Converting a database from one workgroup to another

[E Harris]

I'm a relative newbie to Access Security. We're using Access 2002.

Everything works fine while working within our workgroup. I
understand permissions, users, etc. We can create and alter databases
as our workgroup permissions specify.

The new problem we have is in opening Access databases created by
people outside of our workgroup. Since I am having trouble opening
these other databases, I assume that their creators must have been
members of their own workgroup (as opposed to them having created
these databases under the default Access workgroup).

The only way to open these databases, seemingly, is for a user to join
the default Access workgroup (system.mdw) and then open it. When
done, they must of course rejoin our workgroup.

This is not too bad a hassle, I suppose. And I know that I can create
a shortcut with the "/wrkgrp" flag that can sign me in to any
workgroup with one click.

My question is-- how can I avoid even having to do that? In other
words, how can I make an identical copy of a database created under
some other workgroup, as a member of our workgroup, so that it behaves
as if the database had been created under our workgroup?

While I'm at it-- in looking into this problem, I kept coming across
the "Microsoft Access Security FAQ". As I'm sure you know, it states
that the FAQ applies to Microsoft Access version "2.0 to 2000". So
where is the one for later versions of Access?

Thanks for any help from any experts on this.

 

[Joan Wild]

The new problem we have is in opening Access databases created by
people outside of our workgroup. Since I am having trouble opening
these other databases, I assume that their creators must have been
members of their own workgroup (as opposed to them having created
these databases under the default Access workgroup).

Sounds like it, yes. These other mdb's were secured using a different
workgroup file. It also sounds as though they weren't secured properly, or
you wouldn't be able to even open them.

The only way to open these databases, seemingly, is for a user to join
the default Access workgroup (system.mdw) and then open it.

If they are opening them with the default system.mdw, then they are not
secured. If that is the case, then there should be no need to join the
system.mdw to open them. You should be able to open them even with your own
secure.mdw. This is because all the users in your mdw are members of the
Users Group. If these other mdb files are not secured, then the Users Group
would have full permissions and therefore you should have no difficulty
opening them. So this doesn't make sense. Are the other mdb files secure,
or not? Perhaps the system.mdw file you refer to is one provided with these
databases, as opposed to the true default system.mdw workgroup.

When
done, they must of course rejoin our workgroup.

This is not too bad a hassle, I suppose. And I know that I can create
a shortcut with the "/wrkgrp" flag that can sign me in to any
workgroup with one click.

My question is-- how can I avoid even having to do that? In other
words, how can I make an identical copy of a database created under
some other workgroup, as a member of our workgroup, so that it behaves
as if the database had been created under our workgroup?

You can have both databases use the same workgroup by adding the exact same
Groups/PIDs to your workgroup as are in the other workgroup.

While I'm at it-- in looking into this problem, I kept coming across
the "Microsoft Access Security FAQ". As I'm sure you know, it states
that the FAQ applies to Microsoft Access version "2.0 to 2000". So
where is the one for later versions of Access?

There really have been no changes to security. The wizard in 2002/2003 is
better than 2000, but the principles are the same.

 

[E Harris]

Joan,

Thanks so much for taking the time to answer my question. See
below.....

Sounds like it, yes. These other mdb's were secured using a different
workgroup file. It also sounds as though they weren't secured properly, or
you wouldn't be able to even open them.


If they are opening them with the default system.mdw, then they are not
secured. If that is the case, then there should be no need to join the
system.mdw to open them. You should be able to open them even with your own
secure.mdw. This is because all the users in your mdw are members of the
Users Group. If these other mdb files are not secured, then the Users Group
would have full permissions and therefore you should have no difficulty
opening them. So this doesn't make sense. Are the other mdb files secure,
or not? Perhaps the system.mdw file you refer to is one provided with these
databases, as opposed to the true default system.mdw workgroup.

Here's my experience:

We are a environmental science research facility. We create and
maintain several databases, all working out of our workgroup.

But we are also sent databases from other researchers in other states.
When we are currently signed into our workgroup, and try to open the
databases they've sent us, we get the message "The current user
doesn't have permission to convert or enable this database", followed
by a list of possible reasons. The first one being "You must join the
workgroup that defines the user accounts used to access the database."

Again, I'm pretty new to Access security, so my first thought was,
"Ok, this makes sense-- our fellow researchers, miles away, obviously
have their own workgroup..... and they were signed into that workgroup
when they created this database. Since I obviously don't have their
workgroup file, and can't recreate it, let me see if I can open the
database after joining the default workgroup."

And so then, yes-- after joining the default workgroup (for me, it is
C:\WINDOWS\system32\system.mdw), I was able to open the database.

So can you help me understand what's going on here? Furthermore, what
we want is for the databases they send us to "behave" as if that had
been created under our own workgroup, so that we don't have to go back
and forth between our workgroup (to work with our databases) and the
default one (to work with theirs).

Sorry I didn't explain it better the first time.

I hope my situation is clearer now.

Thanks again for your help, Joan. I'll name my first-born after you.

--e harris

 

[Joan Wild]

"Joan Wild" <[email protected]> wrote in message


Here's my experience:

We are a environmental science research facility. We create and
maintain several databases, all working out of our workgroup.

I'm assuming here that you mean you have secured all your databases using
Access's user security - i.e. workgroup means under your specifically
created workgroup file (as opposed to a workgroup in a networking sense).

But we are also sent databases from other researchers in other states.
When we are currently signed into our workgroup, and try to open the
databases they've sent us, we get the message "The current user
doesn't have permission to convert or enable this database", followed
by a list of possible reasons. The first one being "You must join the
workgroup that defines the user accounts used to access the database."

Again, I'm pretty new to Access security, so my first thought was,
"Ok, this makes sense-- our fellow researchers, miles away, obviously
have their own workgroup..... and they were signed into that workgroup
when they created this database. Since I obviously don't have their
workgroup file, and can't recreate it, let me see if I can open the
database after joining the default workgroup."

And so then, yes-- after joining the default workgroup (for me, it is
C:\WINDOWS\system32\system.mdw), I was able to open the database.

That indicates that it wasn't secure at all. I find this odd. Have you, in
fact secured any of your databases? Every system.mdw in the world is the
same i.e. their workgroup file isn't any different than your's (unless you
have secured your databases).

So can you help me understand what's going on here? Furthermore, what
we want is for the databases they send us to "behave" as if that had
been created under our own workgroup, so that we don't have to go back
and forth between our workgroup (to work with our databases) and the
default one (to work with theirs).

It still doesn't make sense to me. Their databases are not secured
(actually are you able to do more than open them using the default
system.mdw?).

I can't explain it based on what you are saying. You should be able to open
their database using your workgroup. But since you can't, the only thing I
can suggest, is that you use shortcuts to start Access with the correct mdw
(you don't necessarily have to open a database in the shortcut).
Alternatively, your only other option is to unsecure your databases, so that
they use the default system.mdw

....still doesn't make sense though...

Thanks again for your help, Joan. I'll name my first-born after you.

Cool!

 

[E Harris]

I'm assuming here that you mean you have secured all your databases using
Access's user security - i.e. workgroup means under your specifically
created workgroup file (as opposed to a workgroup in a networking sense).

This is correct. We created our own .mdw file.

That indicates that it wasn't secure at all. I find this odd. Have you, in
fact secured any of your databases? Every system.mdw in the world is the
same i.e. their workgroup file isn't any different than your's (unless you
have secured your databases).

Right. When I speak of how their workgroup file is different than
ours, I mean that their users and permissions obviously don't match
ours. Ours are secure, yes. The default blank password for the Admin
user has been changed, and Admin is a member of the Admins group.

It still doesn't make sense to me. Their databases are not secured
(actually are you able to do more than open them using the default
system.mdw?).

I was not clear. Yes, after joining the default workgroup,
system.mdw, we are only able to open them. But that is all we need to
do-- to view the data from these other researchers. I wanted to see
if, since their workgroup file (again, I mean the file as designed by
them, with their userIDs and permissions) is not here, that meant that
the table owners were set as the notorious "<Unknown>", but of course
in this state, I can't even get to Tools-Security->User and Group
Permissions. It's grayed-out.

I can't explain it based on what you are saying. You should be able to open
their database using your workgroup. But since you can't, the only thing I
can suggest, is that you use shortcuts to start Access with the correct mdw
(you don't necessarily have to open a database in the shortcut).
Alternatively, your only other option is to unsecure your databases, so that
they use the default system.mdw

...still doesn't make sense though...

Yes, that is all I wanted-- to be able to open their databases using
our workgroup-- even just to view the data only. Right now, when
signed into our workgroup, trying to open their database gives us the
"Current User doesn't have permission to enable this database" error.
After joining system.mdw, we don't get this error. We can open the
tables (but not edit).

About invoking wrkgadm.exe from the command line-- when I try this, I
get the error, "This application uses CTL3D32.DLL, which has not been
correctly installed. CTL3D32.DLL must be installed in the Windows
system directory."

I had seen this before, but had read here from some other post that
the Workgroup administrator is now incorporated into Access 2002, so
that one doesn't have to get there by running wrkgadm.exe anymore, as
you used to in earlier versions of Access. And sure enough, we always
get to the Workgroup Administrator by going to
Tools->Security->Workgroup Administrator from Access itself. Works
fine.

Should I be able to run the stand-alone wrkgadm.exe without the error?
It's only an issue now that I may want to create a shortcut to it
with the command-line flags that will join the user to the appropriate
workgroup.

At least the error tells me what to do to correct the situation. But
I'm just confused as to why I can get to the Workgroup Administrator
from Tools menu, but not run it on its own. Two different types of
Workgroup Administrators, maybe?

Cool!

If you have any other input, Joan, I do appreciate it. But the
urgency from my higher-ups has dimished somewhat. The official
solution they got from me was that, manually joining the default
workgroup to view our fellow researchers' databases, and rejoining our
workgroup to view ours, is "just what you have to do."

I wanted to give them a more elegant solution.

Oh well.

Thanks again.

 

[Joan Wild]

Right. When I speak of how their workgroup file is different than
ours, I mean that their users and permissions obviously don't match
ours. Ours are secure, yes. The default blank password for the Admin
user has been changed, and Admin is a member of the Admins group.

OK, but Admin should _not_ be a member of the Admins group.

I was not clear. Yes, after joining the default workgroup,
system.mdw, we are only able to open them. But that is all we need to
do-- to view the data from these other researchers. I wanted to see
if, since their workgroup file (again, I mean the file as designed by
them, with their userIDs and permissions) is not here, that meant that
the table owners were set as the notorious "<Unknown>", but of course
in this state, I can't even get to Tools-Security->User and Group
Permissions. It's grayed-out.

OK, that confirms that their database is secure. They have granted the
Users Group permission to open the database, and read permission on the
tables. But that is all (you say further down that you can't edit).

snipped stuff about running the wrkgadm.exe from the command line<

You misunderstand about the shortcuts. You don't want/need to run
wrkgadm.exe. Instead, you can desktop shortcuts that launch Access using
the correct workgroup file. Assuming you are joined by default to the
standard system.mdw, the shortcut target for your databases would look like:

"path to msaccess.exe" "path to mdb" /wrkgrp "path to mdw"

To open their database (or any other mdb that isn't secure), your shortcut
target would look like:
"path to mdb"

At least the error tells me what to do to correct the situation. But
I'm just confused as to why I can get to the Workgroup Administrator
from Tools menu, but not run it on its own. Two different types of
Workgroup Administrators, maybe?

Yes, it changed in 2002. Prior to that wrkgadm.exe was separate, now it
isn't, but you don't need to run it.

If you have any other input, Joan, I do appreciate it. But the
urgency from my higher-ups has dimished somewhat. The official
solution they got from me was that, manually joining the default
workgroup to view our fellow researchers' databases, and rejoining our
workgroup to view ours, is "just what you have to do."

Well the desktop shortcuts should be better than doing that.