  1. #1


    SIMS and local Power Users

    Hi all,

    This may have been asked before so sorry if it has.

    I need to add users to the local power users group during login (script if poss) so the staff can update their installed copy of SIMS.net. I have been informed that this is the best method as it will be less problematic in the future.

    How could I accomplish this with a straightforward script, as I installed the update on the server and came in this morning (late as car broke down) and found no one could do the reg. I don't want to go around and update one at a time again like the last one.

    Hope you can help.

    Thanks.

  2. #2
    cookie_monster
    The best way that I have found is to run Simsperm.bat on each station after install; you can get it on the Capita site. It gives users write access to C:\IDAPI (I think it's called that), C:\Program Files\SIMS and a couple of reg keys. We've been running like that for 3 years with restricted users with no issues.

    An even better way is to add those settings to a GPO, as then you don't have to visit each station.

    Take a look at the bottom of this link; there is an HTML export of the settings.

    SiMS and Nova T


    Either of these ways means that you don't have users running as Power User or Admin, neither of which I recommend.
    Last edited by cookie_monster; 9th June 2008 at 05:22 PM.

  3. Thanks to cookie_monster from:

    HodgeHi (9th June 2008)

  4. #3
    metalmonkey
    Guest
    If this is a domain, this can be done without the use of a script.

    Create or modify a group policy for the Computers, which utilises the 'Restricted Groups' option. Here you can specify what users have local admin rights.

    Be aware, using this will remove all manually set local membership to that group and therefore, if not done right, will cause you problems.

  5. 2 Thanks to metalmonkey:

    HodgeHi (9th June 2008), maniac (9th June 2008)

  6. #4

    maniac
    Originally posted by metalmonkey:
    If this is a domain, this can be done without the use of a script.

    Create or modify a group policy for the Computers, which utilises the 'Restricted Groups' option. Here you can specify what users have local admin rights.

    Be aware, using this will remove all manually set local membership to that group and therefore, if not done right, will cause you problems.
    Well I never knew that!! I've got a VBS script which does this for me, but this sounds a much more sensible option. What I would do though is specify a domain group if it lets you; that way, instead of editing a group policy every time you want to add or remove a user, you simply need to make the user a member of that group in your domain. I have two called Local Admins and Local Power Users on my domain which I use for those purposes; they are added as members of the respective local groups on all my workstations by my script.

    Mike.

  7. Thanks to maniac from:

    HodgeHi (9th June 2008)

  8. #5

    The restricted groups method is tidiest because it does remove all the odds and ends - it means you have one place you control membership of "special" groups.

    If you want to use a script it has to be machine startup - a logon script runs in the context of the user and they can't add themselves to power users (unless they're already an admin in which case they don't need to!)

  9. Thanks to srochford from:

    HodgeHi (9th June 2008)

  10. #6
    cookie_monster
    @ maniac: yes, it's an excellent feature for controlling the members of local groups, particularly making sure that only users you want in admins are in there.

    http://www.windowsecurity.com/articl...ed-Groups.html



    @ HodgeHi: I still wouldn't recommend making users local admins just for SIMS when it's just as easy to set the correct file permissions using GPO.

  11. Thanks to cookie_monster from:

    HodgeHi (9th June 2008)

  12. #7

    I had a quick look at the simsperm.bat but wasn't sure how/what it did. The last line was user/domain. Do I need to specify the actual user names or just the user group, or am I missing it entirely?

  13. #8
    cookie_monster
    Specify the user group, e.g. domain users. I can't check at the moment but it'll be obvious if it hasn't worked, as domain users won't have write access to the SIMS program folders. You would need to run that on each station.

  14. Thanks to cookie_monster from:

    HodgeHi (9th June 2008)

  15. #9

    Thanks for the replies. I will look into them tomorrow as I am at home now.
    I think I will look at the simsperm bat first as I don't really want to add the users to the local admins groups as the least rights the users have the better as they sometimes let the pupils use the machines when the staff are logged in themselves.

  16. #10
    cookie_monster
    Take a look at the GPO option as well; it's pretty easy to set up and then it's done. The settings are in the link I posted above.

    I agree on not using the admins group. I've found staff to be as bad as students for installing things if they can. Power users also allows them to install a surprising amount of stuff: toolbars, browser helper objects, all sorts.

    Good luck.

  17. #11
    tosca925
    I use the GPO option as well. Took a bit of tweaking to get set up, but once it is, there are no problems, and it's much more secure than making the users power users.

  18. #12

    I have looked at the SIMSperm.bat and am not quite sure what I need to edit to make the file add the users to the security settings on the files. I think you need to edit the [domain]\<username> section but cannot see how it adds the users, as it seems to be just an echo command and nowhere else has information about the username \domain.

    I have done a search on the SIMS support site for simsperm.bat and found nothing.

    What do I need to do to this file in order to add users to the security on these files? For example, if I have a domain called school and a group called staff, what do I need to add to make it work?

    SIMSPerm.bat below:

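    @echo off
    rem Grants the account or group passed as the first argument access to
    rem the SIMS files and registry keys. Nothing in this file needs editing.
    if "%1" == "" goto :usage
    rem Full control (F) on SIMS.INI in the Windows directory
    SubInAcl /FILE %WINDIR%\SIMS.INI /GRANT=%1=F
    rem Full control on everything under the SIMS program folder
    rem (quoted because the expanded path contains a space)
    SubInAcl /SUBDIRECTORIES "%ProgramFiles%\SIMS\*.*" /GRANT=%1=F
    rem Access to the COM registration keys under HKLM\SOFTWARE\Classes
    SubInAcl /KEYREG HKEY_LOCAL_MACHINE\SOFTWARE\Classes /GRANT=%1
    SubInAcl /KEYREG HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID /GRANT=%1
    SubInAcl /KEYREG HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Interface /GRANT=%1
    SubInAcl /KEYREG HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib /GRANT=%1
    goto :end
    :usage
    rem Shown only when the script is run without an argument
    echo.
    echo "Usage simsperm [domain]\<username>"
    :end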

  19. #13
    cookie_monster
    jinnantonnix is right, the command should be SIMSPERM yourdomain\youruser (or group). I just put that into another .bat file in the same folder so it calls simsperm.bat and passes the parameter.

  20. #14

    But if you're using Active Directory, a neater solution is to look at the code and transfer its security changes to a group policy to be applied by Active Directory. This really is a much better way of doing it.
    I'm not sure I follow the above. Whereabouts do I use the settings found in the batch file and apply them to GPOs? I don't go too deep into Group Policy usually as it tends to be a pain in the a**e.

    jinnantonnix is right, the command should be SIMSPERM yourdomain\youruser (or group). I just put that into another .bat file in the same folder so it calls simsperm.bat and passes the parameter.
    I have just added the bat file to the Staff GPO for login and found that nothing changed. Am I going about it all the wrong way? I think I am, but something's not clicking at the moment. It's been a while since I touched the GPO.

    This is what I have done so far: I edited the bat file to say mydomain\staff (as all users for SIMS are staff) and then applied the bat file to the Staff GPO, assuming that it would set the permissions on the files and folders for the user when they log in.

    Is this not right?

    I also looked at the Restricted Groups. I don't really get this though. How do you add the local power users group to the restricted group? Maybe an article. I read the linked one at windowssecurity but the guy was speaking some different language because I didn't really get what he was saying.

    Sorry for the lengthy topic on this, just not getting it.

  21. #15

    You could use the following script:

    NET LOCALGROUP "Power Users" "Domain name\usergroup" /add

    e.g. NET LOCALGROUP "Power Users" "TGG\Teacher" /add

    Place this script in Computer Configuration - Startup scripts in the GPO for the computer OU in question.

    To remove the group in the future, just change the switch /add to /delete

  22. Thanks to AM_LHS from:

    HodgeHi (10th June 2008)
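
A read-only check for the state the thread recommends (staff kept out of Power Users and Administrators, with the SIMSPerm.bat grants placed on a domain group instead), as an added PowerShell example that is not code from the thread. The group name SCHOOL\Staff and the Get-GroupAce helper are assumptions; the paths are the ones in the SIMSPerm.bat posted above.

```powershell
# Added example, not from the thread. 'SCHOOL\Staff' is an assumed group name.
param([string]$Group = 'SCHOOL\Staff')

# The file, folder and registry keys that SIMSPerm.bat grants access to.
$targets = @(
    "$env:WINDIR\SIMS.INI",
    "$env:ProgramFiles\SIMS",
    'HKLM:\SOFTWARE\Classes',
    'HKLM:\SOFTWARE\Classes\CLSID',
    'HKLM:\SOFTWARE\Classes\Interface',
    'HKLM:\SOFTWARE\Classes\TypeLib'
)

function Get-GroupAce {
    # Returns the Allow entries that name $Identity directly on $Path.
    # Access the group gets through other groups is not reported.
    param([string]$Path, [string]$Identity)
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Path = $Path; Rights = 'PATH MISSING'; Inherited = $null }
    }
    $aces = @((Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and $_.AccessControlType -eq 'Allow' })
    if ($aces.Count -eq 0) {
        return [pscustomobject]@{ Path = $Path; Rights = 'NO ACE'; Inherited = $null }
    }
    foreach ($ace in $aces) {
        # File system entries expose FileSystemRights, registry entries RegistryRights.
        $rights = if ($ace -is [System.Security.AccessControl.FileSystemAccessRule]) {
            $ace.FileSystemRights } else { $ace.RegistryRights }
        [pscustomobject]@{ Path = $Path; Rights = "$rights"; Inherited = $ace.IsInherited }
    }
}

# Who is in the privileged local groups on this machine.
foreach ($localGroup in 'Administrators', 'Power Users') {
    net localgroup $localGroup
}

# What the staff group was granted on each SIMS path.
$targets | ForEach-Object { Get-GroupAce -Path $_ -Identity $Group } |
    Format-Table -AutoSize
```

A 'NO ACE' row on the SIMS folder after the startup script or GPO has applied means the grant did not land, which matches the symptom described in the thread of staff lacking write access to the SIMS program folders.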


