Skip to main content
Announcements
Have questions about Qlik Connect? Join us live on April 10th, at 11 AM ET: SIGN UP NOW
cancel
Showing results for 
Search instead for 
Did you mean: 
Anonymous
Not applicable

Qlik Sense Desktop without admin rights and Group Policy control on running .exes

We tried to install Qlik Sense Desktop on a couple of machines at work without success. The program seems to be quite unconventional as regards where it puts files and runs them from.

Our environment is a typical Windows corporate system: roaming profiles; users don't have local admin rights; group policy will block an exe from running unless it's located in an authorised folder (ie, a folder where the user has no write control - eg C:\Program Files).

In order to install the software it was necessary to temporarily give the user local admin rights and to temporarily change the personal folder registry setting in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Personal from a network to a local drive.

Having managed to install it, we couldn't run it because the main executable is in the user's AppData directory, under Local\Programs\Qlik\Sense, so Group Policy blocks it.

Moving the Qlik directory to a whitelisted directory such as C:\Program Files means that the exe runs but doesn't work: the browser window never opens and while the server component seems to run - at least it listens on port 4848 - it never replies. The Event Log fills up with event id 300s. A "Start_Engine" log file is produced but only gets as far as Initiating server license.

It appears that there are whole bunch of other directories that are created when the application runs (on first run or every time?), for example:

  1. %USERPROFILE%\AppData\Local\Programs
    • Common
    • Common Files
  2. %USERPROFILE%\AppData\Local\Temp
    • DataPrepService2.2.50501.0409.10  
    • MigrationService2.2.50501.0409.10 
    • QlikSenseBrowser2.2.50501.0409.10 
    • SensePrinting2.2.50501.0409.10

Running exe files from these directories is not an option is our environment.


Are these locations configurable? In particular, is there way to allow the app the necessary write access (log files, caches, etc) while keeping the exe files somewhere read-only?

12 Replies
Boba-Fat
Partner - Contributor
Partner - Contributor

Qlik really need to sort this out.  Security best practices insist on the concept of "least privilege" for users and this flies in the face of that, forcing us to give users local admin rights which is a great way for malware to get a foothold on a network.

ivan_will
Partner - Creator II
Partner - Creator II

This issue can be resolved by making sure the account is actually a Service Account.  Even Administrative accounts are NOT service accounts unless specified.

Depending on the Windows OS version you can do the following:

1. Open Administrative Tools (older versions, Control Panel, new versions, click on Start)

2. Select Local Security Policy, expand Local Policies, click on User Rights Assignment

3. Select Act as part of the operating system. If your user is already listed, skip to Step 5

4. Click on Add User or Group and add the desired user account.  Click on Check Names and make note of the entire name, example:  MYHOST\myservice

5. Return to the listing for User Rights Assignment and select Log on as a service, following the same directions as above

6. Close Administrative Tools and return to the Sense installation

6. Using the same exact name that appeared with Check Names, enter the service account name in the User dialog, with the correct password.

ivan_will
Partner - Creator II
Partner - Creator II

Second possible resolution might be: 

The issue with the installation may come from using the wrong computer/maschine name! 
Somehow it accepts the user and credentials but then fails, the easiest way is to use the exact name of machine name/user name taken from the properties of a file, security tab and then use the account full name from there.

Hope the above helps.
Stay safe