RE: RE: [U2] Windows 2003 server security on new users
We have our users all login into an account and we specify UV account when setting up the user. Our users are in the local user group on machine and they have full rights to the data account, source code account and the uv account. Works like a charm they are dropped right into the account we want them to. We also have code in our menu system that blocks them from TCL. Tony Caufield IS Manager Harbor Wholesale Grocery Inc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Monday, March 17, 2008 6:19 PM To: u2-users@listserver.u2ug.org Subject: Re: RE: [U2] Windows 2003 server security on new users The problem you are experimenting has to do with either Windows understanding the user is an Administrator or a Local Administrator, or not finding where to go in the UVlogins file. - Original Message - From: IT-Laure Hansen Date: Monday, March 17, 2008 7:53 pm Subject: RE: [U2] Windows 2003 server security on new users To: u2-users@listserver.u2ug.org Hi Bill, I'm not a server/network person so please bear with me. We don't want our users to ever go to TCL. There is custom coding in the login paragraph to prevent this. Users get into a customized menu system. We also don't want the users to pick and choose the accounts they access; so, we have been setting them up with the account path in the profile tab, under the home folder, local path. This worked like a charm on Win2000, but ever since we upgraded to Win2003, creating new users resets the permissions to the selected account path as soon as we save the new user with that path as their local path. So the path is not truly to a user profile, but to their home directory. Since they share directories (we only have so many Universeaccounts), we don't want the permissions to be reset. I hope this makes more sense. If there is a better way to do this, please let me know: we've been doing this by rote and are obviously missing a piece of the equation. Thanks! Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Haskett Sent: Monday, March 17, 2008 4:21 PM To: u2-users@listserver.u2ug.org Subject: RE: [U2] Windows 2003 server security on new users Laure: Are you saying you set permissions to a UV account (e.g. E:\OurUV\Production). Then, when you create a new user and place this directory in their profile tab the permissions change? Why are the roaming user profiles maintained in a UV dbms directory? Doesn't it seem reasonable that the profile directory is altered as you describe? I'm wondering if these profiles shouldn't be maintained in another directory like E:\UVProfiles\%username%. Bill -Original Message- From: [EMAIL PROTECTED] [mailto:owner-u2- [EMAIL PROTECTED] On Behalf Of IT-Laure Hansen Sent: Monday, March 17, 2008 9:59 AM To: u2-users@listserver.u2ug.org Subject: [U2] Windows 2003 server security on new users Universe 10.2 on Win2003 server SP2 (but was happening before SP2 as well): our set-up requires that users get created with the path to a valid Universe account in the user's profile tab. As soon as I do this, using the admin login on the server, the original permissions on the account are removed and all that remains are administrator and the new user. This is not acceptable, as Universe requires wide-open security (the effect of this is that other users can no longer even log to the account). I've been creating new users after hours because of this, and it's starting to drive me nuts! Does anyone know of a fix, either via change to Windows security policies, hotfixes etc? Thanks, Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/
RE: [U2] Windows 2003 server security on new users
Laure: Are you saying you set permissions to a UV account (e.g. E:\OurUV\Production). Then, when you create a new user and place this directory in their profile tab the permissions change? Why are the roaming user profiles maintained in a UV dbms directory? Doesn't it seem reasonable that the profile directory is altered as you describe? I'm wondering if these profiles shouldn't be maintained in another directory like E:\UVProfiles\%username%. Bill -Original Message- From: [EMAIL PROTECTED] [mailto:owner-u2- [EMAIL PROTECTED] On Behalf Of IT-Laure Hansen Sent: Monday, March 17, 2008 9:59 AM To: u2-users@listserver.u2ug.org Subject: [U2] Windows 2003 server security on new users Universe 10.2 on Win2003 server SP2 (but was happening before SP2 as well): our set-up requires that users get created with the path to a valid Universe account in the user's profile tab. As soon as I do this, using the admin login on the server, the original permissions on the account are removed and all that remains are administrator and the new user. This is not acceptable, as Universe requires wide-open security (the effect of this is that other users can no longer even log to the account). I've been creating new users after hours because of this, and it's starting to drive me nuts! Does anyone know of a fix, either via change to Windows security policies, hotfixes etc? Thanks, Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/
RE: [U2] Windows 2003 server security on new users
Hi Bill, I'm not a server/network person so please bear with me. We don't want our users to ever go to TCL. There is custom coding in the login paragraph to prevent this. Users get into a customized menu system. We also don't want the users to pick and choose the accounts they access; so, we have been setting them up with the account path in the profile tab, under the home folder, local path. This worked like a charm on Win2000, but ever since we upgraded to Win2003, creating new users resets the permissions to the selected account path as soon as we save the new user with that path as their local path. So the path is not truly to a user profile, but to their home directory. Since they share directories (we only have so many Universe accounts), we don't want the permissions to be reset. I hope this makes more sense. If there is a better way to do this, please let me know: we've been doing this by rote and are obviously missing a piece of the equation. Thanks! Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Haskett Sent: Monday, March 17, 2008 4:21 PM To: u2-users@listserver.u2ug.org Subject: RE: [U2] Windows 2003 server security on new users Laure: Are you saying you set permissions to a UV account (e.g. E:\OurUV\Production). Then, when you create a new user and place this directory in their profile tab the permissions change? Why are the roaming user profiles maintained in a UV dbms directory? Doesn't it seem reasonable that the profile directory is altered as you describe? I'm wondering if these profiles shouldn't be maintained in another directory like E:\UVProfiles\%username%. Bill -Original Message- From: [EMAIL PROTECTED] [mailto:owner-u2- [EMAIL PROTECTED] On Behalf Of IT-Laure Hansen Sent: Monday, March 17, 2008 9:59 AM To: u2-users@listserver.u2ug.org Subject: [U2] Windows 2003 server security on new users Universe 10.2 on Win2003 server SP2 (but was happening before SP2 as well): our set-up requires that users get created with the path to a valid Universe account in the user's profile tab. As soon as I do this, using the admin login on the server, the original permissions on the account are removed and all that remains are administrator and the new user. This is not acceptable, as Universe requires wide-open security (the effect of this is that other users can no longer even log to the account). I've been creating new users after hours because of this, and it's starting to drive me nuts! Does anyone know of a fix, either via change to Windows security policies, hotfixes etc? Thanks, Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/
Re: RE: [U2] Windows 2003 server security on new users
The problem you are experimenting has to do with either Windows understanding the user is an Administrator or a Local Administrator, or not finding where to go in the UVlogins file. - Original Message - From: IT-Laure Hansen Date: Monday, March 17, 2008 7:53 pm Subject: RE: [U2] Windows 2003 server security on new users To: u2-users@listserver.u2ug.org Hi Bill, I'm not a server/network person so please bear with me. We don't want our users to ever go to TCL. There is custom coding in the login paragraph to prevent this. Users get into a customized menu system. We also don't want the users to pick and choose the accounts they access; so, we have been setting them up with the account path in the profile tab, under the home folder, local path. This worked like a charm on Win2000, but ever since we upgraded to Win2003, creating new users resets the permissions to the selected account path as soon as we save the new user with that path as their local path. So the path is not truly to a user profile, but to their home directory. Since they share directories (we only have so many Universeaccounts), we don't want the permissions to be reset. I hope this makes more sense. If there is a better way to do this, please let me know: we've been doing this by rote and are obviously missing a piece of the equation. Thanks! Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Haskett Sent: Monday, March 17, 2008 4:21 PM To: u2-users@listserver.u2ug.org Subject: RE: [U2] Windows 2003 server security on new users Laure: Are you saying you set permissions to a UV account (e.g. E:\OurUV\Production). Then, when you create a new user and place this directory in their profile tab the permissions change? Why are the roaming user profiles maintained in a UV dbms directory? Doesn't it seem reasonable that the profile directory is altered as you describe? I'm wondering if these profiles shouldn't be maintained in another directory like E:\UVProfiles\%username%. Bill -Original Message- From: [EMAIL PROTECTED] [mailto:owner-u2- [EMAIL PROTECTED] On Behalf Of IT-Laure Hansen Sent: Monday, March 17, 2008 9:59 AM To: u2-users@listserver.u2ug.org Subject: [U2] Windows 2003 server security on new users Universe 10.2 on Win2003 server SP2 (but was happening before SP2 as well): our set-up requires that users get created with the path to a valid Universe account in the user's profile tab. As soon as I do this, using the admin login on the server, the original permissions on the account are removed and all that remains are administrator and the new user. This is not acceptable, as Universe requires wide-open security (the effect of this is that other users can no longer even log to the account). I've been creating new users after hours because of this, and it's starting to drive me nuts! Does anyone know of a fix, either via change to Windows security policies, hotfixes etc? Thanks, Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/
RE: [U2] Windows 2003 server security on new users {unclassified}
Hi Laure We run UV 10.1.18 on Win 2003 SP2 and have no problems pointing all our users to one account. We also prevent them from going to TCL and have them use a custom menu system. Overall, we have 180+ users logging in daily from all over the world using our internal WAN and Citrix. To manage security, I put users into logical windows groups and use NTFS permissions on the various UV file folders to give or deny access to data as applicable. To get the users to login to the correct account I do not, however, use their windows Profile (AD or otherwise). Instead I setup a UV.LOGINS record for each user. This is accessible through UniAdmin under the Network Services/Telnet menu. Click the Users tab and then the Add User button. Use their Windows login ID, in uppercase, as the user name. If it is a domain login, put the domain name and the path to the account that you want them to use in the Domains area. If it is a local login id (created on the server which hosts UV), then use the Local Machines area. Either way, it is important that it is all in upper case and the account path is used, not the account name. Then under the parameters tab, click the UV Account radio button so UV will use the local info and not the home path. Using this method does not change permissions on the account when a user is setup and does not make the system any less secure. It also gives you more control over who has access to your DB if you do not have direct access to the Windows profiles. I hope this helps, Andrew Mack Snr DB Mgr. New Zealand Defence Force -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of IT-Laure Hansen Sent: Tuesday, 18 March 2008 12:20 p.m. To: u2-users@listserver.u2ug.org Subject: RE: [U2] Windows 2003 server security on new users Hi Bill, I'm not a server/network person so please bear with me. We don't want our users to ever go to TCL. There is custom coding in the login paragraph to prevent this. Users get into a customized menu system. We also don't want the users to pick and choose the accounts they access; so, we have been setting them up with the account path in the profile tab, under the home folder, local path. This worked like a charm on Win2000, but ever since we upgraded to Win2003, creating new users resets the permissions to the selected account path as soon as we save the new user with that path as their local path. So the path is not truly to a user profile, but to their home directory. Since they share directories (we only have so many Universe accounts), we don't want the permissions to be reset. I hope this makes more sense. If there is a better way to do this, please let me know: we've been doing this by rote and are obviously missing a piece of the equation. Thanks! Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bill Haskett Sent: Monday, March 17, 2008 4:21 PM To: u2-users@listserver.u2ug.org Subject: RE: [U2] Windows 2003 server security on new users Laure: Are you saying you set permissions to a UV account (e.g. E:\OurUV\Production). Then, when you create a new user and place this directory in their profile tab the permissions change? Why are the roaming user profiles maintained in a UV dbms directory? Doesn't it seem reasonable that the profile directory is altered as you describe? I'm wondering if these profiles shouldn't be maintained in another directory like E:\UVProfiles\%username%. Bill -Original Message- From: [EMAIL PROTECTED] [mailto:owner-u2- [EMAIL PROTECTED] On Behalf Of IT-Laure Hansen Sent: Monday, March 17, 2008 9:59 AM To: u2-users@listserver.u2ug.org Subject: [U2] Windows 2003 server security on new users Universe 10.2 on Win2003 server SP2 (but was happening before SP2 as well): our set-up requires that users get created with the path to a valid Universe account in the user's profile tab. As soon as I do this, using the admin login on the server, the original permissions on the account are removed and all that remains are administrator and the new user. This is not acceptable, as Universe requires wide-open security (the effect of this is that other users can no longer even log to the account). I've been creating new users after hours because of this, and it's starting to drive me nuts! Does anyone know of a fix, either via change to Windows security policies, hotfixes etc? Thanks, Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/ --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe
RE: RE: [U2] Windows 2003 server security on new users {unclassified}
I think it has more to do with Windows believing that if this folder is to be your Home folder, then only you should have access to it, and changing the permissions accordingly. A case of MS knows best ;-) It is better, IMHO, to setup the UV.LOGINS record for your users than use the windows profile to manage this. More control and less grief. Andrew Mack -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Tuesday, 18 March 2008 2:19 p.m. To: u2-users@listserver.u2ug.org Subject: Re: RE: [U2] Windows 2003 server security on new users The problem you are experimenting has to do with either Windows understanding the user is an Administrator or a Local Administrator, or not finding where to go in the UVlogins file. - Original Message - From: IT-Laure Hansen Date: Monday, March 17, 2008 7:53 pm Subject: RE: [U2] Windows 2003 server security on new users To: u2-users@listserver.u2ug.org Hi Bill, I'm not a server/network person so please bear with me. We don't want our users to ever go to TCL. There is custom coding in the login paragraph to prevent this. Users get into a customized menu system. We also don't want the users to pick and choose the accounts they access; so, we have been setting them up with the account path in the profile tab, under the home folder, local path. This worked like a charm on Win2000, but ever since we upgraded to Win2003, creating new users resets the permissions to the selected account path as soon as we save the new user with that path as their local path. So the path is not truly to a user profile, but to their home directory. Since they share directories (we only have so many Universeaccounts), we don't want the permissions to be reset. I hope this makes more sense. If there is a better way to do this, please let me know: we've been doing this by rote and are obviously missing a piece of the equation. Thanks! Laure Hansen, City of Redwood City Information Technology 1017 Middlefield Road Redwood City, CA 94063 Tel 650-780-7087 Cell 650-207-3235 Fax 650-556-9204 [EMAIL PROTECTED] The information contained in this Internet Email message is intended for the addressee only and may contain privileged information, but not necessarily the official views or opinions of the New Zealand Defence Force. If you are not the intended recipient you must not use, disclose, copy or distribute this message or the information in it. If you have received this message in error, please Email or telephone the sender immediately. --- u2-users mailing list u2-users@listserver.u2ug.org To unsubscribe please visit http://listserver.u2ug.org/
