Trusted locations

BeeJayEff

I'm in the process of changing the way I distribute the FE of a database to many users. Rather than having them download it every time it's updated, I have created a command script to copy the latest version every time they run it. They only need to copy a shortcut to that script onto their desktop.

However, to avoid the security warnings, the FE needs to be in a trusted location. Can I avoid having to visit every client machine to set up such a location (the only one already set up on each client is ACCWIZ, to which I do not have write access)?
 

Cronk

It sort of defeats the purpose of having a trusted location if code from a distributed source can make a location on a local drive "trusted".
 

The_Doc_Man

Excellent point, Cronk.

BeeJayEff, the issue is, only a trusted (privileged) account can make a trusted location without some gyrations behind the scenes. If all your users were privileged, they could do this themselves without assistance. If they can't do this, then the app that they are running (which is running under their own credentials) can't do it either. And I'll bet they don't have the Run As permission that would let them run as SYSTEM.

Good call, Cronk!
 

Pat Hartman

I standardize the local folder name so my batch file that downloads the FE always downloads to:
C:\myaccessapps\app1

That way, I can enlist the aid of the desktop support folks to distribute the necessary registry entries to each user.
 

Galaxiom

Pat Hartman said:
> I standardize the local folder name so my batch file that downloads the FE always downloads to:
> C:\myaccessapps\app1

I put my frontends in a Database subfolder inside the user's AppData Roaming folder. It is accessible using an Environment variable
Code:
%Appdata%

No need to enlist anyone's help to distribute it. The user automatically has the required permissions while other users don't, plus it is hidden by default.
 

isladogs

Like Pat & Galaxiom, I also install my front ends to a set location. In my case, I use a subfolder of C:\Programs\MendipDataSystems.

All my apps are packaged as EXE files using installer software and downloaded by clients from my website.
The installer includes script to set trusted locations in the registry (together with other application info) similar to this:

Code:
//trusted locations
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Access\Security\Trusted Locations\Location14 :: Path="C:\Programs\MendipDataSystems\"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Access\Security\Trusted Locations\Location14 :: AllowSubFolders=1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Access\Security\Trusted Locations\Location14 :: Description="Mendip Data Systems"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Access\Security\Trusted Locations\Location14 :: Date="08/12/2015 19:51"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Access\Security\Trusted Locations\Location12 :: Path="C:\Programs\MendipDataSystems\"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Access\Security\Trusted Locations\Location12 :: AllowSubFolders=1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Access\Security\Trusted Locations\Location12 :: Description="Mendip Data Systems"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Access\Security\Trusted Locations\Location12 :: Date="27/04/2014 19:51"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Access\Security\Trusted Locations\Location15 :: Path="C:\Programs\MendipDataSystems\"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Access\Security\Trusted Locations\Location15 :: AllowSubFolders=1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Access\Security\Trusted Locations\Location15 :: Description="Mendip Data Systems"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Access\Security\Trusted Locations\Location15 :: Date="27/04/2014 19:51"

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Access\Security\Trusted Locations\Location16 :: Path="C:\Programs\MendipDataSystems\"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Access\Security\Trusted Locations\Location16 :: AllowSubFolders=1
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Access\Security\Trusted Locations\Location16 :: Description="Mendip Data Systems"
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Access\Security\Trusted Locations\Location16 :: Date="08/12/2015 19:51"

The program admin then copies the front end folder & files to an update folder on the network.

After this, the network staff are involved just once.
Their role is to run a script to install the front end folder/files, desktop shortcut & run the registry script on the workstation of each authorised user.
This happens automatically at next Windows login.

The latest update for each app is placed in a designated network folder.
When users click the desktop shortcut it runs a small starter utility (splash form) which checks for a newer version on the network.
If their version is up to date, the utility opens the app then closes automatically. Otherwise, the newer files are first downloaded.
If newer files exist, the download process typically only takes a second or two as API calls are used.
The starter utility can even update itself if a newer version exists.
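
Added example, not part of any post in this thread: a PowerShell audit of the Access Trusted Locations that scripts like the one above leave in the current user's registry hive. The version list mirrors the keys in the post; the `Policies` root is where Group Policy-delivered trusted locations appear, and the "second look" filter at the end is this example's own heuristic.

```powershell
# Added example: list Access Trusted Locations for the current user and
# flag entries that trust a user-writable or network path with subfolders.
$versions = '12.0', '14.0', '15.0', '16.0'          # Office versions named in the thread
$roots    = 'HKCU:\Software\Microsoft\Office',          # set by user, installer or login script
            'HKCU:\Software\Policies\Microsoft\Office'  # delivered by Group Policy

$report = foreach ($root in $roots) {
    foreach ($ver in $versions) {
        $key = Join-Path $root "$ver\Access\Security\Trusted Locations"
        if (-not (Test-Path -LiteralPath $key)) { continue }

        # Each subkey (Location12, Location14, ...) is one trusted location.
        foreach ($loc in Get-ChildItem -LiteralPath $key) {
            $p = Get-ItemProperty -LiteralPath $loc.PSPath
            if (-not $p.Path) { continue }

            # Paths may be stored with environment variables such as %AppData%.
            $path = [Environment]::ExpandEnvironmentVariables($p.Path)

            [pscustomobject]@{
                Version         = $ver
                Source          = if ($root -like '*\Policies\*') { 'Policy' } else { 'User' }
                Name            = $loc.PSChildName
                Path            = $path
                AllowSubFolders = [bool]$p.AllowSubFolders
                Network         = $path -like '\\*'
                InUserProfile   = $path.StartsWith($env:USERPROFILE,
                                      [StringComparison]::OrdinalIgnoreCase)
                Exists          = Test-Path -LiteralPath $path
            }
        }
    }
}

# Full inventory.
$report | Sort-Object Version, Name | Format-Table -AutoSize

# Second look: anything the user (or any process running as the user) can
# write to, or a UNC share, where every subfolder is trusted as well.
$report | Where-Object { $_.AllowSubFolders -and ($_.Network -or $_.InUserProfile) } |
    Format-Table Version, Source, Name, Path -AutoSize
```

Run it as the logged-in user whose settings are being reviewed; entries under `HKCU` are per-user, so results differ between accounts on the same workstation.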
 

Pat Hartman

Galaxiom,
The appdata folder still needs to be trusted.

The registry entries need to get distributed only once. The .bat file distributes the FE each time the shortcut is activated.
 

Galaxiom

Pat Hartman said:
> Galaxiom,
> The appdata folder still needs to be trusted.
>
> The registry entries need to get distributed only once. The .bat file distributes the FE each time the shortcut is activated.

I distribute digitally signed mde front ends so the security is embedded in the file and can actually be run from anywhere without adjusting settings.

Domain Group Policy controls which users are allowed to run Office documents with signed or unsigned code. It works exactly the same as signing the code in other Office documents.

Of course Group Policy can also distribute the Trust settings for accde. Being on a domain makes management a lot easier.
 
