1

I'm using KeePass 2.54 installed on a server I'm not managing (please skip pointing out the security implications of it). When trying to create a user-defined profile for the password generator from an RDP session, I see a message talking about enforced configuration, and I'm asked for an administrator password (which I don't have/know):

KeePass2 popup windows about enforced configuration

Reading about Enforced Configuration, I checked for a file named KeePass.config.enforced.xml, but I could not find one; instead I only found KeePass.config.xml with this content:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<Meta>
<PreferUserConfiguration>true</PreferUserConfiguration>
</Meta>
</Configuration>

So my guess would be that KeePass2 saves my preferences in a user-specific file (known as "Local Configuration"), but would not overwrite the KeePass.config.xml file (known as "Global Configuration").

Actually I found %APPDATA%\Keepass\KeePass.config.xml that contains the predefined password generator profiles and other user-specific settings. So it seems to be writable by my user. I'm owner of that file and I have full access rights on it.

Reference

I think "Installation by Administrator, Usage by User" should apply:

If you use the KeePass installer and install the program with administrator rights, the program directory will be write-protected when working as a normal/limited user. KeePass will use local configuration files, i.e. save and load the configuration from a file in your user directory.

Multiple users can use the locally installed KeePass. Configuration settings will not be shared and can be configured individually by each user.

So I wonder:

  • Is it a configuration bug that prevents creating user-defined password profiles?
  • Is it a software bug?
  • Did I (or the administrator installing the software) do something wrong?
  • Is there actually an enforced configuration (I think: No)?

Related

Maybe you want to read Password generation profiles sync and #2826 Store Password Generator Profiles within the database, too.

U. Windl
  • 943

1 Answers1

0

The discussion in Cannot create new password generator profile in non-enforced configuration indicates that the effect is a mis-feature introduced in KeePass version 2.54:

Password Profiles are stored in the enforced configuration file beginning with KeePass 2.54. See the Important section of the KeePass 2.54 release notes. If writing to the KeePass program directory requires administrative privileges, they are also required to save password profiles.

So even if an enforced profile does not exist (making one assume that there is no enforced profile, and thus no enforced configuration), KeePass wants to create one.

U. Windl
  • 943