Best practice for Windows user logins

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
Post Reply
cougs
New Member
Posts: 33
Joined: Wed Dec 29, 2010 5:57 pm

Best practice for Windows user logins

#1

Post by cougs »

Does your ward use a separate Windows login for clerks vs. auxiliaries? Currently our setup is that everybody uses the same Windows user account, which means auxiliaries may potentially access some sensitive information stored in the clerk's 'My Documents' folder.

Is there a best practice on this or is it not something to worry about? Any issues with running MLS across multiple Windows users?
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#2

Post by russellhltn »

The MLS setup instructions indicates that all MLS users are to use the same Windows Login. It even specifies what the login as password are to be.

Policies and Guidelines for Computers Used by Clerks for Church Record Keeping states "The MLS database is stored on the computer’s hard drive. Other confidential files should not be stored on the hard drive. They should be saved on external media and locked in storage when not in use."

I can't say that any of us are thrilled by the Windows login policy, but if you don't follow it, then you get to be an unpaid beta tester.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
crislapi
Senior Member
Posts: 1267
Joined: Mon Jul 07, 2008 4:05 pm
Location: USA

#3

Post by crislapi »

The current version of MLS is "supposed" to support multiple user accounts. This has been discussed elsewhere on the forum so I'd direct you there:
https://tech.lds.org/forum/showthread.p ... -computers
https://tech.lds.org/forum/showthread.p ... or-profile
https://tech.lds.org/forum/showthread.p ... #post63350
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#4

Post by russellhltn »

crislapi wrote:The current version of MLS is "supposed" to support multiple user accounts.

The release notes state that it no longer needs to be a admin account, but I don't recall any authoritative source saying that multiple Windows accounts for MLS users were acceptable. Did I miss something?
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
crislapi
Senior Member
Posts: 1267
Joined: Mon Jul 07, 2008 4:05 pm
Location: USA

#5

Post by crislapi »

cougs wrote:Does your ward use a separate Windows login for clerks vs. auxiliaries?
Answering the original question, no, we do not. All users use the same Windows account in my stake. The closest I've seen is computers set up where the ward account is a limited user and the stake account is the only admin account. However, all ward users share the ward account. There are not multiple user accounts for the ward users.
RussellHltn wrote:The release notes state that it no longer needs to be a admin account, but I don't recall any authoritative source saying that multiple Windows accounts for MLS users were acceptable. Did I miss something?
No, and that is a good clarification. Admin vs non-admin account is not the same as multiple user accounts. Admin vs non-admin means the ward can be given an account where they cannot install software (or updates), change system time, as well as preventing other actions that can sometimes lead to problems. However, everyone could share this account. Multiple users would mean many different user accounts running MLS from their different profiles. Not the same.

MLS does now install in the "All Users" section instead of under the clerk profile, so in theory all the data in MLS is accessible to all user accounts, meaning multiple user profiles running MLS should work. However, what it "should" do vs what it "does" do often vary. I for one am not willing to test it out. MLS features have a tendency of not being fully vetted before they are released.

Whether it requires a new policy release or not I don't know. The old version of MLS installed under the Clerk profile and could only be run under that profile, which had to be an administrator account. It seems logical, then, that the instructions released at the time specifically mentioned not using multiple user accounts. MLS can now support it but the instructions have not been updated. But then again, nor have any of the instructions posted online around the same time. Logic tells me they are swamped so likely haven't gotten around to it. It probably really comes down to being an unpaid beta tester or not, I guess.
User avatar
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#6

Post by aebrown »

crislapi wrote:... in theory all the data in MLS is accessible to all user accounts, meaning multiple user profiles running MLS should work.... It seems logical, then, that the instructions released at the time specifically mentioned not using multiple user accounts. MLS can now support it but the instructions have not been updated.

But I've seen no documentation nor user experience that says that MLS can support multiple user accounts safely even now. I have never heard of anyone doing a single test of MLS running under one user, then switching to another user and running another instance at the same time. Or one user running MLS and leaving it running while the screen saver locks the machine, then that person (the bishop, perhaps) is not available when someone else (the financial clerk, perhaps) needs to use MLS. Those are the kinds of scenarios that concern me if people start using multiple accounts to run MLS.

It's prudent, and indeed some official instructions have officially instructed us, to create at least one additional administrative account. And given that you have done this, I see no problem with scaling back the permissions of the single Clerk account that runs MLS, as Mikerowaved has done. But multiple users running MLS? That still sounds like an unapproved, unproven nightmare to me.
Questions that can benefit the larger community should be asked in a public forum, not a private message.
Post Reply

Return to “Clerk Computers”