Does this site look plain?

This site uses advanced css techniques

Steve Friedl's Evolution Tech Tips

Installing and Configuring Evolution for a Limited User

• Home
• Contact
• About
• TechTips
• Tools&Source
• Evo Payroll
• CmdLetters
• Research
• AT&T 3B2
• Advisories
• News/Pubs
• Literacy
• Calif.Voting
• Personal
• Tech Blog
• Evo Blog

Evolution™ payroll software contains an end-user client program that runs on a user's workstation, either at the service bureau or at a payroll customer, and it "phones home" to the systems at the Payroll Service for the bulk of data processing.

However, this program was not designed to operate properly when run by one who is not an Administrator or Power user, and this confounds many who are attempting to use this security best practice on their networks. When run by a limited user, the failure manifests itself by returning to the login screen over and over after appearing to check the password and/or copy files. Evolution is attempting to download program updates from the server, but because an ordinary user doesn't have the rights to modify those program files, it fails.

What makes this more difficult to diagnose is that it only happens when a new version is actually available on the servers: if the software is already current, the user can login and use Evolution normally.

This Evo Tip describes how to install and configure Evolution to work properly in a non-administrative environment.

Install Evolution as the Administrator

The first step must be performed by an Administrator running the appropriate Evolution installer: EvoLocal.exe, EvoRMT.exe or EvoOLR.exe. Download the file to a suitable place, and launch it with a double-click. The installer prompts for a target location, and it's easiest to just accept the default:

If a different install location is desired, it can be used as long as it's noted for the later step.

NOTE: newer versions install at C:\ISystems instead of C:\Program Files\Evolution\.

Open Up The Permissions

Once Evolution has been installed, it's ready to run for the Administrator user, but not as a "regular" user. To fix this, use Windows Explorer and navigate to the C:\Program Files folder, clicking past the warning pages that suggest you probably don't want to be in these system areas - you really do.

On the Evolution folder, right-click and select Properties, then click on the Security tab at the top. This should bring up a dialog box similar to this:

Note - if there is no Security option on the context menu, see the Caveats below.

This shows the restrictions on the Evolution folder, listing who can do what, and the default permissions grant ordinary users read, but not write ability. The inability to update the software components stored here is why Evolution fails when a new version is available We wish to open the directory to allow anybody to update it: when the server presents updates, they'll be accepted.

To do this, click the Add... button and it will prompt for the name of a user or group:

Note if the Add button is greyed out, you're not an administrator on the system and do not have permissions to do this.

We normally prefer Everyone because it depends the least on the specifics of the local network and should work properly for all users. Enter this, then click Check Names to verify that it's been entered properly, then click OK to make it so:

This adds the entry to the list of users and groups, but we must next grant it those extra rights required. Insure that the name Everyone is hilighted, then click the Full Control checkbox in the Allow column - this makes green checkboxes appear in the rest of the column.

Click OK to close this dialog box.

Log out of this administrative account and back in as the regular user: Evolution is now ready for use by anyone.

Deploying with Group Policy

Though one can certainly edit individual settings by hand, as the number of machines rises, it's increasingly helpful to centralize this process. Fortunately, the Windows server systems allow deployment of these permissions changes via Group Policy. Our intention here is not to give a tutorial on Group Policy, but to show the objects whose permissions must be deployed with it.

The first step is creating a security group to assign the rights to, and we typically use ACL Evolution: we add Domain Users as a member of this group, so our new security group is merely an alias for all valid users.

The next step is to create a new Group Policy object, and we typically call it Apply Evolution ACLs: it's going to contain settings for the registry and to the filesystem. In each case, the Permissions tab will add a new ACE which grants full control to ACL Evolution.

First we set the registry entries. The Firebird Project entry applies to all versions of Evolution, while the rest are used by Irasburg's report writer facilities.

MACHINE\SOFTWARE\Firebird Project
CLASSES_ROOT\CLSID\{45B44DA8-C40C-4261-A797-A142F4310F49}
CLASSES_ROOT\CLSID\{63619EC2-1ECC-4BAD-903B-AFC9D7F6BD0E}
CLASSES_ROOT\CLSID\{63798A9A-90F7-4648-904F-5D9C4C22B9B8}
CLASSES_ROOT\CLSID\{ACF0C235-EC9E-4235-BF72-C5D463B5C0DE}
CLASSES_ROOT\isRWDesigner.RWDesignerApp
CLASSES_ROOT\isRWEngine.RWEngineApp
CLASSES_ROOT\isRWPreview.RWPreviewApp
CLASSES_ROOT\isRWPreview.RWReportResultGroup

For the filesystem, we like to apply permissions to a smattering of potential installation directories: Program Files\Evolution is used on all systems, and the rest can be used by test install, offline remote, and others. Firebird also gets this treatment.

%ProgramFiles%\Evolution
%ProgramFiles%\EvoOLR
%ProgramFiles%\EvoTest
%ProgramFiles%\Firebird
C:\ISystems

Once this Group Policy object has been saved and linked into the current set, it's deployed to all participating machines in the domain. But a requested change to an object which does not exist is ignored, so these objects must be created ahead of time.

For the Irasburg-related entries, the best approach is to run Evolution as an administrative user to create the objects, and then allow Group Policy to fix the permissions.

The easist way to run as an administrator is by right-clicking the Evolution icon on the desktop and selecting Run As from the context menu. From here it's possible to enter Admin credentials to launch the program. Once Evo is running, be sure to click Reports » Run Reports to create all the objects.

After they're created, run gpupdate /force to make Group Policy take effect immediately rather than wait for the next routine update.

One final note: these three TypeLib entries are created once by the the components, but don't require any special permissions thereafter:

HKEY_CLASSES_ROOT\TypeLib\{18A56561-161E-46A4-A1A3-EFD629A30019}
HKEY_CLASSES_ROOT\TypeLib\{DFD13FAD-9EEE-4BE7-8FD1-5EEDBC84BA57}
HKEY_CLASSES_ROOT\TypeLib\{2927053C-386D-47AD-8482-BBD65674EFBB}

Caveats

• This approach does not strictly require that the builtin group "Everyone" be granted these rights: it's possible to narrow it down to limit those who can do this (perhaps restricted to Domain Users), but we believe this to be a minor distinction and prefer the approach here that we can describe easily. Those with knowledge of their own networks should feel free to use whatever their local security policy permits.
• These instructions only apply to Windows 2000, XP/Pro, or Server 2003: the Windows 95/98/ME family do not support user security in any way, and XP/Home has a much more restrictive security model that we have not yet researched.
• XP/Pro does not have the Security tab either in "simple file sharing" mode, but full security is enabled if the computer is part of a domain.

This information is not produced or endorsed by iSystems, LLC.

Evolution™ licensees are granted permission to reproduce this information in any form on their own customer-support websites.

First published: 2005/03/03