
Safeguard Console - Disable Block Policy Inheritance

Hi,


I've tried to search for the answer (apologies if I've missed it!), but does anyone have an idea if you can disable access to 'Block Policy Inheritance' on the Domain under Users and Computers (Safeguard Version 7.00.0.07)?

We are looking at a locked down console for helpdesk users and don't want them to have the ability to block the Sophos Policy - there doesn't seem to be a way to create a lower level security policy that doesn't have access to this setting.


Regards,

Steve



This thread was automatically locked due to age.
  • "Modify directory objects" is the Security Officer Role permission that gives the rights to check/uncheck the "block policy inheritance" right. I would create a custom Security Officer Role which does not have this right.

    I find the best way is to right-click on the Helpdesk Officer role and select "New > new copy of role..." which will create a custom role with the same permissions as the helpdesk officer role. You can then select the additional permissions required, such as "unassign certificates" which would give the rights to delete the user's certificate.

    Hope this helps
  • Had a quick look. Whilst unchecking that option removes the 'Block Policy Inheritance', it also blocks the 'Account State' for objects - which is what I was hoping to allow helpdesk to use to re-enable user accounts.


    Maybe we can look at the task scheduler script to see if I can see why 'synchroniseAccountState = 0' doesn't seem to work?

  • FormerMember in reply to StephenCooper
    Hi Stephen,

    Not sure if this is relevant but it's worth mentioning that the sync script effectively just runs the last sync that was run in the SGN Management centre.