FAQ: Giving non-administrative users of Windows 2000 and XP access to ATM Deluxe

Report · Mar 17, 2004

In order for a restricted user to launch the ATM control panel and add or remove fonts, they will need to have access to the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Adobe\Adobe Type Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Type 1 Installer\Type 1 Fonts

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Fonts

Adapted from material originally posted by Lance K

Report · Mar 23, 2004

I have a regular user in win2k that has been given permission to all three keys. Upon exiting ATM4.1 deluxe, i get the following errors:
ATM Database File Error:
Unable to write ATM registry database. Disk may be write protected, out fo free space or the file may be in use by another application.....

Thanks in advance!

Report · Mar 24, 2004

Hi Jose,

Please keep in mind that ATM is not designed or intended for users with restricted access. Users must have Standard or Power User rights in order to use ATM as designed.

Out of curiousity, what specifically is your user trying to do in the ATM Deluxe control panel? Despite receiving the error message, are they successful in doing whatever it is they were trying to do? (e.g., if they were trying to enable a font, did the font then show up in applications as expected?)

Lance

Report · Apr 14, 2004

I've given the rights to these keys, but saving or exiting the program is a problem. Somehow, ATM still needs to write the settings somewhere.

In Response To _Jose_Deleon_ · Apr 19, 2004

Jose is correct. There has to be some other place that needs to write the changes to (and we need to give write permission).

The program will open allow you to add the fonts, but when you try to exit, it says "Retry", "Don't exit", "Don't save".

Any suggestions?

Report · Jul 22, 2004

I used a program called FILEMON (http://www.sysinternals.com/ntw2k/source/filemon.shtml) to see what files ATM is accessing:

C:\WINNT\ATMREG.ATM
C:\WINNT\ATMREG.NEW

The first file appears to be the ATM registry. The second file is created, written to, and deleted. It looks like the .NEW file is a temp file used to generate a new .ATM file.

If we can specify a new location for these two files then those of us with legitimate security needs should be able to use ATM instead of constantly having to log off the designer, log in as admin, watch them make the font changes, log off admin, and let the designer log back in...

Any ideas?

Report · Jul 28, 2004

The most worst thing in ATM is that it want to have write acces into the windows dir but u can fix it (change locatine for ATMREG.ATM file Ive changed the locatino to %systemroot%\atm and made shure that Standard user have the rights to write and delite files there).

Report · Aug 03, 2004

The question for me is, how did you tell ATM the new location of the ATMREG.DB file??? I am digging through the HKLM\SOFTWARE branch of the registry as I type this... but I am at a loss for where to make this change.
Thanks in advance
--Joe

Report · Nov 09, 2004

Hi,

how did you change the location of the atmreg.atm file? adobe support was not able to tell me this...

Thanks

Manuel

In Response To _ManuelWesser_ · Nov 09, 2004

Manuel,
Unfortunately, I wasn't able to do this... I had to use advanced permissions on the %SYSTEMROOT% folder so that the specific group of users I have are the only ones allowed to write to it. It uses a temp file, and writes it to c:\winnt while it is working with it (which is only when ATM is writing changes to the atmreg.atm file at application close time)... so your user(s) will have to have only the "Create Files/Write Data" permissions to the whole of the winnt folder (and modify permissions on the atmreg.atm file) to use atm. I had to use a utility that traces thread, file & Registry access to determine how to make this work. This is the ONLY way, ATM is hard-coded to use atmreg.atm in the system root folder (as well as to use the temp file in the system root folder), and it needs create files/write data permissions on the system root folder to use the temp file. I hope this makes sense to you... if not, e-mail me jlatuscha@sunjournal.com and I will send you my document for fixing the problem.
Good Luck
--Joe

Report · Nov 09, 2004

Thanks,

Power Users...

only a few users are using ATM and so it is possible to give them "Power User" rights and all problems are fixed, without some special rights in %SYSTEMROOT%

your answer is the same as Adobe Support gives to me. we have a reason to use the "Power User" solution and all problems are fixed...

not the best way, but it works...

In Response To _ManuelWesser_ · Nov 09, 2004

I try not to use the 'Power User' solution. It opens the machine up for Spyware Infestations (since the user has elevated system privelages, they can write data almost anywhere as a power user). Leave your users as basic users, and explicitly give them write files/change data to only the systemroot folder. This keeps them from editing the registry and other tasks that they really shouldn't be allowed to do (for system security reasons). If you are not that concerned for the saftey of your systems, network, servers and more, make them power users, but I would do so with great caution if these machines are in any way connected to the internet (yes, even the greatest firewall in the world can't stop spyware, since most of it is installed through IE's ActiveX RPC's).

Report · Nov 09, 2004

Yes! No question!

But our customer prefers easy solutions without special rights throug GPOs for a special application...

Report · Jul 05, 2005

I am also having the same problems as Jose and Chris... please help.
Michael

Report · Jul 20, 2005

Give the users the full control access to the aforementioned registry keys. Then, give the specific user (or group) permissions to write/delete to the WINNT (Windows 2000) or WINDOWS (Windows XP) folder (I use the advance permissions on the folder as opposed to the generic 'Modify' permission in the security tab of the folder properties, as it allows me to only give the one or two permissions needed to the job), but DO NOT PROPIGATE THE PERMISSIONS TO CHILD FOLDERS, as this would be a massive security breach above and beyond giving them write access to the system root folder. The reasoning for the permission granting is that ATM needs to create and then delete a temporary database in the %systemroot% folder when the application is closed, so these permissions are mandatory in order to give a standard user (why Adobe never made this more seamless and used a more public area on the hard disk is baffling to me).

Adobe Community

FAQ: Giving non-administrative users of Windows 2000 and XP access to ATM Deluxe