Best practice for Windows user logins

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
cougs
New Member
Posts: 33
Joined: Wed Dec 29, 2010 5:57 pm

Best practice for Windows user logins

Postby cougs » Thu Jun 30, 2011 4:17 pm

Does your ward use a separate Windows login for clerks vs. auxiliaries? Currently our setup is that everybody uses the same Windows user account, which means auxiliaries may potentially access some sensitive information stored in the clerk's 'My Documents' folder.

Is there a best practice on this or is it not something to worry about? Any issues with running MLS across multiple Windows users?

russellhltn
Community Administrator
Posts: 20750
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Thu Jun 30, 2011 4:33 pm

The MLS setup instructions indicates that all MLS users are to use the same Windows Login. It even specifies what the login as password are to be.

Policies and Guidelines for Computers Used by Clerks for Church Record Keeping states "The MLS database is stored on the computer’s hard drive. Other confidential files should not be stored on the hard drive. They should be saved on external media and locked in storage when not in use."

I can't say that any of us are thrilled by the Windows login policy, but if you don't follow it, then you get to be an unpaid beta tester.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

crislapi
Senior Member
Posts: 1265
Joined: Mon Jul 07, 2008 3:05 pm
Location: USA

Postby crislapi » Thu Jun 30, 2011 7:06 pm


russellhltn
Community Administrator
Posts: 20750
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Thu Jun 30, 2011 7:55 pm

crislapi wrote:The current version of MLS is "supposed" to support multiple user accounts.


The release notes state that it no longer needs to be a admin account, but I don't recall any authoritative source saying that multiple Windows accounts for MLS users were acceptable. Did I miss something?
Have you searched the Wiki?

Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

crislapi
Senior Member
Posts: 1265
Joined: Mon Jul 07, 2008 3:05 pm
Location: USA

Postby crislapi » Thu Jun 30, 2011 8:48 pm

cougs wrote:Does your ward use a separate Windows login for clerks vs. auxiliaries?

Answering the original question, no, we do not. All users use the same Windows account in my stake. The closest I've seen is computers set up where the ward account is a limited user and the stake account is the only admin account. However, all ward users share the ward account. There are not multiple user accounts for the ward users.

RussellHltn wrote:The release notes state that it no longer needs to be a admin account, but I don't recall any authoritative source saying that multiple Windows accounts for MLS users were acceptable. Did I miss something?

No, and that is a good clarification. Admin vs non-admin account is not the same as multiple user accounts. Admin vs non-admin means the ward can be given an account where they cannot install software (or updates), change system time, as well as preventing other actions that can sometimes lead to problems. However, everyone could share this account. Multiple users would mean many different user accounts running MLS from their different profiles. Not the same.

MLS does now install in the "All Users" section instead of under the clerk profile, so in theory all the data in MLS is accessible to all user accounts, meaning multiple user profiles running MLS should work. However, what it "should" do vs what it "does" do often vary. I for one am not willing to test it out. MLS features have a tendency of not being fully vetted before they are released.

Whether it requires a new policy release or not I don't know. The old version of MLS installed under the Clerk profile and could only be run under that profile, which had to be an administrator account. It seems logical, then, that the instructions released at the time specifically mentioned not using multiple user accounts. MLS can now support it but the instructions have not been updated. But then again, nor have any of the instructions posted online around the same time. Logic tells me they are swamped so likely haven't gotten around to it. It probably really comes down to being an unpaid beta tester or not, I guess.

User avatar
aebrown
Community Administrator
Posts: 14690
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Fri Jul 01, 2011 4:26 am

crislapi wrote:... in theory all the data in MLS is accessible to all user accounts, meaning multiple user profiles running MLS should work.... It seems logical, then, that the instructions released at the time specifically mentioned not using multiple user accounts. MLS can now support it but the instructions have not been updated.


But I've seen no documentation nor user experience that says that MLS can support multiple user accounts safely even now. I have never heard of anyone doing a single test of MLS running under one user, then switching to another user and running another instance at the same time. Or one user running MLS and leaving it running while the screen saver locks the machine, then that person (the bishop, perhaps) is not available when someone else (the financial clerk, perhaps) needs to use MLS. Those are the kinds of scenarios that concern me if people start using multiple accounts to run MLS.

It's prudent, and indeed some official instructions have officially instructed us, to create at least one additional administrative account. And given that you have done this, I see no problem with scaling back the permissions of the single Clerk account that runs MLS, as Mikerowaved has done. But multiple users running MLS? That still sounds like an unapproved, unproven nightmare to me.
Questions that can benefit the larger community should be asked in a public forum, not a private message.


Return to “Clerk Computers”

Who is online

Users browsing this forum: No registered users and 1 guest