[There's a reason that Yoda is the unofficial mascot of SBS. Size indeed matters not.] How to run Quickbooks under user mode - THE OFFICIAL BLOG OF THE SBS "DIVA"
Sat, Apr 23 2005 22:33 bradley

How to run Quickbooks under user mode

I finally got around to documenting the needed changes to get Quickbooks running under usermode.

Quickbooks in usermode for Stand alone machines

Quickbooks in usermode using Group policy

http://www.threatcode.com gives you the exact official supported info but keep in mind that QUICKBOOKS 2007 now supports non admin rights.

The process is basically that you use tools like Filemon, Regmon and Inctrl5 to identify those 'sticking' places in the file permissions and registry.  Now you have to open them up.

Unfortunately you have to open up ClassesRoot unless you want to spend the rest of your life wacking the heck out of that thing since Intuit uses guid keys in that section.  (I have included the new and improved instructions that only opens up exactly what is needed) If you want to see the printout of regmon's report on Quickbooks [this is the Enterprise version being attempted to be run in user mode] you can see this spreadsheet here.

Steve Friedl helped to distill that down to basically two file permissions and two reg keys:

  • HKEY_LOCAL_MACHINE\Software\Intuit

  • HKEY_CLASSES_ROOT

  • C:\Program Files\Intuit

  • C:\Program Files\Common Files\Intuit

I personally think it shouldn't be as hard as this to run in user mode around Quickbooks.  A consultant emailed me that they had installed QB Enterprise version and their customer didn't want to run with the Salesmen with local Admininstrator rights on their computers [bravo for a company wanting to ensure their desktops are part of the security fabric of their network] and when the Consultant contacted Intuit, Intuit's support said the “fix” to not run with local adminstrator rights was to:

 

 “connect a member server to the SBS system. Then put QB's data there, with no Active Directory running on the member server. “

 

Yup, you heard that right... they suggested a member server with 'no AD' as the fix for running without administrator rights. 

 

First off, why in the world would you not want a server or a workstation stuck firmly in active directory, to ensure you have control of that server, and secondly, how in the world do they think that installing this on a member server is going to solve the desktop issue of permissions and user rights?

 

I love this KB article where it says the issue of user mode is a top support issue and don't you worry your little head because you are only making them 'standard users' [aka power users... you know...that category of users that the security folks call “admin lite”].  You remember that lovely KB article that I love to point out that says: A member of the Power Users group may be able to gain additional rights and permissions on your computer, and may be able to gain complete administrative credentials. A member of the Power Users group may also be able to expose your computer to other security risks, such as running a virus or running a Trojan horse program.

 

Remember what it says at the bottom? 

  • Do not use the Power User group.
  • Deploy certified Microsoft Windows 2000 or Microsoft Windows Server 2003 programs in your enterprise.  Programs that are certified for Windows 2000 or Windows Server 2003 are written to avoid requiring unnecessary access or administrator-level credentials.     

That's right class, that Quickbooks Enterprise 2005 program is not certified to run on Windows 2000 in the year 2005.  Maybe it's going to take legislation over Personal Identity Information before vendors 'get security', because honestly, it's accounting applications that seemingly are the worst.

 

One more note... due to how QB is 'all over' the ClassesRoot tree, if you want to have a QB that will allow auto updates you either have to open up ClassesRoot or spend the rest of your life editing that registry.  Bottom line folks, Quickbooks, in my opinion, is written in an insecure manner.  But until WE the marketplace start demanding that they change it, it will continue to be done in this manner.

 

 

 

Oh and I have to fess up on two blonde things I did.  In order to do the screen shots for the standalone PC I wanted to do it on a 'virgin laptop' so I took my tablet PC and flipped my normal operating account into user mode.  Then I proceeded to somehow forget the 'real' Administrator's password.  Oh yeah.. cute, huh!  Not to fear though, I just downloaded the reset cdrom burned in the iso image to make a bootable cdrom, booted from the cdrom and reset the password.  Now for the other blonde thing I did.  Notice this how-to isn't on the www.threatcode.com web site?  Yeah... while I have the domain parked, I forgot to renew the site with webhost4life.  Oh well, it will be back online probably Monday when their accounting department opens back up.  

Filed under:

# re: How to run Quickbooks under user mode

Monday, April 25, 2005 9:27 AM by bradley

I'll again be obnoxious and point out that Quickbooks always runs in user mode....that's where most apps run (except the ones that call themselves apps but have a kernel mode driver :)). Rather, you want them to run in least privelage user mode.
You know me, always a stickler for the details of user/kernel, as a debugging guy. :)

# re: How to run Quickbooks under user mode

Monday, May 02, 2005 7:55 AM by bradley

I really wish Intuit "got it".

# re: How to run Quickbooks under user mode

Monday, May 09, 2005 9:51 AM by bradley

I would like to buy you a beer for posting this.

Thanks,
Tom

# re: How to run Quickbooks under user mode

Sunday, May 15, 2005 4:43 PM by bradley

Too much for my brain to handle. I can't believe Intuit does it this way. Oh, and as I was researching this, the 24/7 Quickbooks support is for 5am to 5pm pacific time, M-F. Thanks A-holes, glad I could talk my customer into buying your product, so I could install it over the weekend, only to learn that it does not work properly, as noted above.

Thanks for posting this, now I have to explain my mistake for believing what I read. Intuit liar's!!!

# re: How to run Quickbooks under user mode

Tuesday, May 31, 2005 10:54 PM by bradley

Is MS new accounting package better than quickbooks or has anyone tested it?

# re: How to run Quickbooks under user mode

Saturday, June 11, 2005 9:19 AM by bradley

I have mild to moderate hopes for the new MS Accounting for small biz but am still doubtfull and full of generalized anxiety because I think they'll find a way to botch the job on an otherwise perfectly useable piece of software. For starters, it's going to run on msde desktop version of SQL and not on SQL 2000.

Sigh... Why did I buy Small Business Server Premium 2003 complete with SQL 7.0, Sharepoint, Exchange, if I can't actually use it in my small business without dropping 20k (starter fee) for Great Plains? We still use Quickbooks pro 5-user via terminal services because it's cheap and easy and does the job but it's also quite useless when it comes to centralizing multiple company files and sharing report data live via web/sharepoint. So,... it's print, sign, dial and fax, print, sign, dial and fax all day long instead of here's your username and password, get your own (insert explicative) report data.
Since day one of office 98'-2003' a user has not been able to so much as sell a cup of lemonaide efficiently with it and that has been a sore point. I ask only a few simple things of this suite and I will gladly convert to it.

1) More than 2 custom fields in the sales and invoice reciept. Small Business Manager 8.0 (Great Plains Lite?) has only 2 and is thus rendered useless for any professional small business, which needs to sort data in a meaningful way relevent to thier own line of work. Quickbooks-Pro has 10 user defineable fields for customizing entries which provides a small business owner tremendous flexability for generating reports.
2) Simple live data connection to web/sharepoint if only for read access one-way so custom reports can be filtered and viewed via web and I can retire my laser printers and faxes forever. Mwahahaha
3) 5-user limit is fine as long as I can have multiple company files, QB's allows this in a terminal services envoronment...
4) Multiple company file connectivity with sharepoint lists, contacts etc so we can actually use Sharepoint as a single point entry for maintaining contacts and updating billing addresses etc.. Instead of maintaining those lists on 6 or 7 seperate quickbooks company files.

Bottom line is, for companies which have multiple low/med revenue (250k and under) offices/stores spread out regionally and only a couple of users at each location there has been no decent application which allows them to maintain their own seperate GL and also collaborate and share thier sales and report data meaningfully at a single point like Sharepoint.
The opportunity to leverage a small server farm with terminal services and Server 2003 standard and Small Business Server 2003 exists but there's really nothing other than Quickbooks to put on it for us small guys.
Just bake me the cake and I'll make my own frosting, I don't give a hoot about all the forcasting and built-in inventory tracking and all that gobbledygook, it's never accurate to begin with and anyway, that's what excel is for. Just let me connect my sales and report data and as for security, it should simply mirror what is already in place on the Active Directory server level.
Regards,

Steven
what's so hard about that?

# re: How to run Quickbooks under user mode

Wednesday, June 22, 2005 12:14 PM by bradley

Okay, not sure what I did wrong, but it is still giving me the error to add the useer to power users or admin group. I followed the instructions a listed above, and I did a gpresult to make sure the policy was applied. Any help would be greatly appreciated.

# Quickbooks' sloppy security holes

Thursday, August 18, 2005 11:26 AM by TrackBack

# re: How to run Quickbooks under user mode

Wednesday, September 07, 2005 9:22 PM by bradley

thank you for this. you've saved me hours of work. and now i look at least slightly heroic to my client. rock on.

# re: How to run Quickbooks under user mode

Monday, September 26, 2005 9:44 AM by bradley

Thanks a lot for posting this. The solution is so easy when you really think about it but it's amazing what doesn't occur to us (me in particular) in moments of EXTREME frustration. IMHO this whole situation is just a lawsuit waiting to happen for Intuit. Just the fact that I have to give my accountant full control of an entire root tree scares the hell outta me - but I suppose it's better than full administrative rights.
As a note, another alternative to this (for someone not comfortable editing permissions or working in the registry) is to create a seperate user account with administrative permissions on the computer then assign the working account (the one the client will actually be using) as a limited account. Then use the "run as" command to run Quickbooks as the administrative user under the limited user (working) account. Of course, the client could go into the administrative account any time they want but most people with a limited knowledge of computers (like our accountant) don't even think about it. Besides, to the every day user there really is no difference between an administrative account and a user account. Therefor most users don't even feel a need to access the administrative account; and if they do it's usually for malicious purposes or at least to being something they probably know they shouldn't be doing in the first place.

Just a thought

Sterling

# re: How to run Quickbooks under user mode

Monday, October 24, 2005 6:11 AM by bradley

Well after spending several hours I now have a security template that only changes the required HKCR keys...I'm not sure if an auto update will work since I had fully updated before going through the registry. The link will be broken for now until I upload it later.