How to make Dropbox compatible with Software Restriction Policy (SRP)

UPDATE for version 3.10.11

You can now just run the Offline Installer as admin. It will install to %PROGRAMFILES% (16.4.30 installs to %PROGRAMFILES%\Dropbox\Client). It creates an autorun-entry in the registry at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dropbox.
(Note: Even though it is always started, new users must manually run dropbox.exe once and authenticate, otherwise they will not see it.)

Or (without fully installing it): use 7zip to extract the file Installer.exe.{*} from the offline installer, rename it to installer.exe, run it (not as admin), wait until task-manager shows that the process does not run any more, then grab the contents of %appdata%\Dropbox\bin.

If you use the default SRP settings (which do not restrict libraries, i.e. DLL files), it will just work. Otherwise the special handling of the temp directory (see start script below) is still required for the file %APPDATA%\Dropbox-temp\dropbox_sqlite_ext.*.dll
In this case you should remove the autorun entry mentioned above from the registry, so that Dropbox is started by the script instead.

The automatic updater still does not work. And sometimes you must update, otherwise it will stop syncing. But it will warn you approximately each time before this happens.

Install Program

Log in as a restricted user (no admin rights).
Run the Dropbox installer.
If the installer wants the Administrator password: click Abort (it will continue to install).
Wait until the installer asks you to log in.
Copy all files from "%AppData%\Dropbox\bin" to a temporary directory.
Abort the Dropbox installer.
Uninstall Dropbox.
If the uninstaller wants the Administrator password: click Abort.
Remove the shortcut to Dropbox from Startmenu\Autostart of that user.
Erase %AppData%\Dropbox if it still exists.
Log in as Administrator.
Copy the files captured from "%AppData%\Dropbox\bin" to "%ProgramFiles%\Dropbox-bin".

In 64bit Windows use %ProgramFiles(x86)% instead of %ProgramFiles%.

Create start-script

Create %ProgramFiles%\Dropbox.cmd with these contents:

@echo off

rem set bin directory
set bindir=%PROGRAMFILES%\Dropbox-bin
if defined PROGRAMFILES(x86) set bindir=%PROGRAMFILES(x86)%\Dropbox-bin

rem set temp directory
set tempdir=%APPDATA%\dropbox-temp
if defined LOCALAPPDATA set tempdir=%LOCALAPPDATA%\dropbox-temp
if not exist "%tempdir%" mkdir "%tempdir%"

rem clean temp directory (switch drive and directory in one step, stop if that fails)
cd /d "%tempdir%" || exit /b 1
for /d %%i in ("scoped_dir*") do rmdir /s /q "%%i"

rem start program
set tmp=%tempdir%
set temp=%tempdir%
start "" "%bindir%\Dropbox.exe" /systemstartup

Create a shortcut to this file in Autostart of each user (in Win7 this is in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup), and rename the shortcut to just "Dropbox".

Configure SRP

Now you can run secpol.msc and declare that everything in %HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\ProfilesDirectory% is disallowed, with one exception: %APPDATA%\Dropbox-temp\dropbox_sqlite_ext.*.dll must be allowed (either by this path, or by the hash of the file dropbox_sqlite_ext.dll from the Dropbox-bin directory). You should also remove LNK files from the list of restricted programs.
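
A post-setup check for the layout described above, as an added PowerShell example that is not part of the original howto. It assumes PowerShell 4 or later and the directory names from the start script; the list of trusted SIDs and the use of SHA256 (only to compare the DLL copies, not as the SRP rule's own hash) are this example's assumptions.

```powershell
# Added example: audit the layout from this howto. Run as the restricted user.
# Paths mirror the start script; the trusted-SID list is this example's assumption.
$pf      = if (${env:ProgramFiles(x86)}) { ${env:ProgramFiles(x86)} } else { $env:ProgramFiles }
$binDir  = Join-Path $pf 'Dropbox-bin'
$base    = if ($env:LOCALAPPDATA) { $env:LOCALAPPDATA } else { $env:APPDATA }
$tempDir = Join-Path $base 'dropbox-temp'

# 1. The bin directory is trusted by its location, so only these well-known SIDs
#    (group names are localized, SIDs are not) should be able to modify it.
$trusted = @(
    'S-1-5-18',      # SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)
# Write-type rights, plus the raw GENERIC_WRITE / GENERIC_ALL bits some inherited ACEs carry.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x50000000
$sidType   = [System.Security.Principal.SecurityIdentifier]
$weak = (Get-Acl -LiteralPath $binDir).GetAccessRules($true, $true, $sidType) | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]$_.FileSystemRights -band $writeMask) -and
    ($trusted -notcontains $_.IdentityReference.Value)
}

# 2. A hash rule made from the bin copy only covers the temp copies if they are
#    byte-identical. SHA256 is used here just to compare the files.
$ref = (Get-FileHash -LiteralPath (Join-Path $binDir 'dropbox_sqlite_ext.dll') -Algorithm SHA256).Hash
$mismatch = Get-ChildItem -Path $tempDir -Filter 'dropbox_sqlite_ext.*.dll' -ErrorAction SilentlyContinue |
    Where-Object { (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash -ne $ref }

# 3. The installer's machine-wide autorun value would start Dropbox without the start script.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' `
    -Name 'Dropbox' -ErrorAction SilentlyContinue

[pscustomobject]@{
    BinDir            = $binDir
    UntrustedWriters  = @($weak | ForEach-Object { '{0}: {1}' -f $_.IdentityReference.Value, $_.FileSystemRights })
    TempDllMismatches = @($mismatch | ForEach-Object { $_.FullName })
    HklmRunEntry      = if ($run) { $run.Dropbox } else { '(not present)' }
} | Format-List
```

Empty UntrustedWriters and TempDllMismatches lists are the expected result; a mismatch after a manual Dropbox update means a hash rule has to be recreated from the new dropbox_sqlite_ext.dll.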

More info

When the user logs in the next time, Dropbox will ask for login. On any further logins it will just run.

Dropbox will collect more and more garbage in that temp directory, so maybe you should add a command to empty it each time.


Tested with Dropbox 2.6.2 and 2.10.1 in Windows XP, and 3.5 in Windows 7-64.