Thanks for the suggestions, but our access permissions (for everything) are already all "grouped up" already, so we are all set there.
I also already rejigger the permissions for the Addons directory (which is safer than for the entire ILLiad folder) at the end of the ILLIad install using:
C:\Windows\System32\icacls.exe "C:\Program Files (x86)\ILLiad\Addons" /grant "<SecurityGroupName>":(OI)(CI)M
Erich
On Thursday, December 14, 2023 at 13:17, Augusto Consing eloquently inscribed:
> Erich,
>
> If your ILLiad implementation is hosted by your university, you could
> implement Kaleb's suggestion by making the Windows shortcut point to a
> location on the ILLiad server itself. Your generic ILL Windows login has
> permissions to access file locations on your ILLiad server (this is
> necessary for the ILLiad client and server applications to work), so to
> duplicate this you could assign your ILL workers' Windows accounts to
> the same Windows user group as your generic account. In this scenario
> you would need to make sure that your ILL workers' Windows accounts have
> full control (administrative rights) on the C:\Program Files
> (x86)\ILLiad folder on their workstations, so that your ILLiad addons
> will work.
>
> Best,
>
> Gus
>
> On Thu, Dec 14, 2023 at 11:21 AM Sove67 <[log in to unmask]> wrote:
>
>> Hi Elrich,
>>
>> Can't say I have any wisdom on securing shared workstations, but that
>> might not be the path of least resistance here?
>>
>> If the ONLY issue with seperate accounts is saving in a specified location,
>> there are a two ways I can think of to automate that.
>>
>> The easy: Create a shortcut to the correct saving location inside the
>> default saving location. Users will need to double click each time the save
>> system kicks them back to the default (which sounds like once-per-session)
>>
>> The advanced: Create a symlink (
>>
>> https://www.howtogeek.com/16226/complete-guide-to-symbolic-links-
>> symlinks-on-windows-or-linux/ ) for each user, between the default
>> prompted save location, and the desired save location. This way, any
>> files placed in either place should show up in both places. Think of it
>> like knocking down a wall between two storage rooms.
>>
>> Of course, if there are other reasons your library needs this generic
>> login, this won't address them.
>>
>> Best of luck with your setup!
>> - Kaleb A (Langara LIT Student)
>>
>> On Thu., Dec. 14, 2023, 6:36 a.m. Hammer, Erich F, <[log in to unmask]>
>> wrote:
>>
>>> All,
>>>
>>> First, I apologize because this is much more of an IT question than a
>>> coding question, but I come from an IT/desktop support background with
>>> a particular interest in security.
>>>
>>> How are larger, academic libraries securing your employee-used, shared
>>> workstations -- specifically, the circulation desk machines and the
>>> back-end, ILL scanning stations? I have been trying mightily for a
>>> few years to eliminate the shared-password generic accounts because
>>> they present a real security/privacy concern. I am running into some
>>> real road-blocks though, and I'm wondering if anyone here has found
>>> solutions that work.
>>>
>>> Having viewed the chaotic state of the circulation desk with the
>>> constant churn of employees using the stations, I have conceded that
>>> it is better to use a generic login than to have folks log in/out
>>> constantly.
>>>
>>> The ILL employees who do a lot of scanning don't have the rapid-fire
>>> turnover at their workstations, but they (or their manager) is
>>> insisting on a generic login because the scans need to be saved in a
>>> specific, network location and Acrobat has no mechanism to set the
>>> default save location for all users. (I hate Adobe!) When we have
>>> tried using personal logins, folks forget, don't notice, or don't know
>>> about watching that the PDFs are saved in the proper location, and
>>> those scans have to be redone by someone else or are inaccessible
>>> within the particular employee's private user profile until they
>>> return to work (which could be days-weeks with student employees).
>>>
>>> In both cases, users still need to sign into services as themselves
>>> (the LSP -- Alma --, scheduling, wiki documentation, ILLiad, etc.), so
>>> I'm not really sure what the security advantages are with the generic
>>> account (especially for ILL scanning). I've had to push settings to
>>> prevent the browsers (Edge, Chrome and FireFox) from saving passwords.
>>> I also have automated scripts running to regularly blow away the MS
>>> Teams configuration to prevent users from using it as someone else.
>>> (Teams "helpfully" remembers credentials for one-click login even
>>> after logging out of it and rebooting.) I have not been able to find
>>> a way to do the same with MS Office, so I have been forced to
>>> uninstall it completely. Otherwise, everyone who uses it while logged
>>> onto the computer with the generic account is signed into/owns all the
>>> M365 documents as the user who first used it (and had to sign into
>>> M365).
>>>
>>> The lack of Microsoft Office is the particular issue that I'm being
>>> pressed on to prompt me to post this. I should add that I can't use
>>> device licenses for M365 (where login/registration isn't required)
>>> because they only work with Azure Active Directory which we do not
>>> have. What are you all doing? I've been considering trying to set
>>> circ desk systems up as mulit-app, auto-login kiosks so at least we
>>> don't need to share the generic password, but the other problems still
>>> remain.
>>>
>>> Any feedback is appreciated.
>>>
>>> Thanks,
>>> Erich
>>>
>>>
>>>
>>> --
>>> Erich Hammer Head of Library Systems
>>> [log in to unmask] University Libraries
>>> 518-442-3891 University @ Albany
>>>
>>> "Faith is the unflagging determination to remain ignorant
>>> in the face of any and all evidence that you're ignorant."
>>> -- Shaun Mason
>>
|