Tuesday, September 01, 2015

KeePass enforced configuration

I don't know why but despite all of my searches, I haven't been able to find a good tutorial on how to deploy KeePass with an enforced configuration (set parameters that users cannot change).

First, deployment: You can deploy the .msi and the related files using GPO, for example. But there is an easier way: simply copy the KeePass folder that contains the .exe to a network share.  Make sure only admins (only admin accounts, not your regular account). have write access to this share, all other users read-only. To do that you can install KeePass on your computer temporarily an copy the folder that is in the Program Files folder.

Second, configuration enforcement: execute the local version of KeePass that you installed for step one.  Set the parameters as you would like them, then close KeePass.  A configuration file will be created in C:\Users\$username\AppData\Roaming\KeePass\KeePass.config.xml.  You can create a copy of this file that you will name KeePass.config.enforced.xml in the KeePass directory that you've put on the network share. One thing left: remove the "<LastUsedFile>" section from your enforced.xml file (http://sourceforge.net/p/keepass/discussion/329220/thread/0e379d6d/#a8bf). If you don't, KeePass will not remember the last used database, forcing your users to manually open the last used database each time.  You can also delete the "<Items>" sub-section of the "<MostRecentlyUsed>" section and replace it by just by "<Items />".

Have fun!


Post a Comment

<< Home