Multiple user accounts on clerk computers

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
marmat
Member
Posts: 58
Joined: Thu Dec 23, 2010 9:12 am

Multiple user accounts on clerk computers

Postby marmat » Sun Jan 23, 2011 7:11 pm

My stake is in the process of planning some upgrades. A few upgrades are happening now.

What is the best practice for multiple user accounts for Windows on these computers? Is that encouraged or discouraged?

I know during the setup instructions I've seen (Dell 740) it talks about creating a CLERK login that will also be an administrator account.

Should we be creating multiple user accounts, and also making them administrator accounts?

User avatar
aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Sun Jan 23, 2011 7:27 pm

marmat wrote:My stake is in the process of planning some upgrades. A few upgrades are happening now.

What is the best practice for multiple user accounts for Windows on these computers? Is that encouraged or discouraged?

I know during the setup instructions I've seen (Dell 740) it talks about creating a CLERK login that will also be an administrator account.

Should we be creating multiple user accounts, and also making them administrator accounts?


The MLS 3.3 release notes said "Those using computers with Windows 7 (as well as those using XP) will not be required to run MLS as a Windows administrator."

So it appears that finally with MLS 3.3 we will have the option of setting up MLS user accounts that don't have to be administrator accounts. However, we don't have any updated installation instructions, and no guidance as to what permissions an account must have in order to run MLS 3.3.

So unless someone here has done some experimenting and can share their results, you're sort of on your own.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

russellhltn
Community Administrator
Posts: 20775
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Sun Jan 23, 2011 10:19 pm

The setup instructions posted on mls.lds.org indicate that all MLS users are to use ONE account, that it is to be called "Clerk", the password is specified by the instructions, and that it have local Windows Administrator rights.

While the MLS 3.3 instructions indicate that it no longer needs to have Admin rights, we can't assume that there is any change in the other requirements.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Sun Jan 23, 2011 11:06 pm

RussellHltn wrote:While the MLS 3.3 instructions indicate that it no longer needs to have Admin rights, we can't assume that there is any change in the other requirements.
Until the instructions found in other documents (such as the Policies and Guidelines for Computers Used for Church Record Keeping) change or are superceded I would be inclined to agree. The MLS 3.3 release notes are the only place I have seen so far indicating there may be a change in policy forthcoming.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

russellhltn
Community Administrator
Posts: 20775
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Mon Jan 24, 2011 12:09 am

Even if we could, I'm not sure as it would be wise to do so. Sooner or later, you'd go to use the computer and find that it is locked (probably because the screen saver kicked in) by "Brother Smith". Where's Brother Smith? Oh, he had to run one of his kids home. He should be back in 20 minutes. Sure, with Admin rights you could force log him off. Hopefully the forced shutdown won't corrupt MLS.

The idea of everyone having their own login comes from business where most of the time people have their own computers and you need accountability on who did what. In areas where the computer is in a common area, making people log off and back on with their own ID just doesn't work that well. Not unless you want to become the security ogre. Even then, I predict that you'll find that you'll be more effective in being known as a ogre then in getting compliance.

Has anyone had problems where they needed to know who did what to a computer - that could be determined if everyone did use their own login? The only one I can think of is I'd like to know who changed the time/date on some computers. Unfortunately, I don't think Windows leaves that good of an audit trail.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

User avatar
aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Mon Jan 24, 2011 7:08 am

I agree that multiple accounts can be problematic. But there are definite benefits that can come from scaling back the permissions on the Clerk account to not be a full administrator. That seems worthy of some research, even if it's not an officially supported configuration yet.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

marmat
Member
Posts: 58
Joined: Thu Dec 23, 2010 9:12 am

Postby marmat » Mon Jan 24, 2011 9:53 am

Appreciate the replies on this. I would agree for the Church computers have a single login as instructed during the setup process documentation "Clerk" to just keep it at that. Simplifies things not having to manage multiple accounts and also makes it easier for people to use.

But as was stated, this could change if some other policy information is added/changed.

russellhltn
Community Administrator
Posts: 20775
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Mon Jan 24, 2011 10:25 am

aebrown wrote:But there are definite benefits that can come from scaling back the permissions on the Clerk account to not be a full administrator. That seems worthy of some research, even if it's not an officially supported configuration yet.


Unless things have changed with Windows 7, the next step down is "Power User".

With the movement of the data directory, it may be compatible with "User". However, I'm not sure if updates sent via Send/Receive would install correctly. At this point a beta unit might be able to test. A non-beta unit cannot since there are not upgrades to the only version that supports this.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

busman
New Member
Posts: 20
Joined: Wed Sep 01, 2010 8:16 am
Location: Gresham Oregon USA

Postby busman » Fri Jan 28, 2011 10:46 am

I too saw the MLS3.3 announcement and as I was configuring a replacement computer, I tried it on WinXP.

Windows XP (I have never worked with Win 7) requires at least one user with Admin rights to always exist. On the Personalize Your Software screen, when it asks for the name and you enter "Clerk", you are creating a second user with Admin rights. The primary user is "Administrator" (note the capital A). This user is primarily for use by HQ, but you can use it. The password is in the setup instructions.

MLS communications requires the computer name to be LU-##### where the ##### is the unit number with leading zeros as needed. The communication software sends to HQ as part of the initialization of the "Send Receive" the computer name, the user name, and I believe the user password. Also sent is some combination of the computer serial number, the MAC address and ???. It also sends the last password it received from HQ on the last MLS transmission. If any of the computer identification and passwords don't match, you get a quick disconnect and the "Error 2 - Unauthorized" . The only way to then communicate is for the Stake Tech Spec, Ward Clerk, or Bishop to contact HQ. They much prefer you go thru the Stake Tech Spec.

If you follow the setup instructions exactly, your final logon screen will show just one user, "Clerk". If you add a user, you will see two users and have to choose. If you downgrade "Clerk", which I did to "Limited", you will see two users, "Administrator" and "Clerk". "Clerk" will still work, still transmit to HQ, and seems with my limited testing, to work OK. I did not take time to let the screen time-out. Because downgrading "Clerk" revealed the "Administrator" login, which I didn't want people to be tempted to try to use, and because I did not do an exhaustive test, I felt it better to go back to the standard setup. What I have done, with Stake Presidency support and over their signatures, was to distribute a policy document to all wards and stake leaders outlining proper use of the computer. It primarily re-states church policy customized to our stake and reminds users that it is a tool, not a toy, and installing software is not permitted without providing the Stake Tech Spec with the license and install media. We took the position that ward computer users are trustworthy or they shouldn't have their callings.

russellhltn
Community Administrator
Posts: 20775
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Fri Jan 28, 2011 11:22 am

busman wrote:Because downgrading "Clerk" revealed the "Administrator" login, which I didn't want people to be tempted to try to use,


That can be fixed by switching to "classic" login. All of our unit computers are like that.
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.


Return to “Clerk Computers”

Who is online

Users browsing this forum: No registered users and 1 guest