How to: Change Code Groups Using Caspol.exe

Use the –chggroup option of the Code Access Security Policy tool (Caspol.exe) to change the name, membership condition, permission set, flags, or description of a code group. You can change one, some, or all of these code group attributes.

To change a code group

  • Type the following command at the command prompt:

    caspol [-enterprise|-machine|-user] –chggroup label|name {[mship] [pset_name] [-exclusive {on|off}][-levelfinal {on|off}] [-name name] [-description description_text] }

    Specify the policy-level option before the –chggroup option. If you omit the policy-level option, Caspol.exe changes the specified code group in the default policy level. For computer administrators, the default level is the machine policy level; for others, it is the user policy level.

    The syntax and meaning of mship, pset_name, -exclusive, and -levelfinal are the same as for the –addgroup option. For more information about these arguments and options, see How to: Add Code Groups Using Caspol.exe.

    The following command changes the membership condition for the code group labeled 1.2.1. to the Internet zone membership condition.

    caspol –chggroup 1.2.1. –zone Internet

    The following command changes the name of the code group labeled to MyApp_CodeGroup.

    caspol –chgroup –name MyApp_CodeGroup

    The following command associates the Internet permission set with the code group 1.3. and turns off the -exclusive flag.

    caspol –chggroup 1.3. Internet –exclusive off


    Changing a code group can have wide repercussions for security. Use this option with caution.

See Also


Security Policy Model


Code Access Security Policy Tool (Caspol.exe)

Other Resources

Configuring Security Policy Using the Code Access Security Policy Tool (Caspol.exe)

Configuring Code Groups Using Caspol.exe