Change CAS permissions for all machines on a domain

Guest

Hello !

My question is simple:

How can I change ALL THE PCS ON A DOMAIN to have CAS full trust to a network
share ?

Notes:

When you deploy an application to a network share, as all the pcs have
restricted permissions for intranet zone on their machine level, not each
feature of the applications works, for example, database / registry access.

So, till now, we have to MANUALLY configure EACH PC to have full trust to
each network share where we have our .NET developed applications, this way:

caspol -m -ag 1.2 -url file:\\servername\appshareddir\* FullTrust

This is not very enriching nor amusing as you can imagine, for our technical
stuff...

Is there any way to automate this by configuring, for example, the CAS
policy from the server or something similar ? (I am speculating...)


(Of course, the domain users already have network permissions... but I'm not
talking about network permissions here...)


Thanks in advance,
 
Marc Gravell

Well, you can package the "caspol" exec into an msi, and push that msi
around the clients via a login script; I used this approach with 1.1
apps.

With 2.0, perhaps a signed ClickOnce deployment is a better option?

Marc
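
The scripted caspol approach from this answer, as an added example that is not part of the original post. The group name AppShare_FullTrust is a hypothetical label, the URL and parent label 1.2 are the ones from the question, and the script is assumed to run with administrative rights (for example as a computer startup script), because it writes machine-level policy.

```powershell
# Added example: apply the code group once per installed runtime, idempotently.
$ShareUrl  = 'file:\\servername\appshareddir\*'   # URL as given in the question
$GroupName = 'AppShare_FullTrust'                 # hypothetical label, used to detect reruns

# Each runtime version and bitness keeps its own machine policy file,
# so every matching caspol.exe has to be visited (1.1 and 2.0, as in the thread).
$roots = @("$env:windir\Microsoft.NET\Framework",
           "$env:windir\Microsoft.NET\Framework64")

$caspols = foreach ($root in $roots) {
    if (Test-Path $root) {
        Get-ChildItem -Path $root |
            Where-Object { $_.PSIsContainer -and
                           ($_.Name -like 'v1.1*' -or $_.Name -like 'v2.0*') } |
            ForEach-Object { Join-Path $_.FullName 'caspol.exe' } |
            Where-Object { Test-Path $_ }
    }
}

foreach ($caspol in $caspols) {
    # -ld lists code group names and descriptions at the machine level.
    $existing = & $caspol -m -ld
    if ($existing -match [regex]::Escape($GroupName)) {
        Write-Output "Already present: $caspol"
        continue
    }

    # -q suppresses the confirmation prompt; -n names the new group so the
    # check above finds it on the next run instead of adding a duplicate.
    & $caspol -q -m -ag 1.2 -url $ShareUrl FullTrust -n $GroupName
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "caspol failed ($LASTEXITCODE): $caspol"
    } else {
        Write-Output "Added $GroupName via $caspol"
    }
}
```

Scoping the URL to the single application directory, as the question does, keeps the FullTrust grant from covering the rest of the server's shares.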
 
Guest

Hi,

Thanks for your answer... but I have a few more questions about this:
> Well, you can package the "caspol" exec into an msi, and push that msi
> around the clients via a login script;

This would be the same as making a "cmd" with the caspol sentence... not a
very big improvement ...
> With 2.0, perhaps a signed ClickOnce deployment is a better option?

But it would not avoid the fact that I still have to manually configure CAS
permissions for LOCAL machine level, isn't it ?

The fact is that I was looking for a way to assign CAS permissions for all the
pcs from a domain controller or a central place, as with the Active Directory
for the whole domain does for certain features...

Thanks,

Roger
 
Marc Gravell

Well, in your original e-mail you said you were MANUALLY applying the
change (the caps are from you) - so a login script (with cmd or msi)
seems a pretty huge improvement to me. But no, it doesn't hook cleanly
into group policy etc.

You might want to make your changes at the enterprise level, but note
that this is still (AFAIK) configured at the machine. Truly ironic,
unless I missed the same thing you did ;-p

Marc
 
Marc Gravell

> But It would not avoid the fact that I still have to manually
> configure CAS
> permissions for LOCAL machine level, isn't it ?

Actually, yes it would. ClickOnce allows you to ascribe permissions
via the manifest. If the user accepts the app (i.e. they click, er,
once) then the app gets the permissions it asked for - which can be
full trust or partial trust.

Marc
 
