
Safeguard Console - Disable Block Policy Inheritance

Hi,


I've tried to search for the answer (apologies if I've missed it!), but does anyone have an idea if you can disable access to 'Block Policy Inheritance' on the Domain under Users and Computers (Safeguard Version 7.00.0.07)?

We are looking at a locked down console for helpdesk users and don't want them to have the ability to block the Sophos Policy - there doesn't seem to be a way to create lower level security policy that doesn't have access to this setting.


Regards,

Steve



  • FormerMember
    Hi Stephen,

    Good question. There isn't a specific setting for this, but you can do this in the following manner:

    - Login to the Management Console as an MSO
    - Security Officers > Right click Security Officers > New > New Security officer
    - In the Roles section just give the user 'Helpdesk Officer' privileges.

    When this user logs in they won't have access to the domain structure where they can fiddle with the policies.
    For the parts that are left in Users and Computers the access to 'Block Policy Inheritance' will be disabled.

    I hope this helps Stephen, but please let me know if you need any further help.
  • Hi Toby,

    Thanks for the answer, but one of the things our helpdesk requires is the ability to unlock passwords, which means they need access to ADUC. I'm surprised that something like this can't be disabled. Is it worth mentioning it to the Safeguard product team to look at in a future release/update?

    Regards,

    Steve

  • "Modify directory objects" is the Security Officer Role permission that gives the rights to check/uncheck the "block policy inheritance" right. I would create a custom Security Officer Role which does not have this right.

    I find the best way is to right click on the Helpdesk Officer role and select "New > new copy of role...", which will create a custom role with the same permissions as the Helpdesk Officer role. You can then select the additional permissions required, such as "unassign certificates", which would give the rights to delete the user's certificate.

    Hope this helps
  • Sorry about the delay, I'll have a look at this to see if it can work for us.
    Had a quick look. Whilst unchecking that option removes the 'Block Policy Inheritance', it also blocks the 'Account State' for objects, which is what I was hoping to allow helpdesk to use to re-enable user accounts.


    Maybe we can look at the task scheduler script to see if I can see why 'synchroniseAccountState = 0' doesn't seem to work?

  • FormerMember, in reply to StephenCooper
    Hi Stephen,

    Not sure if this is relevant, but it's worth mentioning that the sync script effectively just runs the last sync that was run in the SGN Management Centre.