cancel
Showing results for 
Search instead for 
Did you mean: 

Preventing users from using SAPGUI command to log-in to system

Former Member
0 Kudos

Dear Experts,

We have 6 instances for our production system and we have configured log-on group for 5 instances. Problem here is with users using SAPGUI command to log-in to the system. Even though we have configured log-on group some users who are aware of SAPGUI command are loggging-in to specific instance directly and we are facing issues with load balancing. We want to restrict users from using this command and make use of logon pad only. Could any one suggest us solution for this.

Thanks & Regards,

Manoj S

Accepted Solutions (1)

Accepted Solutions (1)

Former Member
0 Kudos

Exactly, i had the similar problem of our HA environemnt with load balancing server.

We have 3 instances to logon to PRD server and we maintain the log-on group for 3 instances. The user create/change the setting to logon to different instances instead to use the log-on group which automatically determined the best logon server.

Our servers are behind the DMZ so that, we maintain the network policy on firewall that directly 3 instances are not exposed on user lan so that, they cannot logon directly to that instances.

Regards

Anwer Waseem

SAP Netweaver TTL

Answers (3)

Answers (3)

Sriram2009
Active Contributor
0 Kudos

Hi Manoj

In the SAPGUI you can create the selection package. Uninstall the exiting one and reinstall the new package by using the below batch file before that create the package by using the SAPGUI guide below the link page number 36 Installing Packages Configured by the Administrator http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/80f043df-b655-2d10-e9a4-bba6967de...

Batch file informationu2019s

1. Uninstall the exiting SAPGUI by using the command " nwsapsetup /uninstall /all /nodlg"

2. Move Frontend old_FrontEnd

3. Install the new package by using the command NwSapSetup.exe /Nodlg /Package="SAPGUI720"

Same way we did more the 1000 user pc by using the Windows ADS & SCCM

Regards

Sriram

Former Member
0 Kudos

Hi,

I believe you want to disable the launch of SAPGUI from Start > Run > SAPGUI command

You might do the following:

1. Check with local IT team to see if launching sapgui command from Start > Run can be disabled.

2. Else, try maintaining the message server router string in the SAPlogon Pad for all users.

If users are able to access SAP systems through SAPGUI command, most likely the ports 32<XX> and 33<XX> would be open to the SAP servers from the user's local machine.

By maintaing router string in the logon pad, you can disable direct access by blocking these ports to the SAP servers, thus ensuring access is only possible from SAPLogon Pad through the router string.

I hope I understood your question correctly and this information is helpful.

Regards,

Varun

Former Member
0 Kudos

Dear All,

Thank you for your valuable suggestions. All the solutions proposed here are to be done on all users systems. But this is lengthy process. I was searching for a solution that could be implemented centrally. I am trying to do this using an user exit that will log-off users who have not logged-in through log-on pad. I'll let you know once this is done. Mean while if you have any other solution ,which can be implemented centrally, please suggest me.

Thank & Regards,

Manoj

Former Member
0 Kudos

Hi Manoj,

Try this way. Select the SAP Logon pad which is on your desktop then goto right click---> properties. Now select Find Target tab. In new window (C:\Program Files\SAP\SapSetup\setup\SAL), you can find 2 icons (saplgpad & SapLogon).

Here select another one which is not highlighted and send it to desktop and delete other one with change access.

Once it is done you check whicther editable mode is coming or not.

This above process needs to be done only after updating Load balancing file in user system.

this process you please double check once in one PC and let us see what others says in this forum.

Rgds,

Durga.

Former Member
0 Kudos

Hello Majoj

As Durga described here, you can achive your needs but need to maintain the Cenralized configuration.

As we had notice that any user who are not integrated with AD Policies are able to delete and modify the sapmsg.ini file.

We have keep the centralized configuration and self executring script to copy needs file to user profile.so that, they can access SAP system while they are out of office through the SAPRouter.

Regards

Anwer Waseem