Description of the role of workgroup information files in Access 2000 security

This article explains the role and relationship of the workgroup information file (MDW) in Microsoft Access security.

When you install Microsoft Access for the first time, a new file is created in the Program Files\Common Files\System folder. This is the default workgroup information file. The default workgroup information file is named System.mdw.

The workgroup information file is a required component when you use a Microsoft Access database (MDB). This file is required for both a run-time installation and a full installation of Microsoft Access. This file is an important component of Microsoft Access security.

If you develop database applications, it is important that you have a good understanding of the workgroup information file. It is a good idea to reserve the last phase of the development process for applying security in Access. Until then, you can develop the database application in an unsecured database.

IMPORTANT: If you establish Access security in a database, Microsoft recommends that you have a backup or copy of the workgroup information file in a safe location. If the file is lost, damaged, or otherwise becomes impossible to use, the only way to recover the file quickly is to have a backup copy of the file. Otherwise, the database administrator would have to try to re-create the User Accounts exactly as they were initially. This is a risky situation. If the workgroup information file is not created exactly as the original, the file will not work with the database. This will prevent the successful use of the database for its designed purpose. In most cases, a current backup of the database file is the only sure way to recover the file.

Access uses the workgroup information file even when the database has not been secured. The file uses the default Admin user account. The Admin user account does not have a password at that point, and therefore it does not trigger a logon prompt.

For additional information about securing a Microsoft Access database, click the article number below to view the article in the Microsoft Knowledge Base: For additional information about the security Manager Add-In, click the article number below to view the article in the Microsoft Knowledge Base: Access security is based on a hierarchy of Groups, Users, and Database objects (forms, reports, queries, and so on).

Groups and Users

Groups are collections of users who typically, but not always, have the same "role" and reason for working in the database. Some users may be given more latitude while other users will have less latitude within the database. To administer users of varying scope, Microsoft recommends that they be placed into separate groups based on their needs.

Users are individuals who will actually use either all or part of the database. A User can belong to more than one group. In Access security, one key concept to remember is this. If any user is a member of two or more Groups in the database and security has been established on the groups, that user will have the least restrictive permissions between or among all the groups the user is a member of.

Database Objects

The Database Objects have an Owner and have a series of permissions on each object that must be determined at the Group level or the individual User level.

The workgroup information file is used to store the User and Group information. Each user account is created with a user logon, a password, and a Personal ID. Each Group is created with a group name and Workgroup ID. All of this information is stored in the workgroup information file.

If the database administrator creates groups to cluster users who work in the same capacity, it is far easier to assign permissions at the group level than to try to administer individual user accounts that have the exact same set of permissions over the whole company. If the permissions are assigned to the group, they will extend to each member of that group. Therefore, the database administrator can easily set up a new user account, assign them to the proper group, and that user is ready to proceed immediately. The group permissions will govern their activities automatically.

Permissions

With permissions, the user can open objects and modify objects or the data retained by the objects. With the correct set of permissions, any user belonging to a group can perform tasks without hindrance and without compromising the security of the application or the underlying data. NOTE: It is not a good idea to allow users to make design changes in a production database. Microsoft recommends that design changes are made only to the developer's copy of the database.

Permissions and the Ownership of the database objects are stored in the actual database itself. Because the permissions are stored in the database file, and the Users and Groups are stored in the Workgroup file, this requires that both files be used together in order for Access security to be properly implemented. Therefore, when you use Access to open the secured database, Access must also be able to find the path and location where the specific workgroup information file is stored.

It is also possible to use multiple workgroup information files. In fact, this often occurs when you are working with more than one Access database from the same computer. One database may be secured while others are not. Or each database may have its own, separate security scheme. After the Access application has been secured, the workgroup information file that was used while setting up security is the only workgroup information file that should be used with the secured database. In a multiuser environment, the workgroup file can be copied to each workstation or be shared from the network server.

Workgroup File Administration

The developer or application administrator can create additional workgroup information files using Wrkgadm.exe. This file can be found at the following location: The Workgroup Administrator is designed to create new workgroup information files or to join to existing workgroup information files. After you join a specific workgroup information file, Microsoft Access will use that specific file each time that a database is opened, unless another method is used to point Access to a different MDW file. Otherwise, Access will always use the last workgroup file that you joined whenever you start Access by one of the following means:

• From the Programs menu in Microsoft Windows.
• From a Desktop shortcut to the database file only.
• When you double-click a database file in Windows Explorer.

Microsoft Access can be instructed to use a specific workgroup file at the time in which a database is opened. To accomplish this, it is necessary to create a shortcut. The shortcut must have a command-line option that will start a specific database and a specific workgroup information file. To start an Access database named MyApp.mdb in a folder named MyAppFolder and to use a secured workgroup file named System.mdw, the command line syntax must have the /WrkGrp command-line switch, for example: For additional information about Command-Line options in Microsoft Access, click the article number below to view the article in the Microsoft Knowledge Base:

Workgroup Information File Name

You can also give the workgroup information file a different name than the default name of System.mdw. Often, the workgroup information file is given the same name as the database it is securing. This helps identify it quickly from other MDW files, and associates it with the correct database file.

Another method for managing multiple workgroup information files is to place a copy of the correct workgroup information file in the same folder as the database it is associated with.

Additional or new copies of the System.mdw file can be created to use with your specific databases. If you accidentally "secure" the default copy of System.mdw, you can create a new System.mdw file in the default path. To create a new workgroup information file, follow these steps:

1. Close any open databases, and then quit Microsoft Access.
2. Search your computer for the file Wrkgadm.exe, and then double-click the file.
3. Click Create in the dialog box that appears.
4. To create a new workgroup information file, enter your User Name, the Organization Name, and a Workgroup ID. The Workgroup ID can be any string of alphanumeric characters. It must be between 8 and 20 characters long. Click OK.
5. Take note of the path and file name that is the default for the new workgroup information file. If you want it to be in another path, edit the path, or click Browse to locate the path that you want. If you also want the file name to be different, you can change the name also. If there is another Workgroup file with the same name, Access will prompt you to overwrite it or not. Click OK to proceed.
6. The next window is a confirmation window that displays all the information that you have entered. Review and click either OK to proceed, or Change if you find something that is not correct.
7. When the Workgroup file has been successfully created, a window will appear confirming this to you. Click OK in this message.
8. You can now exit the Workgroup Administrator or join another workgroup file to make it the default file.

Run-Time Access Databases

If you are using Microsoft Office 2000 Developer, you must include the specific secured workgroup information file for any secured database that you are distributing.

For additional information about Microsoft Access security, see the "Frequently Asked Questions About Microsoft Access Security for Microsoft Access versions 2.0 Through 2000" white paper at the following Microsoft Web site: You can also download this white paper from the Microsoft Download Center at the following Microsoft Web site: For more information about command-line options, click Microsoft Access Help on the Help menu, type startup command-line options in the Office Assistant or the Answer Wizard, and then click Search to view the topics returned.