Using InstallShield 2012 Professional to install a ASP.NET website, and a custom app pool running in securitry context of a network service account. When I test the website, I encounter a permissions issue (file permissions), and the website fails with the message "Error: Access is Denied.".
Using InstallShield, I set permissions to each file for read access to the user "Authenticated Users". I set the permissions within the InstallShield ISM file by navigating to "Application Data" -> "Files and Folders"
Select each folder in the "Destination computer's folders"
Right-click each folder in the "Destination computer's folders"
Select context menu "Properties"
Click button "Permissions"
Add entry in "Name(s):" section for user "Authenticated Users", and domain is blank (select "Read & Execute", "List Folder Contents", "Read")
... then perform this action over and over again for each folder, then for each file.
Once I test, I find I have the problem. If I navigate to the actual files installed on the server and review, they appear correct, but do not function correctly. Infact, I - as a Authenticated User - do not have permissions to navigate the folder structure, but because I am an admin I can tweak the permissions and get in. If I manually reset these permissions on each of these files (and related folders) the website functions correctly. This means the app pool setup, the file copy, and the network service account are all functioning correctly, and the problem is strictly related to the permissions on the files IIS is trying to access.
Has anyone had this problem, and overcome it? If so, how? (I would prefer to avoid using InstallScript to set permissions.)
Notes:.
when considering settings in the "General Information" area, specifically the "Locked-Down Permissions" property - the behavior of file level permissions settings in InstallShield will differ. When selecting "Traditional Windows Installer handling", I was never successful adding explicit permissions. I noticed when doing so, all inherited permissions on the folder would dissappear. Additionally, while it appears the permissions are set in Windows, they behave like they are not set. Manual manipulation tests would show they were not correctly set.
When setting the "Locked-Down Permissions" property to "Custom InstallShield handling", I was able to add a permission and all inherited permissions remained intact. With this, I was able to apply the desired permissions to the root installation directory in the "Application Data"->"Files and Folders" area, and because I elected "Custom InstallShield handling" I am able to select the check box "Apply these permissions to child objects" in the advanced area of the permissions area of a folder property.
Steps to finalize and fix my problem:
In InstallShield (ISM file)...
Navigate to "General Information" (Lefthand pane)
Set Locked-Down Permissions to "Custom InstallShield handling"
Navigate to "Application Data"
Right-click the root folder where program is to be installed
Click "Properties"
Click button "Permissions"
Right-click top half of screen in white box area labeled "Name(s)"
Select context menu item "New"
Remove domain user leaving this field blank
Added user "Authenticated User"
Select check boxes in lower area ("Read & execute", "List Folder Contents", "Read")
Click button "Advanced"
Check checkbox "Apply these permissions to child objects"
Click button "OK"
Click button "OK"
Click button "OK"
Recompile installation program and install. Now works.
Related
I'm trying to make a shortcut in windows Server 2016 DC Server. The frequent work is finding users and resetting their passwords. And I want to do it quickly and simply with a shortcut.
I've found a run command that triggers the search window. But there are not all settings in the context menu (right click menu).
The command is:
rundll32 dsquery.dll openquerywindow
It has no "reset password" option in the context menu.(only/ Open Home Page, Send Mail, Properties).
Is there a better way to do this?
Unfortunately, there's no a keyboard shortcut in AD Users and Computers app. Or i'm missing something?
I have a report set up for a department. The data is accessed on a replicated server on the backend with a fixed password.
What I normally do is add a new role for the user accessing the report as a browser, then they can see the report and work from there.
However, the machine that is being used to access a new report is logged on under a general user account and neets to remain this way, the report that is being accessed is confidential and can only be accessed by certain staff members.
I have played around with the security settings to see if windows authentication would work but i struggled.
What I was hopping to achieve was the following:
let a user access the report on the machine via a password to run the report (preferably their user log on detais even though the machine will be logged on under a different user).
If this is not possible, would it be possible to create a password protected report using parameters?
apologies If i am not clear, I am happy to explain further if needed.
As far as I know it is only possible to protect a report using AD credentials. This works fine, but is not useable if there are non-AD users who have to access the report.
What you can do is generate an SSRS report as a password protected PDF using SQL-RD and send it on a schedule.
You could try setting the access to the report itself at the report level. In Reporting Services you navigate to the report and click the down arrow to the right of the report name.
On the next screen you make sure the Security tab is highlighted. You can then add groups or users (Domain\User) and their roles for that report. Even though this is not password protecting the report it is limiting access to only authorized individuals.
I have come up with a work around.
I have added the users I wanted to have access to the Security tab.
Using powershell I have created a script to ask for credentials to open "internet explorer" as the user I want to have access.
Start-Process -FilePath "C:\Program Files\internet explorer\iexplore.exe" http://PATHTOMYREPORT -Credential (Get-Credential)
From here I then created a batch file that would execute this powershell script for me
#ECHO OFF
PowerShell.exe -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\powershellscript.ps1'"
I then created a shortcut to the batch file on the desktop, in the shortcut options I set it to run as minimized so the batch file output wouldnt appear, i renamed the shorcut after my report. Gave it an inconspicuos icon.
So what happens when someone double clicks the icon?
they get asked for their organisation log on details in a neat window.
when they enter their details the report should open successfully in internet explorer provided they have been added as a report browser to the security element of the report as outlined by #B.Serbele.
If a non intended user opens it, enters their details, it just crashes out.
No doubt you may find issues with this, i.e. someone can access the C drive and delete the powershell script or shortcut etc etc.
But its the best I could do with the set up we have at the moment.
Hope it may help someone.
I'm unable to create database using DB2 Command Line Processor (DB2 Express C). I wrote a simple operation to create a database :
db2=> create database wiki
It's showing me an error :
SQL1092N The requested command or operation failed because the user
ID does not have the authority to perform the requested command or
operation. User ID: "VINAYAKP".
I've never worked on DB2 before. Also, from First Steps; it is just opening a prompt and it displays nothing. I'm using a thin client. Kindly tell me about this error and how to resolve it. Also, need to know any alternate way other than using the command line processor.
Note: I'm using Windows OS
Thanks
As the above answer didn't seem to work for me, I'm adding my solution. (command line only) [windows]
I simply launched db2cmd as the db2admin user (default).
To achieve this, execute the following command in command prompt:
runas /noprofile /user:db2admin db2cmd
This will launch a new cmd window logged in as the admin user. You can now execute any db2 commands from this window.
To resolve this issue you need to have the DB2 services started as Domain account, not a local account. In order to change the DB2 services to a Domain account do the following:
1.) Go to Start->Control Panel->Administration Tools->Services.
2.) Find the DB2-0 process right click on it and pick "Properties".
3.) Pick the "Log On" tab.
4.) Then choose "This account" radial button, then "Browse".
5.) A window will pop up called Select User click the Advanced button, then click "Find Now".
6.) A list of all users on the machine will be shown, choose the domain user and select "OK".
7.) To save the change click "Apply" then "OK".
8.) Restart the service/instance.
I have an app which needs administrator privileges to do some things. I'd like to just show the UAC prompt when it starts, and then be elevated. I'm not sure how to do this, but I'm hearing about things like manifests and whatnot but not seeing a plain answer anywhere.
You need an app manifest that demands elevated privileges. Here's a quote from a blog that answers this:
First, you can create a manifest file by adding an “Application
Manifest File” Item to your project (default name: app.manifest), then
you can set it through the Application Tab in the Project Properties.
If you want to change the Windows User Account Control level in your
manifest file, all you need is to set the value of the level attribute
of the requestedExecutionLevel node with one of the following:
asInvoker (default): the application will run using the current Windows user provileges
requireAdministrator: the application requires an Administrator user
highestAvailable: highest privileges for the current user will be used
http://dariosantarelli.wordpress.com/2007/11/21/vs2008-embedding-uac-manifest-options/
I have installed the latest VisualSVN (2.0.5) and its trac-package on WindowsXP, but ran into a problem. The trac system works, except the "Timeline" tab. When I clicked on it, I saw
Oops…
Trac detected an internal error:
OperationalError: attempt to write a readonly database
Does anybody have any idea, why it does not works? Everything was installed and configured using its manual.
change the owner of the folder where the TRAC enviroment lives
this is check the user that runs the VisualSVN service and give access to this user to the folder where trac runs
this fix me issue
As user163175 said you have to change the owner (or give permission to the web server user).
To do this on Windows (Server Standard) you need to:
Go to your trac directory (where all the your trac projects live, the one you set as PythonOption TracEnvParentDir) in explorer
Right click and select Properties
Click on the Edit... button
Click Add... button
Type "NETWORK SERVICE" in to the Enter the object names to select input
Click the Check Names button.
Click on OK
Click on the new NETWORK SERVICE user/group
Check off "Full Control"
Click Apply
That should do it (at least that worked for me).