the local admin group
1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER

Introduction to LOCAL and DOMAIN user accounts
http://windows.about.com/library/weekly/aa010325a.htm

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 
trywaredkCommented:
Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm

Remove Users from Local Admin Group
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html

I discuss this issue on http://www.experts-exchange.com/Security/Win_Security/Q_20576959.html

W98 users does'nt have a local admin group. They are by default "local administrators"

The problem with local admin group is that more and more programs updates themselfes while users are logged on, thus requirering, that Domain Users has to be a member of the Local Admin Group, because the Power Users Group is not always enough for some programs. Updating and installing programs means Admin Power. For example to gain access to some parts of the registry, and to gain access to C:\WINNT\SYSTEM32

But being member of the Local Admin Group on more than one workstation on the network means, that Domain Users gets unlimited REMOTE access to the other workstations.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)

All this is a problem because Microsoft created the Windows 2000 operating system this way.

If you want to know more about this issue:
---------------------------------------------------------
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734

If you want to test it:
--------------------------
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

0
 
trywaredkCommented:
Some programs can run without problems if the user is member of the local power users group, but not all programs.

Try with your program if it can run in the power users group

Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm
0
Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

 
MazzaRCAuthor Commented:
Ok, to clarify, all Network Authenticated users are a member of the Power Users group on all local Win2k Clients (otherwise you get problems running things like Office).

All I need to do is allow students to save in Autosketch as staff can do.

0
 
trywaredkCommented:
>"All I need to do is allow students to save in Autosketch as staff can do."

Then students must be member of the local Power Users group
0
 
trywaredkCommented:
Does students have the same NTFS permissioins as the staff group on the share on your server, where Autosketch 8 saves files ?

Understanding NTFS permissions:
http://www.windowsitlibrary.com/Content/592/1.html

Default NTFS Permissions in Windows 2000:
http://support.microsoft.com/?kbid=244600
%systemroot% = C:\WINNT
0
 
MazzaRCAuthor Commented:
To their home drives yes, every user has all rights except "Full Control" to their own directory. The application is installed locally on the client.

The only difference I can figure out is that staff and students have a different network group policy. Unless i'm missing something.
0
 
trywaredkCommented:
1. Where does Autosketch 8 saves files ?

2. What are the different group policies to the staff group and the students group ?

Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

0
 
MazzaRCAuthor Commented:
Problem solved!!!

Thank you to trywaredk who made the lightbulb go on over my head... it was do to with the working directory of the shortcut! When that was changed to home directory instead of the program's directory.. it worked!

Thank you for all the input and resources.. I have a lot of reading to do :-)
0
 
trywaredkCommented:
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9
0
 
trywaredkCommented:
Sorry about my comment of 03/24/2004 12:01PM CET - I only pressed CTRL-F5 !

The correct answer should have been ....

:o) Glad I could help you - thank you for the points
0

Featured Post

2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

  • 8
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now