Can anyone shed some light on what my programmers want me to do?

Noob

They want me to: "Please research an AD setting that would allow us
to have .net programs on a network drive but not have to run the
caspol or gack commands, as we have done before"

They run: "CALL "%systemroot%\microsoft.net\framework\v1.1.4322\caspol.exe" -pp off -machine -ag LocalIntranet_Zone -url file:k:/* FullTrust -name AgilitydotNet"


Where do I even begin to look at making this change in the AD and/or
Policies?


~Noob~
 
Darren Mar-Elia

Essentially what they are asking you to do is deploy .Net security policies
on your machines such that someone could run a .Net app from a network
drive. By default, that is not allowed and results in a .Net security
exception. When you install the .Net framework on a machine, it installs an
MMC snap-in called Microsoft .Net Framework Configuration--you should see it
under Administrative Tools. Within that snap-in you would select the option
to "Configure Code Access Security Policy". From there you can adjust
Framework security settings to allow any apps run from the Local Intranet
Zone to have Full Trust (or whatever is appropriate). From within that
dialog, there is an option to create a Deployment Package. Essentially what
that does is create an .MSI file that contains these security policy
settings. You would then take that resulting .MSI file and use GP Software
Installation policy to deploy it to your client machines. Once installed, it
will modify their .Net framework security settings on those machines.

Darren

--
Darren Mar-Elia
MS-MVP-Windows Server--Group Policy

Script Group Policy Settings with the GPExpert Scripting Toolkit for
PowerShell!
Find out more at http://www.sdmsoftware.com/products2.php

Visit the GPOGUY: http://www.gpoguy.com -- The Windows Group Policy
Information Hub:
FAQs, Training Videos, Whitepapers and Utilities for all things Group
Policy-related
 
Noob

Thank you very much.

Would I be able to have the CALL command in a script/bat that will do
the same thing? Or would an MSI file be the way to go?
 
Darren Mar-Elia

You could certainly use GP to run a computer startup script that calls that
command. I am assuming that that command persists--that is, that once you
set full trust using caspol.exe, that it will remain in place. I think
either approach is do-able. The MSI is obviously more complex but perhaps
more clean since it would only run once, as opposed to a computer startup
script that runs every time you reboot the machine.

 
Noob

Thank you for the help.
I will have to figure out what would be better. Maybe doing the
script for now to get them happy and then do the msi later to make it
stick
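
Added example, not part of the original thread: a computer startup script for the caspol approach discussed above that adds the code group only when it is missing, so a script that runs on every reboot does not keep re-adding it. The caspol path, zone, URL and group name are the ones quoted in the question; checking for the group by name in the `-ld` (list descriptions) output is an assumption of this sketch.

```batch
@echo off
rem Added example: idempotent startup script for the caspol command in this thread.
rem Path, zone, URL and group name are taken from the command quoted in the question.
setlocal
set "CASPOL=%systemroot%\microsoft.net\framework\v1.1.4322\caspol.exe"
set "GROUP=AgilitydotNet"

if not exist "%CASPOL%" (
    echo caspol.exe not found, .NET Framework 1.1 is not installed here
    exit /b 1
)

rem List the machine-level code groups with their names and look for ours.
rem Assumption: the group name appears in the -ld output once it has been added.
"%CASPOL%" -machine -ld | find /i "%GROUP%" >nul
if not errorlevel 1 (
    echo Code group %GROUP% already present, nothing to do
    exit /b 0
)

rem Same command as quoted in the thread, run only when the group is missing.
"%CASPOL%" -pp off -machine -ag LocalIntranet_Zone -url file:k:/* FullTrust -name %GROUP%
exit /b %errorlevel%
```

The rule grants FullTrust to every assembly under k:, so write access to that share should be limited to the people who publish the applications.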
 
