Re: HOWTO Run CASPOL for full trust on UserControl.



"ATS" <ATS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:29C62383-69E1-4250-A7D4-B9586A1D96E8@xxxxxxxxxxxxxxxx
I found the solution, and it does override the machine level policy. I'm
disappointed that MS did not have the simple answer for this:

caspol -enterprise -addgroup 1 -site MyWebSite FullTrust -name "ThisOVerridesMachine" -description "This code group will override machine." -levelfinal on

While overriding in this way is certainly possible, I wouldn't recommend it
as a first choice general solution since it can make CAS policy management
more complex for network administrators. Many/most organizations will grant
such additional permissions via changes to the machine policy, and it's
usually a good idea to stay within the "expected" policy modification set
for any given organization. That said, if your organization is already
performing overrides at the enterprise policy level, there's presumably no
reason to avoid this approach for your application.


I've already tested this, and it works. I've even tested it on a machine
that did not "Trust" the website I put in. The "levelfinal on" was the key
to make this work. What made it possible to find this was to download the
2.0 SDK and get the GUI version of CASPOL, and play with it until I could
find an answer, as the whole documentation for CASPOL is very confusing.

For whatever it is worth, I did have my .NET UserControl signed with a
strong name. I suspect that had nothing to do with the "levelfinal on"
working, but I thought I'd mention it anyways.

You're right, the strong name isn't relevant. LevelFinal is a property of
the code group and has nothing to do with properties of any assembly that
meets the membership criteria for the code group. If you would like more
information about LevelFinal, see
http://msdn2.microsoft.com/en-us/library/3wxtc9hf.aspx.
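
The policy resolution discussed in this thread, as an added example that is not part of the original posts: a simplified Python model in which each policy level grants the union of its matching code groups, the levels are intersected, and a matching LevelFinal group stops evaluation of the levels below it. The permission names, the default-like policy tree and the evidence values are constructed assumptions; the Exclusive attribute and the AppDomain level are not modeled.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed permission universe; ALL stands in for the FullTrust permission set.
ALL = frozenset({"Execution", "UI", "FileIO", "Registry", "UnmanagedCode"})
PSETS = {"FullTrust": ALL, "Internet": frozenset({"Execution", "UI"}), "Nothing": frozenset()}
LEVELS = ("enterprise", "machine", "user")  # evaluated from highest to lowest

@dataclass
class CodeGroup:
    name: str
    matches: Callable[[dict], bool]  # membership condition over assembly evidence
    pset: str
    level_final: bool = False
    children: tuple = ()

def resolve_level(group, evidence):
    """Union the grants of every matching group in one level; report any LevelFinal hit."""
    if not group.matches(evidence):
        return frozenset(), False
    grant, final = PSETS[group.pset], group.level_final
    for child in group.children:
        child_grant, child_final = resolve_level(child, evidence)
        grant, final = grant | child_grant, final or child_final
    return grant, final

def resolve(policy, evidence):
    """Intersect the per-level grants, stopping below a level where LevelFinal matched."""
    grant, evaluated = ALL, []
    for level in LEVELS:
        level_grant, final = resolve_level(policy[level], evidence)
        grant, evaluated = grant & level_grant, evaluated + [level]
        if final:
            break  # lower levels are never consulted
    return grant, evaluated

def build_policy(with_override):
    """Default-like policy (assumed shape); optionally add the thread's enterprise group."""
    everything = lambda ev: True
    override = CodeGroup("ThisOVerridesMachine", lambda ev: ev["site"] == "MyWebSite",
                         "FullTrust", level_final=True)
    machine_kids = (CodeGroup("My_Computer_Zone", lambda ev: ev["zone"] == "MyComputer", "FullTrust"),
                    CodeGroup("Internet_Zone", lambda ev: ev["zone"] == "Internet", "Internet"))
    return {"enterprise": CodeGroup("All_Code", everything, "FullTrust",
                                    children=(override,) if with_override else ()),
            "machine": CodeGroup("All_Code", everything, "Nothing", children=machine_kids),
            "user": CodeGroup("All_Code", everything, "FullTrust")}

CONTROL = {"site": "MyWebSite", "zone": "Internet"}  # constructed evidence for the UserControl
```

Calling resolve(build_policy(True), CONTROL) returns the full permission set with only the enterprise level evaluated, which is why an enterprise-level LevelFinal group deserves review when auditing CAS policy: machine-level restrictions no longer apply to code that matches it.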

