Solved

Unable to use email feature in Quickbooks on Terminal Server without being power user or above.

Posted on 2004-10-04
Last Modified: 2010-05-18
Hello Experts,

The situation is this.  I have Metaframe XP running on Windows 2000 Server with Quickbooks Enterprise Solutions as the published application.  Recently I have had a user who wanted to use the email feature in Quickbooks, which seems to call a regular Windows mail profile to choose and then opens Outlook with a form attached (Invoice, Statement,...etc) in PDF format.  

In order for this to work, I had to add the User to the local Power Users group on the Metaframe Server.  By doing this it gave him access to view but not print to every other user's auto-created printer.  This is normal in a Terminal Server environment but is unacceptable as he is able to view printers in Quickbooks from companies other than his own.  

When the user is just part of the Domain Users group he doesn't see anyone's printers except his own.  But when the email button in Quickbooks is executed nothing happens.  No error messages, nothing.

So, please help me find a way to have this user access the email feature without being part of a group with elevated privileges.  It seems to me that the email feature calls upon files and registry entries needed to be written to or read from that requires a user with power user or above privileges.
Thanks
Mike
Question by:zCitrixz
16 Comments
 
LVL 9

Expert Comment

by:SamuraiCrow
ID: 12218843
I've been slugging it out with quickbooks on this very issue and here is what I have:

According to Quickbooks users have to be a member of the Power Users group for it to work
(I agree it is absolutely insane, I've spoken to MS and Quickbooks and they both point the finger at the other)

As far as the printing issue goes I've developed a workaround although I am still looking for a long term solution (See this link)
http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21106068.html

One other thing that I have come across is that applying the compatws.inf security template can open up the registry for legacy (aka poorly designed).  I haven't tried this on my machine yet as it is already in production but it sounds promising.  If it doesn't work you can always import a higher security template.  

I feel your pain on this one.  Let me know if you need any help or clarification.
Crow

Author Comment

by:zCitrixz
ID: 12221688
Thanks Crow,

I will look into your post and excellent suggestions first chance I get and will let you know how I make out.  It's comforting to know that there is someone else out there with a successful TS/Quickbooks install to get help from.  And, oh yeah, share the pain with.

Thanks again

Mike

Author Comment

by:zCitrixz
ID: 12251074
Crow,
I am having access errors with the subinacl command.  Here is the output I get for a user that is in the local power users group on the Citrix Server.

SeSecurityPrivilege : Access is denied.
WARNING :Unable to set SeSecurityPrivilege privilege. This privilege may be required.
Client\CITRIXZ#\\\DOLLARS\hp psc 900 series [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\CITRIXZ#\Intuit Internal Printer [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\OFFICE#\Brother MFL Pro Printer [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\OFFICE#\HP DeskJet 540 Printer [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\OFFICE#\Brother MFL Pro Printer - OpenPrinter Error : 5 Access is denied.
Client\OFFICE#\HP DeskJet 540 Printer - OpenPrinter Error : 5 Access is denied.
Client\KRISTA#\Canon i450 [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\KRISTA#\hp psc 2170 series [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\BRAD#\\\LEX\HP Color Inkjet CP1700 [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\BRAD#\\\lex\Fax [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\BRAD#\Intuit Internal Printer [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\BRAD#\Microsoft Office Document Image Writer [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\BRAD#\\\LEX\Kyocera Mita KM-2030 KX - OpenPrinter Error : 5 Access is denied.
Client\BRAD#\\\LEX\HP Color Inkjet CP1700 - OpenPrinter Error : 5 Access is denied.
Client\FrontDeskTint#\HP DeskJet 540 Printer [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\FrontDeskTint#\Brother MFL Pro Printer [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\FrontDeskTint#\HP DeskJet 540 Printer - OpenPrinter Error : 5 Access is denied.
Client\FrontDeskTint#\Brother MFL Pro Printer - OpenPrinter Error : 5 Access is denied.
Client\DYANA#\\\KRISTA\hp psc 2170 series [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\DYANA#\ActiveTouch Document Loader [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\DYANA#\HP LaserJet 3300 Series PCL 6 [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\DYANA#\HP LaserJet 3330 Series PS [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\DYANA#\HP LaserJet 3300 Series PCL 6 - OpenPrinter Error : 5 Access is denied.
Client\GRAHAM#\\\LEX\Kyocera Mita KM-2030 KX [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\GRAHAM#\\\LEX\HP Color Inkjet CP1700 [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\GRAHAM#\\\lex\Fax [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\GRAHAM#\Microsoft Office Document Image Writer [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.
Client\GRAHAM#\\\LEX\Kyocera Mita KM-2030 KX - OpenPrinter Error : 5 Access is denied.
Client\GRAHAM#\\\LEX\HP Color Inkjet CP1700 - OpenPrinter Error : 5 Access is denied.
Client\BRAD#\\\LEX\Kyocera Mita KM-2030 KX [UPD:PCL5c] - OpenPrinter Error : 5 Access is denied.

Mike
LVL 9

Expert Comment

by:SamuraiCrow
ID: 12256324
I had to set this up first as a batch file and then as a scheduled task set to run under local administrator credentials.  Give that a shot and see how it does.
LVL 9

Expert Comment

by:SamuraiCrow
ID: 12256328
Did you try the compatws security template already?  I'm curious to know if it works or not.

Author Comment

by:zCitrixz
ID: 12258375
I haven't tried the compatws security template.  I think if all else fails I will give it a go.  Will applying this template cause problems to my existing environment?

Author Comment

by:zCitrixz
ID: 12259634
Ok, I have the batch file setup to run at logon with a scheduled task under the admin account.  I couldn't see the output of the subinacl command but I tested it by applying the power user group to an auto-created printer from my local PC.  After running the batch file the group was gone.  So it's working now.  Thanks

I can still see everyone's printers while a member of power users.  When I look at the security for all the auto-created printers from other users, I don't see any power users group.  Before or after running the script.  

Do I still see everyone's printers because I haven't yet run the script for them at their PC?

Thanks


LVL 9

Expert Comment

by:SamuraiCrow
ID: 12260224
Negative, it should only have to be run on the Term Server.  I had to schedule it as a recurring task (about every five minutes) because once a new user logs on, their printers populate on the term serv with the default groups (including power users).  I've tried setting this script to run when the user logs on but the TS printers haven't populated at that time.  This is one reason why I'm wondering if the compatws template will negate the need to put them in the Power Users group.  This template won't do anything that can't be undone by applying a higher security template to the machine.  It only affects the local machine and you can go into gpedit.msc (from the run dialogue box) after the fact and reverse any changes that are made.  From the reading I've done it opens up the registry for applications that weren't designed with security in mind.  The way I see it is you can compromise security by putting users in the Power Users group (with all the annoying things that go along with it) or you can do it by generally opening up the registry to users (and potentially avoid these headaches).  Keep in mind that I have not personally tested the template for this particular issue but it sounds like the type of problem Microsoft developed the template for.
LVL 9

Expert Comment

by:SamuraiCrow
ID: 12260253
If you want to read up on templates check out this link.  If the compatws template doesn't work you can import the default security template to normalize the server:

http://support.microsoft.com/default.aspx?scid=kb;en-us;816585

Author Comment

by:zCitrixz
ID: 12261420
I will look into the link.  I am worried it will remove permissions for Citrix and the Web Interface.

Regarding the printers.  When I look at everyone's auto-created printers security, I don't see any power users group.  The Security at each printer is the "user" who auto-created, Administrator and System.  This has always been the case.
Do your clients auto-create printers? and when you see them on TS Server (before ever running script) did they have the power users group?
LVL 9

Expert Comment

by:SamuraiCrow
ID: 12261488
By default the power users on my terminal server have permissions on the ACL for any printer objects created on the machine (They also show up on the ACL).  My clients are set up to have their printers autocreated/redirected when they log on to the server.  I wonder if this is a difference between 2000 and 2003 or possibly an extra service that Citrix provides.  I have a spare 2003 box that I am going to set up as a term server and try the compatws trick to see if it will work (it sounds like you are running in a production environment as well).  I'll take a note on the default behaviours and get back with you.
LVL 9

Expert Comment

by:SamuraiCrow
ID: 12261525
I've just checked two of my 2000 Citrix machines and have verified that the default behavior does not place the Power Users group on the ACL for the printer objects.  I'm not sure if this is a 2000/2003 change or a Citrix function.  I'll let you know what results I get with compatws.

Author Comment

by:zCitrixz
ID: 12261564
I am running in a production environment.  I have been yelled at too much of late for anything else to go wrong.

One thing I have noticed is that when using the Email feature, QB calls on the "Intuit Internal Printer".  Also I have run a tool that lists the processes of what files are being accessed when the Email button is executed.  QB calls upon spool.exe in order to send an email.

I can log the results and post later if you like.

Author Comment

by:zCitrixz
ID: 12276501
Finally figured it out!  I couldn't get my mind wrapped around why the spoolsv.exe in the WINNT/system32 was being accessed when executing the email button.  

Quickbooks is trying to access the "Intuit Internal Printer" which creates the PDF document that is to be emailed.  None of my users have this printer in their TS sessions.  As soon as I created the Printer, which is a local printer on the TS Server, email worked fine without any user needing to be in a Power Users group.

There is an executable (install.exe) in the Intuit directory that creates this printer.  You must rename this printer from Ayumni....... to Intuit Internal Printer for the Email to work.

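An added example, not code from this thread or from Intuit or Citrix: a PowerShell audit for a current Windows Server that checks the two things the thread turned on, whether the "Intuit Internal Printer" exists on the server, and whether Power Users still has members or permissions on any printer. It assumes the PrintManagement and LocalAccounts modules, which the Windows 2000 server discussed here does not have.

```powershell
# Added example. Assumes a current Windows Server with the PrintManagement and
# Microsoft.PowerShell.LocalAccounts modules; run elevated on the terminal server.
$requiredPrinter = 'Intuit Internal Printer'   # printer name given in the thread
# Well-known SID of BUILTIN\Power Users (independent of OS display language)
$powerUsersSid = [System.Security.Principal.SecurityIdentifier]'S-1-5-32-547'

# 1. The fix from the thread: the local PDF printer must exist on the server.
$printers = @(Get-Printer -Full)               # -Full also returns PermissionSDDL
if ($printers.Name -notcontains $requiredPrinter) {
    Write-Warning "'$requiredPrinter' is missing; in the thread this made the email button do nothing."
}

# 2. Printers whose DACL still grants rights to Power Users (the exposure that
#    let a Power Users member see other users' auto-created printers).
$exposed = foreach ($p in $printers) {
    if (-not $p.PermissionSDDL) { continue }
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($p.PermissionSDDL)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace -is [System.Security.AccessControl.CommonAce] -and
            $ace.AceQualifier -eq 'AccessAllowed' -and
            $ace.SecurityIdentifier -eq $powerUsersSid) {
            [pscustomobject]@{
                Printer    = $p.Name
                AccessMask = '0x{0:X8}' -f $ace.AccessMask
            }
        }
    }
}

# 3. Accounts that were added to Power Users as a workaround and can now be removed.
$members = @(Get-LocalGroupMember -SID $powerUsersSid -ErrorAction SilentlyContinue)

"Printers granting access to Power Users: $(@($exposed).Count)"
$exposed | Format-Table -AutoSize
"Members of Power Users: $($members.Count)"
$members | Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize
```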
LVL 9

Expert Comment

by:SamuraiCrow
ID: 12278275
Lol, I'm glad you got it worked out.  I've set up a test server with the compatws template applied.  Just for fun I'll let you know how it goes in testing.

Accepted Solution

by:
RomMod earned 0 total points
ID: 12289092
The question has been PAQ'd and the 500 points have been refunded.
RomMod
Community Support Moderator