Avoid Security Warning
Cron
a network server by many users at the same time. Every time the
database is opened on a new computer I get the "Certain content in
this database has been disabled" warning at the top. How do I avoid
this please? My users would not know to click the bar and enable the
content.
I've tried digital signing but it I can only seem to do it by
packaging the database which brings up an extraction screen every time
it's loaded. Is there any way to bypass this annoying security
warning?
Thanks a lot,
Ciarán
Rick Brandt
On each user's PC the folder where the file is stored needs to be set as a
"trusted folder". This is in the Access options.
--
Rick Brandt, Microsoft Access MVP
Email (as appropriate) to...
RBrandt at Hunter dot com
Cron
run from a network server by many inexperienced users at the same
time. Every time the database is opened, the "content in this database
has been disabled" warning appears at the top and my users would not
think to click options and enable the content.
I have tried digitally signing to avoid the problem but I can only
seem to do it by packaging the database - forcing each user to go
through an extraction process each time the databse is loaded. Is
there any way around this annoying problem please?
Thanks,
Ciarán
Cron
> On each user's PC the folder where the file is stored needs to be set as a
> "trusted folder". This is in the Access options.
Surely there's a better way to do it than this?? The network is in a
busy college with hundreds of workstations. It's not practical to set
it on every machine. Is there no way to digitally sign a database
without having to package it?
Cheers,
Ciarán
Rick Brandt
It can be done programmatically as it is just a registry entry. Sorry, I am
not familiar with the specifics of digital certificates.
Cron
> It can be done programmatically as it is just a registry entry. Sorry, I am
> not familiar with the specifics of digital certificates.
>
Yes I've actually tried writing a .reg file for it but reg edits are
blocked on the college workstations! It's dead ends in all directions!
Ciarán
paii, Ron
"Cron" <cron...@hotmail.com> wrote in message
news:ce8368b0-cf15-45e6...@d31g2000hsg.googlegroups.com...
>Cheers,
>Ciarán
How are you going to get a copy of the front-end onto those workstations?
Can the same script be used to set the destination folder as trusted?
Cron
> How are you going to get a copy of the front-end onto those workstations?
> Can the same script be used to set the destination folder as trusted?
Hi, thanks for the reply... The databse is installed on a shared
network drive and can be accessed by all workstations simultaneously.
Is there any VBA code that can add trusted locations as executing
a .reg file manually is forbidden on the college workstations?
Cheers,
Ciarán
paii, Ron
> How are you going to get a copy of the front-end onto those workstations?
> Can the same script be used to set the destination folder as trusted?
>Hi, thanks for the reply... The databse is installed on a shared
>network drive and can be accessed by all workstations simultaneously.
Access should not be run this way. Each user should have a copy of the
front-end linked to a shared copy of the back-end otherwise you will have
corruption of the MDB. The Jet Back-end may need to be changed to SQL server
if you have100's of simultaneous users.
>Is there any VBA code that can add trusted locations as executing
>a .reg file manually is forbidden on the college workstations?
Are the workstations connected to the server with Active Directory? If so,
can your system administrator add the keys though a group policy?
>Cheers,
>Ciarán
Cron
> "Cron" <cronok...@hotmail.com> wrote in message
>
> news:2ff5114f-0802-4466...@u65g2000hsc.googlegroups.com...
>
> > How are you going to get a copy of the front-end onto those workstations?
> > Can the same script be used to set the destination folder as trusted?
> >Hi, thanks for the reply... The databse is installed on a shared
> >network drive and can be accessed by all workstations simultaneously.
>
> Access should not be run this way. Each user should have a copy of the
> front-end linked to a shared copy of the back-end otherwise you will have
> corruption of the MDB. The Jet Back-end may need to be changed to SQL server
> if you have100's of simultaneous users.
There'll be 30 users max at any one time. I've never had corruption
problems in the past with similar setups, why would this be an issue?
>
> >Is there any VBA code that can add trusted locations as executing
> >a .reg file manually is forbidden on the college workstations?
>
> Are the workstations connected to the server with Active Directory? If so,
> can your system administrator add the keys though a group policy?
I have no idea how the server is set up. As far as I can tell it's
simply a windows mapped network drive. I'd prefer an access only
solution as the admins are very busy and could take weeks or months to
add the keys.
Cheers,
Ciarán
Salad
> On Oct 7, 1:31 pm, "paii, Ron" <n...@no.com> wrote:
>
>>"Cron" <cronok...@hotmail.com> wrote in message
>>
>>news:2ff5114f-0802-4466...@u65g2000hsc.googlegroups.com...
>>
>>
>>>How are you going to get a copy of the front-end onto those workstations?
>>>Can the same script be used to set the destination folder as trusted?
>>>Hi, thanks for the reply... The databse is installed on a shared
>>>network drive and can be accessed by all workstations simultaneously.
>>
>>Access should not be run this way. Each user should have a copy of the
>>front-end linked to a shared copy of the back-end otherwise you will have
>>corruption of the MDB. The Jet Back-end may need to be changed to SQL server
>>if you have100's of simultaneous users.
>
>
> There'll be 30 users max at any one time. I've never had corruption
> problems in the past with similar setups, why would this be an issue?
Good luck!
Consider a runtime version of A2007. It's free.
Chris O'C via AccessMonster.com
identified this as the top reason for corruption in their tech support
incidents.
If you haven't had the problem yet, you will so take good advice when you get
it and split the db file.
Chris
Microsoft MVP
Cron wrote:
>There'll be 30 users max at any one time. I've never had corruption
>problems in the past with similar setups, why would this be an issue?
--
Message posted via AccessMonster.com
http://www.accessmonster.com/Uwe/Forums.aspx/databases-ms-access/200810/1
Cron
wrote:
> This has been an issue for more than 15 years. The Microsoft Access team
> identified this as the top reason for corruption in their tech support
> incidents.
>
> If you haven't had the problem yet, you will so take good advice when you get
> it and split the db file.
hmm... ok point taken. Is it OK to have a shared copy of the front end
linked to a seperate shared copy of the backend?
Chris O'C via AccessMonster.com
into a back end (contains tables and relationships) and a front end (contains
all other objects and links to the tables). The back end is put on the
network share and a copy of the front end is put on each user's desktop. The
users are linked to the back end tables but they aren't sharing the file
(like they've opened it in Access at the same time). They have a connection
thru the Jet or ACE db driver, but none of those connections are shared with
anybody else's db connection. So if one of those connections gets
disconnected (like a network cable is pulled), it doesn't affect the other
users' sessions.
Chris
Microsoft MVP
Cron wrote:
>Is it OK to have a shared copy of the front end
>linked to a seperate shared copy of the backend?
--
Cron
wrote:
> Nobody shares, really. Only one user per front end. The db file is split
> into a back end (contains tables and relationships) and a front end (contains
> all other objects and links to the tables). The back end is put on the
> network share and a copy of the front end is put on each user's desktop. The
> users are linked to the back end tables but they aren't sharing the file
> (like they've opened it in Access at the same time). They have a connection
> thru the Jet or ACE db driver, but none of those connections are shared with
> anybody else's db connection. So if one of those connections gets
> disconnected (like a network cable is pulled), it doesn't affect the other
> users' sessions.
>
> Chris
> Microsoft MVP
>
OK I'll do it like that so. Now back to the matter at hand... does
anyone know a way to add a trusted location to the registry using VBA?
or is there a way to digitally sign a database without packaging it?
Cheers for the help on this guys,
Ciarán
Chris O'C via AccessMonster.com
at those hundreds of workstations don't have the smarts to enable the content
by pressing a bar that pretty much says "contents disabled unless you press
here". You don't want to go to those hundreds of workstations yourself to do
it while each user is logged in. (The trusted locations are per user, not
per workstation, so unless the network is set up with roaming profiles - kind
of doubtful - you have a lot more work than you thought if students are
allowed to use more than 1 pc when using your app during the semester.) The
user who's executing the vba code needs to have enough permissions to write
to the registry. Most college networks are locked down so student users
don't usually have those permissions.
What kind of digital signature are you using that needs to be packaged to be
installed on each pc? You can't sign the files on one pc with your digital
certificate and copy the front end to each user's desktop and copy the back
end to the network server?
Chris
Microsoft MVP
Cron wrote:
>does
>anyone know a way to add a trusted location to the registry using VBA?
>or is there a way to digitally sign a database without packaging it?
--
Cron
wrote:
> Several flaws in your logic. The vba won't run because the college students
> at those hundreds of workstations don't have the smarts to enable the content
> by pressing a bar that pretty much says "contents disabled unless you press
> here". You don't want to go to those hundreds of workstations yourself to do
> it while each user is logged in. (The trusted locations are per user, not
> per workstation, so unless the network is set up with roaming profiles - kind
> of doubtful - you have a lot more work than you thought if students are
> allowed to use more than 1 pc when using your app during the semester.) The
> user who's executing the vba code needs to have enough permissions to write
> to the registry. Most college networks are locked down so student users
> don't usually have those permissions.
True, but if it was just a once off, I could tell the students to
click the enable content button. It just can't appear every time the
database is opened. You might be right about the registry edits being
disabled altho the settings do allow the change through access so I've
a feeling the security won't be smart enough to distinguish VBA from
access.
>
> What kind of digital signature are you using that needs to be packaged to be
> installed on each pc? You can't sign the files on one pc with your digital
> certificate and copy the front end to each user's desktop and copy the back
> end to the network server?
I'm not sure if that was a question but I tried this quickly on my
home network and it didnt work but I might have missed something. Is
the following possible...
Create a digital signiture using office.
Sign and package the database with it in access.
Unpack the signed package to a new computer and run as digitally
signed without problems??
Cheers,
Ciarán
Chris O'C via AccessMonster.com
that's the problem, so....
Chris
Microsoft MVP
Cron wrote:
>On Oct 8, 1:20 am, "Chris O'C via AccessMonster.com" <u29189@uwe>
>wrote:
>You might be right about the registry edits being
>disabled altho the settings do allow the change through access so I've
>a feeling the security won't be smart enough to distinguish VBA from
>access.
--
Cron
wrote:
> That's good news, it should work if you use vba. It's just enabling the vba
> that's the problem, so....
I also don't have a clue how to code it or if it's even possible
through VBA! ... hopefully someone in the neighbourhood will know ...?
Chris O'C via AccessMonster.com
network of pcs using Access 2003 but that takes a consultant who's a security
expert. (I've never seen it tried in Access 2007, so it might not be
possible on your network.) A normal developer won't be able to do it. A
normal developer needs a Thawte digital certificate or another commercial
certificate provider to distribute digital signatures at the organizational
level.
Chris
Microsoft MVP
Cron wrote:
>On Oct 8, 1:20 am, "Chris O'C via AccessMonster.com" <u29189@uwe>
>wrote:
>I tried this quickly on my
>home network and it didnt work but I might have missed something. Is
>the following possible...
>
>Create a digital signiture using office.
>Sign and package the database with it in access.
>Unpack the signed package to a new computer and run as digitally
>signed without problems??
--
Message posted via http://www.accessmonster.com
Cron
wrote:
> Are you using a self cert digital certificate? I've seen it work on a
> network of pcs using Access 2003 but that takes a consultant who's a security
> expert. (I've never seen it tried in Access 2007, so it might not be
> possible on your network.) A normal developer won't be able to do it. A
> normal developer needs a Thawte digital certificate or another commercial
> certificate provider to distribute digital signatures at the organizational
> level.
Yeah that must have been the problem I was having then. Microsoft are
a real pain in the ass with this crap sometimes. Right, I'll have a
look around tomorrow and see if can find some VBA to allow trusted
locations. It seems to be my best bet.
Thanks a lot for the help Chris!
Ciarán
Salad
> Several flaws in your logic. The vba won't run because the college students
> at those hundreds of workstations don't have the smarts to enable the content
> by pressing a bar that pretty much says "contents disabled unless you press
> here". You don't want to go to those hundreds of workstations yourself to do
> it while each user is logged in. (The trusted locations are per user, not
> per workstation, so unless the network is set up with roaming profiles - kind
> of doubtful - you have a lot more work than you thought if students are
> allowed to use more than 1 pc when using your app during the semester.) The
> user who's executing the vba code needs to have enough permissions to write
> to the registry. Most college networks are locked down so student users
> don't usually have those permissions.
I haven't migrated to 2007 yet so I don't understand the trusted
location concept you just stated. If I set "C:\A2007\Apps" as a trusted
folder wouldn't it be a trusted folder for all students?
Wouldn't Tony Toews AutoFe be a useful tool for distributing the
application to the students?
Lou O
I overcame this problem
I use IStool (free download) to install my app
It has a script for writing to the windows registry.
With it I set the trusted location of my app when I run the setup.exe
Let me know if you want more info
![Tony Toews [MVP]'s profile photo](http://lh3.googleusercontent.com/a-/ALV-UjVFNFhAO8kxGtutFBSPYzx5Lbrrty7WRKPHNhjuWtTEHvsoQdk=s40-c)
Tony Toews [MVP]
>Create a digital signiture using office.
>Sign and package the database with it in access.
>Unpack the signed package to a new computer and run as digitally
>signed without problems??
You should be able to digitally sign the MDB/MDE all by itself.
Tony
--
Tony Toews, Microsoft Access MVP
Please respond only in the newsgroups so that others can
read the entire thread of messages.
Microsoft Access Links, Hints, Tips & Accounting Systems at
http://www.granite.ab.ca/accsmstr.htm
Tony's Microsoft Access Blog - http://msmvps.com/blogs/access/
Tony Toews [MVP]
>Right, I'll have a
>look around tomorrow and see if can find some VBA to allow trusted
>locations.
All trusted locations are stored in the registry under:
HKCU\Software\Microsoft\Office\12.0\Access\Security\Trusted
Locations\LocationN
(where N is an integer)
To see what the entries should look like, just add a trusted location through the
Trust Center, then go to the registry to look at the key and see what it did. Note:
you cannot trust a specific file, but only at the folder level, so you'll want to
make sure that you're installing your app to a folder that contains only your
application and not other stuff.
You can add any key name you want unde Trusted Locations\ instead of using LocationN.
Such as Trusted Locations\My App or Trusted Locations\<generated GUID>
So what you could do is have a startup form with a big text comment telling the user
to click on Security prompt at the top of the Access window. Now the first thing
your VBA does is set the above Trusted Locations registry key, if not already there
and close the form and continue. If the VBA code is working because the Trusted
Locations key is set then this form is visible for a flicker.
You will need to use an API call to set the registry location. See vbnet.mvps.org.