Win2K Permissions Expert Needed!

TriggerDust

Feb 7, 2002
Hello,

Here is my situation:
I have a Win2K DC, I have a Win2K Citrix Metaframe XPa feature release 3 Server and I have a Win2K SQL 2000 Ent Server. I have ACCPAC as a published application on the Citrix server and the ACCPAC database sits on the SQL server. I have a test domain user account that is part of the 'Domain users' group only.

Here is my problem:
When I click on my Citrix published app icon from my workstation - Citrix authenticates me perfectly and takes me into my ACCPAC login screen. When I log into ACCPAC, I get an error message: 'Invalid User ID. The connection user ID specified in the system database profile is not valid.' Now, if I add that domain user account to the 'Domain Admin' group - it works perfectly. Obviously, this is a win2k permission issue but I cannot for the life of me, figure out where and what it is that needs those permissions. I do not want to add every domain user account to the Domain Admin group - that wouldn't be too cool. If anyone can offer any insight - I would be grateful!
 
I've run into similar issues with old software running on newer operating systems. The writers assume the user has local administrator or poweruser rights (and that is a scary thought). Try checking the permissions of the files and folders associated with that application (including the top level folder). See if a user is blocked or not allowed access. It may be that the user does not have rights to the ACCPAC authentication file itself.
Now it can get worse, I've had it be a case of the user did not have permission to a particular registry setting (just need read access, but I had to give them full).
Hope this gives you a starting point.
 
Yes, I have tried adding the Domain Users group to the Program directory on the Citrix Server where the application is installed and giving them full access but that didn't work. I have also tried giving the domain users group full access to the HKey_Local_Machine > Software registry key and this doesn't make any difference. Somewhere lies a file/directory or registry key that needs to have full access for the Domain Users group in order for it to work but I can't seem to find it.

thanks for your input.
 
I have come across a similar problem myself in the Citrix MetaFrame world; here are my suggestions that may help you out.

-Check that the user accounts are members of the "Authenticated Users" group. This could be another group you create which is populated by the users you wish to be able to run this program.
-On the domain security level, give Authenticated users the ability to "Log on Locally". This may be a bit higher than you would like but is not an administrator level - has solved my problem in the past. (This group may already be set up this way but by default the "Administrators" may be the only group with this right).

You will need to force refresh the security policy on all machines or allow 5 - 15 minutes for the domain replication to occur automatically.

Good luck.
 
Invalid User ID. The connection user ID specified in the system database profile is not valid.
This didn't say access denied, it said Invalid User ID. Sounds like the user's SID is not quite correct. Try creating a new dummy user account and see what happens. Good luck.

Glen A. Johnson
Johnson Computer Consulting
MCP W2K
glen@johnsoncomputers.us

 
Hmmm....I think you may be onto something with the 'Authenticated Users' group...I will try this later as soon as I have a chance. I don't believe it is a SID issue, it doesn't matter how many accounts I create, they all do the same until they are added to the domain admin group - then all is fine. Thanks for your posts guys - I'll let you know what happens.
 
Andreh,

Can you clarify this a little bit for me? I am unable to find the Authenticated Users group so I am unable to confirm or deny if the users are part of the group or not.
Also, once I am able to view this group to see who is in there, where do I look to see if they have the "Log On Locally" permission. Thanks for your help.
 
You cannot add a user to the "Authenticated Users" group. This is a dynamic/virtual group, it's not a physical group you can access. You can use it like a regular group and assign rights to it if you like.

My question to you, can this user log into the app if you don’t go through Citrix? Can you install the software on a workstation and run it?

MikeL
 
ProfFate,

Yes, if I log directly into ACCPAC from a workstation - circumventing Citrix altogether, it works fine.

thanks,
 
I used the "Authenticated Users" as an example but ProfFate is correct; this is probably a bad example. Domain Users is probably a better example.

The best practice would be to create a new group specifically for this purpose so it can be tested first. Create a test user account that is added to this newly created group before modifying any of the populated groups for what I assume is a production environment.

The area you want to be looking at is the "Domain Security Policy". This is only within the domain controller's Control Panel, Administrative Tools and "Domain Security Policy".

The below link shows what this interface looks like:

The area of the tree within the "Domain Security Policy" you need to look/modify is called "User Rights Assignment". This can be found under Windows Settings, Local Policies and "User Rights Assignment".

This will list the security options for the whole domain.
**This is a powerful area so be aware that what you modify here can impact the whole domain**.

About 2/3rds down this list will be the option for "Log on Locally". Add this group to this option by double clicking the option and adding the required group.

Good luck
 
Andreh,

Thanks for the response. I followed your instructions to the letter and am still receiving the same error. But as soon as they're in the Domain Admins group - voila - works like a friggin' charm....so I really don't know!
 
I think this might be a rights issue on your Citrix server, not necessarily a logon problem. I've seen things like this on Citrix servers and it turns out that the application is trying to create/modify a file on the Citrix server, and the user doesn't have rights to do that. Try and use a program like FileMon to find out what files are being accessed or created on the Citrix server. Then you can see if that user has rights into that directory or not. Here is a link to FileMon.


MikeL
 
Yes, ProfFate - I have run FileMon on the Citrix server and gone through all the access lines and found nothing that indicates an Access Denied etc. Thanks for the good tip though!

-TD
 
Ok, FINALLY I got this resolved.....the problem was all caused by the ODBC link between the Citrix Server and the SQL Data server. I had it configured to use NT authentication - just for the hell of it I tried SQL authentication and it worked! Simple little things'll kill ya'.

thanks to all who tried to assist and gave their input!
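
A possible SQL Server-side explanation for the behaviour in this thread, as an added example that is not part of the original posts: SQL Server 2000 setup gives BUILTIN\Administrators a sysadmin login by default, and Domain Admins is a member of the local Administrators group on domain member servers, so under NT authentication a Domain Admins account can connect while a plain Domain Users account has no SQL Server login at all. Assuming that is the cause here (the thread does not confirm it), the T-SQL below checks it and grants access to a dedicated group instead of Domain Admins; `CORP\AccpacUsers` and `ACCPAC_DB` are hypothetical names.

```sql
-- Added example; CORP\AccpacUsers and ACCPAC_DB are hypothetical placeholders.
-- Run in Query Analyzer on the SQL Server 2000 instance as a sysadmin.

-- 1. List the Windows users and groups that hold a SQL Server login.
--    If BUILTIN\Administrators is the only relevant row (sysadmin = 1),
--    NT-authenticated connections succeed only for administrators.
SELECT name, isntgroup, isntuser, hasaccess, denylogin, sysadmin
FROM master.dbo.syslogins
WHERE isntname = 1
ORDER BY name;

-- 2. While connected over the NT-authenticated DSN with the account that
--    "works" (the Domain Admins member), confirm where its access comes from.
SELECT SUSER_SNAME()                AS connected_as,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 3. Give a dedicated Windows group its own login instead of relying on
--    administrator membership, and point it at the application database.
EXEC sp_grantlogin 'CORP\AccpacUsers';
EXEC sp_defaultdb  'CORP\AccpacUsers', 'ACCPAC_DB';

-- 4. Map the group into the application database and grant data access.
--    The roles are an assumption; adjust them to what the application needs.
USE ACCPAC_DB;
EXEC sp_grantdbaccess 'CORP\AccpacUsers', 'AccpacUsers';
EXEC sp_addrolemember 'db_datareader', 'AccpacUsers';
EXEC sp_addrolemember 'db_datawriter', 'AccpacUsers';
```

If the query in step 2 returns `is_sysadmin = 1`, every user placed in Domain Admins to make the application work has also been running with full control of the SQL Server instance.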
 