Re: HOWTO Run CASPOL for full trust on UserControl.

Exactly the same way as automating enterprise-level CAS policy
modifications (e.g.: network login script).

The problem with logon scripts is that they run in the user context.

I've done policy deployment successfully by writing a .MSI file with install/uninstall actions and code that directly interfaces with SecurityManager -

the nice thing is that you can deploy the .MSI using standard software deployment mechanism, like SMS or AD GPO -

..MSI files deployed via GPOs run with SYSTEM context on the client.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

"ATS" <ATS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4C5AB90F-59DC-4495-A144-17DF040EE881@xxxxxxxxxxxxxxxx

How would most organizations apply CASPOL at machine level?


That is, without
physically going to each machine (or term serving to each machine one
at a
time) and running "CASPOL -machine ~~~~", how would they do it?
Then, how would administrators be able to "verify" that ALL machines
in
their enterprise had the CASPOL set? That is, without going to each
machine,
or term serving to each machine, one at a time, how would they be
able to
confirm that a "CASPOL -machine ~~~~" setting was still set?
Why are you worried about changes to machine-level CAS policy but not
to enterprise-level policy? Both policy files are covered by the same
DACLs, and any changes a user might choose to make to the
machine-level policy could just as easily be made to the
enterprise-level policy. In either case, if you really want to
monitor the policy on any given machine, it would be possible for a
network admin to either run caspol via a script or simply grab the
policy XML files.




.

Relevant Pages

  • Deploying a .msi
    ... I have created a group policy that assigns a .msi file to domain computers. ... because I can access the installation file just fine once I'm logged ... Event Source: Application Management ...
    (microsoft.public.windows.server.sbs)
  • Re: deploying a group policy to grant signed assemblies FULLTRUST
    ... CAS policy, generating the MSI file, or deploying the MSI file? ... the deployment portion, to whom do you wish to deploy it (e.g.: ...
    (microsoft.public.dotnet.security)
  • Re: installing apps through active directory and group policy editor
    ... I divided OU based on the policy level. ... I went to software installation and browsed to "shared folder" that ... contained the msi file. ... and I don't see the app. ...
    (microsoft.public.win2000.active_directory)
  • Re: Deploy via URL
    ... Simply generate a code group using the Security policy ... trust assemblies with the specified certificate. ... The client then must simply install this MSI file (i.e. ... the specified certificate will be trusted from then out. ...
    (microsoft.public.dotnet.security)
  • Office 2003 Deployment issues
    ... I deployed Office 2k3 via Group Policy incorrectly the first time... ... deployment skipped that, we use Access 97). ... So, I create the admin installation point, and created a transform to go ...
    (microsoft.public.office.setup)