
Remote administer security settings by updating .mdw 2


votegop

Technical User
Feb 22, 2002
127
US
Anything wrong with remote-administering security settings by distributing updated .mdw's? If my client adds a new employee, I'll need to add their security settings to the .mdw. I don't want this long-distance client to do it themselves (don't want them to belong to ADMINS).

Anyone see a drawback? (BTW - I've searched posts and FAQ)

Jay Evans
 
I do it regularly.

Make sure everyone is logged off before you do it though.


( I have an executive closedown routine that allows me to force users off the remote database if I need to. That ensures that even if someone has gone home at the end of the day and left themselves logged on - I can clear all users of the system whilst being 100's of miles away. - you might consider doing something similar. )

G LS
 
Thanks LittleSmudge.

It sounds like you are doing real remote administration using a remote access program. I was going to simply email the revised .mdw to the client and have them replace the existing .mdw, or do it via CD with a setup utility.

Are you doing real-time administration?
 
I am the admin to a couple of databases... I also have a backup admin... I have set up a form that will do most of the user admin stuff rather easily... they never need to see the back end of the database...

All you would need to do is modify this a little bit...

You can make a different group in the .mdw, and have that have all the same rights as the users group...
In this form's on load event I check the group of the current user, and if it's not in this special group, then it cancels loading the form...

Then in this form I have it so that my other admin can do lots of stuff... make new accounts, delete accounts, reset people's passwords to blank... you know, all that stuff... it seems to work great for me... it frees me up from resetting people's passwords and stuff...

Also, I have a form right in the database that my users use to change their own passwords...

I use user level security but I have added a lot of custom stuff to it... I force a password change every 90 days... I think it's pretty good...

One thing I would suggest if you would like to go this route, make it so that through this form, the people can only add people to the regular user group, so that not everyone will become these (as I call them) user admins...

Just an idea for you...

--James
junior1544@jmjpc.net
Life is change. To deny change is to deny life.
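
The approach described in the post above, as an added illustration (not James's code, which does not appear in this thread): a form module that refuses to open unless the current user is in a delegated group, and that can only ever create accounts in the regular Users group. The group name `UserAdmins`, the helper `IsInGroup` and the routine `AddRegularUser` are hypothetical names, and the workspace passed to `AddRegularUser` is assumed to be logged on as an account that the workgroup file allows to append users.

```vba
Option Compare Database
Option Explicit

' Hypothetical group names: UserAdmins is the delegated "user admin" group,
' Users is the regular group every new account is placed in.
Private Const DELEGATED_GROUP As String = "UserAdmins"
Private Const TARGET_GROUP As String = "Users"

' True when strUser is a member of strGroup in the workgroup file in use.
Private Function IsInGroup(ws As DAO.Workspace, strUser As String, _
                           strGroup As String) As Boolean
    Dim grp As DAO.Group
    ws.Users.Refresh
    For Each grp In ws.Users(strUser).Groups
        If StrComp(grp.Name, strGroup, vbTextCompare) = 0 Then
            IsInGroup = True
            Exit Function
        End If
    Next grp
End Function

' The Open event is used because it can be cancelled; Load cannot.
Private Sub Form_Open(Cancel As Integer)
    If Not IsInGroup(DBEngine.Workspaces(0), CurrentUser(), DELEGATED_GROUP) Then
        MsgBox "You are not authorised to manage accounts.", vbExclamation
        Cancel = True
    End If
End Sub

' Create an account and add it to the regular Users group only.
' The target group is a constant rather than a form field, so this form
' cannot be used to grant membership of UserAdmins or Admins.
' strPID must be 4 to 20 characters; keep a record of it, since the PID
' is needed to recreate the account if the .mdw is ever rebuilt.
Public Sub AddRegularUser(ws As DAO.Workspace, strName As String, _
                          strPID As String, strPassword As String)
    Dim usr As DAO.User
    ' Re-check here as well: the form gate alone does not protect a
    ' routine that other code could call directly.
    If Not IsInGroup(ws, CurrentUser(), DELEGATED_GROUP) Then
        Err.Raise vbObjectError + 1, , "Caller is not a user admin"
    End If
    Set usr = ws.CreateUser(strName, strPID, strPassword)
    ws.Users.Append usr
    usr.Groups.Append usr.CreateGroup(TARGET_GROUP)
End Sub
```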
 
Not so much Real admin - but I do have remote access to the server that the database is on.

So I can log everyone off
Then rename the old System.mdw
Then copy over the new one
( Then I leave them to work out if they can log back in next morning :) ) ( HI )




G LS
 
Hello Junior1544,

I am very interested in your security set up. Does it use the standard Microsoft Access security? Can you tell me some more about this? Or send me a sample of it?

Thanks in advance
Rob!
Robeetpotts1@hotmail.com
 
The app I referenced uses standard access user level security... then I built the other things around that... If you'd like to see some of the things I have put together I can put together an access 2k version of a file for you to look through...

--James
junior1544@jmjpc.net
Life is change. To deny change is to deny life.
 
Hi James

Would most of it work on 97 with a bit of tweaking? I can get access to 2K but my database is in 97.

Rob!
 
I've never used access 2k, but I do use dao for my recordsets (I didn't create this database, and the creator used dao, so I haven't learned ado yet...)

so it might work...

The code in the file I have is uncommented, but it's pretty simple and straightforward...

Just give me a place to send it and it'll be on its way...

--James
junior1544@jmjpc.net
Life is change. To deny change is to deny life.
 
James

Thanks again for a nice little sample DB and the help off the forum you've given me. Much appreciated, have a star.

Rob! [Bigcheeks]
 
junior1544

I would appreciate the opportunity to 'review' your accomplishments.

MichaelRed
m.red@att.net

Searching for employment in all the wrong places
 
Junior,

I am also very interested in the code. I contacted Rob Potts to send it to me. I hope you don't mind?

I am going to use it, because I work on a temporary basis for this firm. I only develop a system, so they have to add/remove new users.

greetz

Tom
 
no problem Tom, Glad to share:)

I can send what I have too if you'd like... I don't know if it's the same as what Rob sent because he's made some mods to it... Nice mods, but it does different things now:)

--James
junior1544@jmjpc.net
Life is change. To deny change is to deny life.
 
Junior,

I'm back in the office right now. I send you an e-mail. Can you send me what you have?

greetz

Tom
 
I have a small question: do you have to be part of the Admins group to administer users? Or can I give a group the privileges to do so?

I want to give some other guy the opportunity to enter a new user of the system.

greetz

Tom
 
'admins' is JUST a group. The permissions for any group (incl. Admins) are just whatever the group permissions are. Anyone with the proper permissions can 'administer' user and/or group permissions.

Just guessing, but your use of the default group name suggests that you need to review the whole security issue carefully, as one of the steps is to remove ALL permissions from the default admins group when setting up Ms. A. Security.

MichaelRed
m.red@att.net

Searching for employment in all the wrong places
 
Michael,

You're absolutely right!
I currently don't use the admin login name, it is now only a user, not part of the admins group. I've made a new login name that has taken over all the rights of admin and is owner of the DB.

Can you tell me what rights I have to give to a person to administer the login users?

greetings,

Tom
 
Why bother with details? Just give the 'Admin' group all rights to all objects, incl. the capability to create. Just about covers it. If, strangely, someone is only a "partial?" admin, review the rights you want them to NOT have and remove these specifically. Remember that the rights are ADDITIVE, so any capability conferred by being a member of another Group will concurrently apply, unless they have a separate UserName for the separate group. In general, you SHOULD have more than one "full" admin, just to cover the 'wayward bus' contingency.

MichaelRed
m.red@att.net

Searching for employment in all the wrong places
 
Michael,

Well, I want to be the only admin. I don't want to give others the possibility to change things in the DB.

Just a thought at this moment: I also can make a .mde file of the DB, then they can't change things, am I right?

groeten (Dutch for greetings)

Tom
 
soooooooooooo,

you have PROOF that the 'wayward bus' theory doesn't apply to this specific instance, or that it is in general flawed?


MichaelRed
m.red@att.net

Searching for employment in all the wrong places
 