Using CasPol to Fully Trust a Share

Since network shares by default only get LocalIntranet permissions, it’s relatively common to want to use CasPol to fully trust some shares that you control and know are safe.  However, CasPol syntax being what it is, the command to do this isn’t immediately obvious.  If I wanted to trust everything on the share \\ShawnFa-Srv\Tools, the command:

CasPol.exe -m -ag 1.2 -url file://\\ShawnFa-Srv/Tools/* FullTrust


Would set up the policy to do what I needed.  Let’s break down this command:

  • -m  – modify the machine level of the policy.  This is needed, since the machine level is where all of the default policy lives.  On NT platforms it’s also the default level that CasPol works with; however, on Win9x, CasPol will default to the user level, so putting -m in the command line explicitly tells CasPol to use the correct level.

  • -ag 1.2  – add a code group under group 1.2.  In the default policy, group 1.2 is the LocalIntranet group, so the new code group that we’re creating will only be checked if the file comes from the intranet.

  • -url file://\\ShawnFa-Srv/Tools/*  – The membership condition for the new code group should be a UrlMembershipCondition, and it should match anything with a URL that starts with file://ShawnFa-Srv/Tools, meaning that any file on the \\ShawnFa-Srv\Tools share will match this code group.

  • FullTrust  – The permission set to grant assemblies that match the code group.  In this case, FullTrust.

Once you know the pattern, it’s pretty easy to modify this command line to do slightly different things.  For instance, if I want to trust only a specific non-strongly named assembly on my share, I might use

CasPol -m -ag 1.2 -hash SHA1 -file \\ShawnFa-Srv\Tools\CodeCSS\CodeCSS.exe FullTrust


Which will create a hash membership condition that matches the SHA1 hash of the CodeCSS.exe file.

When I install a new build of the runtime, my install script actually ends with two lines that do just this:

CasPol.exe -pp off -m -ag 1.2 -url file://\\ShawnFa-Srv/Tools/* FullTrust
copy config\security.config config\security.config.default


Which trusts everything coming off of a share on my computer, and then makes a copy of that policy as the new default, so that all future calls to CasPol -all -reset do not remove this modification.
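To review what commands like these have added to machine policy, the following added example (not code from the original post) parses a `caspol -m -lg` listing and reports each Url code group that grants FullTrust, how wide its match is, and whether it sits under the Intranet zone group. The sample listing is constructed, and the scope names and flags are this example's own labels.

```python
import re
from dataclasses import dataclass

# Constructed listing in the layout `caspol -m -lg` prints (not captured from a real machine).
SAMPLE_LG = r"""
1.  All code: Nothing
   1.1.  Zone - MyComputer: FullTrust
   1.2.  Zone - Intranet: LocalIntranet
      1.2.1.  All code: Same site Web
      1.2.2.  All code: Same directory FileIO - 'Read, PathDiscovery'
      1.2.3.  Url - file://\\ShawnFa-Srv/Tools/*: FullTrust
      1.2.4.  Url - \\*: FullTrust
      1.2.5.  Url - file://\\ShawnFa-Srv/*: FullTrust
      1.2.6.  Url - file://v:: FullTrust
   1.3.  Zone - Internet: Internet
   1.4.  Url - file://z:/*: FullTrust
"""

LINE = re.compile(r"^\s*((?:\d+\.)+)\s+(.+?)\s*$")  # "1.2.3.  <condition>: <permission set>"
DASH = re.compile(r"\s[-\u2013]\s")                 # ASCII hyphen, or an en dash from a pasted listing
BROAD = {"any-host", "whole-server"}                # scope labels are this example's own


@dataclass
class CodeGroup:
    label: str    # position in the tree, e.g. "1.2.3"
    kind: str     # membership condition type: "Url", "Zone", "All code", ...
    value: str    # membership condition value ("" when there is none)
    permset: str  # permission set granted by the group


@dataclass
class Finding:
    label: str
    url: str
    scope: str
    flags: list


def parse_lg(text):
    """Return {label: CodeGroup} for every code-group line in a -lg listing."""
    groups = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                      # banner, "Code Groups:", "Success", blank lines
        cond, sep, permset = m.group(2).rpartition(": ")
        if not sep:
            continue
        parts = DASH.split(cond, maxsplit=1)
        value = parts[1].strip() if len(parts) > 1 else ""
        label = m.group(1).rstrip(".")
        groups[label] = CodeGroup(label, parts[0].strip(), value, permset.strip())
    return groups


def url_scope(value):
    """Classify how much code a Url membership condition can match."""
    v = value.replace("\\", "/")
    v = re.sub(r"^file:/*", "", v, flags=re.I).lstrip("/")
    if re.match(r"https?://", v, flags=re.I):
        return "web"
    if not v.endswith("*"):
        return "exact-url"                # no trailing *, so only that one URL matches
    segs = [s for s in v.rstrip("*").split("/") if s]
    if not segs:
        return "any-host"                 # e.g. \\* : every UNC path
    if re.fullmatch(r"[A-Za-z]:", segs[0]):
        return "drive" if len(segs) == 1 else "drive-folder"
    return "whole-server" if len(segs) == 1 else "share"


def audit(text):
    """List every Url code group that grants FullTrust, with review flags."""
    groups = parse_lg(text)
    findings = []
    for g in groups.values():
        if g.kind != "Url" or g.permset != "FullTrust":
            continue
        scope = url_scope(g.value)
        flags = []
        if scope in BROAD:
            flags.append("broad")
        if scope == "exact-url":
            flags.append("no-wildcard")
        parent = groups.get(g.label.rpartition(".")[0])
        if not (parent and parent.kind == "Zone" and parent.value == "Intranet"):
            flags.append("outside-intranet-zone")   # the URL match alone decides the grant
        findings.append(Finding(g.label, g.value, scope, flags))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LG):
        print(f"{f.label:6} {f.scope:13} {','.join(f.flags) or 'ok':28} {f.url}")
```

Run it over the listing from each CLR version's own caspol.exe, since every version (and bitness) keeps its own policy.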

Comments (73)

  1. corbin says:


    I’ve added FullTrust to a share where we launch an application and it takes a heck of a long time. Are there factors (other than the network speed / latency) that would slow down a .NET application starting from a network share?

    Thanks! BTW very helpful blog entry.

  2. Uwe says:

    Just tried

    CasPol.exe -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust

    and got the message

    Are you sure you want to perform this operation? (yes/no)

    which I had to confirm with YES, of course.

    I thought I can use CasPol.exe to write a custom setup action to perform this update, but I don’t want the user to be displayed this message. Any chance to do the same, WITHOUT the message?

  3. Nick Webb says:

    Regarding the -url parameter (e.g.)

    CasPol.exe -pp off -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust

    If EXE’s are placed in subfolders under the root of the share are they automatically granted FullTrust? (e.g. //ShawnFa-Srv/Tools/subFolder/someprog.exe )

    If yes, then I’m doing something wrong because they’re not on my system?

  4. Preben says:

    Very useful, thanks.

    Why can’t Microsoft be so clear in the doc?

    BTW: It can be nice to give the code group a name: add: -name "name" to secpol.exe cmd.line.

  5. One of the V1 decisions we made was to not allow partially trusted callers in our policy framework. …

  6. I am trying to add a full trust to a share,

    so the VS will allow me to run a solution from a share.

    the Share is located at


    and the Solution knows it as


    what do i do ?

    Your solutions didn’t work for me.


  7. You have to trust the share with the name that the managed code sees, so if it’s accessible via S:Projects your URL would be file://s:projects


  8. xmasangel says:


    I have tried to turn .Net security off…no dice

    I have tried to submit an edited security file with security and execution checking off… no dice still says security is on

    I have added a group to the intranet as indicated in the blog above…put FullTrust still no access… the error that I get indicates that the assembly is not trusted.

    I don’t want to have to register every single executable or is that the only way to solve the problem?:

  9. Are you sure you’re using a matching caspol and runtime?  Settings applied to v1.1 don’t affect apps running against v2.0.  Similarly v2.0 32bit and v2.0 64bit are separate.


  10. Every once in a while someone will ask how they can do something similar to these caspol commands from…

  11. Jesse Albert says:

    Ok, I’ve got a script I made to fully trust a share using caspol.  The problem is that it will only work on machines that have the SDK installed.  I can open the security.config file and I can see the group, but the code will not run.  The command line I’m running to get the permissions is:

    call %windir%\Microsoft.NET\Framework\v2.0.50727\caspol -q -m -ag 1.2 -url %1* FullTrust -n %1 -d "FullTrust granted to:  %1"

    where %1 is the server share (eg \\server01\share)

    On a machine where I do have the .NET Framework 2.0 configuration utility, this works like a charm.  On similar machine without this, no dice.  Any clues that can point me in the right direction?

  12. Jesse Albert says:

    That link led me to check some other things out.  Since I control the code I was able to check what kind of permissions were being requested.

    Turned out that the computer with the SDK installed was running the code from the Intranet group.  While the computer without the SDK was running it from the Internet group.  Both computers are on the domain with the same login credentials and running the code from a network drive, so I’m a bit perplexed as to what’s causing the difference, however this provides a fix since none of the end users for the app will have the SDK.  Problem worked around until I test it out a bit more 😉  Thanks!


  13. Mike Taverne says:

    Shawn –

    I want to use an ActiveX control written in C# 2.0 in an intranet ASP.NET application.

    The control downloads fine on my computer, but only after I used the 2.0 Configuration tool to adjust my LocalIntranet zone security to FullTrust. My IE zone security setting for LocalIntranet is at the default, Medium-Low.

    End users have the .NET 2.0 Framework installed, but not the 2.0 Configuration applet. Even if they did, we wouldn’t want them to manually change their configuration.

    What I’m wondering is how best to deploy security policy? Can we run CasPol on end user PC’s to grant FullTrust to our intranet application? I have tried various combinations of parameters to CasPol, with no luck.

    Thanks, Mike

  14. Caspol can be run on the users machine, or you can install the configuration wizard and push an MSI out to each of them.  Since you’re using ActiveX, ClickOnce won’t help you out, but that’s generally where I’ll point people to shipping v2.0 apps off of a share.


  15. DaveB says:


    I’m having trouble with the caspol command.  Our developers are building a new app based around sharepoint and need us to register some components on every workstation. For business reasons our desktop environment is locked down – no power user access etc.

    I have 3x commands that i need to run that I have listed below in order:

    Command 1:

    "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol" -quiet -m -ag "LocalIntranet_Zone" -url "http://<my server name>/*" Nothing -n "My App Data Folder"

    Command 2:

    "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol" -quiet -m -ag "My App Data Folder" -custom "C:\Program Files\Microsoft Office\OFFICE11\ADDINS\msosec.xml" FullTrust -n "My App Data Documents" -d "Grants full trust"

    Command 3:

    "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol" -quiet -m -ag "LocalIntranet_Zone" -url "\My Server Namevsto*" FullTrust -n "My App Development Assembly" -d "Grants full trust"

    Now when I run this at the command prompt it seems to be all general goodness, I can access my site and our developers are quite happy, but the problem is command 2. After executing this I get prompted with the following message:

    You have added the following assembly to the policy system: msosec 7.0.5000.0

    If you do not add this assembly to the full trust list, load errors and other unexpected behavior can occur.  However, adding the assembly to the full trust list gives all code in this assembly potentially dangerous abilities.  Do you want to add this assembly to the full trust list? (yes/no)

    My objective is to run this command on a pile of workstations bundled up in an SMS job. I don’t need this prompt because when my script executes silently the user can’t see or respond to this message.

    I have tried nearly every option on the caspol -help screen for turning stuff off but have hit a blank – any ideas gratefully accepted



  16. Hi Dave,

    Normally you would use caspol -pp off to cause caspol to no longer prompt for confirmation.  However, it appears that there is a bug where caspol does not respect that setting when adding an assembly to the full trust list.

    One workaround is that you could pre-populate the workstation’s full trust lists with the msosec.dll assembly, since caspol will not prompt if the assembly is already on the list.


  17. Jayshree Gohil says:

    Awesome, very straight forward n clear explanation. Kudos to Shawn

  18. Jeff Hayward says:

    We used caspol.exe on a server functioning as Windows Terminal Services.  caspol.exe was run on that server to grant full trust to an application on a second server. This worked fine for a while (and still does for most users). However, when we add new users to the domain and give them access to this machine, they cannot run the application (they get the "…has encountered a problem and needs…" message indicating that the trust does not exist).  We have been unsuccessful getting any new users to be able to run the application.  If we remove .Net 2.0, reinstall, no users can run the application.  If we then run caspol.exe , the original set of users that could run the application can now run it again, but none of the new users can run it.

    Any ideas?


  19. Hi Jeff,

    One thought is that some users have modified their user-level security policy, and it is not granting the share full trust.  If you check the user level policy in caspol:

    caspol -u -lg

    It should show that AllCode gets FullTrust and nothing else.

    You can also try caspol -all -rsg <path to assembly on server>, which will dump out the groups that the CLR is matching when resolving policy for your server.


  20. Diederik says:

    How would one create a functioning grouppolicy for active directory use?

    We want to run a program from a share on 20 terminalservers, and i like to make just one setting 🙂

  21. Hi Diederik,

    You’ll need to use the MMC snap-in to export your security policy to an MSI file.  (Right click on the security policy and export to MSI should be an option).  Then you can deploy this MSI file to your domain.  The MSI does not contain any merge logic however, it will literally overwrite the existing security policy with a copy of the policy from your local machine.


  22. Idriss says:


    just to be sure, so If I want to run a windows app over the network, I need to create a machine policy on that computer and then copy it to everyone’s PC that needs to access that program.



  23. Yep Idriss — that’s correct, you need to deploy that policy to every client machine that will run your application.  Alternatively you could look at ClickOnce deployment, which does not rely on machine security policy.


  24. Sai says:

    Hi Shawn

    I am trying to use CasPol to fully trust a share. I have .Net installed on my PC. When I issue the following command

    C:>caspol.exe -m -ag 1.2 -url file:\uhscorpsustain/Tools/* FullTrust

    The output I get is

    Microsoft (R) .NET Framework CasPol 1.0.3705.6018

    Copyright (C) Microsoft Corporation 1998-2001. All rights reserved.

    ERROR: Invalid option: -m

    Usage: caspol <option> <args> …

    caspol -m[achine]

       Modifier that makes additional commands act on the machine level

    caspol -u[ser]

       Modifier that makes additional commands act on the user level

    caspol -en[terprise]

       Modifier that makes additional commands act on the enterprise level




    Why am I getting this error and how can I make the command work? Any help is greatly appreciated.



  25. Hi Sai,

    I see this most often if the caspol command line has been copied and pasted from a program such as Word or Outlook which replaces a – with a fancier character that looks similar to -, but is not the same.  I recommend typing the command line by hand to see if that solves your problem.


  26. Sai says:

    Hi Shawn

    You solved my problem. Now I understand that copy and paste does not work sometimes in cmd. Learnt a lesson here. You are the man.



  27. james says:

    Several people have commented about getting the (yes/no) prompt when using caspol.  Have we all forgotten the command line?  Simply echo y|caspol and the problem is solved

  28. Hi James,

    That will work, however caspol also has built-in functionality for that.  If you do:

    caspol -pp off

    It will suppress the prompt as well.


  29. johnf says:


    I need to run a VB.NET 2005 app as a logon script.

    Would it still be appropriate to grant "FullTrust" to the "\\server\netlogon" share? OR is there a better way?



  30. Hi John,

    You could certainly do that if you trust your internal network.  Another option would be to sign your scripts and trust the signature.


  31. David says:

    I am trying to do my first .net install.  The program is to be used via a citrix environment.  I have run the caspol settings on the .exe’s computer however I get the security message still.  How can I check to see where the security is being pulled from and can I check/run caspol when my program starts to set the appropriate security?


  32. Hi David,

    Security policy must be updated on the machines that run the application, not the machine that hosts the application.  Otherwise malware would just say "trust me, Evil.exe is trusted!".

    For the same reason, partial trust code cannot say "Hey, I’m trusted — let me just elevate my permissions."  Your best bet is to use ClickOnce to deploy your application.


  33. Ingo says:


    we use Windows Vista 32bit EE or BE and tried caspol for our (web-)development shares. Even though the command itself works fine and the share is correctly in the list of trusted locations, whysoever VS2005 is still believing that the share isn’t trusted?!

    Do you have an idea what else we can try?

    Thanks in advance,



    We thought that somehow the domain policies might interfere and tried the same thing with a machine outside the domain but with proper access rights to the share – the result is the same.

  34. Guy kolbis says:

    Recently I visited Toronto for Beta release of software I designed. As always with Beta versions, we

  35. Hugo Dias says:

    Shawn, plz help me out

    im driving crazy..!!

    i’ve made a Console Application and copied the EXE to a shared folder in the network.

    The Console Application will be called from a JOB in SQL SERVER… and everytime the JOB calls the APP i getting an error:

    Request for the permission of type ‘System.Data.SqlClient.SqlClientPermission, System.Data, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.


    Request for the permission of type ‘System.Security.Permissions.FileIOPermission, mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.

    The SQL SERVER and the shared folder are in the same machine…


    the path to shared folder is:


    the path to the program is


    i have done the command:

    caspol -addfulltrust \betaSql_tempAppCIDSca.exe

    and also tried the caspol -addgroup -url file:\betaSql_temp/* FullTrust

    but i always get that error….

    what can i do…?

  36. Matt says:

    Hi there,

    We have recently installed .NET 2.0 to our web servers (3 in a cluster talking to a Network Share). We previously had to set each web server to have full trust permissions to the share for .NET 1.1 to work. However, it seems this has not helped for .NET 2.0

    If i run: CasPol.exe -m -ag 1.2 -url file://ShawnFa-Srv/Tools/* FullTrust

    will this resolve the problem for .NET 2.0 or do I need to add more parameters to the CasPol.exe?

    What is interesting is that .NET 2.0 applications work if they are created as Web Sites in VS 2005 and not Web Projects (compiling to a BIN).

  37. srini says:

    Hi Shawn,

    I have a c# 2.0 exe which has some file IO commands where it checks whether a file is there (File.Exists).

    When I copy this exe on a network share and run it, I get this error

    Request for the permission of type ‘System.Security.Permissions.FileIOPermission

    , mscorlib, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089′ f


    I have given Full Trust like what you have specified and the command works great, why do I get this error message

  38. Hi Srini,

    You get the error because by default Intranet applications do not have rights to check for files on the local machine.  Once you elevate the permissions using caspol, it has permission and the code succeeds.


  39. Hi Matt,

    You’ll of course need to substitute \\shawnfa-srv\tools\* with your own server and share 🙂  Since each CLR version has its own policy you’ll need to make the changes to every version of the CLR (1.1, 2.0 32 bit, 2.0 64 bit) that you intend to run ASP.NET applications against.


  40. Hi Hugo,

    You don’t want the -addfulltrust command, this is for setting up policy assemblies and is obsolete in v2.0 of the framework.  One thing to check with your other command line is to make sure that you’re matching the caspol version to the runtime version that your assemblies will be running against.  You can also use caspol -rsg <assembly> to see what code groups your assembly is matching.


  41. Hi Ingo,

    I’ve noticed that behavior too 🙂  Unfortunately VS isn’t smart enough to do a policy resolution against your assembly (and it really can’t since it doesn’t know the full set of evidence for the assembly until it is loaded).  Because of that it will give you the warning whenever you load any code from a network share.  If you’ve set up policy properly, it should be safe to ignore.


  42. A K S says:


    i’m getting error System.Security.SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission, System, Version=, Culture=neutral, PublicKeyToken=b77a5c561934e089’ failed.

    can anybody help me out by setting up security trust using caspol, i’m using 2.0 files resides on UNC network.

    Thanks in advance,

    A K S

  43. ASP.NET grants AspNetHostingPermission within AppDomains that it controls.  That error indicates that you’re attempting to access an API that is only meant to be accessed from within an ASP.NET application from outside ASP.NET.

    If you are in an ASP.NET application, another possibility is that the ASP.NET trust levels got corrupted and the hosting permission is no longer being granted there — in that case you’ll have to check the ASP.NET forums to find an ASP.NET expert that can help you reset your settings.


  44. Chris V V says:

    I had a lot of trouble getting this working, but it finally did when I used this command:

    caspol -q -machine -addgroup 1 -url file://z:/* FullTrust -name "Z Drive"

    caspol.exe is located at C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727 also you need to restart devenv.exe after doing this.

  45. Aron says:

    Thank you "Full trust"! I’ve spent several hours on this, being in need of running .net assemblies from my development-server share.

    caspol -q -machine -addgroup 1 -url file://z:/* FullTrust -name "Z Drive"

    worked like a charm. Thank you again!

  46. sth_Weird says:

    hmm, what I miss and haven’t been able to find anywhere on the net yet is a list of all possible trust levels.

    as for me, I’m trying to develop a script that automatically sets the trust level, problem is that I’ve managed  to set it to full trust once and now my program on the net always works. I have not managed to set a smaller level that makes my program crash any more. But I need this to test my script. Can anybody help?

  47. Srinath says:

    Thank you very much it really worked i struggled around a day to fix this

  48. Michael says:

    Shawn, after using sn.exe I can add my assembly on my local box.  But I still get the "…must have a strong name…" error on the server.  Tried caspol.  It claimed success, but the assembly is not there in the Config manager.  Here’s the command-line from caspol:

    D:\MyDir>C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\caspol.exe /af MyNewDLL.dll

    Microsoft (R) .NET Framework CasPol 2.0.50727.3053

    Copyright (c) Microsoft Corporation.  All rights reserved.

    Because all GAC assemblies always get full trust, the full trust list is no longer meaningful. You should install any assemblies that are used in security policy in the GAC to ensure they are trusted.

    The operation you are performing will alter security policy.

    Are you sure you want to perform this operation? (yes/no)



    Did I miss a step somewhere?

  49. You shouldn’t be using the full trust list to do this – as caspol is warning you, that list is no longer used as of v2.0 of the .NET Framework.   Instead, you’ll want to use one of the other options such as the URL membership condition that I show in the example.


  50. There’s no such thing as "all the possible trust levels".   .NET 3.5 SP1 ships with 6 predefined permission sets – (in decreasing order) FullTrust, Everything, LocalIntranet, Internet, ExecuteOnly, and Nothing.  

    However, anyone can make their own permission sets with different trust levels.  For instance, ASP.NET added Low, Medium, and High trust.  SQL Server has their three trust buckets as well.

    Additionally, anyone can define their own custom permissions to further expand the possible list of permission sets.  So, what you end up with, is an infinite theoretical combination of permission sets.


  51. Steve-o says:

    I’m running the Visual Studio 2008 in a VMWARE instance of Vista Ultimate and I have a mapped drive Projects (B:) that I’m trying to use caspol on to allow fulltrust for all projects I create.  

    I’ve used:

    caspol -m -ag 1.2 -url file://B:* FullTrust

    I get the success and prompted for yes or no. Like normal not in that order. But when I fire up VS2008 again I still get the same issue when I create a new project.  I’ve proceeded to restart the VMWARE instance same issue.  I’ve also tried individually allow applications.

    caspol -m -ag 1.2 -url file://B:WebApplication99* FullTrust

    still same results…..

    Could you please advise?  Thanks for any help you have.

  52. I don’t believe VS applies CAS policy when showing that dialog box, instead it only looks at the zone.

    You should be fine ignoring the box and letting CAS policy take over at runtime for you.


  53. Les.Kinney says:

    I was wondering if it is possible to use Caspol to enable full trust for a folder for running a Access 2007 runtime app from.  What I have done is created a click-once console app to extract an updated version of the access app to a local folder (c:hcprect) if IsFirstRun is true, otherwise it just uses System.Diagnostics.Process.Start to run the app using the runtime.  However, on client machines that don’t have full version of Access 2003/2007, i want to be able to set Full Trust via batch file maybe so they don’t have to answer the dialog and click Open button.  Is this possible?  If I am in the wrong place let me know too!  Thanks,

  54. Sebastian says:

    Great blog entry 😉

    I miss the information how to remove this Full Trust entries. Is there a way doing that with CasPol? Please both ways (Full Trust to share and file).

    Thank you 🙂

  55. Cip D says:

    Hi Shawn-

    I’m running into an issue with CASPOL where if I run it as a user without administrator permissions it fails.  My command is such:

    %SystemRoot%\Microsoft.NET\Framework\v2.0.50727\caspol -q -machine -addgroup 1. -url http://SERVERNAME/* FullTrust -name "APPName"

    What do I need to do to allow any user to run this command?



  56. Ian Ambrosen says:

    Shawn, have an exe running from a network drive v, tried the command


    27CasPol.exe -pp off -m -ag 1.2 -url file://v:* FullTrust

    appeared to go ok but still get the same P9  error

    for caspol -m -lg got the following:

        1.1.2.  StrongName – 00000000000000000400000000000000: FullTrust

     1.2.  Zone – Intranet: FullTrust

        1.2.1.  All code: Same site Web

        1.2.2.  All code: Same directory FileIO – ‘Read, PathDiscovery’

        1.2.3.  Url – W:*: FullTrust

        1.2.4.  Url – \*: FullTrust

        1.2.5.  Url – V:*: FullTrust

        1.2.6.  Url – file://v:*: FullTrust

        1.2.7.  Url – file://v:: FullTrust

        1.2.8.  Url – file://v:*: FullTrust

     1.3.  Zone – Internet: Internet

        1.3.1.  All code: Same site Web

     1.4.  Zone – Untrusted: Nothing

     1.5.  Zone – Trusted: Internet

        1.5.1.  All code: Same site Web

    Any ideas what I am doing wrong?

    Thanks Ian

  57. Suyambu says:


    Is there a way to give FullTrust programmatically without using CASPOL tool.

    So that I don’t have to execute the CASPOL command in each client machine.

    Can we achieve the same programmatically what CASPOL does. Something similar to…

    [assembly: FileIOPermissionAttribute(SecurityAction.RequestMinimum, Unrestricted = true)]

    [assembly: PermissionSet(SecurityAction.RequestOptional, Unrestricted = false)]

    Just wanted to know whether this is possible or not.

    Thanks in Advance.


  58. Steve says:

    I have a .Net 2.0 app that a vendor has given me to deploy in our organization.  They created an app that goes along with it that takes care of the caspol part, however, it needs to be run with admin permissions against a network drive.  I’ve created an installer myself that will map a drive as a local admin, then apply the permissions but it’s buggy and doesn’t always work.  I’d rather just run their application but all of our users have "power user" rights so they can’t do it themselves.  The command is:

    caspol -pp off -m -ag All_Code -url "file:// R:Programsimswincleardecisions* " FullTrust -n Network_Apps

    We’re a novell shop that uses zenworks for deployments.  Any help, like possibly using group policy instead, would be greatly appreciated.  I’m not a .net programmer so my knowledge is limited.

  59. Steve says:

    I did find this:

    Seems to be what I need, but not sure.  If it’ll work I can just distribute that as an msi, but not sure since the "admin" account that will run it won’t have an R drive mapped.

  60. dylan says:

    I am trying to solve the trusted location issue when opening visual studio 2008 projects. When using CasPol.exe -m -ag 1.2 -url file://O:/* FullTrust I get the following:

    ERROR: Runtime error: Access denied. You might now have administrative credentials to perform this task. Contact your system administrator for assistance.

    This is on a new Windows 7 installation, not sure if that has anything to do with it or not.

  61. Paul says:


    This is doing my head in.

    I have a screensaver app that runs 100% when i’m logged in, but it fails when it is invoked as the pre-login screensaver. Fails with a security exception. The winform app has a winforms webbrowser control embedded, when this control is removed no exception occurs and it works. According to MSDN the webbrowser control needs FullTrust. I’ve signed the app and used CASPOL to grant fulltrust, but still no go.

    What am I doing wrong?



  62. In order to diagnose a security exception, having the full exception text and call stack is useful – this way we can figure out who was demanding what.


  63. Dylan – CAS sits on top of NT security, so if you are getting an access denied trying to perform an operation, that cannot be fixed with Caspol.  Instead, you’ll need to ensure that your user account has permission to write to the machine wide CAS settings file.

    Make sure you’re attempting this operation from an elevated command prompt, otherwise it won’t succeed.


  64. Suyambu – Check out ClickOnce deployment for applications.  In a ClickOnce application, the application declares what permissions it needs (for instance FullTrust), and will be guaranteed to either run with those permissions or not run at all.


  65. What error are you getting?  P9 doesn’t sound like a SecurityException so it may not be caspol related at all.


  66. Cip – that requires admin privilege because that command modifies the security settings for the entire machine.  Modification to machine wide security state is not allowed by unprivileged users.


  67. Jeff Drake says:

    Thank you, thank you, thank you.  We had an oddball problem I still can’t explain…We are migrating from one build server to another. We have a shared libraries directory on a DFS share where common pre-compiled assemblies come from. When we checkout from old server and compile, it works perfectly. Copy that code to new server and it compiles perfectly, too.  Checkout from the second server and we get the permissions error.  Took 3 tries, but Caspol fixed it:

    C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727>caspol -q -machine -addgroup 1 -url file://\mysharesubdiranothersubdirsharedlibs/* FullTrust -name "Sharedlib"


  68. Hi Jeff,

    My guess is that Windows was mapping the Zone to something unexpected.  You can figure out what groups the file is matching by running caspol -rsg \mysharesubdiranothersibdirsharedlibsassembly.dll

    Which may shed some light for you.


  69. Adam says:

    YAY!!  Solved it!  Okay, so if you are using Microsoft practices/application blocks for logging, make sure the assemblies have been correctly installed using the installutil.exe.  I have a rather lengthy scripted setup for creating the dev environment for this web 1.1 application and it seems I left out the full path to the installutil.exe.  I discovered the issue by putting Process Monitor to work and seeing that a reg key for the distributed logging was missing.  Made me think something was up with the installation of the app block.  Checked the batch file for this and realized the full path was missing off the installutil.exe.  Anyhow, guess I really should properly log the install so that I can check the results for failure.  Thanks!  ~ Adam  (

  70. Ajit Yadav says:

    Thanks a lot Shawn, it resolved my issue after I run the caspol command.

  71. Hi

    I have a strange problem that i wish to find some help here.

    I have an excel Template deployed in a mapped disk (net 4.0 office2010) and i have 2 computers with the same local policies both have windows7 as O.S and office2010. When i try to execute the template the first computer runs without problem but the other one prompts an error message "Microsoft.VisualStudio.Tools.Applications.Runtime.CannotCreateCustomizationDomainException: La personnalisation n'a pas les autorisations requises pour créer un domaine d'application. —> System.Security.SecurityException: La fonctionnalité personnalisée dans cette application ne fonctionnera pas car l'administrateur a qualifié file:///T:/PAM/VA61A/PAMMain/EXCEL_Plan/PAMExcel.vsto comme étant non fiable"

    The only difference that i can see is there is an English office (which has no problem) and a French office which prompts the error.

    Thanks for any help.