Re: Deny Interactive Logon but Allow Runas



Ben added these comments in the current discussion du jour ...

You'll have to forgive my denseness, then. If you really are
an IBM Business Partner, why don't you ask THEM why whatever
this top-secret app does that makes it "flaky" and have them
either fix it or replace it.

The app isn't secret, I just didn't think it was specifically
relevant to the discussion, it's actually called Business
Modeler. We've told them it's flaky, and they know it causes us
problems, but we're a fairly small company, so whether they'll
listen to our feedback or not I don't know. Even if they did
decide to fix some of the issues it could be a while before
any update or new version is released.

try using the old-fashioned method - withhold all future payments
to IBM until they fix/replace their crap SW or refund your money.
or, keep pounding on IBM through your business partner rep to at
least recommend an alternative. the reason I kept asking what it
was is that no one, certainly not me, can predict what may be
happening nor even suggest ways of finding alternative apps.
e.g., "Google is your best friend" but is 100% useless unless you
have something to search for, thus if you or anyone tried some
Googling for a program with Business Modeler's purpose, perhaps
you'd be more successful.

Once installed correctly, without error, and running, absent
HD or memory problems perhaps, software seldom gets
"corrupt". Again, there are exceptions to any rule here, but
SW doesn't need to have its oil and filter replaced, it just
runs unless/until a bug appears, a Registry key gets corrupted
- which DOES happen even on well-behaved and stable apps, or
some other anomaly occurs. I understand that you don't use
this apparent POS but you do support it. Perhaps you should
delve deeper into this yourself and save both personal grief
and grief for your internal customers who cannot work.

I know it 'shouldn't get corrupt, but the feedback from our
consultants is that they've been on site, and the software
stopped working properly, (I will try and get more specific
feedback on 'how' exactly it stopped working properly)
apparently another consultant that was onsite from another
company had a similar issue in the past, and suggested
uninstalling and re-installing, which our consultant did, and
this fixed the issue.

you're a small company but you have consultants? what the hell
good are (highly?) paid consultants who're on-site if all they do
is tell you the symptoms, i.e., it stopped working again, but do
no-thing to fix it, don't recommend you do anything, don't
examine the problematic PCs, nothing. I'd fire them too!

This paragraph makes no sense whatsoever. What is
"virtualisation" anyway? Do you mean that it pages to
pagefile.sys too much? As to memory, I believe you said
you're running XP Pro SP2? Is it 32 or 64-bit? If the former,
4 gig is all you can install, and the top gig isn't normally
addressable by SW or even Windows. Again, if your secret app
is really so bad yet somehow indispensable, I cannot
understand why you've not beaten on its developer.

By 'virtualisation' I mean having the base build laptop, which
is a member of our domain, running with WinXP, Office etc so
they can do day to day work, and pick up email. They would
also have VM Workstation installed (Like MS Virtual PC), and
have a virtual machine running inside the VM Workstation, and
having this VM setup so it's a standalone workstation, users
get local admin rights, it doesn't have any network
configured, (this stops users from being able to download
any malware etc), and just runs the Business Modeler software.
If the software needs uninstalling/re-installing then the user
can do this, (We use this setup for other IBM software that
requires less memory, and it works quite well). Currently
we're running 32bit, and I know this is limited to 4gb, it's
also limited because I don't think there are many laptops that
support more than 4gb memory anyway, even 64bit ones,
certainly no laptop from Dell supports more than 4gb.

I understand this but not the term. I assume you've tried running
BM (interesting acronym!) on other PCs not running under some
convoluted VM? if yes, does it run better, same, or worse? if
better, then start looking at the way you've set up the cascaded
virtual machines for the trouble, which may also explain mis-use
or overuse of memory. again, though, unless acted upon by some
external force, I can't see why BM would suddenly stop running
and need to be installed, absent something in your VM scheme
that, say, corrupts a client, i.e., end-user's, Registry or some
critical file(s) on their PC. It just doesn't happen that normal
running software suddenly gets corrupt and needs a re-install and
certainly NOT continuously.

as to the memory issue, you said earlier that BM is a memory hog
and wants all of the 4 gig (really 3). is there a pagefile
problem or something native to the client PC XP install that mis-
manages available memory? have you had your people or the
consultant run Task Manager or any utility software that will
tell you for sure where the memory drain(s) are other than BM?
and, once more, why cannot IBM tell you why THEIR SW a) hogs so
much memory and b) constantly needs re-installs.

The trouble is, as an IBM business partner, we're tied to using
this software. And, you have to understand IBM, and that we're
only a small company, they don't have to listen to our
feedback.

I do understand IBM and the nature of being a business partner,
which is why I suggested having your accounts payable people
withhold all future payments/royalties/whatever, and have your
legal people document all of this. also, if the failure of BM is
a cause of provable damage to your company, no matter how small,
such as lost revenue, lost profits, lost productivity, legal
remedies can be instituted against IBM at their expense to
recover your damages.

They have 140 different products, just under their
websphere set, let alone all the other product sets they have.
Personally, I think this means they don't spend enough time
testing, and working out all of the bugs in the different
products.

NO company spends enough time testing! and, ALL developers make a
business decision as to how much of their time and resources they
want to devote to fixing problems. often, they just release the
code as-is and let their customers fend for themselves.

one other question comes to mind wrt all 140 products, including
BM: has IBM released any updates or new version upgrades? if yes,
did that help? if no, why not?

I'm not very familiar with user-specific restrictions except
the obvious via accounts and perhaps restricting certain
security rights for given files. But, even if you could stop
your users from installing SW, how would that help you? Are
you saying that your users are incorrectly installing new
apps or mangling older ones, and that is what is causing your
"flaky" app to hiccup?

No, I'm saying I don't want our users to be able to install
software because it's against company policy, that's why they
aren't local admins. It also reduces the risk of malware
installing itself. BUT until IBM fix the issues with Business
Modeler, the users need to be able to re-install this
particular application.

I understand this, also. see my long post about company policy.
but, your company simply must get it through their heads that
they cannot have their cake and eat it too, i.e., they can't NOT
allow even one local admin and expect "flaky" software to be
fixed long-distance. and, your management must not at all
understand cash-flow and return-on-investment if you're paying
local consultants at any hourly rate to just tell you that it
quit again.

It isn't that I want to beat up on you personally, but even
if I were able to help technically, perhaps by some judicious
reading or from prior personal experience, you simply haven't
given any facts that would point to suggested fixes. It's
your business to reveal what is really going on here or keep
it confidential, but you're asking a peer-to-peer user help
NG to diagnose a problem with no knowledge as to what the app is,
other things going on with the systems having "flaky"
problems, whether you've checked their HW, etc. And, is it
even remotely possible that malware may be the cause?

I appreciate that I could have given more information on the
app, but I needed to be careful because of the nature of the
subject, (it probably doesn't look good when an IBM partner
posts to a Microsoft forum saying the IBM software is flaky
and causing problems). I was hoping there would be some
standard method of fixing this issue, that would be generic to
most software, whether it was IBM Business Modeler, Microsoft
Office, or any other 3rd party app.

you say that IBM won't listen to you, so why should you care
where you post about their crap? moreover, this is an MS-
sponsored NG perhaps, but it isn't run by or for MS and AFAIK, no
MS employees visit here. which brings the question does IBM or
its business partner scheme have anything akin to a NG or web
site or KB you can go to for help?

I'm fairly certain it's not hardware or malware related, the
laptops we're running this on are brand new Dell Latitude
D630s with 4gb ram, we've tested on 3, each bought at
different times in the past 2 months, so it's not likely to be
a dodgy batch. The laptops were clean installs, and run
Symantec client security, which should detect most malware,
(although it's not impossible that this is causing some
problems).

OK. if you've exhausted all of the obvious things, that leaves
just two: 1) beat on MS, not IBM, as to why their O/S won't run
an MS-certified piece of SW and 2) at least try to dismantle that
complex VM scheme you've got until you are sure it has nothing to
do with the apparent instability of BM. intermittent problems
that cannot be reliably repeated are very difficult to diagnose
so often one must try to diagnose by exclusion.
Ben

"HEMI-Powered" <none@xxxxxxx> wrote in message
news:Xns99D8657CCA8AEReplyScoreID@xxxxxxxxxxxxxxxx
Ben added these comments in the current discussion du jour
...

Hi,

We have a number of consultants who use a piece of very
flaky software, which sometimes requires

you don't say what this is, but have you considered getting
something un-flaky? unless this is very old legacy software
and there is no newer version, or it is custom-written, or
the like, you may have a problem but if you provide some
hints as to what your users really want to do, maybe
somebody could give you an intelligent suggestion.

uninstalling/re-installing, or having fix-packs installed.
As our users don't have local admin rights they usually
have to come to the IT department, and we put them in a
kind of 'maintenance mode' so they can perform the
necessary tasks, this is just basically a group that is a
member of the local admins group. When in the office this
isn't a problem. However, if they are out on site, and
they need to reinstall, this causes problems.

One solution would be to put them in 'maintenance mode/local
admin group' for the entire time they are on a client
site, but obviously this opens a number of security holes.

Another solution would be to create a secondary user that
does have local admin rights, and to use this with the
runas command to uninstall/re-install, or perform other
admin tasks.

However, I know our users, once they know the username &
password, they will try to login as this user, as it's
easier than having to keep using runas, which then opens
the same security holes as putting their standard users in
the local admin group.

Is there some way of allowing a user to logon using runas,
but deny the interactive logon? I've tried enabling 'Deny
log on locally' via GP, but this also denies the user
Runas.

Or is there a 3rd way of doing this, that I'm missing? Our
users need to be able to do certain admin functions, such
as re-install software, when on a client's site, to perform
their job properly, however, we don't want them running in
admin mode all the time.

Ben

P.S We're running Windows XP SP2, on a Win 2003 R2 Domain

You list some rather bizarre and difficult to implement
alternatives but again, wouldn't getting more stable
software be more appropriate?

--
HP, aka Jerry








