Can't access MLS from another Windows account

Discussions around the setup, operation, replacement, and disposal of clerk computers, not to include using MLS
Mikerowaved
Community Moderators
Posts: 4734
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: Can't access MLS from another Windows account

#11

Post by Mikerowaved »

I was assured by an MLS developer that this was not a planned security feature, so I'm allowed to discuss the problem and how to fix it in the forum.

Recapping a bit, when running MLS as a different Windows user, MLS would pop up the error message shown in the first post of this thread. If that same user right-clicked on MLS and ran MLS as an admin, MLS would run without a hitch. However, when you went back to run MLS as "Unit xxxxx" (former "Clerk" account), it would hang indefinitely while starting until you killed the process. As far as I can tell, this error ONLY occurs after setting up new PCs with the LDS Provisioning tool that comes pre-installed.

I traced it down to a file that had one permission missing compared to other files in that folder. That file was:

C:\ProgramData\LDS Church\MLS\data\strings\str_tab0.data

Adding the missing permission back allowed MLS to run as Unit xxxxx again.

The bigger problem I see is it appears the LDS Provisioning tool is setting the permissions in the ProgramData folder differently than has been used before and this is affecting the ability to run MLS as a different Windows user. The following shows the old way of setting permissions for a typical file under ProgramData\LDS Church\:

Type   Principal        Access         Inherited From
----   ---------        ------         --------------
Allow  Users            Full Control   C:\ProgramData\Lds Church\MLS\
Allow  SYSTEM           Full Control   C:\ProgramData\
Allow  Administrators   Full Control   C:\ProgramData\
Allow  Clerk            Full Control   C:\ProgramData\

The new way sets the permissions on that same file as:

Type   Principal        Access         Inherited From
----   ---------        ------         --------------
Allow  SYSTEM           Full Control   C:\ProgramData\
Allow  Administrators   Full Control   C:\ProgramData\
Allow  Clerk            Full Control   C:\ProgramData\
Allow  Users            Read & Execute C:\ProgramData\Lds Church\MLS\
Allow  Users            Write          C:\ProgramData\Lds Church\MLS\

Setting the 'Users' permissions in the C:\ProgramData\Lds Church\MLS\ folder to Full Control, then allowing those permissions to propagate down to all files and folders under it will fix the problem.

PLEASE don't attempt this if you are unfamiliar with file and folder permissions. You could easily prevent MLS from running at all.
russellhltn
Community Administrator
Posts: 34422
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: Can't access MLS from another Windows account

#12

Post by russellhltn »

Out of curiosity, what's the rights to ProgramData? I'm wondering if Windows 10 has different "User" rights for ProgramData? Although in both cases it seems to be inherited from the MLS directory rather than ProgramData.

Re: Can't access MLS from another Windows account

#13

Post by Mikerowaved »

russellhltn wrote: Out of curiosity, what's the rights to ProgramData? I'm wondering if Windows 10 has different "User" rights for ProgramData? Although in both cases it seems to be inherited from the MLS directory rather than ProgramData.

I think you're on to something. I did a fresh install of MLS 3.8.5 under Windows 7, then Windows 10. In both cases it didn't create the ProgramData\LDS Church\ folder until AFTER MLS was run for the first time. This means it couldn't have been the installer OR the LDS Provisioning tool at fault for the bug.

The difference can be found in how Windows 7 and Windows 10 handle the creation and usage of entries in the ProgramData folder. After running MLS for the first time and selecting a language, I looked at the permissions of random files under the ProgramData\LDS Church\ folder in both the Windows 7 and Windows 10 machines. The ONLY difference was Windows 7 set the 'Users' group to 'Full Control', while Windows 10 set it to 'Read & Execute'. Wow, there's a big difference between those two permission levels.

PCs that upgraded to Windows 10 wouldn't see the problem, because it just kept the permissions previously set by Windows 7 intact. Even reinstalling MLS on a Windows 10 PC wouldn't see the issue, unless the user deleted the entire ProgramData\LDS Church\ folder, which isn't very likely. Again, this error ONLY shows up when trying to run MLS using a different Windows user than the one that installed it, so I doubt the support phone lines are ringing off the hook with this problem.

Searching the 'net I found many instances where this difference in how Windows 10 treats new folders in ProgramData has been responsible for program crashes and other unpleasant results. In other words, the MLS team wasn't the first to be bit by this.

So the "fix" I suggested a couple of posts ago would need to be applied if MLS is to be accessed from other Windows accounts. Otherwise, it's better to leave well enough alone. It's a one-time fix, not likely to be undone by future revisions of MLS or Windows.

Re: Can't access MLS from another Windows account

#14

Post by russellhltn »

Mikerowaved wrote: The ONLY difference was Windows 7 set the 'Users' group to 'Full Control', while Windows 10 set it to 'Read & Execute'. Wow, there's a big difference between those two permission levels.

Curiouser and curiouser. Looking at a Win7 machine upgraded to Win10 as well as a Win7 machine, I find the same thing. For ProgramFiles, "Users" have read and execute rights to "This folder, subfolder, and files". "User" also has write rights to "This folder and subfolders" (but notice no "files").

Now, this laptop has a test install of MLS originally installed 3 years ago. The "LDS Church" folder has those same rights, but "MLS" has users set to "full control". Because "LDS Church" is different from "MLS", I don't think this is a Windows thing. I installed the current version of MLS onto the Win7 machine, and the rights were set as expected. So I think it's a problem with MLS being able to set rights when running under Windows 10.

Note that "Creator Owner" has full rights, so whatever login that's used to initialize MLS will have no problems.

Re: Can't access MLS from another Windows account

#15

Post by Mikerowaved »

russellhltn wrote: Looking at a Win7 machine upgraded to Win10 as well as a Win7 machine, I find the same thing. For ProgramFiles, "Users" have read and execute rights to "This folder, subfolder, and files". "User" also has write rights to "This folder and subfolders" (but notice no "files").

When comparing the permissions of two PCs, I look at a sample of files, rather than looking at folders. For example, C:\ProgramData\LDS Church\MLS\data\mlslog.txt is one I often pick to look at.

russellhltn wrote: ...I don't think this is a Windows thing.

russellhltn wrote: So I think it's a problem with MLS being able to set rights when running under Windows 10.

Which makes it a "Windows thing". :) If you google "Windows 10 ProgramData permissions", you'll find case after case of programs failing to run as expected because of the very same difference you just pointed out; namely, the permissions set by installers running on Windows 10 have different results than they did under Windows 7/8/8.1.

Re: Can't access MLS from another Windows account

#16

Post by russellhltn »

Digging into this, I think I got the complete picture now. I'm tacking onto this thread as it's the more technical one and I'll be referencing Mikerowaved's post above.

The problem is the way rights are set and how UAC (User Account Control) works.

In simple terms, whenever a program is run, it's given a token that represents the user's rights. If UAC is active (which it should be), when a program is run normally, it is given an access token that has the "Administrators" group filtered out of it. So, despite the fact the user is part of the Administrators group, the program can't use Administrator rights unless the program is launched "as administrator".

If you look at the rights that Mikerowaved posted, you'll quickly see that user "Clerk" will be able to function with no issues, but anyone else (such as "Stake Clerk") will run into problems unless they use "Run as administrator".

The solution is to fix the rights so as not to rely on the Administrators group for access.

There are two ways of doing that:

If all Windows users are MLS users, then you can grant the "Users" group "Full Control" as Mikerowaved posted above.

If some of the Windows users are NOT MLS users, then you can create a new user group "MLS Users", grant them "Full Control" and add all the unit logins to that group.

Either way, the key is to grant needed access without relying on the "Administrators" group.
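The second option described in post #16, combined with the file-by-file comparison used in post #11 to find the odd file, as an added PowerShell example that is not part of the thread and not MLS or Church-provided code. The folder path and the group name "MLS Users" come from the posts; the login names in $Members are placeholders, and the script assumes local accounts and an elevated PowerShell 5.1 or later session.

```powershell
#Requires -RunAsAdministrator
# Added example. Path and group name are taken from the thread;
# the entries in $Members are placeholders for the real local logins.
$MlsData = 'C:\ProgramData\LDS Church\MLS'
$Group   = 'MLS Users'
$Members = @('Unit xxxxx', 'Stake Clerk')

# 1. Create the dedicated group if needed and add the unit logins to it.
if (-not (Get-LocalGroup -Name $Group -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Group -Description 'Accounts allowed to run MLS' | Out-Null
}
foreach ($m in $Members) {
    if ((Get-LocalGroupMember -Group $Group).Name -notcontains "$env:COMPUTERNAME\$m") {
        Add-LocalGroupMember -Group $Group -Member $m
    }
}

# 2. Grant the group Full Control on the MLS data folder. (OI)(CI) makes the
#    entry inherit to files and subfolders; /T applies it to existing items.
#    This entry does not depend on the Administrators group, so it survives
#    the UAC-filtered token a normally launched program receives.
icacls $MlsData /grant "${Group}:(OI)(CI)F" /T /Q

# 3. Audit: find files where the group still has no Allow / Full Control
#    entry (the kind of one-off file described in post #11).
$sid  = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
            [System.Security.Principal.SecurityIdentifier])
$full = [System.Security.AccessControl.FileSystemRights]::FullControl

$missing = Get-ChildItem -LiteralPath $MlsData -Recurse -File -Force | Where-Object {
    # Ask for explicit and inherited rules, with identities as SIDs.
    $rules = (Get-Acl -LiteralPath $_.FullName).GetAccessRules(
                 $true, $true, [System.Security.Principal.SecurityIdentifier])
    -not ($rules | Where-Object {
        $_.IdentityReference.Value -eq $sid.Value -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $full) -eq $full
    })
}

if ($missing) { $missing | Select-Object -ExpandProperty FullName }
else { Write-Output "Every file under $MlsData grants '$Group' Full Control." }
```

Accounts added to the group pick up the membership in their access token at their next sign-in, so each one needs to sign out and back in before testing MLS.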