
I'm using KeePass 2.54 installed on a server I'm not managing (please skip pointing out the security implications of it). When trying to create a user-defined profile for the password generator from an RDP session, I see a message talking about enforced configuration, and I'm asked for an administrator password (which I don't have/know):

[Image: KeePass2 popup windows about enforced configuration]

Reading about Enforced Configuration, I checked for a file named KeePass.config.enforced.xml, but I could not find one; instead I only found KeePass.config.xml with this content:

    <?xml version="1.0" encoding="UTF-8"?>
    <Configuration xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
        <Meta>
            <PreferUserConfiguration>true</PreferUserConfiguration>
        </Meta>
    </Configuration>

So my guess would be that KeePass2 saves my preferences in a user-specific file (known as "Local Configuration"), but would not overwrite the KeePass.config.xml file (known as "Global Configuration").

Actually I found %APPDATA%\Keepass\KeePass.config.xml that contains the predefined password generator profiles and other user-specific settings. So it seems to be writable by my user. I'm the owner of that file and I have full access rights on it.

Reference

I think "Installation by Administrator, Usage by User" should apply:

If you use the KeePass installer and install the program with administrator rights, the program directory will be write-protected when working as a normal/limited user. KeePass will use local configuration files, i.e. save and load the configuration from a file in your user directory.

Multiple users can use the locally installed KeePass. Configuration settings will not be shared and can be configured individually by each user.

So I wonder:

  • Is it a configuration bug that prevents creating user-defined password profiles?
  • Is it a software bug?
  • Did I (or the administrator installing the software) do something wrong?
  • Is there actually an enforced configuration (I think: No)?

Related

Maybe you want to read "Password generation profiles sync" and "#2826 Store Password Generator Profiles within the database", too.

  • I would be very shocked if KeePass2 stored anything in the Windows registry. In fact, the notification message specifically suggests it's a file, not a registry key, that will be written to. Have you run KeePass2 with elevated permissions so the configuration file can be created?
    – Ramhound
    Commented Nov 27, 2023 at 16:32
  • You missed the important thing: I'm user, not administrator on that machine. Also on another installation, I can add password generator profiles without administrator privileges. And I'm mostly surprised about the two close votes.
    – U. Windl
    Commented Nov 28, 2023 at 7:32
  • I didn’t miss anything; I am suggesting you need to be an Administrator to solve your problem.
    – Ramhound
    Commented Nov 28, 2023 at 11:30
  • On a different Windows 10 machine I have KeePass2 installed, too, and there I can save password generator profiles! As I pointed out in the question, those profiles are not saved in the config file in the program directory, but in the configuration file within %APPDATA%. And it seems user-defined configuration is allowed. So I don't see where the admin did enforce this restriction. Or asked in another way: What should the administrator do then?
    – U. Windl
    Commented Nov 28, 2023 at 13:07
  • An Administrator is supposed to rename the configuration file to KeePass.config.enforced.xml, which is the reason it doesn’t exist in the AppData directory. The documentation suggests that if KeePass2 was installed as an Administrator, then the configuration data is shared among all users on the system. Have you asked the Administrator who installed KeePass2 on the system? A different system could have had KeePass2 installed as a normal user. Without more information I can’t fully explain the behavior.
    – Ramhound
    Commented Nov 29, 2023 at 12:30

1 Answer

0

The discussion in "Cannot create new password generator profile in non-enforced configuration" indicates that the effect is a mis-feature introduced in KeePass version 2.54:

Password Profiles are stored in the enforced configuration file beginning with KeePass 2.54. See the Important section of the KeePass 2.54 release notes. If writing to the KeePass program directory requires administrative privileges, they are also required to save password profiles.

So even if an enforced profile does not exist (making one assume that there is no enforced profile, and thus no enforced configuration), KeePass wants to create one.

  • What exactly is a “misfeature”? Your final response is that, “Profiles are moved to the enforced config file. You can no longer use / store them in the user config file.”, which goes back to “you need an administrator account”.
    – Ramhound
    Commented Nov 30, 2023 at 12:43
  • The mis-feature is that an installation for all users cannot be used to let a user set up a password generator profile in their own user profile; the user would still require an administrator password, and then the profile would be visible for everyone. Also there is no gain in security, as a user could use a local portable installation of KeePass (possibly even weakening the security by using a vulnerable version of KeePass).
    – U. Windl
    Commented Dec 5, 2023 at 9:58
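
To see which of the three configuration files discussed in this thread exist and whether the current user can write to the program directory (the condition the answer ties to the elevation prompt), here is an added PowerShell check; it is not part of the original posts or of KeePass. The default `$AppDir` is an assumed install path and the function names are hypothetical.

```powershell
# Added diagnostic example; adjust $AppDir to the actual install directory (assumed default below).
param(
    [string]$AppDir = "$env:ProgramFiles\KeePass Password Safe 2"
)

function Test-DirWritable {
    param([string]$Dir)
    # Probe with a real write: reading the ACL alone misses deny entries
    # and the filtered (non-elevated) token of an administrator account.
    $probe = Join-Path $Dir ("kp-write-probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-KeePassConfigState {
    param([string]$AppDir)
    $globalCfg   = Join-Path $AppDir 'KeePass.config.xml'           # global configuration
    $enforcedCfg = Join-Path $AppDir 'KeePass.config.enforced.xml'  # enforced configuration
    $localCfg    = Join-Path $env:APPDATA 'KeePass\KeePass.config.xml'  # local (per-user) configuration

    # Read Meta/PreferUserConfiguration from the global file, if present.
    $prefer = $null
    if (Test-Path -LiteralPath $globalCfg) {
        $xml = [xml](Get-Content -LiteralPath $globalCfg -Raw)
        $prefer = $xml.Configuration.Meta.PreferUserConfiguration
    }

    [pscustomobject]@{
        EnforcedFileExists      = Test-Path -LiteralPath $enforcedCfg
        PreferUserConfiguration = $prefer
        LocalConfigExists       = Test-Path -LiteralPath $localCfg
        AppDirWritable          = Test-DirWritable $AppDir
    }
}

$state = Get-KeePassConfigState -AppDir $AppDir
$state | Format-List
if (-not $state.AppDirWritable) {
    # Per the answer above: 2.54 writes generator profiles to the enforced file in the program directory.
    'Program directory is not writable for this user: saving a generator profile in KeePass 2.54 will ask for administrator credentials.'
}
```

A result with `EnforcedFileExists = False` and `AppDirWritable = False` matches the situation in the question: no enforced file is present, yet saving a profile still needs write access to the program directory.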
