XP Permissions Required to Install arview2.cab

Posted by: mpreble on 4 August 2017, 2:54 pm EST

  • Posted 4 August 2017, 2:54 pm EST

    Our users are having trouble using a web application that generates reports via the ActiveReports Viewer2 ActiveX Control. It seems that normal users do not have the required permissions to install the contol. Computer administrators and power users can install the control and view reports just fine. In all cases, we have set the website/application in the list of trusted sites and set the security to low so that the browser will allow the installation. Because our security policy does not allow normal users to have power user or administrator rights, we need to know how an administrator can properly install the control or exact file/registry permissions the user needs for proper installation and use.



    Thanks,

    Michael
  • Replied 4 August 2017, 2:54 pm EST

    Brandon,

    Thanks for taking the time to look at this properly but I am unsure where we have left off.  In your test environments, giving permissions to the HKLM does not seem to have resolved the the issue. Are you (or someone on your team) still working on the file or printer permissions issue?

    Furthermore, giving these permissions is exactly what the answer portion of the MSDN article says *not* to do ("Don't hack your user privileges to allow them to install ActiveX
    controls"). Even if we do have to 'hack permissions', giving Full Control to HKLM gives users permissions to way too much of the registry. I assume that if we install the ActiveX under and Administrator account, we should be able to give the users Full Control to specific keys.

    Thanks again for your assistance.

    Michael
  • Replied 4 August 2017, 2:54 pm EST

    Since each network is setup differently it's hard to say the exact permissions. I do know that your 'normal' user will need installation access to the registry. This typically includes the HKLM and HKCU hives. The user also must have permissions to the c:\windows\Downloaded Program Files directory. That's the extent of the permissions I've found that control the ActiveX installation. There may be more or less depending on your network configuration, we're really not equipped to troubleshoot network permissions issues.
  • Replied 4 August 2017, 2:54 pm EST

    Thanks for your response.  Is there a way to package installation of the control in such a way that an administrator could install the control so that a normal user could "use" the control without full control to those registry hives and directory? I have tried registering the .ocx file as using an administrator account but the normal user account still could not "use" the conrol. Here is what I have tried... Using an administrator account, I unpackaged the .cab file and user "regsvr32 arview2.ocx". Regsvr32 pops up that the registration was successful but the a normal user still cannot use the control.

    Thanks,
    Michael
  • Replied 4 August 2017, 2:54 pm EST

    I'm not sure what additional permissions are required to use an ActiveX control on your systems. You may want to run this past your network admin to see if there's additional policies on your local machines that are needed.
  • Replied 4 August 2017, 2:54 pm EST

    Thanks again for your response.  I understand your reluctance to help troubleshoot a security issue that we may have brought on ourselves via security policy but we have tested the web app on a PC that is has brand new, fresh out of the box, XP installation and we are having the same issue.  A local Administrator or Power User can access the ActiveX control but a normal User can't. We set a local policy on XP client to set the website as a Trusted Site with Low security settings and this did not work.  We also gave the local user Full Control to the HKLM and HKCR hives which did not work.  When we use regmon and filemon to monitor activity on the computer, we don't see any denial of access to registry keys or files so we can't troubleshoot user permissions any further without the support of the Data Dynamics.  If nothing else, can you confirm that you have tested this control using a normal user account on an XP machine?  If your company has gotten this to work, can you forward any information about how?

    Thanks,
    Michael
  • Replied 4 August 2017, 2:54 pm EST

    I found a couple of good articles on ActiveX security and access by using google and MSDN.

    From MSDN Magazine:
    ---
    Q I have an application that downloads ActiveX®
    controls in an HTML page. On certain machines the download fails, but
    if I give the user local admin rights, the download succeeds. What are
    the specific privileges that need to be granted to a user for them to
    be able to download ActiveX controls via HTML pages?

    A
    Don't hack your user privileges to allow them to install ActiveX
    controls, as this would allow users to install any arbitrary code and
    trash the machine. You should deploy the ActiveX controls to the users
    in a Microsoft® Installer (MSI) package through Active Directory® so that you don't have to loosen user restrictions. You can also use Systems Management Server (SMS) or your tool of choice.

    ---


    I also sat down with our development team to see if there was anything they could tell me. We setup a test blank XP SP2 machine and replicated your environment. The admin user had no problem, but there is an issue with the built-in 'User' security group. Once we gave it permissions to HKLM, the ActiveX viewer control could load but it failed to parse the printers on the machine. I believe it needs more access to the file system permissions and to the printers installed on the machine.
  • Replied 4 August 2017, 2:54 pm EST

    Sorry, I should have been more specific. It was recommended to check your printer permissions to make sure they have admin access to the printer. This admin access will allow them to lookup the papersizes and clipping information.
  • Replied 4 August 2017, 2:54 pm EST

    Our test PC that hasn't been added to the domain does not have any printers installed.  If you know of a specific permission that your developers have been able to identify, I would be very interested in that.

    Thanks,
    Michael
  • Replied 4 August 2017, 2:54 pm EST

    Are you using the ActiveX viewer to only view the report? If so, I would recommend switching to PDF instead. PDF is more universal and can run without power user permissions. If you are printing from the ActiveX viewer, please install a printer on your test machine to make sure that's not the problem.
  • Replied 4 August 2017, 2:54 pm EST

    Brandon,

    Sorry it has been so long since the last post.  We temporarily added users to the Power Users group just to get this going...  In any case, we will be printing the reports but the test computer does not have any printers installed so it can't be permissions on a specific printer.

    Thanks,
    Michael
Need extra support?

Upgrade your support plan and get personal unlimited phone support with our customer engagement team

Learn More

Forum Channels