Inherited support but no password

[Ellen]

I've inherited the responsibility of supporting an Access
2000 application written by another programmer. When I
startup the front-end, it prompts for a login in the
application. My end user knows several IDs that can get
us into the app so that's fine. But I can't get into
everything I need to as a programmer. I did find that I
can get the database menu to open if I first just open
Access, click the database menu toolbar on, then open the
front-end mdb. This lets me get into the objects for
design work. But, I can't get into things like Linked
Table Manager, Security, and other options from the usual
full Access interface.

Thanks for any help.
Ellen

 

[Ellen]

I think I just found my answer in another newsgroup. If I
hold the Shift key down when starting the front-end mdb,
I have all the Access menus.
Ellen

 

[Guest]

That does work, unless (of course) the old administrator has disabled this ability by the AllowBypassKey method. Further, the "Setup..." option allows for the Special Keys (like F11 to bring up the database window) to be toggled on or off. So, if you want to further keep folks from being able to get into the menus, database window, etc, you should remember that allowing the SHIFT and F11 keys, as well as keeping the menus avaiilable does not truly secure your database.

I need to find out what I've done wrong. I've followed the directions in the Security Faq perfectly, from what I can tell, but I cannot figure out why our local Access expert is able to get in. It's mind-boggling. I've disabled and coded everything I was able to find.

Derek

----- Ellen wrote: -----

I think I just found my answer in another newsgroup. If I
hold the Shift key down when starting the front-end mdb,
I have all the Access menus.
Ellen

 

[Joan Wild]

I need to find out what I've done wrong. I've followed the directions in

the Security Faq perfectly, from what I can tell, but I cannot figure out
why our local Access expert is able to get in. It's mind-boggling. I've
disabled and coded everything I was able to find.

Derek

You missed a step in the FAQ. Every sentence, every phrase in fact, must be
followed.

When you say that your Access expert can get in, is this using the default
system.mdw workgroup?

 

[Guest]

I read-read-read the Faq (to quote some other MVPs) and went through it as a checklist. Yes, I certainly could have missed something. However, I really don't want to try again until my expert gets back in town. I think he might be in the office this afternoon after 2 months of travel to roll out his inventory Cycle Counting system.

Our IS department estimated over 1000 hours to develop the system in Cobol/JCL. He did it in less than 2 weeks, and that's only because he was debating on To Secure or Not To Secure.

I'm not sure HOW he got in. He said he'd show me when he got back to the office. I don't believe he used the default system.mdw file (I'm in 2000). The Admin user is a user who doesn't even have access to Open/Run the database. I missed this step my first attempt of securing a db

Thanks for the questions. I read somewhere that "You only fail when you give up trying.

Dere

----- Joan Wild wrote: ----

the Security Faq perfectly, from what I can tell, but I cannot figure ou
why our local Access expert is able to get in. It's mind-boggling. I'v
disabled and coded everything I was able to find
You missed a step in the FAQ. Every sentence, every phrase in fact, must b
followed

When you say that your Access expert can get in, is this using the defaul
system.mdw workgroup

 

[Joan Wild]

Please post back after you talk with him.

Perhaps it's the Users Group that has permission to Open/Run the database,
not the Admin user.

--
Joan Wild
Microsoft Access MVP

I read-read-read the Faq (to quote some other MVPs) and went through it as

a checklist. Yes, I certainly could have missed something. However, I
really don't want to try again until my expert gets back in town. I think
he might be in the office this afternoon after 2 months of travel to roll
out his inventory Cycle Counting system.

Our IS department estimated over 1000 hours to develop the system in

Cobol/JCL. He did it in less than 2 weeks, and that's only because he was
debating on To Secure or Not To Secure.

I'm not sure HOW he got in. He said he'd show me when he got back to the

office. I don't believe he used the default system.mdw file (I'm in 2000).
The Admin user is a user who doesn't even have access to Open/Run the
database. I missed this step my first attempt of securing a db.

 

[Guest]

Well, I have a macro that runs on startup that tracks users getting into and leaving the database with a timestamp. And I have evidence of him getting in at 10pm and 2am - times when none of my users would be at the office - he's working on a project that's on the graveyard shift. And he's admitted to those times. Those timestamps have been captured (CurrentUser()) as Admin logon.

I will certainly get back to the ng after speaking with him. I'm just dumbfounded.

Thanks, Joan. It should be Monday at the latest.
Derek

----- Joan Wild wrote: -----

Please post back after you talk with him.

Perhaps it's the Users Group that has permission to Open/Run the database,
not the Admin user.

--
Joan Wild
Microsoft Access MVP

I read-read-read the Faq (to quote some other MVPs) and went through it as

a checklist. Yes, I certainly could have missed something. However, I
really don't want to try again until my expert gets back in town. I think
he might be in the office this afternoon after 2 months of travel to roll
out his inventory Cycle Counting system.Cobol/JCL. He did it in less than 2 weeks, and that's only because he was
debating on To Secure or Not To Secure.office. I don't believe he used the default system.mdw file (I'm in 2000).
The Admin user is a user who doesn't even have access to Open/Run the
database. I missed this step my first attempt of securing a db.

 

[Guest]

Joan, here's what I learned. Since I need to keep the database in a common area, and I'm not sure HOW he did this, he was able to get in through the actual database, not the shortcut that I provided. He tells me that Citrix does some quirky things with Access, from his observations

Each time I open the hidden database via my shortcut, it unhides the database file. So, I created a hidden folder and moved the database to the hidden folder, so who cares if it's not hidden in the hidden folder, right? Also, Citrix does not permit our users to view hidden file/folders, so it should remain hidden within the folder

I'm still going to look into what Citrix is doing to the mdw file - and I cannot get our IS department involved since they do not support MS Access, even deleting mdb files if they are brought to the IS dept's attention

Thanks for your help
Dere

----- Joan Wild wrote: ----

Please post back after you talk with him

Perhaps it's the Users Group that has permission to Open/Run the database
not the Admin user

--
Joan Wil
Microsoft Access MV

I read-read-read the Faq (to quote some other MVPs) and went through it a

a checklist. Yes, I certainly could have missed something. However,
really don't want to try again until my expert gets back in town. I thin
he might be in the office this afternoon after 2 months of travel to rol
out his inventory Cycle Counting systemCobol/JCL. He did it in less than 2 weeks, and that's only because he wa
debating on To Secure or Not To Secureoffice. I don't believe he used the default system.mdw file (I'm in 2000)
The Admin user is a user who doesn't even have access to Open/Run th
database. I missed this step my first attempt of securing a db

 

[Joan Wild]

Hi Derek,

Joan, here's what I learned. Since I need to keep the database in a

common area, and I'm not sure HOW he did this, he was able to get in through
the actual database, not the shortcut that I provided. He tells me that
Citrix does some quirky things with Access, from his observations.

I have secure databases on Citrix, and not experienced any issues.

Each time I open the hidden database via my shortcut, it unhides the

database file. So, I created a hidden folder and moved the database to the
hidden folder, so who cares if it's not hidden in the hidden folder, right?
Also, Citrix does not permit our users to view hidden file/folders, so it
should remain hidden within the folder.

It should not unhide the file when you open it via a shortcut. What is in
the target of the shortcut?

I'm still going to look into what Citrix is doing to the mdw file - and I

cannot get our IS department involved since they do not support MS Access,
even deleting mdb files if they are brought to the IS dept's attention.

You said you followed the FAQ precisely, but how did you create the mdw to
secure your database?

 

[Guest]

Hi, Joan. Since the thread is getting long, I'll snip all but your most recent comments...



----- Joan Wild wrote: -----


I have secure databases on Citrix, and not experienced any issues.

DW: I'm not sure that it's a Citrix thing, and my coworker has been working odd shifts. I'll see if I can get some time with him tomorrow to discuss.

It should not unhide the file when you open it via a shortcut. What is in
the target of the shortcut?

DW: "R:\Program Files\Microsoft Office\Office\MSACCESS.EXE" "X:\Common\Derek\database\MOST Request.mdb" /wrkgrp x:\common\derek\most.mdw. R: is the application drive on the Citrix Server for my company.

You said you followed the FAQ precisely, but how did you create the mdw to
secure your database?

DW: I went into the wrkgadm.exe application (I'm in 2000) and created the workgroup information file. Name, Organization, and workgroup ID - I'm understanding that a 'key'-like string is created from these inputs.

I assigned a password to the Admin user to set up the logon procedure. Following this, I created a new user by my name, putting me in the Admins group, relogged on as myself, and removed Admin user from Admins group, restricting Admin user to Users group - without permission to even Open/Run database.

I used the Security Wizard to secure EVERYTHING to the Users group. Then I created users and a 'Manager' group for the folks that I want to have permissions to the application and forms. I was not able to see how the Wizard could do this, so I did this (the "manager" group and permissions) manually. (of course, this was after the 'secured' version created the .bak file...)

I only assigned permissions by Group, as it's easier to manage permissions that way and more global than user-based permissions.

When my teammate opens the database without the mdw file (defaulting to system.mdw), the database is not requiring him to login, and he gets in as Admin user. I'm dumbfounded.

Does it matter that the .mdb associated application in the Citrix environment is 97, or not because my shortcut directs the user to the right application (2000) before picking up the database and mdw file?

Thank you, Joan!
Derek

 

[Joan Wild]

It should not unhide the file when you open it via a shortcut. What is in
the target of the shortcut?

DW: "R:\Program Files\Microsoft Office\Office\MSACCESS.EXE"

"X:\Common\Derek\database\MOST Request.mdb" /wrkgrp
x:\common\derek\most.mdw. R: is the application drive on the Citrix Server
for my company.

I don't see anything wrong with that.

You said you followed the FAQ precisely, but how did you create the mdw to
secure your database?

DW: I went into the wrkgadm.exe application (I'm in 2000) and created the

workgroup information file. Name, Organization, and workgroup ID - I'm
understanding that a 'key'-like string is created from these inputs.

Good. I asked because sometimes people just copy system.mdw and give it a
new name - would result in no security since the mdw is no different than
system.mdw.

I assigned a password to the Admin user to set up the logon procedure.

Following this, I created a new user by my name, putting me in the Admins
group, relogged on as myself, and removed Admin user from Admins group,
restricting Admin user to Users group - without permission to even Open/Run
database.

Are you certain you were joined to your new workgroup when you did this?

I used the Security Wizard to secure EVERYTHING to the Users group. Then

I created users and a 'Manager' group for the folks that I want to have
permissions to the application and forms. I was not able to see how the
Wizard could do this, so I did this (the "manager" group and permissions)
manually. (of course, this was after the 'secured' version created the .bak
file...)

When my teammate opens the database without the mdw file (defaulting to

system.mdw), the database is not requiring him to login, and he gets in as
Admin user. I'm dumbfounded.

Login to your database and check what permissions the built-in Users group
has on the Database object - the wizard doesn't always remove all
permissions for the Users Group

Does it matter that the .mdb associated application in the Citrix

environment is 97, or not because my shortcut directs the user to the right
application (2000) before picking up the database and mdw file?

No your shortcut is doing this. Also note that in 2000, there is a problem
with the wizard - see item 10 in the FAQ.

 

[Joan Wild]

Beyond the Users group permissions not being totally removed? How can I

ensure they are fully removed?

As it says in step 10, while logged in to your secure mdw, create a new
database and import all objects from your database.

Then reassign permissions to your groups manually.

 

[TC]

(snip)

I'm still going to look into what Citrix is doing to the mdw file - and I

cannot get our IS department involved since they do not support MS Access,
even deleting mdb files if they are brought to the IS dept's attention.


But how can you safely continue in that environment? What is to stop IS
deleting all your database & workgroup files, after you have fixed your
problem?

TC

 

[Guest]

Good question. Nothing can be done to stop them. We're in an NT environment and, well, they have Administrator access to any PC in the company, as well as the file server.

I've tried to put the files (previously) in my personal folder on a fileserver. But if I do that, my users cannot access my folder - and the Administrators still have access to it.

When it comes to the heirarchy, I guess that even though they don't have permissions in the MDW to get in, they still rule the network.

Derek
----- TC wrote: -----



(snip)

I'm still going to look into what Citrix is doing to the mdw file - and I

cannot get our IS department involved since they do not support MS Access,
even deleting mdb files if they are brought to the IS dept's attention.


But how can you safely continue in that environment? What is to stop IS
deleting all your database & workgroup files, after you have fixed your
problem?

TC

 

[Guest]

Thanks, Joan. I'll give it a shot
Dere

----- Joan Wild wrote: ----
ensure they are fully removed

As it says in step 10, while logged in to your secure mdw, create a ne
database and import all objects from your database

Then reassign permissions to your groups manually