Solved

Autosketch & Windows Security

Posted on 2004-03-24
11
270 Views
Last Modified: 2013-12-04
Hi there,

We use Autosketch 8 on our school win2k network (2k servers and 2k stations). Greoup policies are setup, altho not by me.

If a member of staff logs onto a computer and uses autosketch, they can save with no problem at all. If a student logs onto the same computer, Autosketch comes up with a "this aciton has been restricted by security, see your network admin etc blah blah" message, then crashes, losing the file that was being worked on.

This is not restricted to one computer. It does not occur on our win98 stations. All users have FULL control on the local win2k workstation.

From this I can only conclude that it is a network security issue.

I have no experience of setting or changing Windows 2k security and would appreciate any suggestions/ideas on 1. how to locate exactly waht is being accessed to cause this error on students only and 2. how to fix it!

If you need anymore info, let me know.

Thanks in advance.

Maz
Senior IS Support Tech
0
Comment
Question by:MazzaRC
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 8
  • 3
11 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10665828
> "All users have FULL control on the local win2k workstation."

Are they member of the local admin group ?

Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm

members of the local admin group
1. Start / Run
2. Input CMD
3. Press ENTER
4. Input NET LOCALGROUP ADMINISTRATORS
5. Press ENTER

Introduction to LOCAL and DOMAIN user accounts
http://windows.about.com/library/weekly/aa010325a.htm

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10665849
Why you should not run your computer as an administrator
http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/windows_security_whynot_admin.htm

Remove Users from Local Admin Group
http://www.winnetmag.com/WindowsSecurity/Article/ArticleID/21296/21296.html

I discuss this issue on http://www.experts-exchange.com/Security/Win_Security/Q_20576959.html

W98 users does'nt have a local admin group. They are by default "local administrators"

The problem with local admin group is that more and more programs updates themselfes while users are logged on, thus requirering, that Domain Users has to be a member of the Local Admin Group, because the Power Users Group is not always enough for some programs. Updating and installing programs means Admin Power. For example to gain access to some parts of the registry, and to gain access to C:\WINNT\SYSTEM32

But being member of the Local Admin Group on more than one workstation on the network means, that Domain Users gets unlimited REMOTE access to the other workstations.

The unlimited REMOTE access involves:
1. Explorer: \\ComputerName\C$
2. Registry
3. Computer Management (Control Panel)

All this is a problem because Microsoft created the Windows 2000 operating system this way.

If you want to know more about this issue:
---------------------------------------------------------
http://www.experts-exchange.com/Security/Win_Security/Q_20506528.html
http://www.tryware.dk/English/W2kLocalGroupPolicy/TotalAdminPower.html
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/evaluate/featfunc/07w2kadc.asp
http://support.microsoft.com/?kbid=182734

If you want to test it:
--------------------------
You have to grant a Domain User Group to the Local Admin Group on BOTH test-workstations, AND logout and logon again.

Important: You have to make a new logon after creating the credentials, because they are given in W2k in the second where You press ENTER to password when logging on.

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10665855
Some programs can run without problems if the user is member of the local power users group, but not all programs.

Try with your program if it can run in the power users group

Builtin and predefined groups in Windows 2000 Pro
http://www.microsoft.com/windows2000/en/professional/help/default.asp?url=/windows2000/en/professional/help/windows_security_default_settings.htm
0
Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

 
LVL 1

Author Comment

by:MazzaRC
ID: 10665876
Ok, to clarify, all Network Authenticated users are a member of the Power Users group on all local Win2k Clients (otherwise you get problems running things like Office).

All I need to do is allow students to save in Autosketch as staff can do.

0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10665979
>"All I need to do is allow students to save in Autosketch as staff can do."

Then students must be member of the local Power Users group
0
 
LVL 12

Accepted Solution

by:
trywaredk earned 500 total points
ID: 10666000
Does students have the same NTFS permissioins as the staff group on the share on your server, where Autosketch 8 saves files ?

Understanding NTFS permissions:
http://www.windowsitlibrary.com/Content/592/1.html

Default NTFS Permissions in Windows 2000:
http://support.microsoft.com/?kbid=244600
%systemroot% = C:\WINNT
0
 
LVL 1

Author Comment

by:MazzaRC
ID: 10666023
To their home drives yes, every user has all rights except "Full Control" to their own directory. The application is installed locally on the client.

The only difference I can figure out is that staff and students have a different network group policy. Unless i'm missing something.
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10666160
1. Where does Autosketch 8 saves files ?

2. What are the different group policies to the staff group and the students group ?

Group Policy Results - Displays information about the Group Policy on the current computer and logged-on user.
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

Troubleshooting Group Policy Application Problems
http://support.microsoft.com/?kbid=250842

0
 
LVL 1

Author Comment

by:MazzaRC
ID: 10666171
Problem solved!!!

Thank you to trywaredk who made the lightbulb go on over my head... it was do to with the working directory of the shortcut! When that was changed to home directory instead of the program's directory.. it worked!

Thank you for all the input and resources.. I have a lot of reading to do :-)
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10666238
The Experts Exchange Help Pages - About Closing Questions
http://www.experts-exchange.com/Security/Win_Security/help.jsp#hi9
0
 
LVL 12

Expert Comment

by:trywaredk
ID: 10666252
Sorry about my comment of 03/24/2004 12:01PM CET - I only pressed CTRL-F5 !

The correct answer should have been ....

:o) Glad I could help you - thank you for the points
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Security measures require Windows be logged in using Standard User login (not Administrator).  Yet, sometimes an application has to be run “As Administrator” from a Standard User login.  This paper describes how to create a shortcut icon to launch a…
In this video we outline the Physical Segments view of NetCrunch network monitor. By following this brief how-to video, you will be able to learn how NetCrunch visualizes your network, how granular is the information collected, as well as where to f…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question