Access "A potential security concern has been identified" when opening DBs off intranet - GPO??

We have just recently begun using Access Runtime 2010 to open corporate databases stored on our DFS share - rather than Access 2003 (proper).  Every time I open any DB, Access Runtime 2010 gives a warning as seen in the screenshot below.  I would expect this to appear if I was opening a DB from an email attachment, but I want to stop it from doing so for the LAN's DFS share.  I would like a group policy solution, if possible.

I have looked in User Config -> Admin Templates -> MS Office 2010 -> Security Settings -> Trust Center, and have put the folder containing the DB into "Trusted Location #1"

But it is still happening.

By the way, the client machine is a Windows Server 2008 R2.

One thing I have checked (don't know if it is connected) is to see if Windows Explorer sees the folder as Local Intranet when I browse to it - but Windows 7/2008 doesn't show this info like XP used to.  Annoying!

Scott McDaniel (Microsoft Access MVP - EE MVE) Infotrakker Software Commented:
You'd need to add the location where your databases are stored as a Trusted Location in Access. This would need to be done on each workstation. AFAIK you can't do this with the runtime, but you add it directly to the registry of each machine. You can build a .reg file to "merge" with the workstation's registry (which basically adds the items needed). It would look something like this:

"Path"="C:\\Path To Your Folder"

Build this as a standard Text file, then save it with a .reg extension. Right click on it and select Merge, and this should add the item to your Trusted Locations. You'd need to do this as an Admin level user, of course, and I'd strongly encourage you to test this thoroughly before using it on your workstations (and backup your registry before you try this merge).

The only caveat is the name you use (the SomeName item above) must be unique for that machine.
meirionwyllt (Author) Commented:
Oh no!  Is that true?  I won't be able to use this method, because our users have roaming profiles, and so the machine name will be different every time.

We use Citrix XenApp to publish a WS2008R2 desktop to a thin client device.  It's only the desktop being published, i.e. not a full VDI, and it's from this desktop that the user will be launching these shortcuts.

There are 50-odd XenApp servers for 2000-odd users.  So, the only way of getting your solution to work would be if I made a GPO with preferences, created 3 registry entries in it - for the first XenApp server, but do this 50 times, one for each server - so ending up with 150 registry entries filling up the users' profiles.

Is there no other way?  Anyway, can't this be a Machine setting rather than a user one?

Thanks for your input.
Scott McDaniel (Microsoft Access MVP - EE MVE) Infotrakker Software Commented:
Given your environment, you may be able to add the location to the Trusted Sites zone in Internet Explorer. I have no idea if you can do this via a GPO policy or not, but you can try it to see.

Other things about trusting.
The trust center has trusted locations...but there are also trusted publishers.
You may be able to digitally sign your db's so that they are trusted by the client.
Given the scope of your problem, that may be simpler.
johnb6767 Commented:
I think that configuring the Intranet Zone would be more appropriate as a whole for the IE Zone Config....

And regarding the first comment by LSMComputing in http:#36543907

Wouldn't that "Path" value be "Path"="\\\\server\\share\\" (since we are talking about a network location, unless I am interpreting that reg mode differently)?

That way, it would follow your Roamers....
Scott McDaniel (Microsoft Access MVP - EE MVE) Infotrakker Software Commented:
I don't know that you can set a UNC as a Trusted Location, but if so I don't see any reason why you couldn't do that.
When I put a mapped drive in, it auto-magically changes it to a UNC.  In the GUI there is a checkbox for 'allow trusted locations on my network'. If you're reghacking, the appropriate setting for that needs to be worked out too.
Just adding the FQDN to the Intranet Zone should be sufficient...

Only reason I suggest this, is that you can often run into Authentication issues on Intranet sites, and if you change settings like the Integrated Authentication methods to the Trusted Sites, you might break some websites.....

Least having them separated, you can manage settings individually.....
meirionwyllt (Author) Commented:
Right, I've started from the beginning - adding the UNC path of the DB folder into group policy.

I've added it to User Config -> Admin Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Security Page -> Site to Zone Assignment List

First I added \\DFS-share\DBfolder\* and gave it a value of 1 (Local Intranet), but this makes no difference.  Then I tried to give it a value of 2 (Trusted Sites Zone), but then I get a prompt that didn't appear before - please see attachment for this.  I don't know why putting it in the Trusted Sites zone would cause this.

Any ideas?
Scott McDaniel (Microsoft Access MVP - EE MVE) Infotrakker Software Commented:
This is the publisher warning. You can set the Macros Security to Low for your workstations, but I'm not sure you can do that on a GP basis, and of course any security changes expose you to more risk.

You could always sign the databases with a commercial Digital Certificate. You may already have one, if you're working in a large corporate environment, or you can purchase one fairly cheaply these days. You could also use a self-certificate, but you must export and install several files on each machine in order to make this work.
meirionwyllt (Author) Commented:
Right, macro security in Access 2003 can be very easily set with Group Policy, however, in Access 2010 I think they've changed how it deals with security from top to bottom, and as a result there is no Macro Security as such in Access 2010.

Do you know what the equivalent of Macro Security would be in Access Runtime 2010?

Scott McDaniel (Microsoft Access MVP - EE MVE) Infotrakker Software Commented:
The concepts are the same as before, but the way you get to them has changed:

I'm not sure how you'd do this with the Runtime, however.

By far the easiest way is to start the database via a script file which sets the macro security level to low for that single invocation of Access. This does not require a certificate, or a registry change, and it does not affect any other database(s) - just the one being started by that script.
E.g. in VBScript:
Dim o
Set o = CreateObject("Access.Application")
o.AutomationSecurity = 1 ' 1 = msoAutomationSecurityLow: macro security LOW for this instance only
o.OpenCurrentDatabase "full path to your database"
o.UserControl = True ' keep Access open for the user after the script ends
Set o = Nothing
The HiTechCoach has a link off his site how to add Trust Center locations via VBA.
Kudos to THTC and Doug Steele
Public Function AddTrustedLocation()
On Error GoTo err_proc
'sets registry key for 'trusted location'

  Dim intLocns As Integer
  Dim i As Integer
  Dim intNotUsed As Integer
  Dim strLnKey As String
  Dim reg As Object
  Dim strPath As String
  Dim strTitle As String
  strTitle = "Add Trusted Location"
  'RegRead / RegWrite are methods of the Windows Script Host shell object
  Set reg = CreateObject("WScript.Shell")
  strPath = CurrentProject.Path

  'Specify the registry trusted locations path for the version of Access used
  strLnKey = "HKEY_CURRENT_USER\Software\Microsoft\Office\" & Format(Application.Version, "##,##0.0") & _
             "\Access\Security\Trusted Locations\Location"

On Error GoTo err_proc0
  'find top of range of trusted locations references in registry
  For i = 999 To 0 Step -1
      reg.RegRead strLnKey & i & "\Path"
      GoTo chckRegPths        'Reg.RegRead successful, location exists > check for path in all locations 0 - i.
checknext:
  Next
  MsgBox "Unexpected Error - No Registry Locations found", vbExclamation
  GoTo exit_proc

chckRegPths:
'Check if Currentdb path already a trusted location
'reg.RegRead fails before intlocns = i then the registry location is unused and
'will be used for new trusted location if path not already in registry

On Error GoTo err_proc1:
  For intLocns = 1 To i
      reg.RegRead strLnKey & intLocns & "\Path"
      'If Path already in registry -> exit
      If InStr(1, reg.RegRead(strLnKey & intLocns & "\Path"), strPath) = 1 Then GoTo exit_proc
NextLocn:
  Next

  If intLocns = 999 Then
      MsgBox "Location count exceeded - unable to write trusted location to registry", vbInformation, strTitle
      GoTo exit_proc
  End If
  'if no unused location found then set new location for path
  If intNotUsed = 0 Then intNotUsed = i + 1

'Write Trusted Location registry key to unused location in registry
On Error GoTo err_proc:
  strLnKey = strLnKey & intNotUsed & "\"
  reg.RegWrite strLnKey & "AllowSubfolders", 1, "REG_DWORD"
  reg.RegWrite strLnKey & "Date", Now(), "REG_SZ"
  reg.RegWrite strLnKey & "Description", Application.CurrentProject.Name, "REG_SZ"
  reg.RegWrite strLnKey & "Path", strPath & "\", "REG_SZ"

exit_proc:
  Set reg = Nothing
  Exit Function

err_proc0:
  'no key at this location number: keep scanning downwards
  Resume checknext

err_proc1:
  'first gap in the numbering is remembered as the free slot
  If intNotUsed = 0 Then intNotUsed = intLocns
  Resume NextLocn

err_proc:
  MsgBox Err.Description, , strTitle
  Resume exit_proc
End Function
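
To see which Trusted Locations Access will actually find for a user, the read-only PowerShell below lists both the user-set entries (the key the VBA above writes to) and the ones delivered by Group Policy, together with the "allow trusted locations on my network" value mentioned earlier in the thread. It is an added example, not code from any poster; it assumes Office 2010 (version key 14.0), and the function name Get-AccessTrustedLocation is made up for this example.

```powershell
# Added example: list Access Trusted Locations for the current user (read-only).
# Assumption: Office 2010, i.e. version key 14.0; change $OfficeVersion for other releases.
$OfficeVersion = '14.0'
$Hives = @{
    User   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Access\Security\Trusted Locations"
    Policy = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\Access\Security\Trusted Locations"
}

# Hypothetical helper name, not a built-in cmdlet.
function Get-AccessTrustedLocation {
    foreach ($source in $Hives.Keys) {
        $root = $Hives[$source]
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # AllowNetworkLocations = 1 is the "Allow Trusted Locations on my network" checkbox.
        $allowNet = (Get-ItemProperty -LiteralPath $root).AllowNetworkLocations

        foreach ($key in Get-ChildItem -LiteralPath $root) {
            $props = Get-ItemProperty -LiteralPath $key.PSPath
            if (-not $props.Path) { continue }   # skip keys with no Path value

            $isUnc = $props.Path.StartsWith('\\')
            New-Object PSObject -Property @{
                Source                = $source
                Name                  = $key.PSChildName
                Path                  = $props.Path
                AllowSubfolders       = ($props.AllowSubfolders -eq 1)
                IsUncPath             = $isUnc
                AllowNetworkLocations = $allowNet
                # A UNC entry without AllowNetworkLocations=1 in the same hive deserves a second look.
                Review                = ($isUnc -and $allowNet -ne 1)
            }
        }
    }
}

Get-AccessTrustedLocation |
    Select-Object Source, Name, Path, AllowSubfolders, IsUncPath, AllowNetworkLocations, Review |
    Format-Table -AutoSize
```

Run it in the affected user's session (for example on the published XenApp desktop), since both keys live under HKEY_CURRENT_USER. Paths given as mapped drive letters are not flagged as network paths by this check.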
That dialog is normally seen when the ADS Zone Identifier has tagged the file as being from the internet/another machine. Right click the file>properties, and see if there is an "unblock" button....
meirionwyllt (Author) Commented:
OK, now I've gotten rid of the "Open File - Security Warning" - it was just something that needed to be adjusted in my Trusted Sites group policy settings.  I am now back to having the information bar showing...

"This database has been opened read-only. You can only change data in linked tables..."

So now it doesn't matter if the "Site to Zone Assignment List" setting of my IE group policy has the share set as Intranet or as Trusted Sites - the Read-only warning occurs regardless.

I've been reading your suggestions above, and, Argh!! This is typical Microsoft - making a meal out of something that should be very simple to do!

We have about a hundred of these databases, and at the moment we are using Citrix XenApp (published content) to leave a shortcut to various databases on the desktop of the relevant users.

So I'll have to forget about having them digitally signed I think as it would take too long.

Nick67 - The "Allow trusted locations on my network" is already Enabled via Group Policy.

johnb6767 - No, there isn't an Unblock button in the properties of the .ade file.

After writing all this, I tried moving one of the databases to a non-DFS share on another server and running it from there, and it didn't show a warning - great.  So I thought it might be a DFS issue.  But no, because I then bypassed DFS and ran it directly from the DFS source location, and it still gave a warning.

So, what can be the difference between one server and another, in terms of security?  Can you suggest places I should check?  I think we can rule out IE Security Zones, and Access 2010 Trusted Locations, as being the issue here - because the server on which it works is not listed in either of these.

meirionwyllt (Author) Commented:
Further testing has concluded that it's a permissions issue.  Users can do what they want on their home share (which is where it worked without warning) but only have read access on our 'software distribution' share, for obvious reasons.

But, when these .ade are opened normally, no file is created (i.e. no lock file or anything), so I don't see why this would need modify permissions.  And I don't see why the .ade file would need to be modified upon opening, especially since it is only connecting to an SQL back-end.

Any ideas?
What is happening inside any MSys tables may not be readily apparent, amongst other things.
And the lock file may not be created BECAUSE of the permission issue, and that may be throwing the read-onlyness.
meirionwyllt (Author) Commented:
No, I can confirm that the lock-file doesn't appear if the .ade is opened in a folder with full permissions - even when all hidden and system files are showing.
<"This database has been opened read-only. You can only change data in linked tables..."
So now it doesn't matter if the "Site to Zone Assignment List" setting of my IE group policy has the share set as Intranet or as Trusted Sites - the Read-only warning occurs regardless.>
<but only have read access on our 'software distribution' share, for obvious reasons.>

If they are opening a file in a read-only location, are you surprised that a read-only warning is coming up?
meirionwyllt (Author) Commented:
No, but there should be a way of switching this off, because I know the .ade file doesn't need to be modified.  The .ade files have been fairly locked down, and multiple users can open them simultaneously.
<No, but there should be a way of switching this off>
I don't know of one.
All the Office programs slobber-knock you if they are read-only.
It doesn't matter if you don't want to change the file.  The warning is that you can't.
meirionwyllt (Author) Commented:
OK, I've resorted to changing permissions on the relevant folders now to get rid of the error.