Setting and Checking Access Rights and User permissions
Background
Access rights and user permission issues are becoming increasingly significant to the operation of networked Vision installations as Windows networks continue to migrate towards NT/2000/XP solutions.
The most relevant issues are:
- Folder sharing and associated permissions
Can prevent access to server files if incorrectly set. Sharing and sharing permissions are relevant to all Windows versions. For Windows NT and later, sharing is correctly set during Vision installation. However, it might be incorrectly changed later. For Windows 98, sharing must be set up manually as described previously.
- Registry Permissions
Can prevent Vision from retrieving and using important path information if incorrectly set. Registry permission is only relevant to Windows NT and later and is correctly set during Vision installation. However, it can be incorrectly changed later.
- Network User accounts and permissions
Can prevent access to server files if incorrectly set and can also cause problems with time synchronization. For multi-user systems, suitable users for operating Vision must be set up manually.
Indications of User permission problems
User permission problems can show themselves in the following ways in a VingCard Vision system:
Unable To Store Facility Code Message
When starting Vision, a message is displayed: “Unable to store facility code. Check that….” Vision continues to partially operate, but certain functionality is unavailable. For example, attempts to make a Guest key will provoke the message “License limit exceeded”.
This problem can be caused by problems with:
- Folder Sharing
- Registry Permissions
- Network User Accounts and Permissions
Vision Locklink module cannot access lock files
From a workstation, when you select the Vision Locklink module a message is displayed ‘File Not Found’. When you press ‘OK’ a more detailed error message appears in red text in the ‘Status’ panel. This problem can be caused by problems with:
- Folder Sharing
- Registry Permissions
- Network User Accounts and Permissions
Vision does not complete a backup
The error message ‘Error: did not complete the backup!!!’ is received when attempting to make a backup or when running an autobackup. Either the backup path cannot be determined from the registry (due to insufficient registry permission) or the specified path can be determined but not written to by the currently logged on user. This problem can be caused by problems with:
- Folder Sharing
- Registry Permissions
- Network User Accounts and Permissions
Workstation does not act on Time Synch message
A Vision station (usually the server) issues a time synch command as determined by the setup settings, but one or more other stations do not synchronize their time.
This problem can be caused by problems with:
- Network User Accounts and Permissions
How To Set Up User Permissions For Vision
Folder Sharing
The main Vision folder on the Vision server must be shared.
For Windows NT, 2000 & XP, the share is automatically made during installation.
For Windows 98 sharing has to be set manually. The process for this is described at step 2 of the ‘Installing VingCard Vision’ instructions.
You can check the share on the Vision server by using Windows explorer / My Computer, selecting the main Vision folder, right clicking, selecting Sharing and observing the share properties. They should be as outlined at Step 2 of the ‘Installing VingCard Vision’ instructions. If they are not, change them.
Registry Permissions
This is relevant to any PC on the Vision network running Windows NT, 2000 or XP.
Vision automatically sets the correct registry permissions during installation - but it is important that you were logged on with an administrator password during installation.
You can check and change these settings at the Vision server and at each workstation as follows:
The following steps assume that all Vision users belong to the group "Everyone".
- Logon to the PC with Administrator access rights.
- Select Start > Run.
- Type regedt32.exe to run the 32 bit Registry Editor.
- Select "HKEY_LOCAL_MACHINE"
- In the registry key tree, open the "SOFTWARE" key.
- Locate and highlight the "Vingcard" subkey.
- Select the menu option Security > Permissions...
- Check the option "Replace Permission on Existing Subkeys"
- Verify that the group "Everyone" is listed in the member group listbox. If not, press ADD and add it to the list.
- Double-click the group "Everyone".
- Check the "Full control" radio-button and press OK.
- Press OK and select "Yes" to the question to confirm the changes.
- Exit the Registry Editor.
Network User Accounts and Permissions
This is relevant to any workstation on a Vision network where the server is either Windows NT, 2000 or XP.
Access to the server
Log on to each workstation using a typical user account for staff that will use Vision. Use Network neighborhood (or equivalent) to locate the server machine. Highlight and double click. If you gain access to the machine, then network permission is not a problem; if you are prompted for a user name and/or password, it may be. In order for Vision to work you need to log on to the server from the workstation.
If this is the problem, the best way to solve it permanently is to create compatible user accounts (same username and password) on the server and workstation PCs. In this way, the username and password that you type to log on to the workstation is also used to gain access to the server with no additional input required.
There are two basic ways to tackle this:
- Set up one account on the server, an equivalent account (same user and password) on each workstation and always log into each workstation with that account when using Vision.
- Set up multiple accounts on each workstation (in line with the property’s policy) and mirror each on the Vision server.
Put the server and all workstations on a common workgroup (such as ‘VingCard’). Create a user ‘Vision’ on the server and assign a password. Now create user accounts with the name ‘Vision’ and the same password on all workstations.
Log on to workstations using the ‘Vision’ accounts. You can also log onto the server with the ‘Vision’ account but it is not essential. The important thing is that the server receives any valid username/password combination from the workstation.
For more complex networks, possibly involving domain servers etc. things may be more complex. However, the basic theory is the same: try to find or set up a workstation account that automatically provides access to the shared Vision folder on the server. The final solution chosen must take account of other User / traceability issues relevant to the property where the Vision network is installed.
Note that on Windows 98 PCs, you may want to activate multiple users (in order to automatically supply a username and password to the Vision server).
You can do this via Control Panel > Passwords > User Profiles, check the ‘All users can customize….’ Tab. When you restart, use the new username and password to login. This will create the new user.
Note also that with a Windows XP server, if you set up a user without a password (which is allowed) and then try and log on and connect through Win 98/NT/2000 workstations using the same username but leaving the password blank, you will not be connected. Therefore, it is necessary to define and use a non-blank password.
Local Rights necessary in order for Time Synch to work
For the Vision time synchronization function to work, each workstation running Vision must be logged in with sufficient user rights to allow the date / time to be modified.
You can check this for each relevant user. If you can’t change date / time via Control Panel, then Vision will not be able to change it either. You must then increase User Rights.
Under Windows 2000, Standard User will work, Restricted User will not.
Under Windows NT, Power User will work, User will not.
Avoid Windows password (Windows 98 only)
For Windows 98 the very first time you start up Windows you might be asked to enter a password for Windows (as opposed to the network). VingCard Vision is protected by its own password system, therefore a Windows password is unnecessary.
To disable the Windows password you must replace the existing password with an empty password. To do this click Start button/Settings/Control Panel/Password/Change Windows Password. In this dialog, enter your existing password and leave the fields for New password and Confirm new password empty. Click OK.
Testing the Vision Network for Correct User Permissions
To test the Vision network for correct permissions:
- Log on to the server using the username and password that will normally be used. Start Vision.
- Log on to each workstation using a typical ‘lowest permission’ user at each.
- Start Vision at each PC and check that the ‘Unable to store facility code….’ message is not displayed.
- Use setup to send a time synch message from the server to all workstations and check that they all act on it.
- Perform a backup from each workstation (or a representative selection) saving the backup files on the server machine.
If you have checked folder sharing, registry permissions and user access rights but you still suspect an access / permission problem you can also try the following:
Use server IP address instead of computer name
This can be tried on any operating system and for any version of Vision – but only where the server IP address is fixed (not dynamically allocated using DHCP).
At the workstation, Start > Run > Regedit.
Navigate to HKEY_LOCAL_MACHINE\Software\VingCard\Vision
Change VisionNetPath value from \\servername\vision format to \\Ipaddress\Vision (for example \\172.16.30.100\Vision )
Installing Microsoft ActiveSync
Any Vision PCs – server or workstations – that will be used to transfer data to and from the LockLink need Microsoft ActiveSync to be installed.
Microsoft ActiveSync is delivered along with VingCard LockLink units. Details of how to install it are given in Chapter 4 (LockLink) of this manual.
Enabling automatic logon in Windows NT / 2000 / XP
Automatic logon allows users to avoid the network login after a PC is started. In effect, this may mean that they avoid having to remember a suitable Windows password that is different to their VISION password.
Automatic Logon may be needed for users who do not share computers and wish to quickly log onto a network. Automatic Logon may also be used for networks that have one default logon for their users.
Setting Automatic Logon Manually
To configure Windows NT / 2000 / XP to log on automatically, edit the registry as follows:
- Run regedt32.exe
- Open the following key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Within the above key, set the following values to the domain, user name and password that are normally entered at logon: DefaultDomainName, DefaultUserName, DefaultPassword
- If DefaultPassword is not present, create it as a new value: click Edit, choose Add Value. In the Value Name field type DefaultPassword. Select REG_SZ for the Data Type. In the String field type your password and save changes.
- Note that if no DefaultPassword string is specified, Windows NT automatically changes the value of AutoAdminLogon from 1 to 0, thus disabling the AutoAdminLogon feature.
- From the Edit menu, choose Add Value. Enter AutoAdminLogon in the Value Name field. Select REG_SZ for the Data Type, enter 1 in the string field and save your changes.
- Finally, if the DONTDISPLAYLASTUSERNAME value is set to 1, AutoAdminLogon does not function.
Setting Automatic Logon Automatically
It is also possible to set automatic logon using the Microsoft TweakUI program, which can be installed into Control Panel. TweakUI is freely available on the internet and DOES work with all Windows versions up to and including XP. Install TweakUI, then use Help for instructions.
Automatic Logon Security Issues
For Windows 98/NT using auto logon can be a security risk, as the DefaultPassword is stored in plain text in the registry.
In Windows 2000, if you use the TweakUI program TweakUI Logon tab to set the registry entries, the DefaultPassword value name is NOT created at the Winlogon key. Instead, a
In Windows XP the password is also encrypted if you use TweakUI, although not at the registry location mentioned for Win 2000.
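An added example, not from the manual or from Microsoft: a Python check that reads a regedit text export of the Winlogon key and reports whether a plain-text DefaultPassword is stored there and whether automatic logon would take effect under the rules described above. The export is constructed, and the finding labels are hypothetical names.

```python
import re

WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def winlogon_values(reg_text):
    """Return the Winlogon values from a regedit text export as {lowercase name: data}."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_key = line[1:-1].lower() == WINLOGON  # key names are case-insensitive
            continue
        match = VALUE_LINE.match(line)
        if not (in_key and match):
            continue
        name, data = match.group(1).lower(), match.group(2)
        if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            values[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        elif data.lower().startswith("dword:"):
            values[name] = str(int(data[6:], 16))
    return values

def audit_autologon(reg_text):
    """Return finding labels (hypothetical names) without ever echoing the password."""
    v = winlogon_values(reg_text)
    enabled = v.get("autoadminlogon") == "1"
    has_password = bool(v.get("defaultpassword"))
    findings = []
    if has_password:
        findings.append("PLAINTEXT_DEFAULTPASSWORD")  # stored as readable REG_SZ text
    if enabled and v.get("dontdisplaylastusername") == "1":
        findings.append("AUTOLOGON_DISABLED_BY_DONTDISPLAYLASTUSERNAME")
    elif enabled and has_password:
        findings.append("AUTOLOGON_ACTIVE")
    elif enabled:
        findings.append("AUTOADMINLOGON_WITHOUT_DEFAULTPASSWORD")
    return findings

# Constructed export of a workstation configured as in the manual steps above.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="Vision"
"DefaultPassword"="constructed-example"
"DontDisplayLastUserName"="0"
'''
if __name__ == "__main__":
    print(audit_autologon(SAMPLE_EXPORT))
```

A DefaultPassword left behind after AutoAdminLogon has been set back to 0 is still reported, since the stored text remains readable.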
Set up Vision sub-networks using vc_net.ini
If you have more than one Vision installation connected to the same corporate network, you may wish to isolate the installations from each other to guard against unwanted interaction. You can do this by editing the vc_net.ini file on each PC.
VC_NET is a program that runs in the background on all PCs where Vision is running. It handles network communication between Vision stations. The VC_NET program uses a simple, one-entry INI file, vc_net.ini in order to allow networked PCs to mask out broadcast messages. This file is used by the VC_NET program to create a 'virtual network'.
VC_NET programs with a specific 'Site Value' will only receive messages from other VC_NET programs that have the same Value specified in this file. If this file does not exist, the default Site Value will be '1'.
The contents of a typical file VC_NET.INI are as follows:
[Site]
Value=1
Therefore, if a PC with Value=1 in its vc_net.ini file broadcasts a message, only other networked PCs that also have Value=1 in their own vc_net.ini files will act on the message.
Different 'sub-networks' can therefore easily be created by setting 'Value' to other values. This must be done on all PCs, not just the server.
For example, when a command is sent from Restorer.exe to shut down all Vision stations, only those with a matching value in VC_NET.INI will be shut down.
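An added example, not part of the VingCard manual or the Vision software: a Python check over vc_net.ini files collected from each PC, which reports the Site Value each station will actually use, including stations that have no file and therefore fall back to the default of 1. The host names and file contents are constructed, and exact string comparison of values is an assumption about how VC_NET matches them.

```python
import configparser

DEFAULT_SITE = "1"  # per the manual: used when vc_net.ini does not exist

def site_value(ini_text):
    """Site Value for one PC. ini_text is None when the PC has no vc_net.ini."""
    if ini_text is None:
        return DEFAULT_SITE
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(ini_text)
    except configparser.Error:
        return None  # unparsable file: report it instead of guessing
    for section in parser.sections():
        # Assumption: names match case-insensitively, as with the Windows INI APIs.
        if section.lower() == "site" and parser.has_option(section, "value"):
            return parser.get(section, "value").strip()
    return None  # file exists but has no [Site] Value; the manual does not cover this

def audit(collected, server):
    """collected maps host name -> vc_net.ini text (or None if the file is absent).

    Returns (by_site, outside, undefined): hosts grouped by effective Site Value,
    hosts whose value differs from the server's, and hosts needing manual review.
    """
    values = {host: site_value(text) for host, text in collected.items()}
    by_site = {}
    for host, value in values.items():
        if value is not None:
            by_site.setdefault(value, []).append(host)
    expected = values[server]
    outside = sorted(h for h, v in values.items() if v is not None and v != expected)
    undefined = sorted(h for h, v in values.items() if v is None)
    return by_site, outside, undefined

# Constructed sample: five PCs of one installation that is meant to use Value=2.
SAMPLE = {
    "VISION-SRV": "[Site]\nValue=2\n",
    "FRONTDESK1": "[Site]\nValue=2\n",
    "FRONTDESK2": None,                   # file missing, so the default 1 applies
    "BACKOFFICE": "[site]\nvalue = 2\n",  # different case and spacing, same value
    "SPA-DESK": "Value=2\n",              # no [Site] header
}

if __name__ == "__main__":
    by_site, outside, undefined = audit(SAMPLE, "VISION-SRV")
    print("sub-networks:", by_site)
    print("not on the server's sub-network:", outside)
    print("needs manual review:", undefined)
```

In the sample, FRONTDESK2 has no file and so lands on site 1, where it would exchange messages with any other installation on the same network that was left at the default.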
Uninstalling VingCard Vision
To uninstall VingCard Vision 4.1:
Select Start > Settings > Control Panel > Add/Remove Programs.
Select Vision from the list of installed software, and click Change/Remove. Follow the instructions in the Uninstall program to uninstall VingCard Vision 4.1.
1 comment:
I wrote an article about the latest Vingcard Vision (version 6), here's the link https://page.mysoftinn.com/en/vingcard-vision
The user manual of both version 5 and version 6 are included in the article.