Help needed

[AccessHope]

I have a multiple user access database on share drive with user-security level created. I created myself as administrator, and remove default Admin from Admin group. Removed permission from user group and joined workgroup file which I created as "MBS work group.mdw". I created shortcut on user's computer. I believe the syntax is correct

"C:\Program Files\Office 2003\OFFICE11\MSACCESS.EXE" /wrkgrp "\\ServerName\MBS Database\MBS Work Group.mdw" "\\ServerName\MBS Database\MBS.mdb"

Everything works fine. When I directly double click the database (MBS.mdb), it pops up a login box. However, when other user double clicks the database directly (not from shortcut) from their station, login window doesn't pop up. It allows them to access the database. I saw the work group file used default System.mdw

My question is how can I restrict them by double clicking the database without go through shortcut? Why my database security not protect user access without give user name and password. I tried by joined user’s work group file to MBS work group.mdw. It works, but I don’t want let user manually to do that one by one.

Is there anybody can help me go through this problem?

 

[AccessHope]

Database security

Why, other user still uses their default system.mdw file when they double click this database on share drive. I joined the MDB.mdw work group file to this database. It works fine when user open database through the shortcut, but when they double click it, they can get in without give password and user name. I checked I couldn't change the database owner from default Admin to myself. Is this a reason cause this problem? If so, how should I change database ownership for Access 2003?

Any idea?
Thanks

 

[Banana]

Sounds like it's not set up right.

See, the default setting for every Access (mind you, Workgroup file applies to Access, not to individual dbs) is to log users in as "Admin".

If you do not remove this user "Admin" from Admins group, anyone with default workgroup file can still access it without password.

To prevent this, you need to give Admin a password, then log in as another user that is also a group of Admins, remove Admin from the group, and give it NO rights whatsoever then recreate the database (either by security wizard or full import into a blank database to change all objects' owner from Admin to that user.

HTH.

 

[AccessHope]

Thank you Banana for your advice.

I have a work group file call MBS.mdw. This database is joined on this workgroup file. is this correct? Do I need to join the workgroup file since I didn't modify the default work group file? I gave a password for Admin user and remove Admin user from Admins group. I assign all objects owner to myself, but couldn't assign database owner to myself.

All the work i have done is on MBS.mdw file. I didn't work on system.mdw.
So, you said "Workgroup file applies to Access, not to individual dbs". What does that mean? Which workgroup file should appear if I check the Tool->Security->Workgroup Administrator for my database? On my computer it shows MBS.mdw since I joined to this workgroup file. Somehow, when users double click this database on share drive, they are using their local System.mdw. I don't know how to enforce them to use this MBS.mdw on share drive if without through the shortcut.

 

[The_Doc_Man]

The currently joined workgroup is a REGISTRY entry, which means it is per user, per machine. Not per database.

Even if you use workgroup administrator program to create a new workgroup, it is a COPY of SYSTEM.MDW - or, more precisely, SYSTEM.MDW is a copy of the workgroup created by WRKGADM. So if you created your new workgroup but didn't tweak the Admin user (no "s") by making it not a member of the Admins ("s") group, you didn't finish the customization.

Fortunately, it is possible to make the Users group pretty dumb and make the Admin USER a member of the Users group but not of the Admins group. To prevent this from killing the DB permanently, create another user account for yourself that is a member of Admins group BEFORE you remove the Admins group from the Admin account. In fact, create/set up your new admin account and exit from the database. Then and only then, remove Admin user from Admins group.

 

[AccessHope]

Hi, thank you “The Doc Man”.
I think I did exactly what you have explained. I created myself as administrator, assign a password to default Admin and removed default Admin user from Admins group. I took off all the privilege from Users. I did exactly what you have said. I just don’t know why the database can be access by user without give password and user name. Is there any step I missed to complete?
You said “workgroup file is per user, per machine.” Is that means I need to manually join user’s machine to my customized MBS.mdw workgroup file?
So, for the database deploy on share drive. If users directly double click this database, it should run their own Access application MSACCESS.EXE file and the default System.mdw file since their machine didn’t join to this MDB.mdw workgroup file, is this correct? I can restrict them by manually join to MBS.mdw file (currently, it is on share drive). But, I don’t think this is correct. I just wondered how should then been blocked from the database when they directly double clicking the database.

 

[AccessHope]

Hi, Banana:
I followed your idea, I recreated the database after created myself as admin and removed default admin from admins group.
I checked the database owner changed to my name instead of default Admin.
The Login screen asking for user name and password only pop up on my local screen, when other user double click this database from other station. It still using their local default system.mdw file and owner is unknown.
They still can access the database without give user name and password.

What should I do? Why I can't restrict user access to the database by double click it. Do i have to manually to join their work group file one by one?

Thanks

 

[Banana]

As I indicated above, you have to change your database objects' owner from Admin to your new Administrator username. You see, everything you did prior to securing, were created by "Admin" so therefore anyone logging in as Admin owns the whole database.

To fix that, either use security wizard, or create new database (make sure you are logged in as your administrating user name and Admin has no permissions), then export all of your old database into this new blank database. The owner should be now your administering username.

 

[AccessHope]

Hi, Banana:
Thank you for your response. From your pervious comments, I thought it maybe the database owner (it was Admin) caused this problem. So, I removed default admin from admins groups, gave no rights to default admin. I logged in as myself (in Admins group), I recreated the database, and the new database shows my name as database owner. Everything works fine on my station. But, when I put this database on our share drive, other user still can get in by double clicking it. From their station, they used their local machine default system.mdw file and I checked this database owner show “Unknow” from their station.
It looks they are using their system.mdw file by default; it didn’t block them at all.

 

[The_Doc_Man]

If using the default SYSTEM.MDW file doesn't block the users, you didn't secure the database correctly. Did you remember to join the new workgroup BEFORE you tried to secure everything? (That isn't meant as an insult; it is just a procedural thing that some folks overlook.)

 

[AccessHope]

Thank you for your comments to help me on that.
For sure, that I joined this customized work group file before I do something else, and put this database and work group file on share drive.
I don't know why. It looks didn't use this work group file when open the database from other users station. They used their own system.mdw file.

Thanks