Local install of Analyst and CAC without Local Admin Rights?

[jeffowentn]

I have a client that will not allow us to give end users local admin rights and creating Citrix Connections is no longer an option.  We can get temp local admin rights to perform the install.  However, the end user is not granted local admin rights to their machine for the purpose of using Cognos Planning. 

Cognos Support suggested to add full access to the following two keys:

HKEY_LOCAL_MACHINE\Software\Cognos
HKEY_CURRENT_USER\Software\Cognos

We still have users who cannot run admin links under this scenario.  Does anyone know of other keys that need to be granted full access or an alternative solution?

[mrobby]

Can you run the admin links in a macro that has a user with access rights?

[jeffowentn]

Great suggestion.  The problem is that this is a very decentralized environment where the use of Planning has grown organically.  In order to do the macro solution, the user would have to make a request to the support team since none of the business users have local admin rights to their machines.

[mrobby]

So are you saying that you want end users to be able to create admin links in the CAC and also be able to run them?

[jeffowentn]

No.  These are application admins, if you will.  A number of business units have analyst who have created their own applications for their units to use for budgeting and forecasting.  They are the admins for their applications.  They have local installs of Analyst and CAC.  We manage security centrally (as of about 2 months ago).  Their end-users only have access to the web.

[jeffowentn]

Is there any way to further grant full access to registry items that will allow the user to do what they need to do without compromising the rest of the security/configuration of their local machine?

[adityashah27]

which planning version?
82 onwards you can create events to execute macros. this event can be accessed from cognos portal and dont need CAC.

[mrobby]

Im still a bit confused.  The application admin can create and run admin links but the end user is unable to because they dont have CAC?

If this is the case, can you have the application admins create system links for the applications and then enable the Get Data extension for end users to run them? 

[jeffowentn]

RE:
which planning version?
82 onwards you can create events to execute macros. this event can be accessed from cognos portal and dont need CAC.


We are using version 7.3.  We do have a small portion of our users on 8.1, but almost all users are still on 7.3, right now.

[jeffowentn]

RE:
Im still a bit confused.  The application admin can create and run admin links but the end user is unable to because they dont have CAC?

If this is the case, can you have the application admins create system links for the applications and then enable the Get Data extension for end users to run them?



The issue is that we have application admin's who need to be able to create and run admin links without having admin rights on the server and without having admin rights to their local machine (where Analyst and CAC will be installed).  System links would not work well, in this case, since these links are primarily to consolidate data, etc.

I don't want to get too far off track, though, and distract you all from the issue.  We need to be able to give our application admins local installs of the planning software (analyst, CAC, etc. - version 7.3 SP 3) without granting them full local admin rights to their machine.  One place where this presents a problem is the ability to execute admin links (requires local admin rights).  I just need to know how to install the software (what registry items to grant full access to, or some other work-around) such that it will work without full local admin rights to the machine.

Thank you all for your help, so far.

[mrobby]

Is there an error given when users without local admin rights attempt to run an admin link?  Did Cognos give any reason as to why local admin rights are necessary to run admin links?

[marekvich]

Full access should be to the following 4 keys (and maybe other keys):
HKEY_LOCAL_MACHINE\SOFTWARE\Cognos
HKEY_CURRENT_USER\Software\Cognos
HKEY_CLASSES_ROOT\epClientLoader_83.ClientLoaderConfig\CLISD
HKEY_CLASSES_ROOT\epClientLoader_83.ClientLoaderInterApp\CLISD

From Cognos support:
"The official line is that you need administration privileges in order to run the CAC."
"Unfortunately we don't provide a list of keys that a user requires write access to,
the main reason being is that it changes between each version."
:) ;D :)

If you don't have rights for these keys, you can have problem with translation creation, system link creation and maybe othe issues.
e.g. If you click to translations in CAC without rights to these keys, you will corrupt CAC application and have to recover it from previous backup.

[jeffowentn]

It appears the issue stems from previous installs were performed by an "admin" and not logged in as the end-user.  If the install is performed by someone logged in as the end-user, then the install will go and "open" all the appropriate registry items such that you can remove the end-user from the local admin group on the machine.  This is what my testing has confirmed up to this point.

Thank you all for your input.

[jan.herout]

Can you please elaborate? Because I have a hunch the install would fail, if you run it without local admin rights.
Thanks for your insight!

[jeffowentn]

The install issues have been addressed by simply granting the end user local admin rights, temporarily, while the software is installed.  Then, the local admin rights are removed, and the user can use the software without issues.  I still have to look into the macro issues, but I am waiting until we upgrade to 8.4...

[jeffowentn]

Thought I would update this, since I got this feedback from Cognos a couple months ago.  These are the registry changes that need to be made in order all everything to work without having local admin rights:

1.            Modify security settings to allow full control to the following registry keys:

                                HKLM\Software\Cognos\cer4\Contributor\Settings
                                HKLM\Software\Microsoft\Cryptography\RNG
                                HKLM\Software\Microsoft\Windows\CurrentVersion\Installer\UserData
                                HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                HKCR\ep*.*

2.            Assign Modify Access privileges to the Domain Group for these files and folders:

                                Windows\system32\Config\Software.log

The software still needs to be installed under the user's profile with local admin rights, but then make these changes before removing the local admin rights.