As mentioned earlier, User and Group objects and their passwords are not stored in your database. They are stored in a Microsoft Jet database known as the workgroup information file, which is also referred to as the system database. The default name of this database is System.mdw, and it’s a standard database in that Microsoft Jet can open it. While it’s structurally no different from the databases you create, it does contain several system tables that the engine uses to store security information. You can’t make changes to the contents of those tables by opening a workgroup information file directly; the information stored in them is encrypted and protected. To define user accounts and security groups, you must use the User and Group objects in DAO code, or use the Microsoft Access security user interface.
The workgroup information file stores information about each user and group in a workgroup. This information includes which users belong to which groups, encrypted passwords, and the SID for each user and group. When you use Microsoft Jet commands that affect user or group objects or their passwords, the engine reads and writes to the workgroup information file.
Figure 10.3 The workgroup information file
You can use the same workgroup information file for more than database. As long as the user, group, and password information remains the same across databases, you can point Microsoft Jet to the same workgroup information file. When a user logs on to Microsoft Jet, the engine looks in the workgroup information file for the user’s name and password to authenticate the user. From then on, Microsoft Jet uses only the SID that it found for that user.
Keep in mind that when you specify (“join”) a workgroup information file, the user and group accounts it contains remain in effect until you specify another workgroup information file. If you perform operations on other databases while that workgroup information file is current, you may see unexpected results. For this reason, you may want to create a separate workgroup information file for each database you secure.
See Also For more information, see Appendix C, “Registry Settings .”
In Microsoft Jet versions prior to 3.0, the initialization file, usually MSAccess.ini or MSAcc20.ini, was used to store the path and name of the workgroup information file. In versions 3.0 and 3.5, the path and name of the workgroup information file are stored in the Windows Registry. In all versions, the keyword or registry value used to specify the path to the workgroup information file is SystemDB. You can set or return the path for the current location of the workgroup information file in Visual Basic by using the SystemDB property of the DBEngine object.
You can start Microsoft Access with the following command-line options, which configure the security environment:
These startup command-line options are particularly useful when creating a Windows shortcut to open a secured database. For example, instead of using the Workgroup Administrator to specify a workgroup information file before opening a secured database, you can create a shortcut that uses the /wrkgrp option to specify the file when the database is opened.
Note that you must include the full path to the Microsoft Access executable file, as well as to the database. For example, the following command line starts Microsoft Access and opens the Northwind sample database using the MySystem.mdw workgroup information file:
“C:\Program Files\Microsoft Office\Office\MSAccess.exe” “C:\Program Files\Microsoft Office\Office\Samples\Northwind.mdb” /wrkgrp “C:\Windows\System\MySystem.mdw”