Home > Articles > Microsoft

  • Print
  • + Share This
This chapter is from the book

Configuring Applications for Users

As a technical specialist in the consumer world, you might be faced with having to make adjustments to a computer for applications to work. Applications can fail for several different reasons, so you must be familiar with a few different angles on providing solutions.

Administrative tasks generally deal with configuring the operating system and hardware to function properly. This section covers troubleshooting third-party applications that the end users need to run—programs such as accounting software, image-editing applications, and customer relations–management software.

To address this type of issue, Microsoft has produced several new features and tools.

The Program Compatibility Assistant

The Program Compatibility Assistant is an automatically installed feature of Windows Vista that runs when it detects an older program that is having a compatibility problem. The Program Compatibility Assistant initializes and runs in the background. The user cannot initiate or configure it. The Program Compatibility Assistant tries to automatically adjust the operating system to accommodate the application's needs, as long as it doesn't violate the system's integrity or security.

The Program Compatibility Wizard

The Program Compatibility Wizard is a tool you can run manually on a program if you notice compatibility issues. You access the Program Compatibility Wizard through Control Panel, Programs, Use an Older Program with This Version of Windows.

This launches the wizard, as shown in Figure 2.24.

Figure 2.24

Figure 2.24 The Program Compatibility Wizard.

The Program Compatibility Wizard walks you through selecting the legacy application of interest. You then select the version of Windows that it was written for so Vista can spoof or impersonate that version of the operating system, configure the required display settings, select the Run with Administrator Privilege setting (if required), and then test the application with the selected settings. If all is good, you can save those settings so Windows Vista will always use them to launch the legacy application.

The Compatibility Tab

Another angle on legacy application compatibility is the Compatibility tab on the properties of the older application. Notice in Figure 2.25 that the configuration settings are those of the Program Compatibility Wizard.

Figure 2.25

Figure 2.25 The Compatibility tab on a legacy executable.

The Compatibility Mode setting enables you to select the legacy version of Windows that the legacy application is written for.

The Settings section enables you to configure display parameters that might be more suitable for the legacy application.

The Privilege Level setting enables you to run the legacy application with an elevated privilege level, that of the administrator.

The Application Compatibility Toolkit v5

The next target of interest regarding application compatibility is the Application Compatibility Toolkit v5. This is a free download from the Microsoft website. With it, you can do the following:

  • Analyze your portfolio of applications, websites, and computers
  • Evaluate operating system deployments, the impact of operating system updates, and your compatibility with websites
  • Centrally manage compatibility evaluators and configuration settings
  • Rationalize and organize applications, websites, and computers
  • Prioritize application compatibility efforts with filtered reporting
  • Add and manage issues and solutions for your enterprise-computing environment
  • Deploy automated mitigations to known compatibility issues
  • Send and receive compatibility information from the Microsoft Compatibility Exchange

The Application Compatibility Toolkit uses compatibility evaluators to analyze information about the application in question. It includes a Setup Analysis Tool, an Internet Explorer Test Tool, and a Standard User Analyzer Tool to analyze how the program behaves when being installed and run by users.

Privilege Level

Remember that standard users cannot install most applications, so an administrator likely will need to perform the installation. After installation, typically a standard user will be running the application. Some applications, especially legacy applications, were written before there was much concern for security, and the operating system files were wide open with permissions and available for anyone to access. The programmers writing the applications understood and relied on that free access when they wrote their programs. Now that we have evolved into a more security-minded society, our operating system files are locked down with tightly configured permissions, especially in Windows Vista. This is the cause of many application failures in Windows Vista.

One of the first types of problems you will encounter is the application that requires more access to more files and locations. The user can right-click the application's executable file, or its shortcut, and select the Run as Administrator option (see Figure 2.26).

Figure 2.26

Figure 2.26 Use the Run as Administrator option to elevate privilege.

Selecting this option triggers User Account Control (UAC) to prompt the user to provide administrator credentials if the user is logged on as a standard user, or it prompts the user for confirmation if the user is logged on as an administrator.

Bad Installation

Occasionally, even fully compatible and well-written applications don't install properly on the first attempt. If an application is compatible with Windows Vista and your computer meets all hardware specifications for the application, yet it fails to run properly, you might simply need to uninstall and reinstall the application. This knowledge is from real-world experience, and it may be test worthy.

64-Bit and 32-Bit CPUs

For the last two decades, the vast majority of all CPUs were 32-bit CPUs. The 64-bit CPUs are the next generation of computing and are now more common than ever. These 64-bit CPUs provide increased performance, reliability, and security.

Microsoft has produced a 32-bit version and a 64-bit version of Windows Vista. This is another potential wrinkle in getting applications to operate properly on Windows Vista.

Permissions Settings

Permissions have always been a target for the Microsoft Certification exams. Let's run through a quick review of how permissions work.

You basically have six functional permissions:

  • R—Read, the capability to read the contents of a file
  • W—Write, the capability to write the contents of a file
  • X—Execute, the capability to run programs
  • D—Delete, the capability to delete a file
  • P—Permissions, the capability to change permissions on a file or folder
  • O—Ownership, the capability to take or assign ownership of a file or folder

These permissions are combined into practical combinations and can be assigned in two possible places:

  • On the NTFS partition at the resource—Managed by the NTFS file system
  • At the share point—Managed by the Server service (file and printer sharing)

See Figure 2.27 and Table 2.1 for NTFS permissions that can be granted at the folder and file levels.

Figure 2.27

Figure 2.27 NTFS permissions are located on the Security tab of the folder or file's properties.

Table 2.1. NTFS Permissions Overview

NTFS Permissions

Functional Equivalent

Full Control

RWXDPO

Modify

RWXD

Read & Execute

R X

List folder contents *

R X

Read

R

Write

W

Special Permissions

Any custom combination of permissions

Also notice in Figure 2.27 that there are Allow permissions and Deny permissions. Deny permissions are all powerful and dominate 100 percent of Allow permissions that may be granted directly to the user or through group memberships.

Only folders can be shared. You cannot share a discrete file. Share permissions are located on the Sharing tab of the shared folder's properties. Then click the Advanced Sharing button, enable the Share This Folder option, and select Permissions. Figure 2.28 shows the permissions that can be granted on a shared folder and are described further in Table 2.2.

Figure 2.28

Figure 2.28 Share permissions.

Table 2.2. Share Permissions Overview

Share Permissions

Functional Equivalent

Full Control

RWXDPO

Change

RWXD

Read

R X

To calculate effective permissions, you must understand whether the user is a member of the Interactive Users group, where only NTFS permissions apply, or a member of the Network users group, where both Share and NTFS permissions apply.

Determining Effective Permissions for the Interactive User

If you sit down at the computer where the files and folder are, you are subject to only the NTFS permissions as you try to access the files on the NTFS partition. In this case, you are a member of the Interactive group.

As a member of the Interactive group, your user account and all the groups that you are a member of (including the Interactive group) get compared to the Access Control List (ACL) on the file or folder you are accessing, where you might be granted different combinations of Allow permissions and Deny permissions. Remember that the Deny permissions overrule any Allow permissions.

First you add up all the Allow permissions. Then you subtract any Deny permissions. The permissions that remain are your effective NTFS permissions; they define your access level when you are a member of the Interactive group.

Look at the following example of determining the effective permissions for an Interactive user. User1 is a member of the Managers group, the Production group, and the Bad Boys group. Because he is an interactive user, only NTFS permissions apply to his access.

File1.txt (NTFS)

Functional Equivalent

User 1

No permissions set

=

Managers

Allow Modify

=

R

W

X

D

Production

Allow Read

=

R

X

Bad Boys

Deny W, D

=

–W

–D.

Allow

=

R

W

X

D

Deny

=

–W

–D.

Effective

=

R

X

Determining Effective Permissions for the Network User

If you access files and folders over the network, on a remote computer, your access requests must first pass through the share point, being subject to the permissions that are managed by the Server service. Then you must still access the files and folders on the NTFS partition. So you are subject to both share permissions and NTFS permissions combined. In this case you are a member of the Network group.

Look at the following example of determining the effective permissions for a Network user. User1 is a member of the Managers group, the Production group, and the Bad Boys group. Because he is a Network user, both share and NTFS permissions apply to his access.

Share Permissions

Functional Equivalent

User 1

Full Control

= R W X D P O

Managers

Modify

= R W X D

Production

No permissions set

=

Bad Boys

Deny nothing

= __________.

Allow

= R W X D P O

Deny

= __________.

Effective Share

= R W X D P O

File1.txt (NTFS)

Functional Equivalent

User 1

No permissions set

=

Managers

Change

=

R

W

X

D

Production

Read

=

R

X

Bad Boys

Deny W, D

=

–W

–D

Allow

=

R

W

X

D

Deny

=

–W

–D

Effective NTFS

=

R

X

User1's effective permissions as a network user are what the two lists, Share permissions and NTFS permissions, have in common. User1 is allowed to Read folder content and Read and Execute files. That's it. All other Allow permissions have been stripped away.

In this example, the NTFS permissions do not have the W, D, P, and O permissions. The only permissions that the two lists have in common are R and X.

Permissions Required to Run Applications

In most cases, applications get installed into the C:\Program Files\folder. The default permissions, as shown in Figure 2.29, are typically sufficient for the standard user to execute and use the application.

Figure 2.29

Figure 2.29 Default permissions on the Program Files folder.

As Figure 2.29 shows, the Users group is granted Allow—Read and Execute, Allow—List Folder Contents, and Allow—Read. Every standard user account on the computer is a member of the Users group. These permissions are inherited down to all folders and files within the Program Files folder hierarchy. Most applications require the permissions Allow—Read and Execute.

  • + Share This
  • 🔖 Save To Your Account