Question regarding CRM (v3 - I believe) on Terminal Server (WIN2003)

[Cary W. Shultz]

Good morning!

I have posted this question to both the CRM and to the Terminal Server
newgroups.

Have a client who runs Windows 2003 Enterprise Terminal Server and has the
CRM Client installed. Something like 45 users use this config.

Someone (not me!!!!!!!) made the Domain Users group a member of the local
Administrators group on the TS box. So, yes, anyone can technically shut
down this TS box! Not good. I found this out yesterday while dealing with
a printer issue.

Anyway, I can not make any changes to this as - it is suspected - the reason
for doing this (Domain Users - local Administrators group) was to be able to
manage the CRM client (repair is what I was told).

My question - is it possible to do with CRM what is so often done with other
applications? Meaning, give the users "more access" to something like
C:\Program Files\Microsoft\CRM (or whatever the install path is) and to
C:\TMP and to the registry (probably something like
HKLM\Software\Microsoft\CRM) so that they are "administrators" with respect
to this application but not with respect to the machine?

Apparently this is something that the on-site Administrator wants to
maintain (read: repair CRM when there are issues)....thus, removing Domain
Users is not an option at the moment! He is more than willing to discuss
this...so there is no brick wall there. His concern is being able to repair
CRM when there are issues (never touched CRM so I do not really know what
this means....assuming Add/Remove Programs.....).

I know that this may not be the best idea....anyone have another idea?

I have not looked at the TS box yet. I am pretty sure that there is no GPO
locking down the TS (would not really matter anyway, right?) or anything
else in place that I normally put in place. Very hesitant to implement any
of the "normal things" that we do to a TS box as it is already in production
with several applications installed. So, a bit limited there.

Thanks,

Cary

 

[Wayne Walton]

Re: Question regarding CRM (v3 - I believe) on Terminal Server(WIN2003)

Re: Question regarding CRM (v3 - I believe) on Terminal Server(WIN2003)

On Sep 24, 10:03 am, "Cary W. Shultz"
<cshu...@n0spam.outsourceitcorp.com> wrote:
> Good morning!
>
> I have posted this question to both the CRM and to the Terminal Server
> newgroups.
>
> Have a client who runs Windows 2003 Enterprise Terminal Server and has the
> CRM Client installed.  Something like 45 users use this config.
>
> Someone (not me!!!!!!!) made the Domain Users group a member of the local
> Administrators group on the TS box.  So, yes, anyone can technically shut
> down this TS box!  Not good.  I found this out yesterday while dealing with
> a printer issue.
>
> Anyway, I can not make any changes to this as - it is suspected - the reason
> for doing this (Domain Users - local Administrators group) was to be able to
> manage the CRM client (repair is what I was told).
>
> My question - is it possible to do with CRM what is so often done with other
> applications?  Meaning, give the users "more access" to something like
> C:\Program Files\Microsoft\CRM (or whatever the install path is) and to
> C:\TMP and to the registry (probably something like
> HKLM\Software\Microsoft\CRM) so that they are "administrators" with respect
> to this application but not with respect to the machine?
>
> Apparently this is something that the on-site Administrator wants to
> maintain (read: repair CRM when there are issues)....thus, removing Domain
> Users is not an option at the moment!  He is more than willing to discuss
> this...so there is no brick wall there.  His concern is being able to repair
> CRM when there are issues (never touched CRM so I do not really know what
> this means....assuming Add/Remove Programs.....).
>
> I know that this may not be the best idea....anyone have another idea?
>
> I have not looked at the TS box yet.  I am pretty sure that there is no GPO
> locking down the TS (would not really matter anyway, right?) or anything
> else in place that I normally put in place.  Very hesitant to implement any
> of the "normal things" that we do to a TS box as it is already in production
> with several applications installed.  So, a bit limited there.
>
> Thanks,
>
> Cary

I would find out what exactly he means by "repair", for one. Also,
anything of that kind of system-level tasks (whatever it may end up
being) should never be done by users. If there are a few trusted
users to manage CRM, put them in a CRM Admins group and then make that
group part of the Domain admin, if need be.

-Wayne

 

[bayareacrm]

Re: Question regarding CRM (v3 - I believe) on Terminal Server (WI

Re: Question regarding CRM (v3 - I believe) on Terminal Server (WI

Hi Wayne,

I would strongly question granting those users access to registry/machine if
all they need is CRM administrative capabilities. The CRM security model is
defined by what security role they possess from within the CRM application.
In 3.0 users running workflow need to log into the server (unless the
administrator has placed workflow tools in a client) but other than that,
there is little need that I can see to grant elevated access to anything
depending on what they need to do.

Can you be more specific on what those users need to do as admin?

Michael Mayo

"Wayne Walton" wrote:

> On Sep 24, 10:03 am, "Cary W. Shultz"
> <cshu...@n0spam.outsourceitcorp.com> wrote:
> > Good morning!
> >
> > I have posted this question to both the CRM and to the Terminal Server
> > newgroups.
> >
> > Have a client who runs Windows 2003 Enterprise Terminal Server and has the
> > CRM Client installed. Something like 45 users use this config.
> >
> > Someone (not me!!!!!!!) made the Domain Users group a member of the local
> > Administrators group on the TS box. So, yes, anyone can technically shut
> > down this TS box! Not good. I found this out yesterday while dealing with
> > a printer issue.
> >
> > Anyway, I can not make any changes to this as - it is suspected - the reason
> > for doing this (Domain Users - local Administrators group) was to be able to
> > manage the CRM client (repair is what I was told).
> >
> > My question - is it possible to do with CRM what is so often done with other
> > applications? Meaning, give the users "more access" to something like
> > C:\Program Files\Microsoft\CRM (or whatever the install path is) and to
> > C:\TMP and to the registry (probably something like
> > HKLM\Software\Microsoft\CRM) so that they are "administrators" with respect
> > to this application but not with respect to the machine?
> >
> > Apparently this is something that the on-site Administrator wants to
> > maintain (read: repair CRM when there are issues)....thus, removing Domain
> > Users is not an option at the moment! He is more than willing to discuss
> > this...so there is no brick wall there. His concern is being able to repair
> > CRM when there are issues (never touched CRM so I do not really know what
> > this means....assuming Add/Remove Programs.....).
> >
> > I know that this may not be the best idea....anyone have another idea?
> >
> > I have not looked at the TS box yet. I am pretty sure that there is no GPO
> > locking down the TS (would not really matter anyway, right?) or anything
> > else in place that I normally put in place. Very hesitant to implement any
> > of the "normal things" that we do to a TS box as it is already in production
> > with several applications installed. So, a bit limited there.
> >
> > Thanks,
> >
> > Cary
>
> I would find out what exactly he means by "repair", for one. Also,
> anything of that kind of system-level tasks (whatever it may end up
> being) should never be done by users. If there are a few trusted
> users to manage CRM, put them in a CRM Admins group and then make that
> group part of the Domain admin, if need be.
>
> -Wayne
>