Find windows username to preform check on open (1 Viewer)

tmyers

Well-known member
Local time
Today, 06:38
Joined
Sep 8, 2020
Messages
1,090
I am tinkering with various ways to "lock down" my front end.

Up to this point, I have just made my users FE an .accdr (run time) file. It works, but looks junky in my opinion and is really easily bypassed.

I have also done simple VBA to hide the ribbon and navigation pane:
Code:
    DoCmd.ShowToolbar "Ribbon", acToolbarNo
    DoCmd.NavigateTo "acNavigationCategoryObjectType"
    DoCmd.RunCommand acCmdWindowHide

However, when I personally launch the app, I would like to have both visible to me. I have read a some on using VBA to check windows username and hold as a string. If I haven't gotten one to work yet however.

What would the code be to check the username of whos logged into windows and if it is my username, exit sub before the above code runs and disables those panes?
I did try:
That didn't work however.

Long story short, Code to check if windows username is say, tmyers, then exit.
 

tmyers

Well-known member
Local time
Today, 06:38
Joined
Sep 8, 2020
Messages
1,090
I think Environ("Username") would do the trick, but I hear that is not a good method to use as is easily bypassed.
 

theDBguy

I’m here to help
Staff member
Local time
Today, 03:38
Joined
Oct 29, 2018
Messages
21,357
I think Environ("Username") would do the trick, but I hear that is not a good method to use as is easily bypassed.
That's correct. It works, but a better method is recommended. Take a look at this one.

 

The_Doc_Man

Immoderate Moderator
Staff member
Local time
Today, 05:38
Joined
Feb 28, 2001
Messages
26,996
Look at the methods suggested by isladogs in this thread:

 

theDBguy

I’m here to help
Staff member
Local time
Today, 03:38
Joined
Oct 29, 2018
Messages
21,357
Interesting. I have never dealt with properties before. How exactly do you call them?
Well, you don't have to use a self-healing property. That was just one way to apply it. But, as indicated in the code comments, you would use it like so:

modUser.Username
 

Isaac

Lifelong Learner
Local time
Today, 03:38
Joined
Mar 14, 2017
Messages
8,738
FWIW, I've spent a few years mulling over this "environ("username") is easily bypassed", and my personal opinion is, that statement is a major exaggeration.

It is bypassed as easily as changing one of your major system environment variables is, which is 100% impossible in 99% of all serious corporate environments. So, "know your environment"... If you're in an environment where nobody would OR could dream of spoofing that (not only could they not, but if they did, suddenly none of their single sign-on-based workstation functions & apps and sites would work at all!), then act accordingly to your comfort level.

Access is not usually coded to the standard of extremely skilled hackers-level security.

Environ("username") is what I have settled on, although fancier api's exist.
 

isladogs

MVP / VIP
Local time
Today, 10:38
Joined
Jan 14, 2017
Messages
18,186
FWIW, I've spent a few years mulling over this "environ("username") is easily bypassed", and my personal opinion is, that statement is a major exaggeration.

It is bypassed as easily as changing one of your major system environment variables is, which is 100% impossible in 99% of all serious corporate environments. So, "know your environment"... If you're in an environment where nobody would OR could dream of spoofing that (not only could they not, but if they did, suddenly none of their single sign-on-based workstation functions & apps and sites would work at all!), then act accordingly to your comfort level.

Access is not usually coded to the standard of extremely skilled hackers-level security.

Environ("username") is what I have settled on, although fancier api's exist.
@Isaac
You are of course entitled to your opinion but I disagree completely
Once you are aware how to spoof the Environ variable values it is trivial to do - so for those who know how, it is easily bypassed.
You don't need to be an extremely skilled hacker to do so.

There are 2 other methods of obtaining user names, neither of which can be spoofed
a) using an API - but this has to be adapted for 64-bit Access
b) using CreateObject("WScript.Network").UserName

The WScript approach is as simple as Environ but cannot be 'bypassed'. It is a much better method

For more details, see http://www.mendipdatasystems.co.uk/get-user-name/4594424315
 

Isaac

Lifelong Learner
Local time
Today, 03:38
Joined
Mar 14, 2017
Messages
8,738
@Isaac
You are of course entitled to your opinion but I disagree completely
Once you are aware how to spoof the Environ variable values it is trivial to do - so for those who know how, it is easily bypassed.
You don't need to be an extremely skilled hacker to do so.

There are 2 other methods of obtaining user names, neither of which can be spoofed
a) using an API - but this has to be adapted for 64-bit Access
b) using CreateObject("WScript.Network").UserName

The WScript approach is as simple as Environ but cannot be 'bypassed'. It is a much better method

For more details, see http://www.mendipdatasystems.co.uk/get-user-name/4594424315

EDITED BY THE_DOC_MAN - SECURITY ISSUE: ONE SENTENCE REMOVED. APOLOGIES TO ISAAC.

The way I did it is one of the recommended ways to prove it's spoof-able....but I still think you underestimate the lockdown environment of corporate settings such as where I am working.
 
Last edited by a moderator:

isladogs

MVP / VIP
Local time
Today, 10:38
Joined
Jan 14, 2017
Messages
18,186
I'm not underestimating corporate security in any way.
But I would ask you to remove your explanation of how you tested spoofing from post #10.
Its close enough to give a potential hacker information...therefore unhelpful in general
 

The_Doc_Man

Immoderate Moderator
Staff member
Local time
Today, 05:38
Joined
Feb 28, 2001
Messages
26,996
I am not going to immediately edit anything because I would prefer that @Isaac has a chance to edit his own post. However, I am aware of the request to modify the post to avoid too much exposure. Colin, is that fair?
 

theDBguy

I’m here to help
Staff member
Local time
Today, 03:38
Joined
Oct 29, 2018
Messages
21,357
I am not going to immediately edit anything because I would prefer that @Isaac has a chance to edit his own post. However, I am aware of the request to modify the post to avoid too much exposure. Colin, is that fair?
For future reference, and just in this case, I did a little experiment. I tried to hide @Isaac's post, so others won't see it. However, can't tell if it worked or not, because I can still see it.

@Isaac, please let me know if you can still see your "hidden" post and was able to delete it. If not, I can unhide it, so you can delete it.

Sorry, I'm still learning my way around the forum software.
 

The_Doc_Man

Immoderate Moderator
Staff member
Local time
Today, 05:38
Joined
Feb 28, 2001
Messages
26,996
Now I will enter with the techie side of this discussion. It IS possible to use the simple Environ("username") function if your system is locked down tight enough that you cannot modify environment variables. A group policy file that is a part of your system startup can disable this feature. If you cannot modify ANY of your environment definitions, you are safe in using the simple approach. Otherwise, try one of the more complex methods.
 

isladogs

MVP / VIP
Local time
Today, 10:38
Joined
Jan 14, 2017
Messages
18,186
@The_Doc_Man
Whilst I agree with the above comment, in my opinion using CreateObject("WScript.Network").UserName is no more complex than using Environ and it will always work whether or not a 'group policy lockdown' has been applied
 

Isaac

Lifelong Learner
Local time
Today, 03:38
Joined
Mar 14, 2017
Messages
8,738
I thought any robust technical discussion ought to include the method to spoof otherwise how can we get to the bottom of it? but if it falls afoul of the forum rules, I have no gripe about that I guess, your forum your rules. Thanks for the edit I'm not on a AWF much anymore due to being too busy and so I didn't see it until now.

I mean people go around all these years saying it can be easily spoofed I just feel like much would be served by someone testing it and actually reporting back yes it can or no it can't under various circumstances. in my circumstance it made no difference whatsoever and was not able to be spoofed but whatever. I haven't worked in a job where you would be allowed to change environment variables for at least 15 years but I realize not everyone is in the same environment, I was just making a point that it depends.

And, let's face it...whatever the environment is that someone is working where it is able to be easily spoofed, wouldn't that generally be the same environment where most likely they're logged in network username would be a very little meaning to anyone? Maybe a small business where it doesn't matter who logs on and everyone shares the same computer anyway? I think this was a good discussion regardless of I may have posted a bit too much. it was too much, but too much of good information! :)
 

Isaac

Lifelong Learner
Local time
Today, 03:38
Joined
Mar 14, 2017
Messages
8,738
For future reference, and just in this case, I did a little experiment. I tried to hide @Isaac's post, so others won't see it. However, can't tell if it worked or not, because I can still see it.

@Isaac, please let me know if you can still see your "hidden" post and was able to delete it. If not, I can unhide it, so you can delete it.

Sorry, I'm still learning my way around the forum software.
FYI I am still able to see my post. But your request and I mean my response to it may be outdated because I took too long to respond. Sorry I wasn't faster
 

theDBguy

I’m here to help
Staff member
Local time
Today, 03:38
Joined
Oct 29, 2018
Messages
21,357
FYI I am still able to see my post. But your request and I mean my response to it may be outdated because I took too long to respond. Sorry I wasn't faster
@Isaac No worries. I think when @The_Doc_Man edited your post, he made it visible again. Cheers!
 

The_Doc_Man

Immoderate Moderator
Staff member
Local time
Today, 05:38
Joined
Feb 28, 2001
Messages
26,996
I know that you can delete a post, permanently or temporarily, but that wasn't obvious for the post in question. I didn't toy with visibility. I don't even see how you would make a single post "hidden" but when I went to edit it, I didn't see any indication that anything was "different" about it.

Again, apologies for editing your post, @Isaac, but we had an objection on security grounds. I hesitated because to me it was barely on the fringes of being a hack-type response. But two others agreed it was just barely over the line before I decided to act. So don't worry about it having any effect on your account. Let me say this: If I was wrong in editing the post at all, it was because I erred on the side of caution.
 

Users who are viewing this thread

Top Bottom