Article ID: 305541 - View products that this article applies to.
This article was previously published under Q305541
Moderate: Requires basic macro, coding, and interoperability skills.
This article applies only to a Microsoft Access database (.mdb).
For a Microsoft Access 2002 and Access 2003 version of this article, see 305542
For a Microsoft Access 97 version of this article, see 303941
This article explains the role and relationship of the workgroup information file (MDW) in Microsoft Access security.
When you install Microsoft Access for the first time, a new file is created in the Program Files\Common Files\System folder. This is the default workgroup information file. The default workgroup information file is named System.mdw.
The workgroup information file is a required component when you use a Microsoft Access database (MDB). This file is required for both a run-time installation and a full installation of Microsoft Access. This file is an important component of Microsoft Access security.
If you develop database applications, it is important that you have a good understanding of the workgroup information file. It is a good idea to reserve the last phase of the development process for applying security in Access. Until then, you can develop the database application in an unsecured database.
IMPORTANT: If you establish Access security in a database, Microsoft recommends that you have a backup or copy of the workgroup information file in a safe location. If the file is lost, damaged, or otherwise becomes impossible to use, the only way to recover the file quickly is to have a backup copy of the file. Otherwise, the database administrator would have to try to re-create the User Accounts exactly as they were initially. This is a risky situation. If the workgroup information file is not created exactly as the original, the file will not work with the database. This will prevent the successful use of the database for its designed purpose. In most cases, a current backup of the database file is the only sure way to recover the file.
Access uses the workgroup information file even when the database has not been secured. The file uses the default Admin user account. The Admin user account does not have a password at that point, and therefore it does not trigger a logon prompt.
For additional information about securing a Microsoft Access database, click the article number below to view the article in the Microsoft Knowledge Base:
254372For additional information about the security Manager Add-In, click the article number below to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/254372/EN-US/ )ACC2000: Overview of How to Secure a Microsoft Access Database
235961Access security is based on a hierarchy of Groups, Users, and Database objects (forms, reports, queries, and so on).
(https://support.microsoft.com/kb/235961/EN-US/ )ACC2000: Access security Manager Add-In Available
Groups and UsersGroups are collections of users who typically, but not always, have the same "role" and reason for working in the database. Some users may be given more latitude while other users will have less latitude within the database. To administer users of varying scope, Microsoft recommends that they be placed into separate groups based on their needs.
Users are individuals who will actually use either all or part of the database. A User can belong to more than one group. In Access security, one key concept to remember is this. If any user is a member of two or more Groups in the database and security has been established on the groups, that user will have the least restrictive permissions between or among all the groups the user is a member of.
Database ObjectsThe Database Objects have an Owner and have a series of permissions on each object that must be determined at the Group level or the individual User level.
The workgroup information file is used to store the User and Group information. Each user account is created with a user logon, a password, and a Personal ID. Each Group is created with a group name and Workgroup ID. All of this information is stored in the workgroup information file.
If the database administrator creates groups to cluster users who work in the same capacity, it is far easier to assign permissions at the group level than to try to administer individual user accounts that have the exact same set of permissions over the whole company. If the permissions are assigned to the group, they will extend to each member of that group. Therefore, the database administrator can easily set up a new user account, assign them to the proper group, and that user is ready to proceed immediately. The group permissions will govern their activities automatically.
PermissionsWith permissions, the user can open objects and modify objects or the data retained by the objects. With the correct set of permissions, any user belonging to a group can perform tasks without hindrance and without compromising the security of the application or the underlying data. NOTE: It is not a good idea to allow users to make design changes in a production database. Microsoft recommends that design changes are made only to the developer's copy of the database.
Permissions and the Ownership of the database objects are stored in the actual database itself. Because the permissions are stored in the database file, and the Users and Groups are stored in the Workgroup file, this requires that both files be used together in order for Access security to be properly implemented. Therefore, when you use Access to open the secured database, Access must also be able to find the path and location where the specific workgroup information file is stored.
It is also possible to use multiple workgroup information files. In fact, this often occurs when you are working with more than one Access database from the same computer. One database may be secured while others are not. Or each database may have its own, separate security scheme. After the Access application has been secured, the workgroup information file that was used while setting up security is the only workgroup information file that should be used with the secured database. In a multiuser environment, the workgroup file can be copied to each workstation or be shared from the network server.
Workgroup File AdministrationThe developer or application administrator can create additional workgroup information files using Wrkgadm.exe. This file can be found at the following location:
C:\Program Files\Microsoft Office\Office\1033The Workgroup Administrator is designed to create new workgroup information files or to join to existing workgroup information files. After you join a specific workgroup information file, Microsoft Access will use that specific file each time that a database is opened, unless another method is used to point Access to a different MDW file. Otherwise, Access will always use the last workgroup file that you joined whenever you start Access by one of the following means:
"C:\Program Files\Microsoft Office\Office\Msaccess.Exe" "C:\MyAppFolder\MyApp.mdb" /wrkgrp "C:\MyAppFolder\System.mdw"For additional information about Command-Line options in Microsoft Access, click the article number below to view the article in the Microsoft Knowledge Base:
(https://support.microsoft.com/kb/209207/EN-US/ )ACC2000: How to Use Command-Line Switches in Microsoft Access
Workgroup Information File NameYou can also give the workgroup information file a different name than the default name of System.mdw. Often, the workgroup information file is given the same name as the database it is securing. This helps identify it quickly from other MDW files, and associates it with the correct database file.
Another method for managing multiple workgroup information files is to place a copy of the correct workgroup information file in the same folder as the database it is associated with.
Additional or new copies of the System.mdw file can be created to use with your specific databases. If you accidentally "secure" the default copy of System.mdw, you can create a new System.mdw file in the default path. To create a new workgroup information file, follow these steps:
Run-Time Access DatabasesIf you are using Microsoft Office 2000 Developer, you must include the specific secured workgroup information file for any secured database that you are distributing.
You can download this white paper from the Microsoft Download Center at the following Microsoft Web site:
For more information about command-line options, click Microsoft Access Help on the Help menu, type startup command-line options in the Office Assistant or the Answer Wizard, and then click Search to view the topics returned.
Collapse this imageExpand this image
Article ID: 305541 - Last Review: August 6, 2012 - Revision: 4.0