Can we assign 1 system.mdw file to a DB on a network?

[pnsmack]

Good Afternoon Everyone,

I'm Paul, I'm new to this service, and it looks like a tremendous resource ! Thanks in advance for your help.

Here's my situation :
-------------------------------
I have an MS Access 2000 DB, and I've followed all of the standard "Secure An Access DB" steps--- I've created a separate .mdw file, changed the password for the user "Admin", imported all of the objects as the new "Admins group" user so that all of the objects are owned by the new administrator (not the user "Admin&quot.

Our network is set up such that each client has MS Access installed on their own computer, and therefore each user has their own ".mdw" file and launches MS Access from their own computer.

What I'd like to know is this : How do we force ALL network users to use the workgroup information file that I've created solely for this database, and NOT use their own ".mdw" file ? Is this even possible ? For some reason, the workgroup information file applies to me from my computer, but when other folks open the database, they get logged in as default user "Admin", so I think that the database is letting them in with their own ".mdw" file. I've changed the password for "Admin", so at the very least I was expecting Access to pop up a "Enter Password:" box, but no dice. They just get logged in as user "Admin" and there is no password prompting whatsoever.

Any ideas ? I would think that there HAS to be some way to specify "1 workgroup information file" for "1 database file". I can't imagine that Microsoft would leave such a backdoor so wide open ! As far as command-line options go--- I know that you can specify a workgroup in command line (/WRKGRP) from a shortcut icon, but that still doesn't close the security loophole--- somebody could simply open Access, navigate to the DB file, and open it, thereby circumventing the password issue (I tried this and did it).

Please help !!!!!!!
Thanks a million,
Paul

 

[mdthornton]

Yes this is possible....

The way I do this is to launch Access via a shortcut in which you specify the workgroup file explicitly. The
shortcut itself would be something like:

%mybin%\msaccess.exe /wrkgrp \\server\apps\xyz.mdw xyz.mdb

The other way is to get your users to join your workgroup
via the workgroup administrator. This is fine if you have a single workgroup file for your organisation but not when you
have multiple files. Good Luck,
Mike T

 

[pnsmack]

Mike,
Thanks for the info. But is there some way to enforce use of the .mdw file without use of a shortcut or users joining the workgroup ?

The problem I'm having is that even after I change the password for "Admin" in the database, users are still able to log in as "Admin" with no password.

Needless to say, this is a security problem.

If somebody can launch Access from their "Start" menu, and then click "File...Open" on the database and still get in, why even have security ?

It just seems to me that Microsoft has to have built in a way for a database file to be linked to a .mdw file that overrides all the other .mdw files out there.

Any more ideas ?
Thanks !
Paul

 

[maggieb]

Is Admin the owner of the database and all objects? What I have done in the past is create a new Administative user (I usually used 'Developer') and change the ownership of everything to the new user. Then change the rights for the Admin user.

 

[pnsmack]

Maggie (? I presume ?),

No, Admin is no longer the owner of the db & all objects. I created a new Administrative user who owns everything after I imported all of the objects into a database while logged in as that new user).

The problem is this--- I want everybody to be prompted for a userid/password at login. I changed the password for "Admin", but people are still able to get into the database (even though "Admin" user has no privileges).
So the big problem is this--- users on our network are not impacted by the "Admin" password change.

That's another thing--- how can we get MS Access to prompt for a password at startup instead of using a user's "system.mdw" file ?

As far as I can tell, having a "shortcut icon" that links the DB with a workgroup information file is pretty worthless as far as security is concerned--- because if people can launch MS Access from their desktop and then get into the database with their standard "system.mdw" files, where's the security ?

Granted, they are getting into the system as a user named "Admin" with no privileges, but how do you start Access without having it automatically pass "Admin" as the user ?

Please help as this is very frustrating. I miss Oracle and UNIX....1 server, 1 database, 1 system-level-table that stores the passwords and userids. Everybody logs in from their little client boxes, they make their request to the big, bad single server, the big/bad single server decides if it wants to let them in, and everybody's happy.
None of this C:\system.mdw, D:\system.mdw, Security Wizard stuff...

 

[mdthornton]

Having the database window come up with no permissions is the best I've got to. I agree entirely with your sentiments but I guess that's the way it is. If you're new to the Access world you'll find many more annoying features like this :-(

Good Luck,
Mike T

 

[nivlac]

Paul,

Let me check a few things tonight on my database. I may have your solution. It will be long, so I may need to email it to you if that's okay. If you've already figured it out, drop me a quick note at ruchsa@samcstl.org. Otherwise, I'll prepare the steps involved in securing your database effectively. (Yes, even our I.S. department here was surprised by the complexity of my security measures. Maybe I should switch jobs. lol.)

Nivlac

 

[dneufarth]

Paul,

Have you read and followed the MS Access FAQ procedure?

If not, try going to

http://support.microsoft.com/default.aspx?scid=/support/access/content/secfaq.asp#_Toc493299660

Dave

 

[pnsmack]

Dave,
Yes, I've followed the general procedures from Microsoft's very own "technet" knowledge base.

I think what I'd like to know is this :

Is there a way to force the users on the network to use my new workgroup information file without them having to run the "WRKGADM.exe" program to specify that workgroup file ?

In other words, it would make loads of sense to be able to put the .mdb and .mdw file on a network shared drive, and then somehow make the 2 files linked at the network or database level instead of having to configure userid/password issues at the level of each and every user.
Can this be done ?

As it stands, unless the users specify my workgroup information file (.mdw), the system attempts to log them in as &quot;Admin&quot; every time. You would think that this would fail because I changed the Admin password to be non-blank, but I suppose that since the user's password information is in a file that they own (i.e.--- in THEIR workgroup information file, not mine, and not stored in the database itself), I can see where UID : <Admin> PASSWORD : <NULL> would work. Of course, once they're in the database as &quot;Admin&quot;, they have no privileges, but it's still inconvenient to have to run wrkgadmn.exe for everybody, especially when they might have other MS Access apps that they would like to use that have different .mdw files.

Thanks !
Paul

 

[dneufarth]

I may be mistaken, but when I played with the securing process a year or so ago I had the same problem you're encountering.

I then went back and followed the FAQ process and using a unique MDW file. Upon attempting to open the secured database using default system.mdw the prompt for user and password did appear.

Explicit specification of MDW in shortcut or joining are the only choices. No implicit association between MDW and database exists as far as I know.


Dave

 

[pnsmack]

Dave,

What about the other users on your network ? When they tried to open the database WITHOUT specifying your new .mdw file via WRKGADMN.exe, were they prompted for a password ?

If so, maybe I'm doing something wrong, but if I interpret all of the white-papers correctly :

IN ORDER TO link the .mdw and .mdb files, you have 1 of 2 options :

1. Users run WRKGADMN.exe and specify the .mdw file as their default
2. Users launch application via a shortcut which specifies /WRKGRP in the command line

Have I missed anything ?
Thanks,
Paul

 

[mikehoot]

You need create a unique .mdw file. Then log into your unsecured db using a shortcut to this mdw. Now go through the securing process and your new secure db will be limited to this mdw file. Again, add a pw to user ADMIN and add another user with ADMINS permissions. Then remove ADMINS permissions from user ADMIN.

I think the problem you are having at the moment is that although you are using a seperate mdw on your network, it has the same properties as the local mdw on your users PCs.

Let me know how you get on

:-9

 

[maggieb]

I don't use the pesky WRKGADMN.exe, I make a copy of the system.mdw, copy it to a network location and rename it. This is the .mdw that I use on the shortcut to open the database.

 

[dneufarth]

Paul,

I'm sure no one could access the database without the proper workgroup. It was A97; I haven't tried securing an A2000 database.

You might check on this &quot;remove the Open/Run permission from the database container for the Users group through the security menus or through code. This will prevent someone from opening the database by using another workgroup information file or the default System.mda/mdw. In Microsoft Access 97, the User Level Security Wizard is supposed to remove the Open/Run database permissions for the Users group, but fails to do so.&quot;

Only other thing I can suggest is experiment on a newly created test database and follow the FAQ instructions to the letter. Perhaps you overlooked something.

Dave

 

[mikehoot]

MaggieB

You might think the program is pesky, and I would probably agree, but if you copy the system.mdw file then the original has exactly the same properties as your network copy.

Even if you apply permissions using your copy, the original system.mdw file retains admin rights. As Access uses username &quot;Admin&quot; by default (unless you have forced passwords by adding a PW to username &quot;Admin&quot any user can access you db just by opening Access.

You need to create a NEW mdw file, with unique Workgroup ID. Then secure your db with using this.

Unless you do this, anyone with a standard sytem.mdw file has full permissions to your db.

Pesky or not, it serves a purpose! Blame Microsoft!

;-9

 

[maggieb]

Mikehoot:

Obviously, I remove all permissions for the Admin user within the secured database, and take him out of the Admins group. Permissions are stored with the Database, so even if a user logs in using Admin without using the 'new' .mdw, they are not able to get into anything. I also create all objects using a specific user, so that Admin does not own anything. It seems to have worked for me so far!

 

[tgikristi]

Paul,

I am having the exact same question/problem as you describe in your original post--I know its been a long time, but I was wondering if you found any solutions?

Thanks,
tgikristi

 

[pnsmack]

tgikristi,

I wish I could give you a better answer, but the only thing I can tell you is :
1. Use a desktop shortcut that routes folks through the workgroup information file you created for the database.
2. If you've secured the database properly, then people shouldn't be able to log in as &quot;Admin&quot;.

Soon after I made my initial post (some time ago), I re-secured the database and it worked okay. The only thing I can figure is that I must've left out an important step along the way.

Also--- if you're doing &quot;development&quot; work in a copy of the &quot;.mdb&quot; file, make sure you're not just copying &quot;.mdb&quot; files back and forth, even if they use the same workgroup information file. Always---- ALWAYS make sure you &quot;import&quot; any new forms/queries/tables/etc as the administrator in the original (production) database. This way, importing the object will ensure that it gets imported as the administrator userid, and therefore &quot;owned&quot; by the administrator userid, and therefore it should be secure.

I think my initial &quot;beef&quot; was with the fact that MS Access isn't a true client-server database, but rather a &quot;file sharing&quot; database, hence my initial post wondering &quot;how&quot; to make an MS Access workgroup information file the &quot;official&quot; file for an entire network. I don't think I ever found out that this could be done. Probably SQL*Server has the closest thing resembling Oracle. I was so used to administering Oracle DB's for a couple of years that I had gotten used to the concept of a centralized server that people have to log in to in order to have a database 'session'. In MS Access, this isn't the case. Unless you split the interface and the backend tables, the entire DB resides in one big file.

Hope this helps. Good luck. The only thing I can say is make absolutely sure that you've followed the secure steps, and use the shortcut with the /WRKGRP option specified.

ALSO --- you can pass the Windows NT login userid on the shortcut command line. Just use /USER %username% (The %username% will grab their network userid...helpful if you're mirroring their database accounts to have the same name as their login userid).