Keepass configuration file allow changemasterkey only one time

0

I created a database where you have to change the MasterKey the first time that it gets opened; after this change it shouldn't be possible to change the masterkey anymore. To achieve this, I created this batch file:

@CD /d "%~dp0"
KeePass-2.42.1-Setup.exe /verysilent
REM Installs KeePass 2.42.1 very silent
COPY KeePass.config.xml "C:\Program Files (x86)\KeePass Password Safe 2\"
REM Replaces the Configuration File with a modified file. Modifications are:
REM -Setting UIFLAG to 35
REM -CheckForUpdate to false and CheckForUpdateConfigured to true
REM - <Policy> <NewFile> to false
COPY Datenbank.kdbx "D:\Eigene Dateien\KeePass\"
REM Copies the modified Database onto the PC, this Database asks for a change of the masterkey the first time it gets opened
ECHO "Please open the database PasswortManager on your Desktop now, change the masterkey as prompted, save it and close Keepass. Press Enter after finishing"
PAUSE
COPY KeePass2.config.enforced.xml "C:\Program Files (x86)\KeePass Password Safe 2\"
REM Replaces the configuration file again this time with <ChangeMasterKey> to False

Some parts of the code are taken out because they change settings that don't matter to my question.

This method works but feels weird, and there are many ways it can lead to problems. For example, if they press Enter before opening the database, or press Enter while KeePass is still open. Is there a way to only allow the first masterpassword change, without having to override the configuration two times?

If I can improve my question, please tell me, and thank you for your help.

Edit: After a suggestion of a user here I changed the second configuration file to enforced and am playing around with that. Seems like I will continue to use the double configuration file.

ChoTimberwolf

Posted 2019-05-23T06:40:53.683

Reputation: 103

If you want them to change their masterkey, what's the harm in letting them do it at will? You won't be able to do this with a single configuration file. Also, you might want to use the enforced configuration file to disallow changing the configuration.

– Seth – 2019-05-23T06:57:41.847

1

The configuration file is in the KeePass install folder that can only be changed with admin privileges. The reason they should only change it one time is that they will create a paper with the masterkey on it that we can then put into a safe should they forget their masterkey. If they can change it anytime they want, it will only be a matter of time till it's our fault that they now can't access their passwords anymore.

And yes, I should change it to enforced, that's a good idea, I overlooked that one. Thank you – ChoTimberwolf – 2019-05-23T07:06:33.903

If it's a company environment, you might be able to set it up to use the Windows User Account. The help doesn't seem to support what you want. So exchanging the configuration twice is probably what you need to do.

– Seth – 2019-05-23T07:28:45.010
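
One way to guard the second configuration swap against the two failure modes named in the question (Enter pressed before the database was opened, or while KeePass is still open), as an added example that is not part of the original post. It reuses the paths and file names from the question's batch file; the process name KeePass.exe and the use of TASKLIST and FC for the checks are assumptions of this example.

```batch
@ECHO OFF
SETLOCAL
CD /d "%~dp0"

REM Paths and file names as given in the question's batch file.
SET "TEMPLATE=Datenbank.kdbx"
SET "DB=D:\Eigene Dateien\KeePass\Datenbank.kdbx"
SET "KPDIR=C:\Program Files (x86)\KeePass Password Safe 2"
SET "ENFORCED=KeePass2.config.enforced.xml"

:WAIT
ECHO Open the database, change the master key as prompted, save it and close KeePass.
PAUSE

REM Guard 1: refuse to continue while KeePass is still running.
REM Assumption: the KeePass 2.x process image is named KeePass.exe.
TASKLIST /FI "IMAGENAME eq KeePass.exe" /NH | FIND /I "KeePass.exe" >NUL
IF NOT ERRORLEVEL 1 (
    ECHO KeePass is still open. Save the database and close KeePass first.
    GOTO WAIT
)

REM Guard 2: the deployed database must differ from the template that was copied.
REM FC /B sets ERRORLEVEL 0 = identical, 1 = different, 2 = file missing or unreadable.
FC /B "%TEMPLATE%" "%DB%" >NUL
IF ERRORLEVEL 2 (
    ECHO Cannot read the template or the deployed database. Aborting.
    EXIT /B 2
)
IF NOT ERRORLEVEL 1 (
    ECHO The database has not been saved since it was deployed.
    GOTO WAIT
)

REM Only now lock the setting by installing the enforced configuration.
COPY /Y "%ENFORCED%" "%KPDIR%\" >NUL
IF ERRORLEVEL 1 (
    ECHO Copying the enforced configuration failed. Run this script as administrator.
    EXIT /B 1
)
ECHO Enforced configuration installed.
ENDLOCAL
```

A changed file shows only that the database was saved after deployment, not by itself that the master key was changed, so the paper copy placed in the safe should still be checked against the database.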

No answers