Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 6 replies
  • Answers 1 answer
  • Subscribers 6 subscribers
  • Views 17340 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Create POA exception.

PeterRL

Hi all

I´m using Safeguard 7.00.0.97 and i am facing some trouble with a specific configuration.

My environment has three groups ("sales", "tec" and "managment"). POA is enabled to the "Sales" and "Tec" group  (the "tec" group is using BitLocker), and i need to ensure that the "manage" does not have the POA enabled.

I´ve created 4 Group Policies to basicaly configure file share encryption, device encryption (removable media) and logs per deparment).

I´ve created also a Default File Policy where i´m configuring some general file shares and to encrypt everything that is being copied to the Desktop, Documents, and Downlodas on each machine), and finally a Default General Policy to configure a Default Device Encryption to all the computers.

By Order:

Policy "No - POA" (applied to group "management". - This is just to prevent POA to be enabled.

Policy "Tec" (applied to the group "tec" - this group has the user tec1)

Policy "Sales" (applied to group "Sales" - has the user sales1)

Policy "Default File" (appled to .Authenticated Users) 

Policy "Default General Policy" (applied to .Authenticated computers).

The fact is that despite that first policy "No - POA" is being applied, when i try to make a RSOP on the machine where the user from "managment" group logs in, the Enable Power-on Authentication is set to "yes".


Would you be so kind to help in configuring this exception? :)


Thanks in advance.



This thread was automatically locked due to age.
  • FormerMember
    0 FormerMember

    Hi Peter,

    I'd recommend having three folders setup for sales, tec and managment with the machines under thereMight be best to do this in AD to keep the setup consistent between your environments).

    You can then create a Policy Group for each department applied on the top level folder without worrying about policies overlapping.
    Please also make sure you don't have any of the policies applied at root if you go for this method.

  • 0 in reply to FormerMember

    Hi Toby,

    thank you for your reply. This approach worked. However, and reviewing the documentation, rules applied to users have higher priority over the machines ones - my original policy was being applied to the group managment that had just the user "dire1". This rule was applied to top of the root before the machine specific ones were applied. Do you know what could be causing this?

  • 0 in reply to PeterRL

    I actually just ran into a very similar issue we wanted to exempt an AD imported user group from certain policy's in relation to token usage. Opened a support case with Sophos and basically found out you cant for us moving users or machines to other OU"s would have to much risk of causing issues with Windows Group Policy which was more important. This seems like a glaring issue given that most of the policys in Safeguard work and apply in very similar fashion to ADGP.

  • 0 in reply to Typhoon87

    Typhoon87 said:

    I actually just ran into a very similar issue we wanted to exempt an AD imported user group from certain policy's in relation to token usage. Opened a support case with Sophos and basically found out you cant for us moving users or machines to other OU"s would have to much risk of causing issues with Windows Group Policy which was more important. This seems like a glaring issue given that most of the policys in Safeguard work and apply in very similar fashion to ADGP.


    Hi Typhon, that it´s actually not good. Did support advance some conclusion? I mean, was it a bug, or the behaviour is by design?

  • 0 in reply to PeterRL

    Appears to be by design there is no way to exempt a user or group unless they are in a different OU so you can apply a different policy group. You also need to be careful with sub OU's even though you can enable inheritance blocking items applied at the root do not get exempted only higher level OU's in the same OU branch.

  • 0 in reply to Typhoon87

    Thank you Typhoon87. Reading your post makes a lot easier to undersand the behviour that i was noticing on my environment.

Unfiltered HTML