Oh, I can set the users up to trust a location; I'm just not allowed to do it through editing the registry. I have to send them through the Trust Center in Access.
Yep, with the Navy looking over my shoulder all of the time, I couldn't programmatically trust the time-of-day clock. (Slight exaggeration there for effect...)
Whoa! I made no claims that what I did was the correct solution - only that its how I deal with the issue of trusted locations and as such it works well.
When I was still employed in education, I was a teacher (latterly a Deputy Head) and also had no role in IT management or networking. Believe me, I know all about the wariness of IT teams to allow anyone or any application to 'tamper with' their systems. And to be fair they are right to do so.
Since retiring from teaching and focusing on being an Access developer, I have continued to experience many difficulties persuading some network staff to allow my Access apps to have read/write access to specified network folders containing files used by the app.
Too often they 'struggle to understand' that although the app needs access to the folders, the end users will have no access to the folders themselves.
In some cases, I have lost contracts because network teams won't budge.
Where I gain the contract, its because they've accepted what I'm doing is safe (or perhaps they haven't taken in the implications!!!)
As for trusted locations or trusted documents, however these are set, its important to understand that the information is written to the registry.
a) using a script during installation of the app means the user never sees the yellow security banner.
Part of my script adds lines like this to the registry:
Similarly for Access versions 12.0/15.0/16.0 to cover all bases
b) Using the trust centre to set the location as trusted
This creates EXACTLY the same types of entries in the same registry hive as shown above but for the folder you specify (& subfolders if that option was ticked). The registry entry will be saved somewhere like this (for A2010):
c) Clicking the Enable Content button in the yellow security bar adds a registry entry for that document (but not the whole folder).
In this case the registry entry (for A2010) is at:
My point is that if users are allowed to trust an individual file or a folder from Access, it is no different in practice to doing so via a script.
I'm sure you are both aware of this but others may not be....
Also once either folders or files are trusted, that remains trusted even when the database is updated
For info, my registry scripts also contain version & license information about each app as well as items such as the location of BE files & support files.
This is needed as each client will decide for themselves where these items will be saved to suit their own systems.
As I sell some of my apps to multiple clients e.g. schools, this registry information is vital when installing updates to ensure these are relinked successfully.
Oh, I wasn't slamming you. Yours is an awesome (and my preferred) approach...when I'm allowed to do it. In fact, I've done it before, but at my current employer (I don't know why I don't say the name, it's not THAT hard to figure out), direct programmatic modification of the registry is verboten unless you're actually in the IT department, and I'm not; I'm in Claims. And I'm fairly certain that most people asking for help here don't have that permission.
And I'm not slamming you either. I just was not ever IN an environment where I was allowed to do that programmatically. My point was "know your I.T. department - because sometimes what you don't know CAN hurt you."
No problems - I just wanted to set the record straight for the benefit of others ....
As already stated, I lost a few contracts when I stated it was a requirement that specified network folders had to have read/write access for the app to run. In more than one case, the fact that the registry needs to be modified so Access files can run code was enough for them to say a big NO to any use of Access.
However in the majority of cases, I got my way & it made both initial installation & updates a breeze to do with no more than occasional remote support
I'm lucky that I have access to our domain admin logins and that it is a small shop with just one other IT worker, the official network admin. Plus the manager is in an office where I can talk to him from my desk.
But I don't have to fool around with the Trusted Locations.
I still develop in mdb and distribute signed mde. Dumbest thing Microsoft did when introducing the accd* format was taking away the ability sign the file. We have our own CA and distribute the certificates through Group Policy. Users don't get any warnings.
In fact, I've done it before, but at my current employer (I don't know why I don't say the name, it's not THAT hard to figure out), direct programmatic modification of the registry is verboten unless you're actually in the IT department, and I'm not; I'm in Claims. And I'm fairly certain that most people asking for help here don't have that permission.
