Deny Interactive Logon but Allow Runas

Ben

Hi,

We have a number of consultants who use a piece of very flaky software,
which sometimes requires uninstalling/re-installing, or having fix-packs
installed. As our users don't have local admin rights they usually have to
come to the IT department, and we put them in a kind of 'maintenance mode'
so they can perform the necessary tasks, this is just basically a group that
is a member of the local admins group. When in the office this isn't a
problem. However, if they are out on site, and they need to reinstall, this
causes problems.

One solution would be to put them in 'maintenance mode/local admin group' for
the entire time they are on a client site, but obviously this opens a number
of security holes.

Another solution would be to create a secondary user that does have local
admin rights, and to use this with the runas command to
uninstall/re-install, or perform other admin tasks.

However, I know our users, once they know the username & password, they will
try to log in as this user, as it's easier than having to keep using runas,
which then opens the same security holes as putting their standard users in
the local admin group.

Is there some way of allowing a user to log on using runas, but deny the
interactive logon? I've tried enabling 'Deny log on locally' via GP, but
this also denies the user Runas.

Or is there a 3rd way of doing this, that I'm missing? Our users need to be
able to do certain admin functions, such as re-install software, when on a
client's site, to perform their job properly, however, we don't want them
running in admin mode all the time.

Ben

P.S. We're running Windows XP SP2, on a Win 2003 R2 Domain
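An added example, not part of the original thread: 'Deny log on locally' also stops runas because runas itself performs an interactive (type 2) logon, so the two cannot be separated by user right, but they can be told apart afterwards in the Security log, where a runas logon records the logon process seclogo and a console logon records User32. The account name `maint-admin`, the key=value line format and the sample events are assumptions constructed for illustration.

```python
import shlex

MAINT_ACCOUNT = "maint-admin"  # hypothetical name for the secondary admin account
# Successful-logon event IDs: 528/540 on XP and Server 2003, 4624 on Vista and later.
LOGON_EVENT_IDS = {"528", "540", "4624"}
RUNAS_LOGON_TYPE = "2"     # runas performs an interactive (type 2) logon
RUNAS_PROCESS = "seclogo"  # logon process recorded for the Secondary Logon service

# Constructed sample: Security-log events flattened to key=value lines.
# Real logs pad the console logon process name ("User32 "), so it is quoted here.
SAMPLE_EVENTS = """\
time=2008-01-14T09:02:11 event_id=528 user=jsmith logon_type=2 logon_process="User32 " host=LAPTOP-07
time=2008-01-14T09:40:53 event_id=528 user=maint-admin logon_type=2 logon_process=seclogo host=LAPTOP-07
time=2008-01-15T08:15:30 event_id=528 user=maint-admin logon_type=2 logon_process="User32 " host=LAPTOP-07
time=2008-01-15T08:16:02 event_id=538 user=maint-admin logon_type=2 host=LAPTOP-07
time=2008-01-16T19:22:47 event_id=528 user=MAINT-ADMIN logon_type=10 logon_process="User32 " host=LAPTOP-07
this line is truncated event_id
"""


def parse_event(line):
    """Return the event's fields as a dict, or None if the line is unusable."""
    try:
        tokens = shlex.split(line)
    except ValueError:  # unbalanced quotes in a damaged line
        return None
    fields = dict(token.split("=", 1) for token in tokens if "=" in token)
    required = ("time", "event_id", "user", "logon_type")
    if any(key not in fields for key in required):
        return None
    return fields


def classify(event):
    """Return 'runas', 'direct' or 'ignore' for one parsed event."""
    if event["event_id"] not in LOGON_EVENT_IDS:
        return "ignore"  # logoffs and other events
    if event["user"].lower() != MAINT_ACCOUNT:
        return "ignore"  # account names are case-insensitive on Windows
    process = event.get("logon_process", "").strip().lower()
    if event["logon_type"] == RUNAS_LOGON_TYPE and process == RUNAS_PROCESS:
        return "runas"
    # Fail closed: console, remote desktop, or a missing logon process all alert.
    return "direct"


def review(log_text):
    """Return (alerts, runas_count, unparsed_count) for a block of log lines."""
    alerts, runas_count, unparsed = [], 0, 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if event is None:
            unparsed += 1
            continue
        verdict = classify(event)
        if verdict == "runas":
            runas_count += 1
        elif verdict == "direct":
            alerts.append(event)
    return alerts, runas_count, unparsed


if __name__ == "__main__":
    alerts, runas_count, unparsed = review(SAMPLE_EVENTS)
    print(f"runas uses: {runas_count}, unparsed lines: {unparsed}")
    for event in alerts:
        print(f"ALERT {event['time']} {event['user']} on {event.get('host', '?')} "
              f"type={event['logon_type']} process={event.get('logon_process', '').strip()}")
```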
 
HEMI-Powered

Ben added these comments in the current discussion du jour ...
> Hi,
>
> We have a number of consultants who use a piece of very flaky
> software, which sometimes requires

you don't say what this is, but have you considered getting
something un-flaky? unless this is very old legacy software and
there is no newer version, or it is custom-written, or the like,
you may have a problem but if you provide some hints as to what
your users really want to do, maybe somebody could give you an
intelligent suggestion.

> uninstalling/re-installing, or having fix-packs installed. As
> our users don't have local admin rights they usually have to
> come to the IT department, and we put them in a kind of
> 'maintenance mode' so they can perform the necessary tasks,
> this is just basically a group that is a member of the local
> admins group. When in the office this isn't a problem.
> However, if they are out on site, and they need to reinstall,
> this causes problems.
>
> One solution would be to put them in 'maintenance mode/local
> admin group' for the entire time they are on a client site,
> but obviously this opens a number of security holes.
>
> Another solution would be to create a secondary user that does
> have local admin rights, and to use this with the runas
> command to uninstall/re-install, or perform other admin tasks.
>
> However, I know our users, once they know the username &
> password, they will try to log in as this user, as it's easier
> than having to keep using runas, which then opens the same
> security holes as putting their standard users in the local
> admin group.
>
> Is there some way of allowing a user to log on using runas, but
> deny the interactive logon? I've tried enabling 'Deny log on
> locally' via GP, but this also denies the user Runas.
>
> Or is there a 3rd way of doing this, that I'm missing? Our
> users need to be able to do certain admin functions, such as
> re-install software, when on a client's site, to perform their
> job properly, however, we don't want them running in admin
> mode all the time.
>
> Ben
>
> P.S. We're running Windows XP SP2, on a Win 2003 R2 Domain

You list some rather bizarre and difficult to implement
alternatives but again, wouldn't getting more stable software be
more appropriate?
 
Ben

HP,

The software is a piece of IBM software, and it would be nice if the
software were less flaky, or if there were a 3rd party alternative, I've
suggested this on a number of occasions. However we're an IBM business
partner, and tied in to using the specific piece of software in question.

I don't personally use the software, but I've been told by the guys that do,
that occasionally an install can become 'corrupt' and needs re-installing. I
don't know how true this is, the user who told me isn't the greatest end
user. The users may also need to install a fix-pack, which you have to be an
admin to install. One of the problems is they may go to a site, and find the
client has version 6 of the software, with fix pack 2, so they need to get
the install on their laptop to the same level as the client, this way any
'modeling' you do is guaranteed to work. But the next day they might go on
another site and find the client running v5.3 with fix pack 6.

We've tried virtualisation, running VMware, and giving the users local admin
rights to the virtual machine, which they can then install and uninstall
until their heart's content, however, this bit of software is so memory
hungry, that you have to have at least 4gb of RAM installed, with minimum
2gb dedicated to the VM to be able to run it anywhere smoothly enough to be
able to work on it.

What I'd 'like' is to say users can't install ANY software except this, this
and this. I don't know whether software restriction policies would be a
workable option, maybe we could add the install file's hash or something..

Ben
 
Steven L Umbach

The problem is even if you could find a way once they know administrator
credentials they could undo any restrictions you put on the computer anyhow
if they are skilled and determined enough. There are third party runas
solutions that can encode a password used to run a script that could be
something to look at. Cpau is a free one from http://www.joeware.net . Group
Policy Software Restriction Policies is something else that may help prevent
installing of unauthorized software even for local administrators though it
can be bypassed in Safe Mode though it is very unlikely they would know
that.

Steve
 
HEMI-Powered

Ben added these comments in the current discussion du jour ...
> HP,
>
> The software is a piece of IBM software, and it would be nice
> if the software were less flaky, or if there were a 3rd party
> alternative, I've suggested this on a number of occasions.
> However we're an IBM business partner, and tied in to using
> the specific piece of software in question.

You'll have to forgive my denseness, then. If you really are an
IBM Business Partner, why don't you ask THEM why whatever this
top-secret app does that makes it "flaky" and have them either
fix it or replace it.

> I don't personally use the software, but I've been told by the
> guys that do, that occasionally an install can become
> 'corrupt' and needs re-installing. I don't know how true this
> is, the user who told me isn't the greatest end user. The
> users may also need to install a fix-pack, which you have to
> be an admin to install. One of the problems is they may go to
> a site, and find the client has version 6 of the software,
> with fix pack 2, so they need to get the install on their
> laptop to the same level as the client, this way any
> 'modeling' you do is guaranteed to work. But the next day they
> might go on another site and find the client running v5.3 with
> fix pack 6.

Once installed correctly, without error, and running, absent HD
or memory problems perhaps, software seldom gets "corrupt".
Again, there are exceptions to any rule here, but SW doesn't need
to have its oil and filter replaced, it just runs unless/until a
bug appears, a Registry key gets corrupted - which DOES happen
even on well-behaved and stable apps, or some other anomaly
occurs. I understand that you don't use this apparent POS but you
do support it. Perhaps you should delve deeper into this yourself
and save both personal grief and grief for your internal
customers who cannot work.

> We've tried virtualisation, running VMware, and giving the
> users local admin rights to the virtual machine, which they
> can then install and uninstall until their heart's content,
> however, this bit of software is so memory hungry, that you
> have to have at least 4gb of RAM installed, with minimum 2gb
> dedicated to the VM to be able to run it anywhere smoothly
> enough to be able to work on it.

This paragraph makes no sense whatsoever. What is
"virtualisation" anyway? Do you mean that it pages to
pagefile.sys too much? As to memory, I believe you said you're
running XP Pro SP2? Is it 32 or 64-bit? If the former, 4 gig is
all you can install, and the top gig isn't normally addressable
by SW or even Windows. Again, if your secret app is really so bad
yet somehow indispensable, I cannot understand why you've not
beaten on its developer.

> What I'd 'like' is to say users can't install ANY software
> except this, this and this. I don't know whether software
> restriction policies would be a workable option, maybe we
> could add the install file's hash or something..

I'm not very familiar with user-specific restrictions except the
obvious via accounts and perhaps restricting certain security
rights for given files. But, even if you could stop your users
from installing SW, how would that help you? Are you saying that
your users are incorrectly installing new apps or mangling older
ones, and that is what is causing your "flaky" app to hiccup?

It isn't that I want to beat up on you personally, but even if I
were able to help technically, perhaps by some judicious reading
or from prior personal experience, you simply haven't given any
facts that would point to suggested fixes. It's your business to
reveal what is really going on here or keep it confidential, but
you're asking a peer-to-peer user help NG to diagnose a problem
with no knowledge as to what the app is, other things going on with
the systems having "flaky" problems, whether you've checked their
HW, etc. And, is it even remotely possible that malware may be
the cause?
 
HEMI-Powered

Steven L Umbach added these comments in the current discussion
du jour ...
> The problem is even if you could find a way once they know
> administrator credentials they could undo any restrictions you
> put on the computer anyhow if they are skilled and determined
> enough. There are third party runas solutions that can encode
> a password used to run a script that could be something to
> look at. Cpau is a free one from http://www.joeware.net .
> Group Policy Software Restriction Policies is something else
> that may help prevent installing of unauthorized software even
> for local administrators though it can be bypassed in Safe
> Mode though it is very unlikely they would know that.

At the company I am retired from, they first implemented
draconian rules for Windows 2000 and now XP that completely stop
ordinary users from installing/uninstalling anything,
modifying/deleting system files, nothing at all. This is done
centrally when a user logs into what once was a Novell NOS and is
now Windows Server, I think. Each department has a single or
multiple number of designated dept. admins appointed by the
manager who does have the permission to change systems. Once
these rules were implemented after we finally moved off Windows
95 - not even 98 - virtually all user-error problems disappeared.

Now, this sort of Big Brother application of central rule works
well in a very large company with the resources to use built-in
security in the O/S or NOS, buy utilities to do it, as you
suggest above, or write code in Visual C++, Java, whatever that
will custom alter end-user systems to accomplish management's
goals. I left the company barely 6 months after 9/11 and
beginning in late 2002 and more into 2003-2005 or so, I know
they've clamped down more and more to not only save internal
customer support manpower but also in a company-wide effort to
reduce hacking, malicious sabotage, malware, whatever. And, the
entire network sits behind multiple proxy servers to protect the
"clean" side from the "dirty" side.

I gave up being a Registered MS Basher some time back, but I
think most folks even moderately savvy about XP's so-called
security know that it is just plain marketing hype and bullshit.
No, I repeat, NO secure software would allow a user to bypass
system administrator rules by booting into Safe Mode any more
than it would allow an end-user to change system PWs, BIOS
settings, and all the other things that can cause heartburn to a
large support staff. Now, do the users like this? Not hardly!
But, my company, like most large corporations, has an old-
fashioned, somewhat romantic notion that they're in business to
make money and PCs are an important tool to accomplish business
plans, but they are NOT toys nor hobbyist playthings.

Sole proprietorship companies either do their own tech support or
hire it done. Big companies have IT staffs to do it. It is from
the "mom and pop" size very small firms, to small, to mid-size
companies that are in the most trouble because their managements
either do not understand what it really takes to run a complex
network or they cannot or will not allocate manpower or financial
resources. That's a tough row to hoe, and one that the OP hasn't
given much insight as to what his management's direction(s) are.

I'm running off at the mouth here mainly because the general
problem described in this thread that is often summarized by some
OP as "how do I restrict folders or apps or installs or even
individual files other than via account?". This is seen here and
in many other peer-to-peer help NGs and I have yet to see a fully
implementable way to do all of this with XP unless some special
means are taken - read: spend some money.
 
Ben

New comments below...

HEMI-Powered said:
> Ben added these comments in the current discussion du jour ...
>
> You'll have to forgive my denseness, then. If you really are an
> IBM Business Partner, why don't you ask THEM why whatever this
> top-secret app does that makes it "flaky" and have them either
> fix it or replace it.

The app isn't secret, I just didn't think it was specifically relevant to
the discussion, it's actually called Business Modeler. We've told them it's
flaky, and they know it causes us problems, but we're a fairly small
company, so whether they'll listen to our feedback or not I don't know. Even
if they did decide to fix some of the issues it could be a while before any
update or new version is released.

> Once installed correctly, without error, and running, absent HD
> or memory problems perhaps, software seldom gets "corrupt".
> Again, there are exceptions to any rule here, but SW doesn't need
> to have its oil and filter replaced, it just runs unless/until a
> bug appears, a Registry key gets corrupted - which DOES happen
> even on well-behaved and stable apps, or some other anomaly
> occurs. I understand that you don't use this apparent POS but you
> do support it. Perhaps you should delve deeper into this yourself
> and save both personal grief and grief for your internal
> customers who cannot work.

I know it 'shouldn't' get corrupt, but the feedback from our consultants is
that they've been on site, and the software stopped working properly, (I
will try and get more specific feedback on 'how' exactly it stopped working
properly) apparently another consultant that was onsite from another company
had a similar issue in the past, and suggested uninstalling and
re-installing, which our consultant did, and this fixed the issue.

> This paragraph makes no sense whatsoever. What is
> "virtualisation" anyway? Do you mean that it pages to
> pagefile.sys too much? As to memory, I believe you said you're
> running XP Pro SP2? Is it 32 or 64-bit? If the former, 4 gig is
> all you can install, and the top gig isn't normally addressable
> by SW or even Windows. Again, if your secret app is really so bad
> yet somehow indispensable, I cannot understand why you've not
> beaten on its developer.

By 'virtualisation' I mean having the base build laptop, which is a member
of our domain, running with WinXP, Office etc so they can do day to day
work, and pick up email. They would also have VM Workstation installed (Like
MS Virtual PC), and have a virtual machine running inside the VM
Workstation, and having this VM set up so it's a standalone workstation, users
get local admin rights, it doesn't have any network configured, (this stops
users from being able to download any malware etc), and just runs the
Business Modeler software. If the software needs uninstalling/re-installing
then the user can do this, (We use this setup for other IBM software that
requires less memory, and it works quite well). Currently we're running
32bit, and I know this is limited to 4gb, it's also limited because I don't
think there are many laptops that support more than 4gb memory anyway, even
64bit ones, certainly no laptop from Dell supports more than 4gb.

The trouble is, as an IBM business partner, we're tied to using this
software. And, you have to understand IBM, and that we're only a small
company, they don't have to listen to our feedback. They have 140 different
products, just under their websphere set, let alone all the other product
sets they have. Personally, I think this means they don't spend enough time
testing, and working out all of the bugs in the different products.

> I'm not very familiar with user-specific restrictions except the
> obvious via accounts and perhaps restricting certain security
> rights for given files. But, even if you could stop your users
> from installing SW, how would that help you? Are you saying that
> your users are incorrectly installing new apps or mangling older
> ones, and that is what is causing your "flaky" app to hiccup?

No, I'm saying I don't want our users to be able to install software because
it's against company policy, that's why they aren't local admins. It also
reduces the risk of malware installing itself. BUT until IBM fix the issues
with Business Modeler, the users need to be able to re-install this
particular application.

> It isn't that I want to beat up on you personally, but even if I
> were able to help technically, perhaps by some judicious reading
> or from prior personal experience, you simply haven't given any
> facts that would point to suggested fixes. It's your business to
> reveal what is really going on here or keep it confidential, but
> you're asking a peer-to-peer user help NG to diagnose a problem
> with no knowledge as to what the app is, other things going on with
> the systems having "flaky" problems, whether you've checked their
> HW, etc. And, is it even remotely possible that malware may be
> the cause?

I appreciate that I could have given more information on the app, but I
needed to be careful because of the nature of the subject, (it probably
doesn't look good when an IBM partner posts to a Microsoft forum saying the
IBM software is flaky and causing problems). I was hoping there would be
some standard method of fixing this issue, that would be generic to most
software, whether it was IBM Business Modeler, Microsoft Office, or any
other 3rd party app.

I'm fairly certain it's not hardware or malware related, the laptops we're
running this on are brand new Dell Latitude D630s with 4gb ram, we've tested
on 3, each brought at different times in the past 2 months, so it's not
likely to be a dodgy batch. The laptops were clean installs, and run
Symantec client security, which should detect most malware, (although it's
not impossible that this is causing some problems).

Ben
 
HEMI-Powered

Ben added these comments in the current discussion du jour ...
> The app isn't secret, I just didn't think it was specifically
> relevant to the discussion, it's actually called Business
> Modeler. We've told them it's flaky, and they know it causes us
> problems, but we're a fairly small company, so whether they'll
> listen to our feedback or not I don't know. Even if they did
> decide to fix some of the issues it could be a while before
> any update or new version is released.

try using the old-fashioned method - withhold all future payments
to IBM until they fix/replace their crap SW or refund your money.
or, keep pounding on IBM through your business partner rep to at
least recommend an alternative. the reason I kept asking what it
was is that no one, certainly not me, can predict what may be
happening nor even suggest ways of finding alternative apps.
e.g., "Google is your best friend" but is 100% useless unless you
have something to search for, thus if you or anyone tried some
Googling for a program with Business Modeler's purpose, perhaps
you'd be more successful.

> I know it 'shouldn't' get corrupt, but the feedback from our
> consultants is that they've been on site, and the software
> stopped working properly, (I will try and get more specific
> feedback on 'how' exactly it stopped working properly)
> apparently another consultant that was onsite from another
> company had a similar issue in the past, and suggested
> uninstalling and re-installing, which our consultant did, and
> this fixed the issue.

you're a small company but you have consultants? what the hell
good are (highly?) paid consultants who're on-site if all they do
is tell you the symptoms, i.e., it stopped working again, but do
no-thing to fix it, don't recommend you do anything, don't
examine the problematic PCs, nothing. I'd fire them too!

> By 'virtualisation' I mean having the base build laptop, which
> is a member of our domain, running with WinXP, Office etc so
> they can do day to day work, and pick up email. They would
> also have VM Workstation installed (Like MS Virtual PC), and
> have a virtual machine running inside the VM Workstation, and
> having this VM set up so it's a standalone workstation, users
> get local admin rights, it doesn't have any network
> configured, (this stops users from being able to download
> any malware etc), and just runs the Business Modeler software.
> If the software needs uninstalling/re-installing then the user
> can do this, (We use this setup for other IBM software that
> requires less memory, and it works quite well). Currently
> we're running 32bit, and I know this is limited to 4gb, it's
> also limited because I don't think there are many laptops that
> support more than 4gb memory anyway, even 64bit ones,
> certainly no laptop from Dell supports more than 4gb.

I understand this but not the term. I assume you've tried running
BM (interesting acronym!) on other PCs not running under some
convoluted VM? if yes, does it run better, same, or worse? if
better, then start looking at the way you've set up the cascaded
virtual machines for the trouble, which may also explain mis-use
or overuse of memory. again, though, unless acted upon by some
external force, I can't see why BM would suddenly stop running
and need to be installed, absent something in your VM scheme
that, say, corrupts a client, i.e., end-user's, Registry or some
critical file(s) on their PC. It just doesn't happen that normal
running software suddenly gets corrupt and needs a re-install and
certainly NOT continuously.

as to the memory issue, you said earlier that BM is a memory hog
and wants all of the 4 gig (really 3). is there a pagefile
problem or something native to the client PC XP install that mis-
manages available memory? have you had your people or the
consultant run Task Manager or any utility software that will
tell you for sure where the memory drain(s) are other than BM?
and, once more, why cannot IBM tell you why THEIR SW a) hogs so
much memory and b) constantly needs re-installs.

> The trouble is, as an IBM business partner, we're tied to using
> this software. And, you have to understand IBM, and that we're
> only a small company, they don't have to listen to our
> feedback.

I do understand IBM and the nature of being a business partner,
which is why I suggested having your accounts payable people
withhold all future payments/royalties/whatever, and have your
legal people document all of this. also, if the failure of BM is
a cause of provable damage to your company, no matter how small,
such as lost revenue, lost profits, lost productivity, legal
remedies can be instituted against IBM at their expense to
recover your damages.

> They have 140 different products, just under their
> websphere set, let alone all the other product sets they have.
> Personally, I think this means they don't spend enough time
> testing, and working out all of the bugs in the different
> products.

NO company spends enough time testing! and, ALL developers make a
business decision as to how much of their time and resources they
want to devote to fixing problems. often, they just release the
code as-is and let their customers fend for themselves.

one other question comes to mind wrt all 140 products, including
BM: has IBM released any updates or new version upgrades? if yes,
did that help? if no, why not?

> No, I'm saying I don't want our users to be able to install
> software because it's against company policy, that's why they
> aren't local admins. It also reduces the risk of malware
> installing itself. BUT until IBM fix the issues with Business
> Modeler, the users need to be able to re-install this
> particular application.

I understand this, also. see my long post about company policy.
but, your company simply must get it through their heads that
they cannot have their cake and eat it too, i.e., they can't NOT
allow even one local admin and expect "flaky" software to be
fixed long-distance. and, your management must not at all
understand cash-flow and return-on-investment if you're paying
local consultants at any hourly rate to just tell you that it
quit again.

> I appreciate that I could have given more information on the
> app, but I needed to be careful because of the nature of the
> subject, (it probably doesn't look good when an IBM partner
> posts to a Microsoft forum saying the IBM software is flaky
> and causing problems). I was hoping there would be some
> standard method of fixing this issue, that would be generic to
> most software, whether it was IBM Business Modeler, Microsoft
> Office, or any other 3rd party app.

you say that IBM won't listen to you, so why should you care
where you post about their crap? moreover, this is an MS-
sponsored NG perhaps, but it isn't run by or for MS and AFAIK, no
MS employees visit here. which brings the question does IBM or
its business partner scheme have anything akin to a NG or web
site or KB you can go to for help?

> I'm fairly certain it's not hardware or malware related, the
> laptops we're running this on are brand new Dell Latitude
> D630s with 4gb ram, we've tested on 3, each brought at
> different times in the past 2 months, so it's not likely to be
> a dodgy batch. The laptops were clean installs, and run
> Symantec client security, which should detect most malware,
> (although it's not impossible that this is causing some
> problems).

OK. if you've exhausted all of the obvious things, that leaves
just two: 1) beat on MS, not IBM, as to why their O/S won't run
an MS-certified piece of SW and 2) at least try to dismantle that
complex VM scheme you've got until you are sure it has nothing to
do with the apparent instability of BM. intermittent problems
that cannot be reliably repeated are very difficult to diagnose
so often one must try to diagnose by exclusion.
 
Ben

HP,

I've arranged a meeting this afternoon with some of the BM consultants to
discuss issues such as how we've complained to IBM, what response we've
received, and how we can escalate it further. Also if we know/can find out
why BM hogs so much memory. So I will post back my findings after that.

For now, I've posted some more comments below...

HEMI-Powered said:
> try using the old-fashioned method - withhold all future payments
> to IBM until they fix/replace their crap SW or refund your money.
> or, keep pounding on IBM through your business partner rep to at
> least recommend an alternative. the reason I kept asking what it
> was is that no one, certainly not me, can predict what may be
> happening nor even suggest ways of finding alternative apps.
> e.g., "Google is your best friend" but is 100% useless unless you
> have something to search for, thus if you or anyone tried some
> Googling for a program with Business Modeler's purpose, perhaps
> you'd be more successful.

I'll find out this afternoon what has been said, and how it's been escalated
within IBM. I don't know IF we actually pay to be a business partner. I know
to become one we had to have a certain number of certifications, and do a
certain amount of business selling their products. I will find out for sure
this afternoon.

> you're a small company but you have consultants? what the hell
> good are (highly?) paid consultants who're on-site if all they do
> is tell you the symptoms, i.e., it stopped working again, but do
> no-thing to fix it, don't recommend you do anything, don't
> examine the problematic PCs, nothing. I'd fire them too!

Wrong sort of consultant - my fault, we've called them 'Consultants'
historically - these aren't computer consultants, they are our Business
Analysts consultants, who go onsite, and use Business Modeler to look at
internal business processes. Most of them aren't very computer literate, to
be honest. They know how to use BM, but nothing about the internal workings.

> I understand this but not the term. I assume you've tried running
> BM (interesting acronym!) on other PCs not running under some
> convoluted VM? if yes, does it run better, same, or worse? if
> better, then start looking at the way you've set up the cascaded
> virtual machines for the trouble, which may also explain mis-use
> or overuse of memory. again, though, unless acted upon by some
> external force, I can't see why BM would suddenly stop running
> and need to be installed, absent something in your VM scheme
> that, say, corrupts a client, i.e., end-user's, Registry or some
> critical file(s) on their PC. It just doesn't happen that normal
> running software suddenly gets corrupt and needs a re-install and
> certainly NOT continuously.

We don't run BM under VM, we tried, but it's too slow, to the point of being
able to type a sentence, then sit and watch as each character appears. We run
other IBM software under VM, and it works without issue, mostly. However,
due to BM requiring so much memory, by the time you have a base build with
say 4GB, (really 3gb) then install WinXP & Office, for day 2 day use, then
VMWare, and create a VM machine allocate that 2GB, then install WinXP in the
VM, which will use at least 512mb, it leaves 1.5GB or less inside the VM to
run BM. This is why we had to drop the VM idea for the BM users, and just
install it directly on the base build. It runs a lot faster on the base
build, but then gets this 'corruption' issue, when the user, who isn't a
local admin, has to re-install.

> as to the memory issue, you said earlier that BM is a memory hog
> and wants all of the 4 gig (really 3). is there a pagefile
> problem or something native to the client PC XP install that mis-
> manages available memory? have you had your people or the
> consultant run Task Manager or any utility software that will
> tell you for sure where the memory drain(s) are other than BM?
> and, once more, why cannot IBM tell you why THEIR SW a) hogs so
> much memory and b) constantly needs re-installs.

Will find out this afternoon.

> one other question comes to mind wrt all 140 products, including
> BM: has IBM released any updates or new version upgrades? if yes,
> did that help? if no, why not?

I believe IBM have released a number of fix packs for products such as
WebSphere MQ, Process Server & Application Server etc, along with DB2, all
of which addressed specific issues.

> I understand this, also. see my long post about company policy.
> but, your company simply must get it through their heads that
> they cannot have their cake and eat it too, i.e., they can't NOT
> allow even one local admin and expect "flaky" software to be
> fixed long-distance. and, your management must not at all
> understand cash-flow and return-on-investment if you're paying
> local consultants at any hourly rate to just tell you that it
> quit again.

See above comments on the consultants. And I agree, management don't want
users to have local admin access, but want them to be able to re-install
software. I feel like I'm stuck between a rock and a hard place, trying to
implement this, sometimes!
you say that IBM won't listen to you, so why should you care
where you post about their crap? moreover, this is an MS-
sponsored NG perhaps, but it isn't run by or for MS and AFAIK, no
MS employees visit here. which brings the question does IBM or
its business partner scheme have anything akin to a NG or web
site or KB you can go to for help?

There is, ibm.software.websphere...has a number of newsgroups under it, but I
posted a similar question to this back in November last year, and it still
has no answer. There are only a dozen or so posts, so it doesn't look like
anyone ever gets a reply, or answers. There is a KB on the IBM website, but
it's a nightmare to search through, the site is painfully slow, and usually
times out. I'll find out this afternoon if there is a better resource for
help/support.
OK. if you've exhausted all of the obvious things, that leaves
just two: 1) beat on MS, not IBM, as to why their O/S won't run
an MS-certified piece of SW and 2) at least try to dismantle that
complex VM scheme you've got until you are sure it has nothing to
do with the apparent instability of BM. intermittent problems
that cannot be reliably repeated are very difficult to diagnose
so often one must try to diagnose by exclusion.

I'll try and run some tools across the machines to try and find out exactly
what is causing the memory hog. Process Explorer from SysInternals should be
able to show something interesting.

Ben
 
H

HEMI-Powered

Ben added these comments in the current discussion du jour ...
HP,

I've arranged a meeting this afternoon with some of the BM
consultants to discuss issues such as how we've complained to
IBM, what response we've received, and how we can escalate it
further. Also if we know/can find out why BM hogs so much
memory. So I will post back my findings after that.

For now, I've posted some more comments below...

Ben, I've left the entire thread between you and me in place and
interleaved some longer comments for you. Please scroll down.
And, if I've come across as some kinda twit, I apologize, I've
just been having a tough time as you'll see below trying to get
into your head a bit to understand your issues and frustrations.
I'll find out this afternoon what has been said, and how it's
been escalated within IBM. I don't know IF we actually pay to
be a business partner. I know to become one we had to have a
certain number of certifications, and do a certain amount of
business selling their products. I will find out for sure this
afternoon.
I think you are right; it is more of a preferential treatment
source for small and medium size businesses. IBM is organized
along the size of a company and its potential for business with
them and have an organization that I always thought was a classic
example of the left hand not knowing what the right hand was
doing. So, since they have small, medium, and enterprise, i.e.,
very large, sales and support organizations, you can actually be
called on or investigate on your own and get one of these 3 and
they literally do not know what their own company, IBM, is doing
in the other 2!

I found that very frustrating when I sat for hours listening to
presentations on HW and SW my company was evaluating only to find
out that the IBM unit I was in actually couldn't even sell to me!
So, in your case, while your friendly IBM sales droid and/or
business partner rep may or may not get paid by your company and
may or may not listen to you, in fact, may or may not even pass
on or escalate your issue within IBM, you DO pay for the software
itself, do you not? And, whatever the number of PCs on your WAN
in whatever geographic locations they are, obviously not where
you live and work, I am certain that you either paid a ton of
money to license, i.e., buy the SW that is "flaky" or you may
even be paying a monthly or quarterly license fee, sort of like
leasing the SW. In the case of my company, we had about every way
you could think of to acquire and maintain IBM products, from HW
and SW to training and support, etc.

Now, keeping in mind what I said above wrt the arcane way IBM is
- or, at least was, organized for sales and support, there may be
IBM people local to your internal customers at some sort of
regional center but not necessarily a short distance away. e.g.,
they may be HQ in a large city someplace in state(s) you have
offices or plants. But, and this is important, depending on the
terms of the license agreement with IBM, you MAY be paying for
support as well as pure usage. Again, I'm not necessarily
accusing you of some black ops thing here, but I just don't know
enough about your situation to make intelligent comments wrt IBM.
If your company IS paying for support directly or indirectly, why
aren't you getting it? And, if you're not satisfied, why not stop
the payments if you can?

I am neither an attorney nor a purchasing person, so you have to
take my comments and suggestions at face value, if you can, and
confer privately within your own company. I can say this with
confidence, however, since I had experience. If your company is
paying a periodic license fee for Business Modeler and you stop
payment, it is a VERY good idea for your company attorney to
advise you first. At the least, you get the IBM sales droid and
the district manager in to talk. Describe your needs and your
intent, but obviously do not threaten anything. IF your company
does decide to temporarily withhold licensing/leasing payments on
any IBM PCs, servers, SQL, NOS, application SW, whatever, then it
is a VERY good idea to place the fees into an escrow account of
sorts. The reason for this is two-fold: 1) your bean counters
won't accidentally ding your boss's budget or use money they think
they are "saving" somehow on another project and 2) it makes your
legal case FAR stronger should you decide to seek damages in
court. Perhaps there's even a 3), which would be to counter an
IBM lawsuit for non-payment.

The bottom line here seems to me to be how to gain some leverage
since so far you've been unsuccessful in implementing a technical
fix yourself, with your admins, or even consultants, and you need
help desperately. So, while it may turn out to be a technical
issue either with IBM itself or through some obscure interaction
with some other SW you run, it may also be a management/business
problem you need to solve first.
Wrong sort of consultant - my fault, we've called them
'Consultants' historically - these aren't computer
consultants, they are our Business Analysts consultants, who
go onsite, and use Business Modeler to look at internal
business processes. Most of them aren't very computer
literate, to be honest. They know how to use BM, but nothing
about the internal workings.
Ben, I've been whacking on you quite hard because the terms you
use are either unfamiliar to me totally or you're using them in
non-traditional ways. You implied to me, or I perceived you did,
that it was a technical consultant telling you that he/she had
exhausted all attempts to get BM to run in a stable way. What I
now interpret you to mean is that you are paying business
consultants who you pay to assist your employees to USE BM, not
fix it. Is that right?

So, now that I have a somewhat clearer understanding, that
probably explains why your company appears to me as wed at the
hip to this particular app - your company may be relying to a
great degree on what BM tells your people and the consultants
that you should or should not do from a business standpoint. If I
have that at all correct, then "flaky" SW means lost revenues and
lost profits. See where I'm going here?
We don't run BM under VM, we tried, but it's too slow, to the
point of being able to type a sentence, then sit and watch as
each character appears. We run other IBM software under VM, and
it works without issue, mostly. However, due to BM requiring
so much memory, by the time you have a base build with say
4GB, (really 3gb) then install WinXP & Office, for day 2 day
use, then VMWare, and create a VM machine allocate that 2GB,
then install WinXP in the VM, which will use at least 512mb,
it leaves 1.5GB or less inside the VM to run BM. This is why
we had to drop the VM idea for the BM users, and just install
it directly on the base build. It runs a lot faster on the
base build, but then gets this 'corruption' issue, when the
user, who isn't a local admin, has to re-install.

OK. I am having real problems following your comments and
comparing what I think you're saying to my personal experience
with IBM, small, medium, and large-scale computer systems,
Windows, etc. I thought you'd said, or again, I simply perceived
it, that you were 2 or 3 layers deep into some weird VM system
based on an SQL server or some such thing that your IT people
apparently put into place to protect the system from dumb or
malicious employees, malware, whatever. No, I'm not insulting
your people, those are the goals of a properly run IT department,
it just isn't what end-users want to hear. Managers really don't
want to dissect IT issues, they want to run a business and lack of
ability to model their business - whatever your goods or services
are - and get on with the job. And, I perceive that you are
caught somewhere in the middle. Maybe you're feeling heat from
above or maybe you're just a good support person trying to help
associates that cannot work.
Will find out this afternoon.


I believe IBM have released a number of fix packs for products
such as WebSphere MQ, Process Server & Application Server etc,
along with DB2, all of which addressed specific issues.
Again, I really do not understand nearly enough to comment
intelligently, so I'll just throw out some thoughts here. LARGE
HW/SW systems typically release "service packs" not unlike the
way that MS does, in bits and pieces and periodically in large
chunks, like a Windows SP. Your systems software people, network
people, security people, admins, etc. obviously install this
stuff and test it internally - at least, I sure as hell hope they
do! - and if it don't work, they don't install it across the
company. In my personal experience somewhat earlier in my career
where I was responsible for all CAD and PC support, training,
testing, etc. for engineering in a very large company, Chrysler,
that it was not at all uncommon for something to go bump in the
night during testing. Thus, we'd send people in on a Sunday to do
the enterprise upgrades and have them in before everybody arrived
on Monday morning for work. Several times/year, we'd have to
literally lock all of engineering out for awhile, uninstall a
service pack, and roll the system back, analogous to doing a
system restore via a Windows RP. I imagine you can see that MY
management wasn't all that excited about 10,000 people, or some
part of that, sitting on their hands for hours - they had this
silly-ass view that their job was designing cars!
See above comments on the consultants. And I agree, management
don't want users to have local admin access, but want them to
be able to re-install software. I feel like I'm stuck between
a rock and a hard place, trying to implement this, sometimes!


There is, ibm.software.websphere...has a number of newsgroups
under it, but I posted a similar question to this back in
November last year, and it still has no answer. There are
only a dozen or so posts, so it doesn't look like anyone ever
gets a reply, or answers. There is a KB on the IBM website,
but it's a nightmare to search through, the site is painfully
slow, and usually times out. I'll find out this afternoon if
there is a better resource for help/support.
Look, Ben, I need to stand down here. I'm not really helping you,
but am probably annoying the hell outta you. I'll just say this:
unless your company is literally a mom and pop store and YOU are
its sole IT "department", I think you need to stop trying to get
unofficial help and throw some money at this. e.g., hire a
technical consultant to come in, analyze your system and find the
root cause. I won't go into the subject of quality control, but
suffice it to say that any real problem may have multiple
problems, but has at least one so-called "root cause". You can
fix ALL the other problems, and I think you've made a valiant
attempt to do that, but if you don't find and fix the root cause,
the problem will continue. And, "root cause" isn't at all the
same thing as "main cause", meaning "biggest". It may be a
niggling small detail somebody overlooked, maybe at IBM, maybe at
your company, maybe by the people that designed your IT system(s).
I'll try and run some tools across the machines to try and
find out exactly what is causing the memory hog. Process
Explorer from SysInternals should be able to show something
interesting.
Since this is a Windows XP issue, albeit a complex one, clearly
the place to start is to have your users just look at the
processes running in Task Manager. In case you're not all that
familiar with it, you can quickly sort on process name, which
includes all the background tasks not just the stuff on your
people's Taskbar, CPU usage on a real-time basis, memory usage
real-time, HD and memory page faults, read/write request to your
HDs or network servers, etc. Certainly, more sophisticated tools
would be better. Again, I'm not trying to insult you or whack on
you but neither of us know the other so I have no real clue as
to what you mean by "run some tools across the machines", so I
will just say this:

GOOD LUCK, I THINK YOU'RE GONNA NEED IT! To the extent you want
to continue with a dialog here or anywhere, I'll try to be
helpful and tone down being judgmental and we'll go from there.
 
