Quickbooks 2010 & LUA+SRP

Hello everyone,

I was wondering if anybody here is a Quickbooks user and has managed to successfully make it work in a Limited User Account with SRP. I have been searching around the internet and haven't been able to find anything related to this on newer versions of Quickbooks. I can only find workarounds for upto version 2006.

Is it possible to use Quickbooks 2010 (or 2009) in an LUA or does it require an Admin account? If it is possible, what additional rules must be made and what ACL changes are needed? Thanks.

 

Quickbooks is one that I've seen mentioned a lot when people have problems with apps that won't work in a LUA. Consider SuRun, it's quite useful and makes life with LUA much more comfortable. There's a (very long) thread about it here and Mrkvonic's very handy tutorial here.

With this you can run problem apps from within your LUA as admin. In contrast to using "run as" it runs in your LUA's user environment rather than in that of the admin account. It also has some security advantages compared to "run as". I've been using this for quite a while now and it's a godsend.

 

Is it possible to setup SuRun to automatically elevate just Quickbooks everytime your run it without entering a password? Could SuRun otherwise be completely disabled so that it is not allowed to elevate anything else?

 

I use Quickbooks 2010 with LUA and SRP just fine here. Never have had a problem. Things can get quirky if the auto update feature prompts user to install an update, and the user tries and it fails then they go and do crazy things because they think Quickbooks is broken or something...

 

Could you please elaborate on how you have it setup? Do you use SuRun or UAC to give Quickbooks elevated rights, while you are running it within LUA? Was Quickbooks 2010 installed from the Administrator Account and then used regularly from the LUA? Did you add any additional rules to the SRP or make any changes to the ACL's to make it function properly? Were any changes made to the registry? What do you do when you want to run auto update? Do you log out of the LUA, log in to the Administrator Account, run QB, update it, then log back in to LUA? Oh and also, what OS are you using?

Sorry if I am asking you way too many useless questions. I just want to make sure I have all the info that I need. I hope everyone here know that you answers are very helpful to me! I am sure many other QB users will find this thread helpful, because I have not been able to find answers to these questions online for the last three QB versions.

 

I installed QB 2010 with the administrator account, and use it without any modifications at all to privileges for users.

As far a SRP policies, I have default deny all. When you use the default restricted, Microsoft automatically enters 3 or so registry rules for the file paths of the program files directory and windows directories so you do not lock yourself out. So you do not have to enter any other rules actually after you make default to restricted unless your running programs from places other than your root: program files and windows system directories. For the file extensions of SRP I delete the *.lnk so that shortcuts work.

haven't worked on the auto-update issue yet, now I just login as administrator or runas admin and install the update. In the future I may look into running the update.exe with elevated privileges.

Running mainly XP SP3, and Vista SP2.

If you are having problems, "Sysinternals process monitor" is a great tool to find permissions issues and "BeyondTrust® Privilege Manager" is awesome. Privelege Manager is free for the local policy (not group policy) and can be used to run individual *.exe's with elevated rights and a bunch of other cool tricks to help with running in LUA with fussy applications. All this being said, I have not had to use either of these tools with Quickbooks 2010 though. As far as, my experience Quickbooks 2010 does not have any major issues running in LUA environment with SRP default deny.

You mention that you have had problems with other versions of QB. I have used other versions of QB from 2006 to 2010 and not had issues with this setup. So maybe, running process monitor may uncover what the issue is. Sounds like maybe it's not a default installation, or you have some addin's or point of sale modules that may be conflicting. Again, process monitor will shed some light on this.

If nothing else, use BeyondTrust® Privilege Manager and create a path rule for the main Quickbooks executable and give it full administrator privileges, and extend those privileges to processes started from that main Quickbooks executable. This will clear up any privilege issues if you cannot figure it out otherwise.

hope this helps...

 

I have my SRP's setup the same way as you do, with default deny and the windows/program files directories unrestricted. On top of that I have some additional rules to prevent execution of cmd, regedit, etc, which I picked up from the Vista LUA/SRP thread.

I have never actually tried using Quickbooks in a LUA before. After doing research on the subject, all I could find were registry tweaks to make QB 2005, 2006, & 2007 work in LUA. I found something from Intuit that mentioned QB isn't compatible with LUA and must be installed in an admin account. There was no info at all to be found for the last three versions running in LUA.

Thanks for those tools you mentioned. I will definitely be adding those to my arsenal. When I have my SRP and a few other security apps configured how I want them, I will install QB 2010 on my machine. I'll then use Sysinternals Process Monitor to see where update.exe attempts to install the downloaded updates. Maybe the location needs to/could be reconfigured to be in the users folder or Program Data. Ill then use BeyondTrust or SuRun if needed, depending on what update.exe needs.

Thanks you for that detailed post. That was really helpful and you gave me all the answers I was looking for.