Access Security problems

[DblDogDare]

I have attempted to secure my database , but am running into some problems. I created the new .mdw file. I created groups and set permissions. However, for some reason other people can still log into the DB. Also, the users, including myself do not have to enter any passwords. Now, I cannot run the Security Wizard to make changes, add users etc. It says "I must be a member of ADMINS.....", which I am a member of. I cannot add or remove groups, create or delete, etc. These are all greyed out. I believe I need to start all over. My questions are;

1.) Can I delete my .mdw file and replace with the system.mdw and just start over. Or can I just join the system.mdw file and recreate a new .mdw file.
2.) I have also read in this forum that I may or may not have to create a new DB and import all my forms, tables, queries, etc. Will I have to do this?

Obviously I have done something wrong creating my .mdw. BTW, I do know my Name, Org and ID, so is there a way to use these and go back into my .mdw and re-construct?

Any help is greatly appreciated.

 

[Autoeng]

Go to another computer, copy system.mdw and overwrite the copy on your machine.

 

[The_Doc_Man]

I suspect part of your problem is that you have failed to block the hole that exists when you copy SYSTEM.MDW to another place to rename it, or when you create a new .MDW for your new DB.

The problem is that the default .MDW and all .MDW files you create are based on the default SYSTEM.MDW concept. Namely, the default user of a machine is its administrator. So SYSTEM.MDW and any newly-created .MDW files have you as user Admin who is, by default, a member of the Admins group. (Note carefully that trailing 'S' - which means Admin is an Admins user.)

OK, the way to prevent the unwanted logins takes just a little more effort. First and foremost, your .MDW must not be named SYSTEM.MDW. Second, you must have an Admins account that is NOT named Admin. Third, once you have another account that will be your REAL Admin equivalent, you make the Admin user part of the Users group BUT NOT PART OF THE ADMINS GROUP! You MUST create and set up the rights for the new Admins account BEFORE you change the group membership of the old Admin account.

Once that is done, log out and log back in as your new user. Be sure to make the files have new owners - either the Admins group or the name of the REAL Admin account.

OK, now the tricky part. All users MUST be a member of the Users group, but this does not mean they cannot be members of other groups. So what you do is, create a new group to functionally replace the Users group, having the same properties as group Users. Then add everyone to the newly created group. Then (crucial step) take away all rights from group Users. This explicitly includes the 'Open Exclusive' right, which is a permission code on the database object itself, not on tables. You CANNOT remove group Users from all users. Access won't let you. But it will not stop you from establishing over-restrictive permission sets.

Depending on just how vindictive you want to be, you can take away ALL rights from group Users. Just remember that you will have to assign your users to the new Users group before you let them back in.

Once you have done this, you should quickly get rid of all persons opening the database from the wrong workgroup. They will log out in frustration and complain. When they complain, you can chastise them for their sloppy use of corporate resources.