
This information applies to MYOB AccountRight version 19. For later versions, see our help centre.


 

 

ANSWER ID:9450

This support note provides help with setting up a remote user connection using AccountRight Enterprise.

It is intended to help you give users full functionality of your AccountRight Enterprise software while maintaining the security level of your Terminal Server.

As setting file permissions and creating or editing user accounts are all functions of the Microsoft Windows Server operating system, they cannot be supported by MYOB.

Any questions regarding the functions of Windows described within this document are best directed to your Network Administrator, IT Consultant/Technician or Microsoft.

 

Initial setup

The information in this support note is supplied for your reference and has been tested in a standard Workgroup environment running Windows Server 2003 Standard Edition, with an NTFS file system and Microsoft Office 2003 pre-installed. The settings or screens you encounter during setup in other configurations may differ.

As per the installation documentation supplied with the application, it is recommended to have Microsoft Office installed prior to the MYOB Enterprise installation to enable the drivers for the Officelink process to be installed and registered correctly.

During installation you must be logged on to Windows as the Administrator. This is a different and distinct thing from a user account that is a member of the Administrator group. After installation, if you are giving all terminal server users access to the desktop, it is a simple matter to copy the shortcuts from the Administrator's desktop to the C:\Documents and Settings\All Users\Desktop folder and so make Premier available to terminal services users. It is also possible to have terminal services clients run a specific application on connection and to prevent access to the desktop or Start menu, giving added security. Further information regarding this can be obtained from the help files of Windows 2003 Server.

If you are unaware of the Administrator password for your server, please contact the technician who installed your server operating system to obtain the password entered during installation.

Setting up Users and Groups

It is recommended to set up each user as a local user on the Terminal Server. Adding a user account to the Remote Desktop Users group is what allows that account to log on to the terminal server.

computer management window with users listed

Directory and file permissions can then be set on the remote desktop user group giving a uniform level of access to all terminal services logons. 

To create a new user account

  1. Click Start, All Programs, Administrative tools and select Computer Management.
  2. Click Local Users and Groups.
  3. Right-click the Users folder and add New User.
  4. To add users to a group, double-click the group in the Groups folder and then select Add.
    Remote Desktop Users Properties window

Setting up file and folder permissions

Setting the correct file and folder permissions for your Terminal Server users allows you to give full functionality to your MYOB users, whilst protecting the server's critical system files from unauthorised access to maintain the security of your server system.

Permission Example

To access the permission settings of files and folders, right-click the file or folder, select Properties and click the Security tab.

MYOB Datafiles Properties window

Listed below are the individual folder and file permission settings that must be checked and allocated, after installation of AccountRight Enterprise, to the user and/or user group that the clients use to log on to the server.

The installation folder shown below (C:\Enterprise19) refers to AccountRight Enterprise v19 and may differ depending on your version of Enterprise.

 

| Directory / File | Full Control | Modify | Read & Execute | List folder contents | Read | Write |
|---|---|---|---|---|---|---|
| C:\Documents and Settings\UserName | X | X | X | X | X | X |
| C:\Enterprise19 | X | X | X | X | X | X |
| C:\Program Files\MYOB |  | X | X | X | X | X |
| C:\WINDOWS\drvwd32.INI |  | X | X | X | X | X |
| C:\WINDOWS\drvxl32.INI |  | X | X | X | X | X |
| C:\WINDOWS\SwDrvs.ini |  | X | X | X | X | X |
| %Folder containing Datafiles% |  | X | X | X | X | X |
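The user setup steps and the permission table above can also be applied from the command line, which makes the result repeatable and easy to review. This is an added example, not a script supplied by MYOB: it assumes icacls is available (Windows Server 2003 SP2 or later) and an elevated command prompt, and the account name jsmith and the datafile folder D:\MYOB Datafiles are placeholders. Granting the profile folder to the individual user rather than to the group is also an assumption.

```batch
@echo off
rem Added example, not MYOB's own script. Run from an elevated command prompt.
rem Assumes icacls is present (Windows Server 2003 SP2 or later).
rem TSUSER and DATADIR are placeholder values; replace them with your own.
setlocal
set "TSUSER=jsmith"
set "DATADIR=D:\MYOB Datafiles"
set "GRP=Remote Desktop Users"

rem Create the local account. "*" prompts for the password interactively,
rem so it is never stored in this file. Then add the account to the group.
net user "%TSUSER%" * /add || goto :fail
net localgroup "%GRP%" "%TSUSER%" /add || goto :fail

rem Rows marked Full Control in the table. (OI)(CI) makes the entry
rem inherit to files and subfolders. The profile folder only exists
rem after the user's first logon, so it is skipped until then.
if exist "C:\Documents and Settings\%TSUSER%" icacls "C:\Documents and Settings\%TSUSER%" /grant "%TSUSER%":(OI)(CI)F || goto :fail
icacls "C:\Enterprise19" /grant "%GRP%":(OI)(CI)F || goto :fail

rem Rows marked Modify without Full Control: users can read and write
rem data but cannot change permissions or take ownership.
icacls "C:\Program Files\MYOB" /grant "%GRP%":(OI)(CI)M || goto :fail
icacls "%DATADIR%" /grant "%GRP%":(OI)(CI)M || goto :fail
for %%F in (drvwd32.INI drvxl32.INI SwDrvs.ini) do icacls "C:\WINDOWS\%%F" /grant "%GRP%":M || goto :fail

rem Print the resulting ACLs so they can be compared with the table.
icacls "C:\Enterprise19"
icacls "C:\Program Files\MYOB"
icacls "%DATADIR%"
echo Done.
exit /b 0

:fail
echo A command failed; review the output above. 1>&2
exit /b 1
```

The ACL listing at the end shows only NTFS permissions; share permissions on the datafile folder are set and checked separately.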

Troubleshooting

The most common access permission issues are due to a difference in the permission settings that apply to a user from different locations. In addition to the directory and file permissions allocated to a user account, the user will also inherit permission settings from any groups it is a member of, and from the Network logon itself. You can check the directory and file permission settings by using the “Effective Permissions” function of Windows to test and report on settings rather than trusting what is displayed in the properties window.

Advanced Security Settings for MYOB Datafiles window

To access the effective permissions function, click the Advanced button that appears in the Security properties window. You then simply select the User or Group and the settings will display. Further information on this function can be found by clicking the link at the bottom of the Effective permissions window.

The factors this utility uses to determine the effective permissions are:

  • Global group membership
  • Local group membership
  • Local permissions
  • Local privileges

  FAQs


What if the permission settings appear correct, but I still have access issues?

The Terminal Server User group and permissions inherited from a Network or Domain logon are not taken into account in the effective permissions tool. Share permissions are also excluded. When a user account is subject to a mixed permission environment, e.g. full control to the user account but read and list within a set of share permissions to the user's group, for security purposes Windows will use the most restrictive set of permissions or privileges (read and list). This can result in settings that appear correct in the security properties dialog, or when tested using effective permissions, while the user is still unable to write to a file or even view a folder's contents.

In this instance it can be easier and a lot faster in a complicated network with many different groups, shares and possibly domains or workgroups to recreate the user account and set the permissions from scratch. This is also an option in standard or less complicated configurations.

Please note that if you are using a Workgroup configuration, after a user account is first created you must log on to the server locally at least once so that you can assign a password to the user account.

User accounts without a password will not gain connectivity to the server via the network.

If running in a Domain, ensure the Allow Logon to Terminal Services option is enabled in the user account's properties and that the user has been added to the Remote Desktop Users group.

Warning: Before deleting the user account, you should ensure you transfer any user files on the server in the C:\Documents and Settings\%UserName% folder to a temporary folder, where %UserName% is the user account name. Then, after the user account has been recreated, you can transfer the files back to their original locations.

What if a user is prevented from logging into AccountRight Enterprise?

If a user logs out of the remote server but doesn't log out of Enterprise, the user will be prevented from logging back into Enterprise (a message will be displayed advising they are already logged in). This can be resolved by restarting the server.