Is there a way to override GPO preventing User Trusted Locations?

mdlueck

Greetings,

I suspect a GPO is preventing me from adding an Access 2016 User Trusted Location directly to the registry.

In the Access UI Trust Center, all buttons are greyed out, and nothing shows up as User Trusted Locations.

I successfully added my own directly to the registry. When I restarted Access, still no User Trusted Locations appear in the list.

Is there a way to override the probable GPO preventing me from adding a User Trusted Location?

I am thankful,
 
A Group Policy Object won't exist except under a couple of conditions.

1. Your site security officer and/or domain administrator have conspired to make your life a living Hell by locking you down with every conceivable, fiendish, diabolical annoyance policy that exists within Windows. (Which is a LOT.)

2. You did this to yourself.

3. It ain't a GPO.

Since your name appears in the corporation title of your signature, there is a chance for #2 - but you would have known you did it, since it is not something one does idly or accidentally. There is a bit of a complex setup involved.

If #1 is the case, talk to the "powers that be" and find out what is going on.

If #2, what you did you can undo - if you can find it.

If you determine that neither #1 nor #2 applies, then we have other research to do.


Which of these applies?
 
Greetings The_Doc_Man,

Yes, the machine I am using Office 2016 on is a corporate managed computer at a client site. My machine here went through an Office 2010 to Office 2016 upgrade a while back, and that is where adding the trusted location via direct registry edit stopped working.

I recall working at another corporate client, they had added a GPO to block AutoLogin registry values. However, Google turned up a way to block that GPO enforcement coming down to the client machine, so we were successful in once again having a fully automated machine on their network which no one ever sits at... has a Cron scheduler, and is fully automated running various jobs at scheduled times, including a daily IPL to keep memory leaks from disrupting automation.

I am seeking similar at this client... to be able to add my own personal Trusted Location... directory tree on my local drive.

Access appears to add a HKCU trusted file each time I approve running VBA for a specific database file in my local drive. So I guess "once per file" is not tooooo painful. Seeking to prevent even that much pain point.

I am thankful,
 
OK, this is going to require cooperation of your corporate domain admin, who is usually the creator of all GPO items.

Let me say this: You probably COULD find a hack that would let you do this, but from a contractual or employment viewpoint, doing so would probably violate something. Which is why you need to get the person who needs this done to "sign off" that you need it and then get that to the domain admin. Then let your supervisor and the domain admin duke it out. EITHER the supervisor will win and the domain admin will help you, or the domain admin will win and your supervisor's expectations will be adjusted.

In either case, going your own way in a corporate environment is NEVER the right way.

In case you were wondering, I learned that through a career of 28 1/2 years with the U.S. Navy Reserve and later U.S. Navy as a systems administrator in a Dept. of Defense network comprised of 1200+ servers that were Sensitive but Unclassified (SBU) and I also worked with over 500 systems that were classified as Secret. (Can't tell you what the Secret machines were all about without killing you first and saying the words over your grave after all the other mourners have left.)
 
Since you need to establish a trusted location to run an Access app, perhaps you can convince the client's control freaks to distribute the necessary registry keys to all your users via group policy. You will have to give them the keys; they simply add them to the normal login proc for the specified users.
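
The following read-only check is an added example, not part of any post in this thread: it lists the Access 2016 trusted locations defined for the current user and by policy, and reports whether a policy value is suppressing the user-defined ones. The registry paths and value names are assumptions taken from the Office 2016 administrative templates; none of them appear in the thread.

```powershell
# Read-only audit of Access 2016 trusted-location settings for the current user.
# Paths and value names are assumptions based on the Office 2016 administrative
# templates; they are not quoted from the thread. Nothing is written or changed.
$office = 'Software\Microsoft\Office\16.0'
$policy = 'Software\Policies\Microsoft\Office\16.0'
$tl     = 'Security\Trusted Locations'

function Get-RegValue([string]$SubKey, [string]$Name) {
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path "HKCU:\$SubKey" -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Get-TrustedLocation([string]$SubKey, [string]$Source) {
    # Each location is a subkey (Location0, Location1, ...) holding a Path value.
    $root = "HKCU:\$SubKey\Access\$tl"
    if (-not (Test-Path $root)) { return }
    foreach ($key in Get-ChildItem -Path $root) {
        $p = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            Source          = $Source
            Key             = $key.PSChildName
            Path            = $p.Path
            AllowSubfolders = [bool]$p.AllowSubfolders
        }
    }
}

$settings = [pscustomobject]@{
    # 1 = "Disable all trusted locations" is enforced for Access
    AllLocationsDisabled  = Get-RegValue "$policy\Access\$tl" 'AllLocationsDisabled'
    # 0 = only policy-defined locations are honoured; user entries are ignored
    AllowUserLocations    = Get-RegValue "$policy\Common\$tl" 'Allow User Locations'
    # 0 = network paths are not accepted as trusted locations
    AllowNetworkLocations = Get-RegValue "$policy\Access\$tl" 'AllowNetworkLocations'
}
$settings | Format-List

# User-defined entries next to policy-defined ones, so a mismatch is visible.
$locations = @(Get-TrustedLocation $office 'User') + @(Get-TrustedLocation $policy 'Policy')
$locations | Format-Table -AutoSize

if ($settings.AllLocationsDisabled -eq 1 -or $settings.AllowUserLocations -eq 0) {
    'Policy is in effect: user-defined trusted locations are ignored by Access.'
} else {
    'No policy value that disables user-defined trusted locations was found under HKCU.'
}
```

If the check reports a policy in effect, `gpresult /h report.html` shows which GPO delivers it, which is the information the domain admin needs to add an approved location.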
 
Greetings The_Doc_Man,

Then there will be no automatic workaround at this client. I was hoping for a similar work-around as we found for the GPO AutoLogin restoration solution.

I spent all year (Jan prod go-live to Dec) to get approved DR/LRU interfaces for a production application.

The likelihood of getting approval to not have to click-enable VBA code where my position here does not make mention of requiring use of VBA... nadda!!!

I am thankful,
 
Greetings Pat,

This is for my own developer use... the VBA code.

Such as, to complete the production implementation of an upcoming component, I automated with VBA connecting to the application's Oracle DB, issuing some SQL, and generating XML content to be able to bulk de-provision data from the application.

I am not actually developing Access VBA for production consumption at this site.

I am thankful,
 
Then put your app in one of the folders that Access trusts by default.
 
Greetings Pat,

Only the MS Access default to the application wizard which is located under C:\Program Files\ which my ID does not have write permissions to. Blocked there as well.

I am thankful,
 
Have you tried opening Access using the Run as Administrator switch?
 
Colin, if he can't get to the Program Files folder, you can bet dollars to doughnuts that he won't be able to do a RunAs of ANY kind, much less as Admin.
 
Probably you're right but it's worth a quick check to see if it's available from the context menu.

For anyone who isn't aware, hold down the Shift key, then right-click on the Access shortcut and select Run As Administrator.
 
