Re: HOWTO Run CASPOL for full trust on UserControl.



Sorry, I was using "login script" in the general sense of a script pushed
from the network, not the Windows-specific sense, but that was probably a
wee bit too much verbal shortcutting... On a Windows domain (assuming
Win2K+ clients), one could use a startup script, which runs under the system
account and can modify CAS policy. However, in most Windows domain
scenarios, I suspect that deployment of a GPOed MSI would probably be
preferred, particularly since this doesn't require messing about with icky
caspol command lines. ;)



"Dominick Baier [DevelopMentor]" <dbaier@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
wrote in message news:4580be631964ec8c7faa4ad87dea8@xxxxxxxxxxxxxxxxxxxxx
Exactly the same way as automating enterprise-level CAS policy
modifications (e.g.: network login script).

The problem with logon scripts is that they run in the user context.

I've done policy deployment successfully by writing a .MSI file with
install/uninstall actions and code that directly interfaces with
SecurityManager -

the nice thing is that you can deploy the .MSI using standard software
deployment mechanism, like SMS or AD GPO -

.MSI files deployed via GPOs run with SYSTEM context on the client.

---------------------------------------
Dominick Baier - DevelopMentor
http://www.leastprivilege.com

"ATS" <ATS@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4C5AB90F-59DC-4495-A144-17DF040EE881@xxxxxxxxxxxxxxxx

How would most organizations apply CASPOL at machine level? That is,
without physically going to each machine (or term serving to each machine
one at a time) and running "CASPOL -machine ~~~~", how would they do it?

Then, how would administrators be able to "verify" that ALL machines in
their enterprise had the CASPOL set? That is, without going to each
machine, or term serving to each machine, one at a time, how would they be
able to confirm that a "CASPOL -machine ~~~~" setting was still set?

Why are you worried about changes to machine-level CAS policy but not
to enterprise-level policy? Both policy files are covered by the same
DACLs, and any changes a user might choose to make to the
machine-level policy could just as easily be made to the
enterprise-level policy. In either case, if you really want to
monitor the policy on any given machine, it would be possible for a
network admin to either run caspol via a script or simply grab the
policy XML files.
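
The verification idea that closes the thread, grabbing the policy XML files and checking that a setting is still in place, could be automated along these lines. This is an added example, not code from any poster: the sample policy is constructed and only modelled on the nested code-group layout of a CAS policy file, and the group name `Intranet_UserControl`, the URL and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the nested <CodeGroup> layout of a CAS policy
# file (assumption); the Intranet_UserControl group and its URL are hypothetical.
SAMPLE_POLICY = """<configuration><mscorlib><security><policy>
<PolicyLevel version="1">
 <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="Nothing" Name="All_Code">
  <IMembershipCondition class="AllMembershipCondition" version="1"/>
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="My_Computer_Zone">
   <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="MyComputer"/>
  </CodeGroup>
  <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="LocalIntranet" Name="LocalIntranet_Zone">
   <IMembershipCondition class="ZoneMembershipCondition" version="1" Zone="Intranet"/>
   <CodeGroup class="UnionCodeGroup" version="1" PermissionSetName="FullTrust" Name="Intranet_UserControl">
    <IMembershipCondition class="UrlMembershipCondition" version="1" Url="http://intranet.example/controls/*"/>
   </CodeGroup>
  </CodeGroup>
 </CodeGroup>
</PolicyLevel></policy></security></mscorlib></configuration>"""


def full_trust_groups(policy_xml):
    """Map each code group path that grants FullTrust to its membership condition."""
    found = {}

    def walk(group, prefix):
        path = f"{prefix}/{group.get('Name', '(unnamed)')}".lstrip("/")
        if group.get("PermissionSetName") == "FullTrust":
            cond = group.find("IMembershipCondition")
            attrs = {} if cond is None else dict(cond.attrib)
            kind = attrs.pop("class", "(none)")
            attrs.pop("version", None)
            found[path] = " ".join([kind] + [f"{k}={v}" for k, v in sorted(attrs.items())])
        for child in group.findall("CodeGroup"):  # direct children only, keeps nesting
            walk(child, path)

    for level in ET.fromstring(policy_xml).iter("PolicyLevel"):
        for top in level.findall("CodeGroup"):
            walk(top, "")
    return found


def audit(policy_xml, baseline):
    """Return (missing, unexpected, changed) FullTrust grants versus a baseline dict."""
    actual = full_trust_groups(policy_xml)
    missing = sorted(set(baseline) - set(actual))
    unexpected = sorted(set(actual) - set(baseline))
    changed = sorted(p for p in set(actual) & set(baseline) if actual[p] != baseline[p])
    return missing, unexpected, changed
```

Run over the files collected from each machine, an empty result means the expected full-trust group is still present and no other full-trust grant has appeared.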





