MLS security - disabling ability to change Windows system time

Discussions around using and interfacing with the Church MLS program.
User avatar
ericb
Member
Posts: 105
Joined: Fri Feb 23, 2007 8:51 am
Location: Vancouver USA

MLS security - disabling ability to change Windows system time

Postby ericb » Mon Feb 26, 2007 1:48 am

I found this posted on another newsgroup - this utilizes a standard Windows security policy routine:
  • Start | Run | SECPOL.MSC
  • Select Local Policies | User Rights Assignment | Change System Time
  • Remove respective users/groups from the list who should not have access.
    • If you remove all users, you have two choices for changing the time -- do it in the BIOS, or add a user back in at this location, reboot, change the time, and remove the user again.
.
One other thought - you could create an additional Administrator user, and designate only that user (rather than a group) to have access to change the time.

Even better, why not make the default 'clerk' login restricted to ward clerks, and create an additional logon for all other ward users (and update the ability to change time as noted above)? Is there something special about user 'clerk' as it relates to MLS?

User avatar
thedqs
Community Moderators
Posts: 1038
Joined: Wed Jan 24, 2007 8:53 am
Location: Redmond, WA
Contact:

Postby thedqs » Mon Feb 26, 2007 7:37 am

ericb wrote:Even better, why not make the default 'clerk' login restricted to ward clerks, and create an additional logon for all other ward users (and update the ability to change time as noted above)? Is there something special about user 'clerk' as it relates to MLS?


No I have seen MLS run under other usernames. This seems to be the best solution, especially since Windows XP can do fast user switching so multiple people can be logged in at the same time. I don't know if MLS locks the database but if so then only one person can use MLS at a time.
- David

User avatar
mkmurray
Senior Member
Posts: 3241
Joined: Tue Jan 23, 2007 9:56 pm
Location: Utah
Contact:

Disclaimer

Postby mkmurray » Mon Feb 26, 2007 9:21 am

ericb wrote:I found this posted on another newsgroup - this utilizes a standard Windows security policy routine:
  • Start | Run | SECPOL.MSC
  • Select Local Policies | User Rights Assignment | Change System Time
  • Remove respective users/groups from the list who should not have access.
    • If you remove all users, you have two choices for changing the time -- do it in the BIOS, or add a user back in at this location, reboot, change the time, and remove the user again.
This procedure is not endorsed by the Church in anyway. Please use at your own risk.

It might be a good idea to back up data, configurations, etc., before performing a system change like this...just in case.

russellhltn
Community Administrator
Posts: 20749
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Mon Feb 26, 2007 11:47 am

Thanks for posting. I knew I had left that question unanswered here, but I didn't have the answer handy.

Even better, why not make the default 'clerk' login restricted to ward clerks, and create an additional logon for all other ward users (and update the ability to change time as noted above)? Is there something special about user 'clerk' as it relates to MLS?


According to the instructions that comes with Desktop 5.5, all MLS users are to use the "clerk" login. I've seen postings by others who have done differently, but we've been warned about the possibility of corrupting the MLS data. If you do use multiple logins for MLS, I would disable fast switching. MLS is not designed for multiple users accessing the files. In fact that might have been the reason we were warned about the whole multiple login leading to file corruption in the first place. (Or maybe Administrators like "clerk" force logging off other users when they had MLS open but had locked the machine. I doubt if MLS was designed to take that kind of abuse.)

In fact one of my tweaks to the standard desktop is to move all the MLS icons from "All Users" to just the clerk's area. That way no one can see them if they log on as anyone else. I also set the file rights such that only clerks, admins, etc can even see the files.

Additional logins for non-MLS users is OK and even suggested by the guidelines.

User avatar
thedqs
Community Moderators
Posts: 1038
Joined: Wed Jan 24, 2007 8:53 am
Location: Redmond, WA
Contact:

Postby thedqs » Mon Feb 26, 2007 2:59 pm

Question, what happens when you open MLS twice? Does it give an error saying that MLS is already open or that its source file is locked or does it allow you to open it twice? I would think the former.

Notice: I don't advise anyone trying this, but if someone did, make sure you have backed up your data first.
- David

User avatar
WelchTC
Senior Member
Posts: 2088
Joined: Wed Sep 06, 2006 7:51 am
Location: Kaysville, UT, USA
Contact:

Postby WelchTC » Mon Feb 26, 2007 3:18 pm

thedqs wrote:Question, what happens when you open MLS twice? Does it give an error saying that MLS is already open or that its source file is locked or does it allow you to open it twice? I would think the former.

Notice: I don't advise anyone trying this, but if someone did, make sure you have backed up your data first.

It does not allow you to load a 2nd instance. I just tried it on a test version. It does not do anything. I assume it discovers an existing instance running and just terminates the new instance.

Tom

User avatar
thedqs
Community Moderators
Posts: 1038
Joined: Wed Jan 24, 2007 8:53 am
Location: Redmond, WA
Contact:

Postby thedqs » Mon Feb 26, 2007 3:27 pm

I am assuming that is using the same user, or was that over two different users running MLS?

If the latter then you could have multiple people with access to MLS, just that if someone else is using MLS another person cannot, though they could use other functions of the computer.
- David

User avatar
WelchTC
Senior Member
Posts: 2088
Joined: Wed Sep 06, 2006 7:51 am
Location: Kaysville, UT, USA
Contact:

Postby WelchTC » Mon Feb 26, 2007 3:46 pm

thedqs wrote:I am assuming that is using the same user, or was that over two different users running MLS?

Same user. I have not tested different users.

Tom

User avatar
thedqs
Community Moderators
Posts: 1038
Joined: Wed Jan 24, 2007 8:53 am
Location: Redmond, WA
Contact:

Postby thedqs » Fri Mar 02, 2007 12:53 pm

I moved the rest of the thread to [thread=290]Other Uses for Ward Computer besides MLS[/thread] since the topic had drifted into that direction as mkmurray pointed out.
- David


Return to “MLS Support, Help, and Feedback”

Who is online

Users browsing this forum: No registered users and 1 guest