Question regarding CRM (v3 - I believe) on Terminal Server (WIN2003)

[Guest Cary W. Shultz]

Good morning!

 

I have posted this question to both the CRM and to the Terminal Server

newgroups.

 

Have a client who runs Windows 2003 Enterprise Terminal Server and has the

CRM Client installed. Something like 45 users use this config.

 

Someone (not me!!!!!!!) made the Domain Users group a member of the local

Administrators group on the TS box. So, yes, anyone can technically shut

down this TS box! Not good. I found this out yesterday while dealing with

a printer issue.

 

Anyway, I can not make any changes to this as - it is suspected - the reason

for doing this (Domain Users - local Administrators group) was to be able to

manage the CRM client (repair is what I was told).

 

My question - is it possible to do with CRM what is so often done with other

applications? Meaning, give the users "more access" to something like

C:\Program Files\Microsoft\CRM (or whatever the install path is) and to

C:\TMP and to the registry (probably something like

HKLM\Software\Microsoft\CRM) so that they are "administrators" with respect

to this application but not with respect to the machine?

 

Apparently this is something that the on-site Administrator wants to

maintain (read: repair CRM when there are issues)....thus, removing Domain

Users is not an option at the moment! He is more than willing to discuss

this...so there is no brick wall there. His concern is being able to repair

CRM when there are issues (never touched CRM so I do not really know what

this means....assuming Add/Remove Programs.....).

 

I know that this may not be the best idea....anyone have another idea?

 

I have not looked at the TS box yet. I am pretty sure that there is no GPO

locking down the TS (would not really matter anyway, right?) or anything

else in place that I normally put in place. Very hesitant to implement any

of the "normal things" that we do to a TS box as it is already in production

with several applications installed. So, a bit limited there.

 

Thanks,

 

Cary

[Guest Wayne Walton]

Re: Question regarding CRM (v3 - I believe) on Terminal Server(WIN2003)

 

Re: Question regarding CRM (v3 - I believe) on Terminal Server(WIN2003)

 

On Sep 24, 10:03 am, "Cary W. Shultz"

<cshu...@n0spam.outsourceitcorp.com> wrote:

> Good morning!

>

> I have posted this question to both the CRM and to the Terminal Server

> newgroups.

>

> Have a client who runs Windows 2003 Enterprise Terminal Server and has the

> CRM Client installed.  Something like 45 users use this config.

>

> Someone (not me!!!!!!!) made the Domain Users group a member of the local

> Administrators group on the TS box.  So, yes, anyone can technically shut

> down this TS box!  Not good.  I found this out yesterday while dealing with

> a printer issue.

>

> Anyway, I can not make any changes to this as - it is suspected - the reason

> for doing this (Domain Users - local Administrators group) was to be able to

> manage the CRM client (repair is what I was told).

>

> My question - is it possible to do with CRM what is so often done with other

> applications?  Meaning, give the users "more access" to something like

> C:\Program Files\Microsoft\CRM (or whatever the install path is) and to

> C:\TMP and to the registry (probably something like

> HKLM\Software\Microsoft\CRM) so that they are "administrators" with respect

> to this application but not with respect to the machine?

>

> Apparently this is something that the on-site Administrator wants to

> maintain (read: repair CRM when there are issues)....thus, removing Domain

> Users is not an option at the moment!  He is more than willing to discuss

> this...so there is no brick wall there.  His concern is being able to repair

> CRM when there are issues (never touched CRM so I do not really know what

> this means....assuming Add/Remove Programs.....).

>

> I know that this may not be the best idea....anyone have another idea?

>

> I have not looked at the TS box yet.  I am pretty sure that there is no GPO

> locking down the TS (would not really matter anyway, right?) or anything

> else in place that I normally put in place.  Very hesitant to implement any

> of the "normal things" that we do to a TS box as it is already in production

> with several applications installed.  So, a bit limited there.

>

> Thanks,

>

> Cary

 

I would find out what exactly he means by "repair", for one. Also,

anything of that kind of system-level tasks (whatever it may end up

being) should never be done by users. If there are a few trusted

users to manage CRM, put them in a CRM Admins group and then make that

group part of the Domain admin, if need be.

 

-Wayne

[Guest bayareacrm]

Re: Question regarding CRM (v3 - I believe) on Terminal Server (WI

 

Re: Question regarding CRM (v3 - I believe) on Terminal Server (WI

 

Hi Wayne,

 

I would strongly question granting those users access to registry/machine if

all they need is CRM administrative capabilities. The CRM security model is

defined by what security role they possess from within the CRM application.

In 3.0 users running workflow need to log into the server (unless the

administrator has placed workflow tools in a client) but other than that,

there is little need that I can see to grant elevated access to anything

depending on what they need to do.

 

Can you be more specific on what those users need to do as admin?

 

Michael Mayo

 

"Wayne Walton" wrote:

> On Sep 24, 10:03 am, "Cary W. Shultz"

> <cshu...@n0spam.outsourceitcorp.com> wrote:

> > Good morning!

> >

> > I have posted this question to both the CRM and to the Terminal Server

> > newgroups.

> >

> > Have a client who runs Windows 2003 Enterprise Terminal Server and has the

> > CRM Client installed. Something like 45 users use this config.

> >

> > Someone (not me!!!!!!!) made the Domain Users group a member of the local

> > Administrators group on the TS box. So, yes, anyone can technically shut

> > down this TS box! Not good. I found this out yesterday while dealing with

> > a printer issue.

> >

> > Anyway, I can not make any changes to this as - it is suspected - the reason

> > for doing this (Domain Users - local Administrators group) was to be able to

> > manage the CRM client (repair is what I was told).

> >

> > My question - is it possible to do with CRM what is so often done with other

> > applications? Meaning, give the users "more access" to something like

> > C:\Program Files\Microsoft\CRM (or whatever the install path is) and to

> > C:\TMP and to the registry (probably something like

> > HKLM\Software\Microsoft\CRM) so that they are "administrators" with respect

> > to this application but not with respect to the machine?

> >

> > Apparently this is something that the on-site Administrator wants to

> > maintain (read: repair CRM when there are issues)....thus, removing Domain

> > Users is not an option at the moment! He is more than willing to discuss

> > this...so there is no brick wall there. His concern is being able to repair

> > CRM when there are issues (never touched CRM so I do not really know what

> > this means....assuming Add/Remove Programs.....).

> >

> > I know that this may not be the best idea....anyone have another idea?

> >

> > I have not looked at the TS box yet. I am pretty sure that there is no GPO

> > locking down the TS (would not really matter anyway, right?) or anything

> > else in place that I normally put in place. Very hesitant to implement any

> > of the "normal things" that we do to a TS box as it is already in production

> > with several applications installed. So, a bit limited there.

> >

> > Thanks,

> >

> > Cary

>

> I would find out what exactly he means by "repair", for one. Also,

> anything of that kind of system-level tasks (whatever it may end up

> being) should never be done by users. If there are a few trusted

> users to manage CRM, put them in a CRM Admins group and then make that

> group part of the Domain admin, if need be.

>

> -Wayne

>