Local Admin Access

How do you do it? We are down the path of becoming SOX compliant and one of the controls they are throwing at us is local admin access for security. We opened a call with GSC and they told us that local admin access was the only option. I find that hard to believe with other companies that are either SOX or ISO9000 compliant. Does anybody have any suggestions on how to remove the access and still have EnterpriseOne function?

Regards,

Robby

You are talking of FAT client access right..? If your workstations are on 2000, it should'nt be too bad but if you use XP heres a list of files and reg keys you need to give full permission to the users. If they have this access, then the user need not be an administrator on the local machine to use E1.



All users who will use E810 need to have full permissions to the following files. This applies for 8.10 but i guess 8.9 should be more or less the same

C:\WINDOWS\JDE.INI
<install drive>:\E810 (B9 if on 8.9)
C:\jdeappuni.ddp
C:\jdeappuni.xdp
C:\jdeauthuni.dda
C:\jdeauthuni.xda
C:\jdemoduni.ddm
C:\jdemoduni.xdm
C:\jdesecuni.dds
C:\jdesecuni.xds
C:\jresetup.iss
C:\jresetup.log
c:\jdeinst.log
c:\brokerDbg.log
C:\LocalWeb_JDE.log
C:\LocalWeb_JDEDebug.log

c:\jde.log (created only after you log into OneWorld atleast once)
c:\jdedebug.log (created only after you log into OneWorld atleast once)

The log files are created fresh everytime you log in. So I would suggest that you change the default location of the log file in your client jde.ini from c:\jde.log to say c:\b9\jde.log. That way since you have given full permission on the B9 directory E1 will be able to create the log files


Need to give - Full Control/ permissions to the following Registry Keys:


HKLM\Software\JDEdwards
HKCU\Software\JDEdwards
HKCR (HKey Classes root)

Hope this helps

Ice_cube210<

Thanks for the fix. It works flawlessly. I have one more question. With the fix in place and local admin access removed from the user now when i send an update package the user gets an error that they are trying to install a package and they don't have administrative access. Do you have a fix/work around for this as well?

Regards,

Robby

Hi Robby,

I understand your pain. But sorry no solution..work arround..may be..

I carcked my head over this..and this is all I could come up with..

1. If you have a software like SMS..you could use it to push out a dos script to all users which does the E1 install..SMS has the capability to log on first as an admin and then execute the script.

And the sms script itself can be temporarily added to the user logon script when you want to push out the packge. All this assuming that you have a domain setup.

2. Have your IT staff logon as admins and install packages on all workstations..during off hours. Use dos scripts so it requires less intervention..I know this is not a solution but you might eventually end up doing this


Bottom line - managing and updating FAT clients on 8.9 or higher on XP is a mess. Move to Citrix or Web(Thatz another story in itself, but its gotten better now)

ice_cube210,

Thanks for the info. We are considering the upgrade to 8.11 just don't know when. We do have SMS installed so I guess that is the path I will take. I will have to do some research on how to make it happen.

Thanks again,

Robby