Page 2 of 2

Posted: Wed Jul 07, 2010 1:00 am
by russellhltn
Thanks, but it's already documented in the Wiki link given up-thread.

Posted: Wed Jul 07, 2010 5:32 am
by aebrown
scgallafent wrote:It should be possible to create a separate account with administrator privileges and then modify the local security policy to remove the administrators group from the "Change system time" rights group and add just the specific user.
That's essentially the technique that RussellHltn referred to above. In case you missed it, the direct link to the documentation in the wiki is under Preventionhttps://tech.lds.org/wiki/index.php?title=System_Date#Prevention.

Posted: Wed Jul 07, 2010 8:49 am
by scgallafent
RussellHltn wrote:Thanks, but it's already documented in the Wiki link given up-thread.
Missed that. That's what I get for thinking aloud late at night!

Posted: Wed Jul 07, 2010 12:52 pm
by crislapi
oregonmatt wrote:Since this problem seems to be a common theme, I think it would be a great idea for the software to check and see if the elapsed time from the current login date is reasonable (two weeks or less, maybe) and throw up a warning before allowing someone to completely log in. It always asks me the date when I start a tithing batch (but that is perhaps to allow backdating on 31 Dec...).

"Warning: Is is really August 4th? If it is, the clerks have really been slacking..." :D

Now to figure out where to give this feedback...
Not a bad idea. It seems a week or two (for General Conference) would be reasonable. Feedback and suggestions can be provided in the Wiki here.

The backdating on a batch is different than the time stamp set when logging in.
scgallafent wrote: It should be possible to create a separate account with administrator privileges and then modify the local security policy to remove the administrators group from the "Change system time" rights group and add just the specific user.
It's possible without having to create a separate administrator account. It's already been discussed here. RussellHltn also provided a link to this Wiki article in this thread. The problem, of course, is if the account is still an administrator account, then anyone can change it back.

As for creating limited use accounts, see RussellHltn's reply from above.
RussellHltn wrote:We would love to, but the MLS instructions specifically states that we're to use a common Administrator account for all MLS users. A few people have tried using a more limited account, but I don't know what their long-term success with upgrades are. There really is no way to do thorough testing given that we have no idea what the upgrades might be doing or when they'll arrive.

Posted: Wed Jul 07, 2010 4:50 pm
by bdayley
RussellHltn wrote:A few people have tried using a more limited account, but I don't know what their long-term success with upgrades are. There really is no way to do thorough testing given that we have no idea what the upgrades might be doing or when they'll arrive.
Doesn't a limited-user account stop send-and-receive as well? No receive, no updates.

Posted: Wed Jul 07, 2010 5:03 pm
by russellhltn
bbdd wrote:Doesn't a limited-user account stop send-and-receive as well? No receive, no updates.
I suppose you could set rights such that a s/r would bomb when using a limited use account. You'd have to make sure that it fails gracefully. But there's still the issue that SLC wants us to use just one account for all MLS use. Having seen various JAR files in the user area, I'm not sure what would happen if you try and use different accounts for MLS.

I still think that's taking on a bigger portion of tech support then one bargains for.

Posted: Thu Jul 08, 2010 12:42 pm
by mfmohlma
crislapi wrote:Not a bad idea. It seems a week or two (for General Conference) would be reasonable. Feedback and suggestions can be provided in the Wiki here.
Can't edit this wiki page. Mods, can we add this suggestion to the wiki? Thanks.

Posted: Thu Jul 08, 2010 12:47 pm
by lajackson
bbdd wrote:Why don't we use limited-rights user accounts on Windows for anyone who needs less than a clerk-level access? I don't understand why we run with admin-level accounts.

MLS was written such that the program requires administrative level login to keep the database updated as different folks do different types of work.

In addition, some administrative things happen in MLS, such as complete backups and other data rearranging, even when an Admin is not logged in.

It may change in the future. But for now, MLS needs administrator privileges or the database will become corrupted.

Posted: Thu Jul 08, 2010 1:29 pm
by aebrown
oregonmatt wrote:Can't edit this wiki page. Mods, can we add this suggestion to the wiki? Thanks.
Done. It is now in the General section of that page.