Restricted users & Third Party Software

Article Number: 0000000119

Created On: 2007-08-06 12:45:32

Last Updated: 2008-08-28 11:40:09



Question

Restricted users are unable to open third-party software; however, network admin users can. Is Ranger preventing the software from running?



Symptoms

Various error messages may be displayed.

 

The error would normally suggest a permissions issue, for example 'unable to open application because unable to write to file', 'unable to update registry', 'unable to open database', etc.

 

When an application starts, it may have to read or write to parts of the registry and/or local program and system files that the user is unable to access. As a network user (domain user), the user may have insufficient permissions to modify the registry, local program files or system files, or the failure could be due to a privilege issue such as a local policy or hardware requirement.



Cause

Depending on the age and design of the software, it may have been designed for a stand-alone environment. If the software was designed for Windows 9x or stand-alone use, it may expect the user to have full control of the PC, which is not the case in an NT-based networked environment.

 

Software designed for Windows 2000/XP, or with network usage in mind, would be developed for a multi-user environment where users have different levels of control and access.

 

By default, when a network user logs on they would be granted only guest privilege. This means they have only limited access to the registry and only read permission on the majority of the local program and system files.

 

If this is the case and the software expects the user to be able to access, or have privilege over, the whole machine, the program may not handle this configuration when the user starts it. The software will probably fail to load and display an error message indicating that the user has insufficient permission to a file or folder, i.e. error code 5, access denied. Alternatively, the program starts but does not function correctly.



Resolution

The first thing you need to check is whether Ranger is involved in preventing the users from running the software.

 

Checking active security settings

To do this, check that LAN Ranger is not reporting a security violation and that a Ranger React rule has not been triggered, closing the application down. If a security violation is being reported, it would indicate that a security setting within Ranger is stopping the application from running.

 

To test this possibility, disable Ranger's active security against the group the user belongs to (or move the user into a test group, making sure the group settings are identical so that you are testing the fault and not the different group settings) and then try running the software again.

 

If the software loads, it would suggest the software is being closed because of Ranger's security. In that case, turn the security section back on but enable only one part of the security at a time, testing the software each time, until you identify which setting is causing the problem.

 

Checking Ranger policies

If you have disabled Ranger's active security and the software still fails to load, uninstall the Ranger client from the workstation and create a new test user with the same group memberships, making sure the user has a new profile. Log on and try the software again.

 

If the software now works, it would suggest the problem is down to policy restrictions. Reinstall the Ranger client and log the user back on, allowing Ranger to apply the security and policies against this user.

 

If you then find the software fails to start, Ranger could be involved. Create a configuration dump and log a support call, providing the test results and screenshots.

 

Windows or Software Issue

If you have performed the previous tests and the software still fails to start, it would appear that Ranger is not part of the problem, which would indicate the problem is with the software installation or the user's privilege.

 

Please note the following recommendations are made only as suggestions to aid with the identification of the problem and may not be viable as part of a final solution.

 

To test, give the network users additional access and privilege on the local PC by adding the domain users into the local power users or administrators group. Try giving the domain users the minimum additional access needed to allow the software to function properly.

 

Please note that by adding the network domain users into the local power users or administrators group, the inherent Windows security is being reduced or removed, which is not recommended in environments without Ranger. However, because Ranger provides workstation security based on the user's network group membership, you can still enforce security over the user and prevent them from exploiting this privilege and corrupting or changing the machine.

 

If these changes allow you to run the software, you may consider investigating the problem further by trying to identify the actual files, folders or registry keys the software is trying to access, so that you can then grant domain users full control to these specific areas instead of using the local group membership.
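
One way to carry out that narrowing step, as an added PowerShell example (not part of the original article or of Ranger): it reports what a group can currently do on a folder or registry key, then grants that group access to only that location. The path, registry key and group name are placeholders, not values from this article.

```powershell
# Added example; the paths, registry key and group name are placeholders (assumptions).
function Get-GroupAccess {
    param([Parameter(Mandatory=$true)][string]$Path,
          [Parameter(Mandatory=$true)][string]$Identity)
    # List the ACL entries (explicit and inherited) that name this identity.
    (Get-Acl -Path $Path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Identity } |
        Select-Object IdentityReference, AccessControlType, IsInherited,
            @{ Name = 'Rights'; Expression = {
                if ($_ -is [System.Security.AccessControl.RegistryAccessRule]) { $_.RegistryRights }
                else { $_.FileSystemRights } } }
}

function Grant-ScopedAccess {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$Path,
          [Parameter(Mandatory=$true)][string]$Identity,
          [string]$Rights = 'FullControl')  # the article's suggestion; narrow it if the software allows
    $acl   = Get-Acl -Path $Path
    $prop  = [System.Security.AccessControl.PropagationFlags]::None
    $allow = [System.Security.AccessControl.AccessControlType]::Allow
    if ($acl -is [System.Security.AccessControl.RegistrySecurity]) {
        # Registry keys only contain sub-keys, so container inheritance is enough.
        $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList $Identity,
            ([System.Security.AccessControl.RegistryRights]$Rights), $inherit, $prop, $allow
    } else {
        # A single file cannot carry inheritance flags; a folder passes the grant down.
        $inherit = [System.Security.AccessControl.InheritanceFlags]'None'
        if (Test-Path -LiteralPath $Path -PathType Container) {
            $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity,
            ([System.Security.AccessControl.FileSystemRights]$Rights), $inherit, $prop, $allow
    }
    if ($PSCmdlet.ShouldProcess($Path, "Grant $Rights to $Identity")) {
        $acl.AddAccessRule($rule)
        Set-Acl -Path $Path -AclObject $acl
    }
}

# Placeholder targets: replace with the locations named in the application's error.
$group = 'EXAMPLE\Domain Users'
foreach ($target in 'C:\Program Files\ExampleApp\Data', 'HKLM:\SOFTWARE\ExampleVendor\ExampleApp') {
    if (-not (Test-Path -LiteralPath $target)) { Write-Warning "Not found: $target"; continue }
    Get-GroupAccess    -Path $target -Identity $group           # access before the change
    Grant-ScopedAccess -Path $target -Identity $group -WhatIf   # remove -WhatIf to apply
}
```

Run it from an elevated session on the affected workstation; once the scoped grant is in place, the domain users group can be removed from the local power users or administrators group again.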



Instructions

Disabling Ranger's Active Security

Open Ranger administrator and go to the security section, select the group that the user belongs to and turn off the active security by unticking the 'apply security' setting. Apply the setting and then test the software by logging on as a secure user.

If you prove the problem relates to Ranger's Active Security, test each part of active security, for example Title Checks, by enabling one section at a time and then testing the software until it fails to load again.

Once you know which security section is causing the problem, look through the settings to see what might be causing the conflict. If you are unable to find the cause contact your Ranger support.

 

Ranger Policies

To test Ranger policies, uninstall the Ranger client, create a new user and make sure the software works. To identify which policy is causing the problem, take a copy of the group's current policy settings (copy them to a test group) and then set all the policies to gray. Reinstall the Ranger client and log the user on, allowing the Ranger security to be applied; because all the policies are grayed, they will be ignored.

 

Test that the software works and then restore a few policies at a time, testing the software as you go. When you find the software stops functioning, break down the last group of policies applied by repeating the same trial and error testing until you get to the policy that is causing the software conflict.

 

Once you have proved which policy is causing the problem contact your Ranger support.

 

Windows Security

To make domain users a member of the local power users or administrators group, log on to the network as a domain admin user, open the local users and groups MMC and browse to the power users or administrators group. Modify the required group and add the domain users group into the local group membership list. The next time a network user logs on to the machine they will have full control over the local PC.

 

For the group membership changes to take effect, the user must log out and then log back on to pick up the changes.

 

An alternative to going to a local machine and changing local group security is to make the network user a member of the domain admins group. Make sure the domain admins group is lower in the Ranger group priority listing to ensure the user logs on against Ranger in the secure group. This time the individual user will automatically be granted full control over the local PC. If you find this works, you will still need to go through the process of testing the local group membership solution, as leaving the user a member of domain admins is not advised, but it may be a quicker way to initially test whether permissions or privilege have a part to play.



Testing

During each test, record the username and Ranger Group displayed in the Ranger splash screen (if shown). Try running the application. If the software fails to start, record the error message displayed and take a screenshot if possible.

 

If you find the error is related to Ranger security, contact your Ranger Support with your findings, including the test results, screenshots and configuration dump.



Applies To

All versions of Network Ranger
