Solved

Quickbooks and Limited accounts

Posted on 2004-04-05
11
7,917 Views
Last Modified: 2013-12-04
I have a Windows XP Pro user on a Limited account. The user must never be able to install software, however, the user must be able to use software that has been installed onto the computer.

Quickbooks is one such program the complains that it doesn't have access to modify/add/delete files.

When I called Intuit, they told me to add Power Users to the user's groups, which works, but also allows the user to install programs. I can't allow that.

Is there a way to keep the system secure, but allow currently installed software to run?

Points only awarded to a step-by-step instruction on the process of giving a user (or program) such access.
0
Comment
Question by:frankmorrison
11 Comments
 
LVL 12

Expert Comment

by:trywaredk
ID: 10761090
Folder Guard - Frequently Asked Questions (FAQ)
http://www.winability.com/folderguard/faq.htm#security
http://www.winability.com/folderguard/prevent-installing.htm
http://www.winability.com/folderguard/restrict-removable-disks.htm

Many Regards
Jorgen Malmgren
IT-Supervisor
Denmark

:o) Your brain is like a parachute. It works best when it's open
0
 
LVL 1

Author Comment

by:frankmorrison
ID: 10761739
Sorry, third party software solutions will not work for me. I need a way to do this through windows xp.
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 10762356
You need to find out where the software wants to modify/create/delete files. Chances are that we are talking only one or a few directories. Then modify the directory permissions to allow the user (or the group) to modify/create/delete files in these dirs. This will allow your restricted user to run the software, but will not allow to install new software.
0
 
LVL 44

Accepted Solution

by:
Karl Heinz Kremer earned 300 total points
ID: 10762359
... and, you can use Filemon (http://www.sysinternals.com/ntw2k/source/filemon.shtml) to find out which files or directories need to be modified.
0
 
LVL 6

Assisted Solution

by:Joseph_Moore
Joseph_Moore earned 200 total points
ID: 10762799
To add to what khkremer said, you might also need to know what Registry hives/branches Quickbooks uses. Individual branches can have their own security applied to them. So, it is possible to give only Administrator and/or Power Users rights to a specific branch in the Registry. Then, when a user who is NOT in those groups tries to use the software, they get Registry errors when the software loads. Really annoying trying to troubleshoot these things.
Regmon (also from Sysinternals) will tell you what Registry locations are being accessed.
http://www.sysinternals.com/ntw2k/source/regmon.shtml
Tweaking the permissions on a machine to not give a user account too much power, but to still allow them to run a program that is very secure, is a very difficult thing. It is possible, it just takes a while.
My worse experience in doing this was for Crystal Reports v8! That was bad! Tweaking the files AND the Registry permissions!
Fun for the whole family....
Good luck
0
Free Gift Card with Acronis Backup Purchase!

Backup any data in any location: local and remote systems, physical and virtual servers, private and public clouds, Macs and PCs, tablets and mobile devices, & more! For limited time only, buy any Acronis backup products and get a FREE Amazon/Best Buy gift card worth up to $200!

 
LVL 44

Assisted Solution

by:Karl Heinz Kremer
Karl Heinz Kremer earned 300 total points
ID: 10764162
If you need to change the permissions on a registry key, you need to run regedt32. The "normal" regedit does not allow this. Look under the "Security" menu.
0
 

Expert Comment

by:Donzilla
ID: 11034175
Sorry about the length, but I didn't want to claim credit for this. I found this post via google and it sounds like the chap landed here before going on to solve the problem, so since he did not post his findings, I decided to take the leap and do so for him. I used these two permission-modifications succesfully to get Quickbooks 2002 Pro running on a W2K TS (DC even!) today for restricted users. Toodle-pip!

[syndicated from http://dev.remotenetworktechnology.com/ts/app/installs.htm]

QuickBooks Pro 2002

From a post by David Dawson:

   Finally figured out how to add Quickbooks to a Terminal Server 2000 Server
and have normal Domain User accounts run it.  I had installed it but no
regular users could run it but instead got the following error message:

"Your user account for Windows was created with Restricted access to system
resources.  This will prevent QuickBooks from operating properly.  Please
contact your system administrator and ask him or her to grant you Standard
user rights."

I'd found several postings referencing Sysinternal's Regmon and Filemon to
see what it was accessing but no details posted so thought I'd document it
here.  Finding the files and keys it was accessing and loosening permissions
slowly gave them access with these minimum changes

I created a Quickbooks Users group, added my users, and gave the group Full
Access to the HKLM\Software\Intuit\QuickBooksRegistration Key

To let them run the update they needed Modify rights to the Program
Files\Intuit\Quickbooks Pro folder.

The data is stored in another place where permissions are controlled
differently.  These permissions just let them run the program, not open the
data.

[end syndicated from http://dev.remotenetworktechnology.com/ts/app/installs.htm]
0
 

Expert Comment

by:scottjohnstone
ID: 11618955
This did not work for me by itself with Quickbooks 2004.
What I needed to do was:
1) Make the change previously noted to c:\program files\intuit (modify for quickbooks users)
2) Install an application compatibility "shim" via the appcompat toolkit & create an entry for Quickbooks denoting it as an LUA (limited user access) program.  You the install the shim on the machines running quickbooks.  You can d/l it from ms.com.

Cheers,

Scott
0
 

Expert Comment

by:Mike4CCM
ID: 12041248
I have the toolkit installed, but I don't know how to install an application compatibility "shim", please help!!

- Thank you,
Mike
0
 
LVL 44

Expert Comment

by:Karl Heinz Kremer
ID: 12042347
Please don't post new questions in already closed questions. You will find a bigger audience if you post a new question.
0
 

Expert Comment

by:GMJ29
ID: 12766210
For QuickBooks 2003 this is what we found we had to do to keep the user out of the power users group and run on xp:

full control to the intuit directory in c:\program files
full control to the reg key hklm\software\intuit
go into the permissions of the desktop shortcut and change the compatibility to run as Windows 2000
add the user to the local admin group and logon one time into qb, go into the options and uncheck the box that turns on the company navigator when you open any company.
logoff and take the user out of the local admin group

they should be able to use now.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

As I write this article, I am finishing cleanup from the Qakbot virus variant found in the wild on April 18, 2011.  It was a messy beast that had varying levels of infection, speculated as being dependent on how long it resided on the infected syste…
No security measures warrant 100% as a "silver bullet". The truth is we also cannot assume anything but a defensive and vigilance posture. Adopt no trust by default and reveal in assumption. Only assume anonymity or invisibility in the reverse. Safe…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now