Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people, just like you, are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
Solved

Quickbooks and Limited accounts

Posted on 2004-04-05
11
7,952 Views
Last Modified: 2013-12-04
I have a Windows XP Pro user on a Limited account. The user must never be able to install software, however, the user must be able to use software that has been installed onto the computer.

Quickbooks is one such program the complains that it doesn't have access to modify/add/delete files.

When I called Intuit, they told me to add Power Users to the user's groups, which works, but also allows the user to install programs. I can't allow that.

Is there a way to keep the system secure, but allow currently installed software to run?

Points only awarded to a step-by-step instruction on the process of giving a user (or program) such access.
0
Comment
Question by:frankmorrison
11 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10761090
Folder Guard - Frequently Asked Questions (FAQ)
http://www.winability.com/folderguard/faq.htm#security
http://www.winability.com/folderguard/prevent-installing.htm
http://www.winability.com/folderguard/restrict-removable-disks.htm

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 1

Author Comment

by:frankmorrison
ID: 10761739
Sorry, third party software solutions will not work for me. I need a way to do this through windows xp.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10762356
You need to find out where the software wants to modify/create/delete files. Chances are that we are talking only one or a few directories. Then modify the directory permissions to allow the user (or the group) to modify/create/delete files in these dirs. This will allow your restricted user to run the software, but will not allow to install new software.
0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 44

Accepted Solution

by:
Karl Heinz Kremer earned 300 total points
ID: 10762359
... and, you can use Filemon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) to find out which files or directories need to be modified.
0
 
LVL 6

Assisted Solution

by:Joseph_Moore
Joseph_Moore earned 200 total points
ID: 10762799
To add to what khkremer said, you might also need to know what Registry hives/branches Quickbooks uses. Individual branches can have their own security applied to them. So, it is possible to give only Administrator and/or Power Users rights to a specific branch in the Registry. Then, when a user who is NOT in those groups tries to use the software, they get Registry errors when the software loads. Really annoying trying to troubleshoot these things.
Regmon (also from Sysinternals) will tell you what Registry locations are being accessed.
http://www.sysinternals.com/ntw2k/source/regmon.shtml
Tweaking the permissions on a machine to not give a user account too much power, but to still allow them to run a program that is very secure, is a very difficult thing. It is possible, it just takes a while.
My worse experience in doing this was for Crystal Reports v8! That was bad! Tweaking the files AND the Registry permissions!
Fun for the whole family....
Good luck
0
 
LVL 44

Assisted Solution

by:Karl Heinz Kremer
Karl Heinz Kremer earned 300 total points
ID: 10764162
If you need to change the permissions on a registry key, you need to run regedt32. The "normal" regedit does not allow this. Look under the "Security" menu.
0
 

Expert Comment

by:Donzilla
ID: 11034175
Sorry about the length, but I didn't want to claim credit for this. I found this post via google and it sounds like the chap landed here before going on to solve the problem, so since he did not post his findings, I decided to take the leap and do so for him. I used these two permission-modifications succesfully to get Quickbooks 2002 Pro running on a W2K TS (DC even!) today for restricted users. Toodle-pip!

[syndicated from http://dev.remotenetworktechnology.com/ts/app/installs.htm]

QuickBooks Pro 2002

From a post by David Dawson:

   Finally figured out how to add Quickbooks to a Terminal Server 2000 Server
and have normal Domain User accounts run it.  I had installed it but no
regular users could run it but instead got the following error message:

"Your user account for Windows was created with Restricted access to system
resources.  This will prevent QuickBooks from operating properly.  Please
contact your system administrator and ask him or her to grant you Standard
user rights."

I'd found several postings referencing Sysinternal's Regmon and Filemon to
see what it was accessing but no details posted so thought I'd document it
here.  Finding the files and keys it was accessing and loosening permissions
slowly gave them access with these minimum changes

I created a Quickbooks Users group, added my users, and gave the group Full
Access to the HKLM\Software\Intuit\QuickBooksRegistration Key

To let them run the update they needed Modify rights to the Program
Files\Intuit\Quickbooks Pro folder.

The data is stored in another place where permissions are controlled
differently.  These permissions just let them run the program, not open the
data.

[end syndicated from http://dev.remotenetworktechnology.com/ts/app/installs.htm]
0
 

Expert Comment

by:scottjohnstone
ID: 11618955
This did not work for me by itself with Quickbooks 2004.
What I needed to do was:
1) Make the change previously noted to c:\program files\intuit (modify for quickbooks users)
2) Install an application compatibility "shim" via the appcompat toolkit & create an entry for Quickbooks denoting it as an LUA (limited user access) program.  You the install the shim on the machines running quickbooks.  You can d/l it from ms.com.

Cheers,

Scott
0
 

Expert Comment

by:Mike4CCM
ID: 12041248
I have the toolkit installed, but I don't know how to install an application compatibility "shim", please help!!

- Thank you,
Mike
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 12042347
Please don't post new questions in already closed questions. You will find a bigger audience if you post a new question.
0
 

Expert Comment

by:GMJ29
ID: 12766210
For QuickBooks 2003 this is what we found we had to do to keep the user out of the power users group and run on xp:

full control to the intuit directory in c:\program files
full control to the reg key hklm\software\intuit
go into the permissions of the desktop shortcut and change the compatibility to run as Windows 2000
add the user to the local admin group and logon one time into qb, go into the options and uncheck the box that turns on the company navigator when you open any company.
logoff and take the user out of the local admin group

they should be able to use now.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
treatment for PCs used by guards, CCTV recording & environment sensors 8 93
Move Event Log in windows 2012 3 109
Windows Master Password 11 58
Botnet detection help me please 21 133
In today's information driven age, entrepreneurs have so many great tools and options at their disposal to help turn good ideas into a thriving business. With cloud-based online services, such as Amazon's Web Services (AWS) or Microsoft's Azure, bus…
Users of Windows 10 Professional can disable automatic reboots using the policy editor. This tool is not included in the Windows home edition. But don't worry! Follow the instructions below to install (a Win7) policy editor on your Windows 10 Home e…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Finds all prime numbers in a range requested and places them in a public primes() array. I've demostrated a template size of 30 (2 * 3 * 5) but larger templates can be built such 210  (2 * 3 * 5 * 7) or 2310  (2 * 3 * 5 * 7 * 11). The larger templa…

837 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question