Windows SBS 2003 permissions help

tuckerobie
I am setting up a Windows SBS 2003 R2 server to host a point of sales application for a family owned store. When I try to run the software from the workstation logged in to the domain as a user, the program won't run. When I try it as an admin, it runs just fine. I have set folder permissions to allow users full access to the folder and program. I am not a tech pro; I am just the one at this family owned business that was lucky enough to be given this task... Any help would be wonderful!

Tucker
    SAJChurchey

    So the application is installed on the server? How is the user supposed to access the application from the workstation (What are the steps involved to start the program)? What all was involved in installing the program to begin with?

    Also, when you are running the application as administrator, are you running it on the workstation as administrator or on the server as the administrator?

    It is most likely that there is another file or a registry key *somewhere* that still needs the permissions changed for the users to be able to run.

    tuckerobie

    There is a runtime program that is installed on all computers in order for them to run the actual exe that is a file located on the server. The initial install of the program is just a matter of copying the program files to the share location and installing the runtime files.

    All of my testing has taken place on the end user workstation as admin and user.

    How would I go about finding this registry key?

    Thank you so much for taking the time to help me with this.

    SAJChurchey

    For this kind of problem, I usually use two tools: FileMon and RegMon (Download them from http://technet.microsoft.com/en-us/sysinternals/86a95979-23f8-45f5-9480-f4ed9dab3aab.aspx)

    These tools run in the background and monitor every file/registry transaction that the computer is performing (along with the name of the program trying to complete the task). In these situations, you are usually looking for a few transactions to fail with the reason being "ACCESS_DENIED."

    Log in as the user. You need to start FileMon as the administrator (right click on the EXE and use "Run As" and enter the administrator login info). While FileMon is up, try to start the program and FileMon will start recording the attempts of different programs to open/close/write to files. Once you are sure that the program has failed to start, stop the Capture and look through the various transactions. You're looking for one that says ACCESS_DENIED. The path to the file/registry key should also be given, and this is the file/folder you need to change permissions on.

    RegMon (monitors the registry) works pretty much the exact same way, but it only deals with attempts to use the registry. You can also start the registry editor (start -> Run -> regedit) and you can change the permissions on keys in much the same way as files (Right-Click, Permissions, Security tab). Be careful not to REMOVE any permissions or you may break your system.

    If you fool around with the FileMon/RegMon interface, you'll discover that you can Exclude processes you're not concerned with (like a lot of the background programs/processes) and you can start/stop the capture at will. Remember that you're only concerned with the one program that you're trying to use, anything else is just clutter.

    I know this is a bit technical, but it's the easiest way I've found to solve these kinds of problems. You may also consider changing your user account to at least "Power User" or "Administrator" and this should also resolve these permission issues without a lot of fuss. It sounds like you are trying to avoid doing this, and I agree that it's best if everyday users use a non-administrative account.

    It may be a bit complicated, but please post here for any more help/explanations.
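
The capture-and-filter step described in the post above, as an added example that is not part of the original thread: it reads a saved monitor log, keeps only one process, and lists the paths that were denied separately from the ones that were merely not found. The tab-separated column layout, the process name `posapp.exe`, the sample paths and the result spellings accepted are all assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample log (not real output). Assumed layout, tab-separated:
# sequence, time, process:pid, request, path, result, other
SAMPLE_LOG = "\n".join([
    "1\t10:15:01\texplorer.exe:1200\tOPEN\tC:\\WINDOWS\\system32\\shell32.dll\tSUCCESS\t",
    "2\t10:15:02\tposapp.exe:2304\tOPEN\t\\\\SERVER\\POS\\posapp.ini\tSUCCESS\tOptions: Open",
    "3\t10:15:02\tposapp.exe:2304\tCREATE\tC:\\Program Files\\PosRuntime\\session.lck\tACCESS DENIED\t",
    "4\t10:15:02\tposapp.exe:2304\tOpenKey\tHKLM\\SOFTWARE\\PosVendor\\Settings\tACCDENIED\tAccess: 0x2001F",
    "5\t10:15:03\tposapp.exe:2304\tOpenKey\tHKCU\\Software\\PosVendor\\Recent\tNOTFOUND\t",
    "6\t10:15:03\tsvchost.exe:880\tOpenKey\tHKLM\\SYSTEM\\Example\tACCESS_DENIED\t",
    "7\t10:15:04\tposapp.exe:2304\tCREATE\tC:\\Program Files\\PosRuntime\\session.lck\tACCESS DENIED\t",
])

# Result strings after normalisation. The accepted spellings are an assumption;
# tool versions differ in how they abbreviate the status text.
DENIED = {"ACCESSDENIED", "ACCDENIED"}
NOT_FOUND = {"NOTFOUND", "FILENOTFOUND", "NAMENOTFOUND"}

def normalise(result):
    # "ACCESS DENIED", "ACCESS_DENIED" and "Access Denied" all become "ACCESSDENIED".
    return "".join(ch for ch in result.upper() if ch.isalnum())

def triage(log_text, process_name):
    """Return {'denied': {path: {requests}}, 'not_found': {...}} for one process."""
    report = {"denied": defaultdict(set), "not_found": defaultdict(set)}
    reader = csv.reader(io.StringIO(log_text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        if len(row) < 6:
            continue  # header, blank or truncated line
        process, request, path, result = row[2], row[3], row[4], normalise(row[5])
        # Drop the ":pid" suffix and ignore every other process (the "clutter").
        if process.rsplit(":", 1)[0].lower() != process_name.lower():
            continue
        if result in DENIED:
            report["denied"][path].add(request)
        elif result in NOT_FOUND:
            report["not_found"][path].add(request)
    return report

if __name__ == "__main__":
    report = triage(SAMPLE_LOG, "posapp.exe")
    for kind in ("denied", "not_found"):
        for path, requests in sorted(report[kind].items()):
            print(f"{kind:9}  {', '.join(sorted(requests)):8}  {path}")
```

Each path under `denied` is a candidate for a targeted permission grant to the users group, which keeps the everyday account non-administrative.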

    tuckerobie

    This has been extremely helpful! I will let you know what I come up with.

    tuckerobie

    In RegMon I'm getting a lot of not founds on the exe in question.

    SAJChurchey

    I wouldn't worry TOO much about Not Founds. Sometimes a program will check to see if something is there and if not, create it, and some programs do this every time you start them.

    If it is causing your problem, it would mean that the program wasn't installed on the workstation correctly, and I would try to install the runtime files again.

    You didn't find any "ACCESS DENIED"? How about FileMon? Any promising results there?

    You may also want to go ahead and escalate the user's privileges to Administrator. If the user is then able to open the program, then we are correct in believing it is the permissions and are on the right track.

    tuckerobie

    I'm not seeing any "Access Denied", just "Not Found". If I go to the properties of the file or process that says not found, it says <access denied> there... I think I will reinstall and try again from scratch with the application and use RegMon and FileMon from the beginning.

    SAJChurchey

    How is everything going? Solved the problem yet? Any luck with escalating the user account to an Administrator?

    CG IT

    which are limited rights accounts.

    If you install the client program on workstations [POS unit] which run Windows XP, you need to use the runas and use the admin account.

    Is this a POS system that boots to XP and then automatically launches the POS software? Or is this a turnkey POS system?


    XP

    tuckerobie

    The POS units are Windows XP Pro machines that then launch the software.

    CG IT

    and if the POS software is any good, then it requires users of the POS software to log in, which isn't related to domain user accounts.

    So what you really need to do is have a batch file that runs after the desktop is reached which launches the POS software.

    Note: you don't have users log in to the domain on the XP machines and you don't require CTL+ALT+DEL to log in. You automatically log on with the admin account [part of batch file] and then automatically launch the POS software [also part of the batch file].

    Users can shell out of the POS software to get to the desktop but in reality you really don't want them to. This is a POS cash register. You don't want users to muck around with it.

    There are a couple of ways to do this. Use an image file you created, use a batch file you create, or the POS system mfgs ought to have a batch file that does the same thing that they can give you or charge a nominal fee.

    BUT! If all you're doing is polling the POS unit for daily receipts and porting them to the SBS box which then their backoffice comp opens them up with another accounting program to do books, that's another story.

    tuckerobie

    Thanks for the info. The POS systems will be workstations where users need to access email and the internet as well as the Point of Sales software...

    CG IT

    All the POS systems I've worked on at a dozen or so retail stores, from large retail chains like Walmart to specialty clothing stores, don't allow users to shell out to the desktop to do other desktop related work. All use POS registers where the POS program automatically launches on the register. Even turnkey systems do this. Users log on to the POS program but never log on to the XP O/S.

    So if you want, you can teach users how to shell out to the desktop on a register, then relaunch the POS software, but if you do that, users will be able to change the computer settings on the register because you have to use the runas command and admin account to launch the POS program. This is true on all Active Directory domains [besides SBS] where user accounts are domain users which are limited rights accounts.

    You could enable the power users security account and make all users members of this security account, which should grant them the ability to install and run programs; however, from a security standpoint, not advisable. Even if this is just a mom and pop shop.

    CG IT

    Again, this is what retailers like Walmart, most large chain grocery stores, brand name clothing stores, and stores like the local mom and pop Tru-Value hardware stores do.

    They usually have 1 or 2 workstations in the back office that are used for office applications including email. Not many allow employee emails. The ones that do usually have a generic email account for everyone to use, for example: sales@<domain>.com.

    I've yet to run into a store whose cash registers double as a desktop.

    All use startup scripts that launch the POS application, check and apply updates to software & price lists.

    You could try and hide virtually all computer and user settings available in the control panel with Group Policy if you allow users access to the cash register XP desktop but again, I've never run into a company that does this.
