At the end of last year, we upgraded our network to a whole bunch of lovely new desktops and a super-duper Windows 2003 server (replacing our old NT4 server). Thanks to Google search and Microsoft TechNet I have been able to come somewhat to grips with Active Directory and even managed to set up a few useful Group Policies.
I have also managed to set up appropriate levels of access for most of the users, so that we haven't simply had students with low level access and almost all the staff as administrators!
Unfortunately, Quickbooks managed to throw me a curly one in the form of this error:
User Access Rights Problem: Your user account for Windows was created with restricted access to system resources. This will prevent Quickbooks from operating properly. Please contact your system administrator and ask him or her to grant you standard user rights.I searched high and low for a solution to this problem without joy. Eventually, when pushed by higher priority jobs, I just made all the users of Quickbooks administrators (against my better judgement...) and left it for later.
Later came, and I order a trial version of QB 2007, which I hoped might have solved this problem.
It didn't. Back to the google drawing board.
I did find a fairly convoluted hack that involved making a QuickBooksUser group, and changing permissions on certain directories and registry keys to allow this group full access. I couldn't get it to work with group policy, and it just seemed a bit unreliable.
So. I thought outside the box for a minute (which is very much against my normal nature :-P) and came up with this partial solution: I created the QuickBooksUser group as above, but rather than try to fiddle all the keys and directories, I simply made that group a member of the local (NB: Local, not domain or global) administrators group on the boxes that had quickbooks installed, like this:
In control panel, go to User Accounts, and then select the Advanced tab, and click the Advanced button. This brings up the "Local Users and Groups" dialogue. On the right, open Groups, and then double-click on Administrators. You can then click "Add" and type in QuickBooksUsers and OK all the way...
So to describe this another way: All the users who need to use Quick Books, when they log on to one of the computers that has it installed, are made into Administrators while on that computer ONLY. Yes, this is a security flaw in that I have given them permissions that they need not have. However, they are limited to doing bad things on that computer only.
So I feel I have limited the risks, while still allowing necessary use of an important program, without giving them full domain admin rights.
In other news: this has solved another problem that I have had. Many staff members have their own notebook computers. By me not giving them full administrator privileges, they are limited in their ability to install programs, run certain programs and generally managed their own PCs (all of which are used for personal as well as school business).
My existing solution has been to set them up a local account on their computer, give it admin rights, and teach them how to use the "run as" command. Worked sometimes, but not a seamless solution.
This new trick works perfectly well for this too... Just search for the individual user whose computer it is, and add them to the Administrators group. And there you go, they can trash their own computer to their heart's content, without me putting the whole domain at risk!