Question

My application needs to read an option on startup to check if it should start in read-only mode. The option should not be allowed to be changed by the user.

I usually do this now using a value set in the HKLM\Software section of the system registry. The administrator sets the value and the users can't change it (they don't have rights to modify entries in HKLM).

The problem is that on a terminal server (or Citrix) machine this affects all users. I'd like to figure out a way to do this on a per-user basis. How do others handle this? Is there a section in the system registry for this kind of per user setting that the user can't change?

Thanks for any suggestions or comments!

Solution

This is essentially what the HKEY_CURRENT_USER\Software\Policies key is for, i.e. a key within the user-specific part of the registry that is by default read-only to the user himself.

By convention the key hierarchy should complement the one you already have under HKEY_CURRENT_USER\Software, e.g. if your regular user preferences are stored under HKEY_CURRENT_USER\Software\MyCompany\MyProgram then the protected user preferences (or "policies" in MS lingo) should be stored under HKEY_CURRENT_USER\Software\Policies\MyCompany\MyProgram.

Note that it is recommended to only set values under this key via Group Policy Objects and never by direct registry access.
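
The startup lookup described in the answer above, as an added example that is not part of the original answer. The `ReadOnly` value name, its REG_DWORD encoding, the fallback to the HKLM value from the question, and the fail-closed handling of malformed data are assumptions.

```python
"""Added example: resolve a read-only flag from the per-user policy key."""
try:
    import winreg  # Windows only; absent on other platforms
except ImportError:
    winreg = None

# Hypothetical names following the convention in the answer above.
POLICY_SUBKEY = r"Software\Policies\MyCompany\MyProgram"
MACHINE_SUBKEY = r"Software\MyCompany\MyProgram"
VALUE_NAME = "ReadOnly"  # assumed REG_DWORD: 1 = read-only, 0 = full access

# Lookup order: per-user policy first, then the machine-wide HKLM setting.
# HKCU\Software\MyCompany\MyProgram is deliberately absent: the user can write it.
SOURCES = (("HKCU", POLICY_SUBKEY), ("HKLM", MACHINE_SUBKEY))


def read_registry_value(hive, subkey, name):
    """Return (data, type) for a registry value, or None if it does not exist."""
    root = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}[hive]
    try:
        with winreg.OpenKey(root, subkey, 0, winreg.KEY_READ) as key:
            return winreg.QueryValueEx(key, name)
    except FileNotFoundError:
        return None


def is_read_only(reader=read_registry_value, default=False):
    """First source that defines the value wins; malformed data fails closed."""
    for hive, subkey in SOURCES:
        found = reader(hive, subkey, VALUE_NAME)
        if found is None:
            continue
        data, value_type = found
        if value_type != 4 or data not in (0, 1):  # 4 == REG_DWORD
            return True  # unexpected type or data: start read-only
        return data == 1
    return default


if __name__ == "__main__" and winreg is not None:
    print("read-only mode:", is_read_only())
```

The `reader` parameter exists so the precedence logic can be exercised without touching a real registry.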

OTHER TIPS

The concept of a per-user settings area that the user can't change doesn't really make sense - if they're user settings, "you" (the user) expect to be able to change them.

I can think of two alternatives:

  • Write your settings in HKLM, but have a different setting for each user and a global fallback setting for users without the setting set
  • Write them in HKCU, but use the registry security APIs to prevent them writing to it. You will probably need permissions greater than theirs to prevent them undoing the permission changes. I don't really like this option, but if you want to follow it you probably want to start with the RegGetKeySecurity and RegSetKeySecurity APIs. This article might be interesting as well.

Personally I think the first option would be the easiest, and also would involve less dodgy stuff in the user's registry tree. Hope that helps!

How about two settings?

1) Set a flag in HKLM specifying that read-only is the default behavior on this machine.

2) For any users that need full access, set a token in HKCU which enables full access.

The token could be a cryptographic hash of some salt plus the username, so it couldn't be copied to give permission to another user.

Why don't you store options in your own database? It seems reasonable and handy enough (at least to me 8) ) No problems with making a "portable" version of your product. No users bothering any settings you don't want them to bother.

What's wrong with HKCU instead of HKLM? This would be per-user. Unfortunately it could be changed by the user if the user knew how to edit the registry and find the key.

  • Take one of the files coming with your program, that should not be altered (at least not by the restricted user). If there is no such file, create one just for this purpose.
  • Let the administrator set read only rights to that file for those restricted users.
  • In the program check whether you have write access to that file.
Licensed under: CC-BY-SA with attribution