Office 2003 Setup

[popeye]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello everyone

I have XP Pro SP2 and have several accounts set up on my computer. There is
a mixture of Admin and Limited rights in additional to the pre-determined
Administrator and Guest accounts. How do I set it up to determine exactly
which users can have access to specific applications within Office?
For instance, I might want:

User1 (Admin) to have access to Outlook and Word
User2 (Limited) to have access to Word and Excel
User3 (Limited) to have access to Excel and Outlook and
Guest (pre-determined Guest) to have access to Outlook

I've tried installing as Administrator but can't use *anything* if logged on
as Guest or a user who doesn't have Admin rights. It stalls and says that
there's a problem with the Office Source Engine and to reinstall or repair.
I've done this but still can't access anything which does not have Admin
rights.

Thanks in anticipation of a simple solution!

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Please visit the Office experts in an appropriate Office newsgroup:
news://msnews.microsoft.com/microsoft.public.office.setup

--
Carey Frisch
Microsoft MVP
Windows XP - Shell/User

Be Smart! Protect Your PC!
http://www.microsoft.com/athome/security/protect/default.aspx

----------------------------------------------------------------------------

"Popeye" wrote:

| Hello everyone
|
| I have XP Pro SP2 and have several accounts set up on my computer. There is
| a mixture of Admin and Limited rights in additional to the pre-determined
| Administrator and Guest accounts. How do I set it up to determine exactly
| which users can have access to specific applications within Office?
| For instance, I might want:
|
| User1 (Admin) to have access to Outlook and Word
| User2 (Limited) to have access to Word and Excel
| User3 (Limited) to have access to Excel and Outlook and
| Guest (pre-determined Guest) to have access to Outlook
|
| I've tried installing as Administrator but can't use *anything* if logged on
| as Guest or a user who doesn't have Admin rights. It stalls and says that
| there's a problem with the Office Source Engine and to reinstall or repair.
| I've done this but still can't access anything which does not have Admin
| rights.
|
| Thanks in anticipation of a simple solution!

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <e1LHOKZ$EHA.2444@TK2MSFTNGP10.phx.gbl>,
cnfrisch@nospamgmail.com says...
> Please visit the Office experts in an appropriate Office newsgroup:
> news://msnews.microsoft.com/microsoft.public.office.setup

Actually, his question relates to file and permission type security
which would be on-topic here.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <537B515B-6C02-483E-AE4C-103837F0713D@microsoft.com>,
Popeye@discussions.microsoft.com says...
> Hello everyone
>
> I have XP Pro SP2 and have several accounts set up on my computer. There is
> a mixture of Admin and Limited rights in additional to the pre-determined
> Administrator and Guest accounts. How do I set it up to determine exactly
> which users can have access to specific applications within Office?
> For instance, I might want:
>
> User1 (Admin) to have access to Outlook and Word
> User2 (Limited) to have access to Word and Excel
> User3 (Limited) to have access to Excel and Outlook and
> Guest (pre-determined Guest) to have access to Outlook
>
> I've tried installing as Administrator but can't use *anything* if logged on
> as Guest or a user who doesn't have Admin rights. It stalls and says that
> there's a problem with the Office Source Engine and to reinstall or repair.
> I've done this but still can't access anything which does not have Admin
> rights.
>
> Thanks in anticipation of a simple solution!

Ha!

If it were that simple it would be nice - With Office products that user
must be a local administrator in order to use them the first time,
sometimes after the initialization you can switch them to Users, but
it's more hassle than it's worth - almost all systems that provide MS
Office 2000/XP/2003 require that the users be Administrator level (like
QuickBooks does) and even PowerUser don't provide enough access to allow
everything to run.

With that aside - you need to create local groups (assuming you're not
in a domain) and then apply permission to the Executable files based on
group membership - this means that you create a group called
MS_Outlook_Users, MS_Word_Users.... Now, add in the people you want to
being those groups, now right click on Outlook.exe and select
Properties, then Security, then change the permissions so that EVERYONE
is removed, and add in the GROUP you want to have access to it - make
sure that you add in the Administrators group.... Do the same with the
others.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

 

[popeye]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hi

Thank you for both responses. I wasn't sure where to post this question in
the first place! The suggestion that you've made is logical and I'll get on
to it. I'm sure that I could use it for other programs, such as WinZip, to
determine which users can use them.



"Leythos" wrote:

> In article <537B515B-6C02-483E-AE4C-103837F0713D@microsoft.com>,
> Popeye@discussions.microsoft.com says...
> > Hello everyone
> >
> > I have XP Pro SP2 and have several accounts set up on my computer. There is
> > a mixture of Admin and Limited rights in additional to the pre-determined
> > Administrator and Guest accounts. How do I set it up to determine exactly
> > which users can have access to specific applications within Office?
> > For instance, I might want:
> >
> > User1 (Admin) to have access to Outlook and Word
> > User2 (Limited) to have access to Word and Excel
> > User3 (Limited) to have access to Excel and Outlook and
> > Guest (pre-determined Guest) to have access to Outlook
> >
> > I've tried installing as Administrator but can't use *anything* if logged on
> > as Guest or a user who doesn't have Admin rights. It stalls and says that
> > there's a problem with the Office Source Engine and to reinstall or repair.
> > I've done this but still can't access anything which does not have Admin
> > rights.
> >
> > Thanks in anticipation of a simple solution!
>
> Ha!
>
> If it were that simple it would be nice - With Office products that user
> must be a local administrator in order to use them the first time,
> sometimes after the initialization you can switch them to Users, but
> it's more hassle than it's worth - almost all systems that provide MS
> Office 2000/XP/2003 require that the users be Administrator level (like
> QuickBooks does) and even PowerUser don't provide enough access to allow
> everything to run.
>
> With that aside - you need to create local groups (assuming you're not
> in a domain) and then apply permission to the Executable files based on
> group membership - this means that you create a group called
> MS_Outlook_Users, MS_Word_Users.... Now, add in the people you want to
> being those groups, now right click on Outlook.exe and select
> Properties, then Security, then change the permissions so that EVERYONE
> is removed, and add in the GROUP you want to have access to it - make
> sure that you add in the Administrators group.... Do the same with the
> others.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
>

 

[popeye]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Hello (again!)

I just tried what you suggested and it all went well until I looked at the
Security Properties of Outlook.exe. Those allowed now are:

Administrators
MS_OUTLOOK_USERS
Power Users
System
Users

I assume that the final group allows anyone (except the Guest Account) so I
tried to remove it. It warned me that it was inheriting permissions from
it's parent. It said to turn off the option for inheriting permissions and
then try again.

I hilighted <Users> and looked at Advanced features, in the hope that this
would show me what the parent was but it didn't! I don't know how to find
this out or how to turn the option off. More importantly, I need to know how
to get things back to as they are now, should I make a mistake!

Needless to say, the denial of access to Outlook didn't work. I added two
new user accounts, only one of which I included in the MS_OUTLOOK_USERS
group. I logged on as the one denied access and I was allowed access to
Outlook.

Can you give me some more guidance please?

Thank you

 

[popeye]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

SORTED!!!

I tried to set the Users group to <Deny> for everything (so I could allow
the MS_OUTLOOK_USERS group to be recognised) and I received the warning that,
if users were members of more than one group, deny took precedence over
allow. I simply added the names of those users whom I wished to deny access
to Outlook and then set the options to <Deny> for everything. It works now.
This is easier than setting up groups and I didn't realise that individuals
could be added in this way, until I tried!

Thanks for your support in this venture.

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <C24C7564-A3E0-41C8-976A-8F4252B7A923@microsoft.com>,
Popeye@discussions.microsoft.com says...
> Hello (again!)
>
> I just tried what you suggested and it all went well until I looked at the
> Security Properties of Outlook.exe. Those allowed now are:
>
> Administrators
> MS_OUTLOOK_USERS
> Power Users
> System
> Users
>
> I assume that the final group allows anyone (except the Guest Account) so I
> tried to remove it. It warned me that it was inheriting permissions from
> it's parent. It said to turn off the option for inheriting permissions and
> then try again.
>
> I hilighted <Users> and looked at Advanced features, in the hope that this
> would show me what the parent was but it didn't! I don't know how to find
> this out or how to turn the option off. More importantly, I need to know how
> to get things back to as they are now, should I make a mistake!
>
> Needless to say, the denial of access to Outlook didn't work. I added two
> new user accounts, only one of which I included in the MS_OUTLOOK_USERS
> group. I logged on as the one denied access and I was allowed access to
> Outlook.
>
> Can you give me some more guidance please?

In your next post you decided to use the DENY route for individual
users, which is a viable method, but it's not a good method. Permissions
at the file level should be assigned to GROUPS and not individuals - it
makes managing them easier. While Deny does override the allow, it's not
how most of us would have done it.

You needed to remove "Power Users" and "Users" from the security
settings - and yes, you have to disable inheritance and then COPY the
permissions, then go back and remove the ones you don't want. You should
have ended up with Administrators, MS_OUTLOOK_USERS, and SYSTEM as the
only two groups in the security tab.

You could have also done a DENY group - meaning that you could have
added the group DENY_MS_OUTLOOK_USERS to the security settings and
selected DENY and then added your users that you didn't want to have
access to it into the group.

--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)

 

[popeye]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Thank you for the feedback. I couldn't remove Users (and didn't know that I
should also remove Power Users) as the permissions were inherited. How do I
turn this off before deleting these groups (I've checked the Help facility in
XP and it's all gobbledegook!)? You said that I should COPY the permissions
(presumably manually by ticking the appropiate boxes?) and then remove the
ones I don't want.

The DENY_MS_OUTLOOK_USERS approach looks more simple as I wouldn't have to
do the deletions/disabling inheritance but I'm keen to know more about this
so I'm eager to "play" with this.

I take your advice about how it would normally be done by those more
experienced than I am.

Thank you once again for your valuable comments.

> In your next post you decided to use the DENY route for individual
> users, which is a viable method, but it's not a good method. Permissions
> at the file level should be assigned to GROUPS and not individuals - it
> makes managing them easier. While Deny does override the allow, it's not
> how most of us would have done it.
>
> You needed to remove "Power Users" and "Users" from the security
> settings - and yes, you have to disable inheritance and then COPY the
> permissions, then go back and remove the ones you don't want. You should
> have ended up with Administrators, MS_OUTLOOK_USERS, and SYSTEM as the
> only two groups in the security tab.
>
> You could have also done a DENY group - meaning that you could have
> added the group DENY_MS_OUTLOOK_USERS to the security settings and
> selected DENY and then added your users that you didn't want to have
> access to it into the group.
>
> --
> --
> spamfree999@rrohio.com
> (Remove 999 to reply to me)
>

 

[popeye]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

OK- I've been "playing" and scrolled up to see where the permissions were
being set by trying to delete Users from each folder in the hierarchy in
turn. I found that this was set at Program Files and was happy that I could
add the group back, having deleted it! I know you said that it's not needed
but I like to be able to undo whatever changes I make to my system. I just
need to find out now how to disable inheritance so I can delete Users from
outlook.exe.

Reason for this feedback: it might help someone else in the same situation
and feedback is part of the NG "done thing" isn't it?


"Popeye" wrote:

> Thank you for the feedback. I couldn't remove Users (and didn't know that I
> should also remove Power Users) as the permissions were inherited. How do I
> turn this off before deleting these groups (I've checked the Help facility in
> XP and it's all gobbledegook!)? You said that I should COPY the permissions
> (presumably manually by ticking the appropiate boxes?) and then remove the
> ones I don't want.
>
> The DENY_MS_OUTLOOK_USERS approach looks more simple as I wouldn't have to
> do the deletions/disabling inheritance but I'm keen to know more about this
> so I'm eager to "play" with this.
>
> I take your advice about how it would normally be done by those more
> experienced than I am.
>
> Thank you once again for your valuable comments.

 

[popeye]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

Got it! Advanced button then untick the box. This is a great way to learn.

"Popeye" wrote:

> OK- I've been "playing" and scrolled up to see where the permissions were
> being set by trying to delete Users from each folder in the hierarchy in
> turn. I found that this was set at Program Files and was happy that I could
> add the group back, having deleted it! I know you said that it's not needed
> but I like to be able to undo whatever changes I make to my system. I just
> need to find out now how to disable inheritance so I can delete Users from
> outlook.exe.
>
> Reason for this feedback: it might help someone else in the same situation
> and feedback is part of the NG "done thing" isn't it?

 

[Guest]

Archived from groups: microsoft.public.windowsxp.security_admin (More info?)

In article <D5E94D70-F3A6-47D8-A4C4-327D7A1ED589@microsoft.com>,
Popeye@discussions.microsoft.com says...
> I couldn't remove Users (and didn't know that I
> should also remove Power Users) as the permissions were inherited.

On the tab with all the users listed, at the bottom there is an ADVANCED
button, click it - Uncheck the "Inherit from parent..." box, and apply.
Once you get all the groups setup you can go back to the same Advanced
settings and click "Replace permissions on ..." and click Apply.



--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)