Re: Deny Interactive Logon but Allow Runas

New comments below...

"HEMI-Powered" <none@xxxxxxx> wrote in message
news:Xns99D8EDE1AAE83ReplyScoreID@xxxxxxxxxxxxxxxx
Ben added these comments in the current discussion du jour ...


You'll have to forgive my denseness, then. If you really are an
IBM Business Partner, why don't you ask THEM why whatever this
top-secret app does that makes it "flaky" and have them either
fix it or replace it.

The app isn't secret, I just didn't think it was specifically relivant to
the discussion, its actually called Business Modeler. We've told them its
flaky, and they know it causes us problems, but we're a fairly small
company, so whether they'll listen to our feedback or not I don't know. Even
if they did decide to fix some of the issues it could be a while before any
update or new version is released.

Once installed correctly, without error, and running, absent HD
or memory problems perhaps, software seldom gets "corrupt".
Again, there are exceptions to any rule here, but SW doesn't need
to have its oil and filter replaced, it just runs unless/until a
bug appears, a Registry key gets corruped - which DOES happen
even on well-behaved and stable apps, or some other anomoly
occurs. I understand that you don't use this apparent POS but you
do support it. Perhaps you should delve deeper into this yourself
and save both personal grief and grief for your internal
customers who cannot work.

I know it 'shouldn't get corrupt, but the feedback from our consultants is
that they've been on site, and the software stopped working properly, (I
will try and get more specific feedback on 'how' exactly it stopped working
properly) apparently another consultant that was onsite from another company
had a similar issue in the past, and suggested uninstallilng and
re-installing, which our consultant did, and this fixed the issue.

This paragraph makes no sense whatsoever. What is
"virtualisation" anyway? Do you mean that it pages to
pagefile.sys too much? As to memory, I believe you said you're
running XP Pro SP2? Is it 32 or 64-bit? If the former, 4 gig is
all you can install, and the top gig isn't normally addressable
by SW or even Windows. Again, if your secret app is really so bad
yet somehow indespensible, I cannot understand why you've not
beaten on on its developer.

By 'virtualisation' I mean having the base build laptop, which is a member
of our domain, running with WinXP, Office etc so they can do day to day
work, and pick up email. They would also have VM Workstation installed (Like
MS Virtual PC), and have a virtual machine running inside the VM
Workstation, and having this VM setup so its a standalone workstation, users
get local admin rights, it doesn't have any network configured, (this stops
users from being able to downloading any malware etc), and just runs the
Business Modeler software. If the software needs uninstalling/re-installing
then the user can do this, (We use this setup for other IBM software that
requires less memory, and it works quite well). Currently we're running
32bit, and I know this is limited to 4gb, its also limited because I don't
think there are many laptops that support more than 4gb memory anyway, even
64bit ones, certainly no laptop from Dell supports more than 4gb.

The trouble is, as an IBM business parter, we're tied to using this
software. And, you have to understand IBM, and that we're only a small
company, they don't have to listen to our feedback. They have 140 different
products, just under their websphere set, let alone all the other product
sets they have. Personally, I think this means they don't spend enough time
testing, and working out all of the bugs in the different products.

I'm not very familiar with user-specific restrictions except the
obvious via accounts and perhaps restricting certain security
rights for given files. But, even if you could stop your users
from installing SW, how would that help you? Are you saying that
your users are incorrectly installing new apps or mangling older
ones, and that is what is causing your "flaky" app to hiccup?

No, i'm saying I don't want our users to be able to install software because
its against company policy, thats why they aren't local admins. It also
reducing the risk of malware installing itself. BUT until IBM fix the issues
with Business Modeler, the users need to be able to re-install this
particular application.

It isn't that I want to beat up on you personally, but even if I
were able to help technically, perhaps by some judicious reading
or from prior personal experience, you simply haven't given any
facts that would point to suggested fixes. It's your business to
reveal what is really going on here or keep it confidential, but
you're asking a peer-to-peer user help NG to diagnose a problem
with no knowledge as to the app is, other things going on with
the systems having "flaky" problems, whether you've checked their
HW, etc. And, is it even remotely possible that malware may be
the cause?

I appreciate that I could have given more information on the app, but I
needed to be careful because of the nature of the subject, (it probably
doesn't look good when an IBM partner posts to a Microsoft forum saying the
IBM software is flaky and causing problems). I was hoping there would be
some standard method of fixing this issue, that would be generic to most
software, whether it was IBM Business Modeler, Microsoft Office, or any
other 3rd part app.

I'm fairly certiain its not hardware or malware related, the laptops we're
running this on are brand new Dell Latitude D630s with 4gb ram, we've tested
on 3, each brought at different times in the past 2 months, so its not
likely to be a dodgy batch. The laptops were clean installs, and run
symantec client security, which should detect most malware, (although its
not impossible that this is causing some problems).

Ben

Ben

"HEMI-Powered" <none@xxxxxxx> wrote in message
news:Xns99D8657CCA8AEReplyScoreID@xxxxxxxxxxxxxxxx
Ben added these comments in the current discussion du jour
...

Hi,

We have a number of consultants who use a piece of very
flaky software, which some times requires

you don't say what this is, but have you considered getting
something un-flaky? unless this is very old legacy software
and there is no newer version, or it is custom-written, or
the like, you may have a problem but if you provide some
hints as to what your users really want to do, maybe somebody
could give you an intelligent suggestion.

uninstalling/re-installing, or having fix-packs installed.
As our users don't have local admin rights they usually have
to come to the IT department, and we put them in a kind of
'maintenance mode' so they can perform the necessary tasks,
this is just basically a group that is a member of the local
admins group. When in the office this isn't a problem.
However, if they are out on site, and they need to
reinstall, this causes problems.

One solution would be to put them 'maintenance mode/local
admin group' for the entire time they are on a client site,
but obviously this opens a number of security holes.

Another solution would be to create a secondary user that
does have local admin rights, and to use this with the runas
command to uninstall/re-install, or perform other admin
tasks.

However, I know our users, once they know the username &
password, they will try to login as this user, as its easier
than having to keep using runas, which then opens the same
security holes as putting their standard users in the local
admin group.

Is there someway of allowing a user to logon using runas,
but deny the interactive logon? I've tried enabling 'Deny
log on locally' via GP, but this also denies the user Runas.

Or is there a 3rd way of doing this, that I'm missing? Our
users need to be able to do certain admin functions, such as
re-install software, when on a clients site, to perform
their job properly, however, we don't want them running in
admin mode all the time.

Ben

P.S We're running Windows XP SP2, on a Win 2003 R2 Domain

You list some rather bizarre and difficult to implement
alternatives but again, wouldn't getting more stable software
be more appropriate?

--
HP, aka Jerry






--
HP, aka Jerry


.

Relevant Pages

  • Re: Deny Interactive Logon but Allow Runas
    ... an IBM Business Partner, why don't you ask THEM why whatever ... The app isn't secret, I just didn't think it was specifically ... to IBM until they fix/replace their crap SW or refund your money. ... allow even one local admin and expect "flaky" software to be ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Atheists: Americas most distrusted minority
    ... personal and business ethics. ... There are other platforms if you don't like Windows, ... So does IBM. ... competition for a new word processor is difficult. ...
    (rec.arts.sf.tv.babylon5.moderated)
  • Re: [OT]: IBMs view on how chips make valued-added proposition
    ... > IBM's Computer-Server Business ... > also stands to be a long-term revenue builder for IBM, ... instead of standardizing on Intel chips as many competitors have ... IBM also has been selling more servers that run on the free Linux ...
    (comp.os.vms)
  • Re: Rocket Software sells stock for $92m
    ... I'd be Very surprised if a competitor was investing in the U2 business ... D3 people here than those with other platforms. ... and reflective of that market than others. ... U2 never fit into the way IBM sells software. ...
    (comp.databases.pick)
  • Re: PSI MIPS (was: Links to decent why the mainframe thrives article)
    ... Indeed Intel has not widely deployed SOI, ... Copper, IBM invented it and now virtually all semiconductor companies, ... in some of the same markets that x86 competes. ... spends almost $6B on their semiconductor business alone. ...
    (bit.listserv.ibm-main)
Loading