|
security
newsgroups
|
|||||||||||||||||||||||
|
|||||||||||||||||||||||
system.mdwlogin is listed as the "owner" and I've gimped the admin user, modified the user group permissions, etc. The problem is I think in the process I might have fragged my system.mdw. A long time ago I tried messing with ULS and now when I open my project, if the default mdw file is the "system.mdw", then the "owner " is listed as "unknown" and the admin user (the only one remaining) doesn't have the permissions necessary to administer most of my tables, etc. Is it possible to gimp the main/default mdw like that, and if so, can I just copy someone elses "pristine" mdw file over mine and sort of "start over" with a clean system.mdw file like that? (I don't have easy access to the install disk but, in an emergency, I could get it) Any help? Thanks, CW Cheese_whiz wrote:
> I made a WIF to go along with and 'secure' my database, and it seems That actually sounds OK. The owner information is stored in the mdb. Since > ok. My login is listed as the "owner" and I've gimped the admin > user, modified the user group permissions, etc. > > The problem is I think in the process I might have fragged my > system.mdw. A long time ago I tried messing with ULS and now when I > open my project, if the default mdw file is the "system.mdw", then > the "owner " is listed as "unknown" and the admin user (the only one > remaining) doesn't have the permissions necessary to administer most > of my tables, etc. you are opening using system.mdw, that workgroup doesn't have the owner in it so it shows as unknown. Also you have only one user called Admin, and it doesn't have any permissions to do anything, and rightly so. What *is* wrong though, is that you were able to open the mdb as Admin. If secured properly you shouldn't be able to even open it. Double-check the permissions (while logged into your secure WIF) that the Users Group doesn't still have permissions on the Database Object. Also verify that *every* object isn't owned by Admin. Your default mdw may be just fine. When using it, are you asked for a username/password? > Is it possible to gimp the main/default mdw like that, and if so, can If you think the system.mdw has been tainted, and you are using 2002 or > I just copy someone elses "pristine" mdw file over mine and sort of > "start over" with a clean system.mdw file like that? (I don't have > easy access to the install disk but, in an emergency, I could get it) 2003: Make sure your default WIF is set to system.mdw (check in Tools, security, workgroup administrator Close Access and delete system.mdw. Open Access and it'll create a pristine mdw. If you are using an earlier version, you can copy system.mdw from another computer. -- Joan Wild Microsoft Access MVP Joan,
Thanks! I think I got it now (famous last words). It didn't have anything to do with my system.mdw being messed up. I just didn't understand that changes I made in my "secure.mdw" would be reflected in the permissions available when the project was opened joined to the system.mdw. I still probably don't understand all of how that works, but I do now know that I can take away all of user "admin"'s rights while joined to my secure.mdw, and I can't even open the project using the system.mdw. By the same token, I could join to the secure.mdw, open the project with my owner Id, give admin all the rights, and he would be able to do about anything EVEN WHEN the project was opened while joined to the system.mdw (not that I'd want to do that....I've already taken away all his rights now). Anyway, thanks again....very helpful just to know that the owner was stored in the db...that got me thinking. CW Show quoteHide quote "Joan Wild" wrote: > Cheese_whiz wrote: > > I made a WIF to go along with and 'secure' my database, and it seems > > ok. My login is listed as the "owner" and I've gimped the admin > > user, modified the user group permissions, etc. > > > > The problem is I think in the process I might have fragged my > > system.mdw. A long time ago I tried messing with ULS and now when I > > open my project, if the default mdw file is the "system.mdw", then > > the "owner " is listed as "unknown" and the admin user (the only one > > remaining) doesn't have the permissions necessary to administer most > > of my tables, etc. > > That actually sounds OK. The owner information is stored in the mdb. Since > you are opening using system.mdw, that workgroup doesn't have the owner in > it so it shows as unknown. Also you have only one user called Admin, and it > doesn't have any permissions to do anything, and rightly so. What *is* > wrong though, is that you were able to open the mdb as Admin. If secured > properly you shouldn't be able to even open it. Double-check the > permissions (while logged into your secure WIF) that the Users Group doesn't > still have permissions on the Database Object. Also verify that *every* > object isn't owned by Admin. > > Your default mdw may be just fine. When using it, are you asked for a > username/password? > > > Is it possible to gimp the main/default mdw like that, and if so, can > > I just copy someone elses "pristine" mdw file over mine and sort of > > "start over" with a clean system.mdw file like that? (I don't have > > easy access to the install disk but, in an emergency, I could get it) > > If you think the system.mdw has been tainted, and you are using 2002 or > 2003: > > Make sure your default WIF is set to system.mdw (check in Tools, security, > workgroup administrator > Close Access and delete system.mdw. > Open Access and it'll create a pristine mdw. > > If you are using an earlier version, you can copy system.mdw from another > computer. > > -- > Joan Wild > Microsoft Access MVP > > > Usernames, passwords, Groups, memberships are all stored in the workgroup
file. The permissions/owners are stored in the mdb. 'Admin' user and the 'Users' group are common to every workgroup file. This is why anyone can open someone else's mdb that's unsecured. Actually Access always uses security - using the system.mdw that ships with Access, it silently logs you in as 'Admin'. Since it's the same in every system.mdw, anyone can open your unsecure mdb using their system.mdw. The Admins group is *not* the same in every mdw. This is why you want to create a new mdw to secure your mdb. The Admins group will be different. You then remove all permissions from the Users Group, and ensure that 'Admin' doesn't own anything. Then only your secure mdw can be used to open your secure mdb. Hope that helps. -- Show quoteHide quoteJoan Wild Microsoft Access MVP Cheese_whiz wrote: > Joan, > > Thanks! > > I think I got it now (famous last words). It didn't have anything to > do with my system.mdw being messed up. I just didn't understand that > changes I made in my "secure.mdw" would be reflected in the > permissions available when the project was opened joined to the > system.mdw. > > I still probably don't understand all of how that works, but I do now > know that I can take away all of user "admin"'s rights while joined > to my secure.mdw, and I can't even open the project using the > system.mdw. By the same token, I could join to the secure.mdw, open > the project with my owner Id, give admin all the rights, and he would > be able to do about anything EVEN WHEN the project was opened while > joined to the system.mdw (not that I'd want to do that....I've > already taken away all his rights now). > > Anyway, thanks again....very helpful just to know that the owner was > stored in the db...that got me thinking. > > CW > > "Joan Wild" wrote: > >> Cheese_whiz wrote: >>> I made a WIF to go along with and 'secure' my database, and it seems >>> ok. My login is listed as the "owner" and I've gimped the admin >>> user, modified the user group permissions, etc. >>> >>> The problem is I think in the process I might have fragged my >>> system.mdw. A long time ago I tried messing with ULS and now when I >>> open my project, if the default mdw file is the "system.mdw", then >>> the "owner " is listed as "unknown" and the admin user (the only one >>> remaining) doesn't have the permissions necessary to administer >>> most of my tables, etc. >> >> That actually sounds OK. The owner information is stored in the >> mdb. Since you are opening using system.mdw, that workgroup doesn't >> have the owner in it so it shows as unknown. Also you have only one >> user called Admin, and it doesn't have any permissions to do >> anything, and rightly so. What *is* wrong though, is that you were >> able to open the mdb as Admin. If secured properly you shouldn't be >> able to even open it. Double-check the permissions (while logged >> into your secure WIF) that the Users Group doesn't still have >> permissions on the Database Object. Also verify that *every* object >> isn't owned by Admin. >> >> Your default mdw may be just fine. When using it, are you asked for >> a username/password? >> >>> Is it possible to gimp the main/default mdw like that, and if so, >>> can I just copy someone elses "pristine" mdw file over mine and >>> sort of "start over" with a clean system.mdw file like that? (I >>> don't have easy access to the install disk but, in an emergency, I >>> could get it) >> >> If you think the system.mdw has been tainted, and you are using 2002 >> or 2003: >> >> Make sure your default WIF is set to system.mdw (check in Tools, >> security, workgroup administrator >> Close Access and delete system.mdw. >> Open Access and it'll create a pristine mdw. >> >> If you are using an earlier version, you can copy system.mdw from >> another computer. >> >> -- >> Joan Wild >> Microsoft Access MVP Yes, very helpful. Makes a lot more sense when you know where the various
related bits of info are stored (db versus mdw). Thanks again. CW Show quoteHide quote "Joan Wild" wrote: > Usernames, passwords, Groups, memberships are all stored in the workgroup > file. The permissions/owners are stored in the mdb. > > 'Admin' user and the 'Users' group are common to every workgroup file. This > is why anyone can open someone else's mdb that's unsecured. Actually Access > always uses security - using the system.mdw that ships with Access, it > silently logs you in as 'Admin'. Since it's the same in every system.mdw, > anyone can open your unsecure mdb using their system.mdw. > > The Admins group is *not* the same in every mdw. This is why you want to > create a new mdw to secure your mdb. The Admins group will be different. > You then remove all permissions from the Users Group, and ensure that > 'Admin' doesn't own anything. Then only your secure mdw can be used to open > your secure mdb. > > Hope that helps. > > > -- > Joan Wild > Microsoft Access MVP > > Cheese_whiz wrote: > > Joan, > > > > Thanks! > > > > I think I got it now (famous last words). It didn't have anything to > > do with my system.mdw being messed up. I just didn't understand that > > changes I made in my "secure.mdw" would be reflected in the > > permissions available when the project was opened joined to the > > system.mdw. > > > > I still probably don't understand all of how that works, but I do now > > know that I can take away all of user "admin"'s rights while joined > > to my secure.mdw, and I can't even open the project using the > > system.mdw. By the same token, I could join to the secure.mdw, open > > the project with my owner Id, give admin all the rights, and he would > > be able to do about anything EVEN WHEN the project was opened while > > joined to the system.mdw (not that I'd want to do that....I've > > already taken away all his rights now). > > > > Anyway, thanks again....very helpful just to know that the owner was > > stored in the db...that got me thinking. > > > > CW > > > > "Joan Wild" wrote: > > > >> Cheese_whiz wrote: > >>> I made a WIF to go along with and 'secure' my database, and it seems > >>> ok. My login is listed as the "owner" and I've gimped the admin > >>> user, modified the user group permissions, etc. > >>> > >>> The problem is I think in the process I might have fragged my > >>> system.mdw. A long time ago I tried messing with ULS and now when I > >>> open my project, if the default mdw file is the "system.mdw", then > >>> the "owner " is listed as "unknown" and the admin user (the only one > >>> remaining) doesn't have the permissions necessary to administer > >>> most of my tables, etc. > >> > >> That actually sounds OK. The owner information is stored in the > >> mdb. Since you are opening using system.mdw, that workgroup doesn't > >> have the owner in it so it shows as unknown. Also you have only one > >> user called Admin, and it doesn't have any permissions to do > >> anything, and rightly so. What *is* wrong though, is that you were > >> able to open the mdb as Admin. If secured properly you shouldn't be > >> able to even open it. Double-check the permissions (while logged > >> into your secure WIF) that the Users Group doesn't still have > >> permissions on the Database Object. Also verify that *every* object > >> isn't owned by Admin. > >> > >> Your default mdw may be just fine. When using it, are you asked for > >> a username/password? > >> > >>> Is it possible to gimp the main/default mdw like that, and if so, > >>> can I just copy someone elses "pristine" mdw file over mine and > >>> sort of "start over" with a clean system.mdw file like that? (I > >>> don't have easy access to the install disk but, in an emergency, I > >>> could get it) > >> > >> If you think the system.mdw has been tainted, and you are using 2002 > >> or 2003: > >> > >> Make sure your default WIF is set to system.mdw (check in Tools, > >> security, workgroup administrator > >> Close Access and delete system.mdw. > >> Open Access and it'll create a pristine mdw. > >> > >> If you are using an earlier version, you can copy system.mdw from > >> another computer. > >> > >> -- > >> Joan Wild > >> Microsoft Access MVP > > > 
Other interesting topics
Object permissions
Front end, Back end, and restrictions on which Forms can open. Is someone hacking into our database? Office 2000 Access 2003 Exclusive Open Rights Security loophole via Excel!!! Using Access over the Internet Ability for a non-Admins user to create new users get error message when running a query workgroup files and 2007 help, I enabled the security wizard |
|||||||||||||||||||||||
