who can add users and change passwords?

Hi:

I have created a secured database for a client. For various reasons, I
don't want the client to have full persmissions for the database; they
aren't in the admins group. I have instead tried to create a second
group, called "localAdmin," for the admin-type person at the client. I
want this group to be able to do some basic admin-type stuff, including
adding new users and clearing passwords if users forget theirs.

I can't seem to accomplish this, though. When signing on as someone in
the LocalAdmin group, if I try to go to Tools/Security/user & group
accounts, I get the error message about not having read permissions for the
msysUserlist table and msysGroupList table. If I try to add a user via
VBA code, I get error
3033--you don't have permissions for the Tables object (code is below
for your reference).

Dim wrkDefault As Workspace
Dim usrNew As User
Dim usrTemp As User

Set wrkDefault = DBEngine.Workspaces(0)

With wrkDefault
' Create and append new User.
Set usrNew = .CreateUser(Me!username)
usrNew.pid = Me!pid
.Users.Append usrNew------------------>it fails here
the code goes on

I tried giving the localAdmin group administer permissions for the
database (which I hate to do, frankly), but even that didn't work.

Is there no way to accomplish this?

TIA

Jan

re: who can add users and change passwords?

"Jan" <jan@stempelconsulting.com> wrote in message
news:124ihmf5u855fbd@corp.supernews.com...[color=blue]
> Hi:
>
> I have created a secured database for a client. For various reasons, I
> don't want the client to have full persmissions for the database; they
> aren't in the admins group. I have instead tried to create a second
> group, called "localAdmin," for the admin-type person at the client. I
> want this group to be able to do some basic admin-type stuff, including
> adding new users and clearing passwords if users forget theirs.
>
> I can't seem to accomplish this, though. When signing on as someone in
> the LocalAdmin group, if I try to go to Tools/Security/user & group
> accounts, I get the error message about not having read permissions for
> the
> msysUserlist table and msysGroupList table. If I try to add a user via
> VBA code, I get error
> 3033--you don't have permissions for the Tables object (code is below
> for your reference).
>
> Dim wrkDefault As Workspace
> Dim usrNew As User
> Dim usrTemp As User
>
> Set wrkDefault = DBEngine.Workspaces(0)
>
> With wrkDefault
> ' Create and append new User.
> Set usrNew = .CreateUser(Me!username)
> usrNew.pid = Me!pid
> .Users.Append usrNew------------------>it fails here
> the code goes on
> I tried giving the localAdmin group administer permissions for the
> database (which I hate to do, frankly), but even that didn't work.
>
> Is there no way to accomplish this?
>
> TIA
>
> Jan[/color]




In order to add and delete users, you normally need to be a member of the
admins group. However, it would be possible for you to create a workspace
with the credentials of an Administrator programatically, so that a
non-admin person just presses a button and a new user is created. One way I
do this is to create an account with the name Automation, then I can create
the workspace:

Set wks = DBEngine.CreateWorkspace("Jet", "Automation", "MyPassword",
dbUseJet)

and do whatever from there. If your application is an mde, the code is
compiled and you don't need to worry about hard-coding the password as the
code is unreadable. If it is an mdb, there is the risk that someone could
read and extract the password. However, if someone knew enough to
understand the code and extract the password, they could break in anyway as
Access user-level security is broken (ie easily crackable) and unlikely to
be fixed.

re: who can add users and change passwords?

Anthony England wrote:[color=blue]
> "Jan" <jan@stempelconsulting.com> wrote in message
> news:124ihmf5u855fbd@corp.supernews.com...
>[color=green]
>> Hi:
>>
>> I have created a secured database for a client. For various
>> reasons, I don't want the client to have full persmissions for the
>> database; they aren't in the admins group. I have instead tried to
>> create a second group, called "localAdmin," for the admin-type
>> person at the client. I want this group to be able to do some basic
>> admin-type stuff, including adding new users and clearing passwords
>> if users forget theirs.
>>
>> I can't seem to accomplish this, though. When signing on as
>> someone in the LocalAdmin group, if I try to go to
>> Tools/Security/user & group accounts, I get the error message about
>> not having read permissions for the msysUserlist table and
>> msysGroupList table. If I try to add a user via VBA code, I get
>> error 3033--you don't have permissions for the Tables object (code
>> is below for your reference).
>>
>> Dim wrkDefault As Workspace Dim usrNew As User Dim usrTemp As User
>>
>> Set wrkDefault = DBEngine.Workspaces(0)
>>
>> With wrkDefault ' Create and append new User. Set usrNew =
>> .CreateUser(Me!username) usrNew.pid = Me!pid .Users.Append
>> usrNew------------------>it fails here the code goes on I tried
>> giving the localAdmin group administer permissions for the database
>> (which I hate to do, frankly), but even that didn't work.
>>
>> Is there no way to accomplish this?
>>
>> TIA
>>
>> Jan[/color]
>
>
>
>
>
> In order to add and delete users, you normally need to be a member of
> the admins group. However, it would be possible for you to create a
> workspace with the credentials of an Administrator programatically,
> so that a non-admin person just presses a button and a new user is
> created. One way I do this is to create an account with the name
> Automation, then I can create the workspace:
>
> Set wks = DBEngine.CreateWorkspace("Jet", "Automation", "MyPassword",
> dbUseJet)
>
> and do whatever from there. If your application is an mde, the code
> is compiled and you don't need to worry about hard-coding the
> password as the code is unreadable. If it is an mdb, there is the
> risk that someone could read and extract the password. However, if
> someone knew enough to understand the code and extract the password,
> they could break in anyway as Access user-level security is broken
> (ie easily crackable) and unlikely to be fixed.
>[/color]
Hi:

Thanks for the quick reply. Let me get this straight:

I need to create a user called "automation" in the admins group, give it
a password ("mypass"), and then in the code for creating a user, instead
of the
Set wrkDefault = DBEngine.Workspaces(0)
I would use
Set wrkDefault
=DBEngine.createWorkspaces("jet","automation","myp ass",dbusejet)
and then that would allow the non-admin user to add new users?

Please let me know if I've missed something.

Also, how would they clear passwords? I haven't been able to figure out
how to do that programmatically; the VBA way to do it seems to require
one to know the old password in order to change it to blank; but if the
user has forgotten their pass, you can't go that way. I had expected
the "localAdmin" folks to just go through the tools/security/user &
group accounts menus, but they can't do that unless they're in the
admins group. Any thoughts?

Jan

re: who can add users and change passwords?

"Jan" <jan@stempelconsulting.com> wrote in message
news:124ip07qn59k0a8@corp.supernews.com...[color=blue]
>
>
> Anthony England wrote:[color=green]
>> "Jan" <jan@stempelconsulting.com> wrote in message
>> news:124ihmf5u855fbd@corp.supernews.com...
>>[color=darkred]
>>> Hi:
>>>
>>> I have created a secured database for a client. For various
>>> reasons, I don't want the client to have full persmissions for the
>>> database; they aren't in the admins group. I have instead tried to
>>> create a second group, called "localAdmin," for the admin-type
>>> person at the client. I want this group to be able to do some basic
>>> admin-type stuff, including adding new users and clearing passwords
>>> if users forget theirs.
>>>
>>> I can't seem to accomplish this, though. When signing on as
>>> someone in the LocalAdmin group, if I try to go to
>>> Tools/Security/user & group accounts, I get the error message about
>>> not having read permissions for the msysUserlist table and
>>> msysGroupList table. If I try to add a user via VBA code, I get
>>> error 3033--you don't have permissions for the Tables object (code
>>> is below for your reference).
>>>
>>> Dim wrkDefault As Workspace Dim usrNew As User Dim usrTemp As User
>>>
>>> Set wrkDefault = DBEngine.Workspaces(0)
>>>
>>> With wrkDefault ' Create and append new User. Set usrNew =
>>> .CreateUser(Me!username) usrNew.pid = Me!pid .Users.Append
>>> usrNew------------------>it fails here the code goes on I tried
>>> giving the localAdmin group administer permissions for the database
>>> (which I hate to do, frankly), but even that didn't work.
>>>
>>> Is there no way to accomplish this?
>>>
>>> TIA
>>>
>>> Jan[/color]
>>
>>
>>
>>
>>
>> In order to add and delete users, you normally need to be a member of
>> the admins group. However, it would be possible for you to create a
>> workspace with the credentials of an Administrator programatically,
>> so that a non-admin person just presses a button and a new user is
>> created. One way I do this is to create an account with the name
>> Automation, then I can create the workspace:
>>
>> Set wks = DBEngine.CreateWorkspace("Jet", "Automation", "MyPassword",
>> dbUseJet)
>>
>> and do whatever from there. If your application is an mde, the code
>> is compiled and you don't need to worry about hard-coding the
>> password as the code is unreadable. If it is an mdb, there is the
>> risk that someone could read and extract the password. However, if
>> someone knew enough to understand the code and extract the password,
>> they could break in anyway as Access user-level security is broken
>> (ie easily crackable) and unlikely to be fixed.
>>[/color]
> Hi:
>
> Thanks for the quick reply. Let me get this straight:
>
> I need to create a user called "automation" in the admins group, give it
> a password ("mypass"), and then in the code for creating a user, instead
> of the
> Set wrkDefault = DBEngine.Workspaces(0)
> I would use
> Set wrkDefault
> =DBEngine.createWorkspaces("jet","automation","myp ass",dbusejet)
> and then that would allow the non-admin user to add new users?
>
> Please let me know if I've missed something.
>
> Also, how would they clear passwords? I haven't been able to figure out
> how to do that programmatically; the VBA way to do it seems to require
> one to know the old password in order to change it to blank; but if the
> user has forgotten their pass, you can't go that way. I had expected
> the "localAdmin" folks to just go through the tools/security/user &
> group accounts menus, but they can't do that unless they're in the
> admins group. Any thoughts?
>
> Jan[/color]


That's basically it. Clearing password simply means that you set the
password to a zero-length string. As to providing the original password,
that is the point of programatically creating a new workspace as a member of
the admins group. If you are in the admins group, you don't need to know
the old password to change it to a new one.
In the example below, I use a blank string for the old password:
usr.NewPassword "", strNewPwd

but since the old password isn't even looked at, I could have written
either:
usr.NewPassword strNewPwd, strNewPwd
or
usr.NewPassword "AbsoluteNonsense", strNewPwd

However, it doesn't really help readability.




Public Function ResetPassword(strUserName As String, _
strNewPwd As String) As Boolean

On Error GoTo Err_Handler

Dim wks As DAO.Workspace
Dim usr As DAO.User

Set wks = DBEngine.CreateWorkspace("Jet", "Automation", _
"MyPassword", dbUseJet)

Set usr = wks.Users(strUserName)

usr.NewPassword "", strNewPwd

ResetPassword = True

Exit_Handler:

If Not usr Is Nothing Then
Set usr = Nothing
End If

If Not wks Is Nothing Then
wks.Close
Set wks = Nothing
End If

Exit Function

Err_Handler:

Select Case Err.Number

Case 3029 ' Invalid account or password - error with our secret account
MsgBox "Unable to change password", _
vbExclamation, "Password Error"

Case 3033 ' Account has insufficient permissions - error with our secret
account
MsgBox "Unable to change password", _
vbExclamation, "Password Error"

Case 3265 ' strUserName relates to a non-existant user
MsgBox "Cannot locate user: " & strUserName, _
vbExclamation, "Password Error"

Case Else
MsgBox Err.Description, vbExclamation, "Error No: " & Err.Number

End Select

Resume Exit_Handler

End Function

re: who can add users and change passwords?

Thanks, Anthony. I'm going to try it (I hope I can squeeze in time
today but it might be tomorrow) and will let you know how it goes.

Jan

Anthony England wrote:[color=blue]
> "Jan" <jan@stempelconsulting.com> wrote in message
> news:124ip07qn59k0a8@corp.supernews.com...
>[color=green]
>>
>> Anthony England wrote:
>>[color=darkred]
>>> "Jan" <jan@stempelconsulting.com> wrote in message
>>> news:124ihmf5u855fbd@corp.supernews.com...
>>>
>>>
>>>> Hi:
>>>>
>>>> I have created a secured database for a client. For various
>>>> reasons, I don't want the client to have full persmissions for
>>>> the database; they aren't in the admins group. I have instead
>>>> tried to create a second group, called "localAdmin," for the
>>>> admin-type person at the client. I want this group to be able
>>>> to do some basic admin-type stuff, including adding new users
>>>> and clearing passwords if users forget theirs.
>>>>
>>>> I can't seem to accomplish this, though. When signing on as
>>>> someone in the LocalAdmin group, if I try to go to
>>>> Tools/Security/user & group accounts, I get the error message
>>>> about not having read permissions for the msysUserlist table
>>>> and msysGroupList table. If I try to add a user via VBA code,
>>>> I get error 3033--you don't have permissions for the Tables
>>>> object (code is below for your reference).
>>>>
>>>> Dim wrkDefault As Workspace Dim usrNew As User Dim usrTemp As
>>>> User
>>>>
>>>> Set wrkDefault = DBEngine.Workspaces(0)
>>>>
>>>> With wrkDefault ' Create and append new User. Set usrNew =
>>>> .CreateUser(Me!username) usrNew.pid = Me!pid .Users.Append
>>>> usrNew------------------>it fails here the code goes on I tried
>>>> giving the localAdmin group administer permissions for the
>>>> database (which I hate to do, frankly), but even that didn't
>>>> work.
>>>>
>>>> Is there no way to accomplish this?
>>>>
>>>> TIA
>>>>
>>>> Jan
>>>
>>>
>>>
>>>
>>>
>>> In order to add and delete users, you normally need to be a
>>> member of the admins group. However, it would be possible for
>>> you to create a workspace with the credentials of an
>>> Administrator programatically, so that a non-admin person just
>>> presses a button and a new user is created. One way I do this is
>>> to create an account with the name Automation, then I can create
>>> the workspace:
>>>
>>> Set wks = DBEngine.CreateWorkspace("Jet", "Automation",
>>> "MyPassword", dbUseJet)
>>>
>>> and do whatever from there. If your application is an mde, the
>>> code is compiled and you don't need to worry about hard-coding
>>> the password as the code is unreadable. If it is an mdb, there
>>> is the risk that someone could read and extract the password.
>>> However, if someone knew enough to understand the code and
>>> extract the password, they could break in anyway as Access
>>> user-level security is broken (ie easily crackable) and unlikely
>>> to be fixed.
>>>[/color]
>>
>> Hi:
>>
>> Thanks for the quick reply. Let me get this straight:
>>
>> I need to create a user called "automation" in the admins group,
>> give it a password ("mypass"), and then in the code for creating a
>> user, instead of the Set wrkDefault = DBEngine.Workspaces(0) I
>> would use Set wrkDefault
>> =DBEngine.createWorkspaces("jet","automation","myp ass",dbusejet)
>> and then that would allow the non-admin user to add new users?
>>
>> Please let me know if I've missed something.
>>
>> Also, how would they clear passwords? I haven't been able to
>> figure out how to do that programmatically; the VBA way to do it
>> seems to require one to know the old password in order to change it
>> to blank; but if the user has forgotten their pass, you can't go
>> that way. I had expected the "localAdmin" folks to just go through
>> the tools/security/user & group accounts menus, but they can't do
>> that unless they're in the admins group. Any thoughts?
>>
>> Jan[/color]
>
>
>
> That's basically it. Clearing password simply means that you set the
> password to a zero-length string. As to providing the original
> password, that is the point of programatically creating a new
> workspace as a member of the admins group. If you are in the admins
> group, you don't need to know the old password to change it to a new
> one. In the example below, I use a blank string for the old password:
> usr.NewPassword "", strNewPwd
>
> but since the old password isn't even looked at, I could have written
> either: usr.NewPassword strNewPwd, strNewPwd or usr.NewPassword
> "AbsoluteNonsense", strNewPwd
>
> However, it doesn't really help readability.
>
>
>
>
> Public Function ResetPassword(strUserName As String, _ strNewPwd As
> String) As Boolean
>
> On Error GoTo Err_Handler
>
> Dim wks As DAO.Workspace Dim usr As DAO.User
>
> Set wks = DBEngine.CreateWorkspace("Jet", "Automation", _
> "MyPassword", dbUseJet)
>
> Set usr = wks.Users(strUserName)
>
> usr.NewPassword "", strNewPwd
>
> ResetPassword = True
>
> Exit_Handler:
>
> If Not usr Is Nothing Then Set usr = Nothing End If
>
> If Not wks Is Nothing Then wks.Close Set wks = Nothing End If
>
> Exit Function
>
> Err_Handler:
>
> Select Case Err.Number
>
> Case 3029 ' Invalid account or password - error with our secret
> account MsgBox "Unable to change password", _ vbExclamation,
> "Password Error"
>
> Case 3033 ' Account has insufficient permissions - error with our
> secret account MsgBox "Unable to change password", _ vbExclamation,
> "Password Error"
>
> Case 3265 ' strUserName relates to a non-existant user MsgBox "Cannot
> locate user: " & strUserName, _ vbExclamation, "Password Error"
>
> Case Else MsgBox Err.Description, vbExclamation, "Error No: " &
> Err.Number
>
> End Select
>
> Resume Exit_Handler
>
> End Function
>
>[/color]

re: who can add users and change passwords?

It all worked beautifully. Thanks so much for the help.

Jan

Jan wrote:[color=blue]
> Thanks, Anthony. I'm going to try it (I hope I can squeeze in time
> today but it might be tomorrow) and will let you know how it goes.
>
> Jan
>
> Anthony England wrote:
>[color=green]
>> "Jan" <jan@stempelconsulting.com> wrote in message
>> news:124ip07qn59k0a8@corp.supernews.com...
>>[color=darkred]
>>>
>>> Anthony England wrote:
>>>
>>>> "Jan" <jan@stempelconsulting.com> wrote in message
>>>> news:124ihmf5u855fbd@corp.supernews.com...
>>>>
>>>>
>>>>> Hi:
>>>>>
>>>>> I have created a secured database for a client. For various
>>>>> reasons, I don't want the client to have full persmissions for
>>>>> the database; they aren't in the admins group. I have instead
>>>>> tried to create a second group, called "localAdmin," for the
>>>>> admin-type person at the client. I want this group to be able
>>>>> to do some basic admin-type stuff, including adding new users
>>>>> and clearing passwords if users forget theirs.
>>>>>
>>>>> I can't seem to accomplish this, though. When signing on as
>>>>> someone in the LocalAdmin group, if I try to go to
>>>>> Tools/Security/user & group accounts, I get the error message
>>>>> about not having read permissions for the msysUserlist table
>>>>> and msysGroupList table. If I try to add a user via VBA code,
>>>>> I get error 3033--you don't have permissions for the Tables
>>>>> object (code is below for your reference).
>>>>>
>>>>> Dim wrkDefault As Workspace Dim usrNew As User Dim usrTemp As
>>>>> User
>>>>>
>>>>> Set wrkDefault = DBEngine.Workspaces(0)
>>>>>
>>>>> With wrkDefault ' Create and append new User. Set usrNew =
>>>>> .CreateUser(Me!username) usrNew.pid = Me!pid .Users.Append
>>>>> usrNew------------------>it fails here the code goes on I tried
>>>>> giving the localAdmin group administer permissions for the
>>>>> database (which I hate to do, frankly), but even that didn't
>>>>> work.
>>>>>
>>>>> Is there no way to accomplish this?
>>>>>
>>>>> TIA
>>>>>
>>>>> Jan
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> In order to add and delete users, you normally need to be a
>>>> member of the admins group. However, it would be possible for
>>>> you to create a workspace with the credentials of an
>>>> Administrator programatically, so that a non-admin person just
>>>> presses a button and a new user is created. One way I do this is
>>>> to create an account with the name Automation, then I can create
>>>> the workspace:
>>>>
>>>> Set wks = DBEngine.CreateWorkspace("Jet", "Automation",
>>>> "MyPassword", dbUseJet)
>>>>
>>>> and do whatever from there. If your application is an mde, the
>>>> code is compiled and you don't need to worry about hard-coding
>>>> the password as the code is unreadable. If it is an mdb, there
>>>> is the risk that someone could read and extract the password.
>>>> However, if someone knew enough to understand the code and
>>>> extract the password, they could break in anyway as Access
>>>> user-level security is broken (ie easily crackable) and unlikely
>>>> to be fixed.
>>>>
>>>
>>> Hi:
>>>
>>> Thanks for the quick reply. Let me get this straight:
>>>
>>> I need to create a user called "automation" in the admins group,
>>> give it a password ("mypass"), and then in the code for creating a
>>> user, instead of the Set wrkDefault = DBEngine.Workspaces(0) I
>>> would use Set wrkDefault
>>> =DBEngine.createWorkspaces("jet","automation","myp ass",dbusejet) and
>>> then that would allow the non-admin user to add new users?
>>>
>>> Please let me know if I've missed something.
>>>
>>> Also, how would they clear passwords? I haven't been able to
>>> figure out how to do that programmatically; the VBA way to do it
>>> seems to require one to know the old password in order to change it
>>> to blank; but if the user has forgotten their pass, you can't go
>>> that way. I had expected the "localAdmin" folks to just go through
>>> the tools/security/user & group accounts menus, but they can't do
>>> that unless they're in the admins group. Any thoughts?
>>>
>>> Jan[/color]
>>
>>
>>
>>
>> That's basically it. Clearing password simply means that you set the
>> password to a zero-length string. As to providing the original
>> password, that is the point of programatically creating a new
>> workspace as a member of the admins group. If you are in the admins
>> group, you don't need to know the old password to change it to a new
>> one. In the example below, I use a blank string for the old password:
>> usr.NewPassword "", strNewPwd
>>
>> but since the old password isn't even looked at, I could have written
>> either: usr.NewPassword strNewPwd, strNewPwd or usr.NewPassword
>> "AbsoluteNonsense", strNewPwd
>>
>> However, it doesn't really help readability.
>>
>>
>>
>>
>> Public Function ResetPassword(strUserName As String, _ strNewPwd As
>> String) As Boolean
>>
>> On Error GoTo Err_Handler
>>
>> Dim wks As DAO.Workspace Dim usr As DAO.User
>>
>> Set wks = DBEngine.CreateWorkspace("Jet", "Automation", _
>> "MyPassword", dbUseJet)
>>
>> Set usr = wks.Users(strUserName)
>>
>> usr.NewPassword "", strNewPwd
>>
>> ResetPassword = True
>>
>> Exit_Handler:
>>
>> If Not usr Is Nothing Then Set usr = Nothing End If
>>
>> If Not wks Is Nothing Then wks.Close Set wks = Nothing End If
>>
>> Exit Function
>>
>> Err_Handler:
>>
>> Select Case Err.Number
>>
>> Case 3029 ' Invalid account or password - error with our secret
>> account MsgBox "Unable to change password", _ vbExclamation,
>> "Password Error"
>>
>> Case 3033 ' Account has insufficient permissions - error with our
>> secret account MsgBox "Unable to change password", _ vbExclamation,
>> "Password Error"
>>
>> Case 3265 ' strUserName relates to a non-existant user MsgBox "Cannot
>> locate user: " & strUserName, _ vbExclamation, "Password Error"
>>
>> Case Else MsgBox Err.Description, vbExclamation, "Error No: " &
>> Err.Number
>>
>> End Select
>>
>> Resume Exit_Handler
>>
>> End Function
>>
>>[/color][/color]

re: who can add users and change passwords?

"Jan" <jan@stempelconsulting.com> wrote in message
news:124uvhglfcuc774@corp.supernews.com...[color=blue]
> It all worked beautifully. Thanks so much for the help.
>
> Jan[/color]


Cool.
Thanks for letting us know.