13.6 Creating an Active Directory Group Policy

13.6.1 Group Policy Object Support

Prerequisites:

  • SecureLogin is installed with support for group policies.

  • The Active Directory Users and Computers snap-in or Group Policy Management Console is open.

Using Group Policy object support, you can manage SecureLogin users in Active Directory users at the container, OU, and user object levels.

Group Policy object support is useful for organizations with flat directory structures where a more granular approach is required when applying settings, policies, and application definitions for users. For example, applying a group policy for a global marketing group in a worldwide organization. Several group policies can be defined and applied to any user, group, or container at the directory level. These different policies are then applied to a specific user object or container or organizational unit through the inheritance process.

To limit network traffic during the Group Policy object synchronization, SecureLogin leverages an existing Microsoft Windows feature to specify policy settings that are updated when the group policy object changes.

Edit the WinLogon/GPextensions in the Windows Registry, and set the NoGPOListChanges key to 1.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\{2893059c-1175-11d9-8088-00e018f97d4d

13.6.2 Group Policy Management Console Support

You can see the resultant set of single sign-on policy settings that apply to a particular user object when multiple SecureLogin group policies and organizational unit or user object setting are applied through the Microsoft’s Group Policy Management Console (GPMC), which now includes support for Resultant Set of Policy (RSOP).

NOTE:The GPMC must be installed on the administrative workstation where you want to see the resultant set of policies.

Resultant Set of Policy Settings

The Resultant Set of Policy (RSOP) is a feature of a group policy that makes the implementation, troubleshooting, and planning of group policies easier and allows you to plan how the group policy changes might affect a targeted user or computer or remotely verify the policies under effect on a specific computer.

When multiple group policy objects are applied to a given user or computer, the policy can often contain conflicting policy settings. For most policy settings, the final value of the setting is set only by the highest precedent Group Policy object that contains that setting.

RSOP assists directory administrators to understand and identify the final set of policies that are applied as well as settings that did not apply as a result of policy inheritance.

In this version of SecureLogin, you can see the final SecureLogin settings that apply to a user when he or she starts SecureLogin. You have the ability to do the following:

  • Retrieve the policy applied to the user object in the Microsoft Management Console.

  • Retrieve the policy applied to the user object in SLManager.

  • Define from which policy the setting is inherited.

13.6.3 Definition of a Group Policy Object

IMPORTANT:Group policy functionality is enabled only if it was selected during the installation of SecureLogin in Microsoft Active Directory mode. For more information, see the Installing and Configuring in an Active Directory Environment.

For more information about Group Policy Objects (GPOs), go to the Microsoft website.

Policy settings are stored in Group Policy Objects (GPOs). Settings for each GPO can be edited using the GPO Editor from within Microsoft’s Group Policy Management Console (GPMC).

When an administrator defines a SecureLogin GPO, they can now use the GPMC to add this group policy or edit and configure the SecureLogin settings.

13.6.4 Adding or Editing a Group Policy Object

Policy settings are stored in Group Policy object settings for each Group Policy object and can be edited using the Group Policy object editor from Microsoft (GPMC).

The group policy functionality is enabled during the installation of SecureLogin in Microsoft Active Directory mode. For more information, see Installing and Configuring in an Active Directory Environmentin the SecureLogin 9.1 Installation Guide.

When you define a SecureLogin Group Policy Object, administrative users can use the GPMC tool to add this group policy or edit and configure the SecureLogin settings.

13.6.5 Installing the GPMC Plug-In

With the Microsoft’s GPMC plug-in, you can manage core aspects of Group Policy object across enterprises.

For Microsoft Vista (or higher) customers, the GPMC snap-in is already integrated in to the operating system.

Existing Windows XP and Server customers can download the gpmc.msi installer package at the Microsoft website and install the Microsoft GPMC plug-in.

NOTE:After installation, the Group Policy tab that previously was on the Property pages of sites, domains, and organizational units in the Active Directory plug-in is updated to provide a direct link to GPMC. The functionality that previously existed on the Group Policy tab is no longer available because all functionalities for managing a Group Policy is available through the GPMC plug-in.

Managing Group Policy Objects through the GPMC

Use any of the following methods to open the GPMC plug-in directly:

  • Click Start > Programs > Administrative Tools > Active Directory Users and Computers. The Active Directory Users and Computers page is displayed.

  • In the navigation tree, right-click the appropriate organizational unit, then click Properties. The selected organizational unit page is displayed.

  • Click Group Policy, then click Open.

  • Click Start > Programs > Administrative Tools > Group Policy Management.

  • Click Start > Run. The Run page is displayed.

  1. At Open, type mmc.

  2. Click OK. The Management Console is displayed.

  3. Click File.

  4. Click Add/Remove Snap-in. The Add/Remove page is displayed.

  5. Click Add. The Add Standalone Snap-in page is displayed.

  6. Select Group Policy Management and then, click Add.

  7. Click Close. The Add Standalone Snap-in page is displayed.

  8. Click OK. The Group Policy Management page is displayed.

NOTE:When you launch the GPMC for the first time, it loads the forest and domain containing the user object logged in to the computer. You can then specify the forest and domain to be displayed.

When you close the GPMC, it automatically saves the last view and returns that view the next a user opens the console.

13.6.6 Retrieving a Policy Applied to the User Object in GPMC

The definition of the Group Policy Objects are defined by the administrator at the directory level, so changes can now be seen immediately at the OU, container or user object level, depending on the level where the group policies have been applied and the SecureLogin preferences applied.

These settings must follow the rules already defined of inheritance and precedence:

  • The Stop walking here preference

  • The Corporate Redirection setting

  • The Group Policy object settings and their priorities

  • The directory hierarchy settings

The precedence rules are respected and follow the rules already defined:

  • The deepest object in the tree has the precedence over any other higher-level object

  • The group policies have the lower precedence than all OUs and User objects.

As a consequence of all these processes, the administrator can now see the resultant set of the policies in the user object either through MMC interface or administrative management utilities.

The resultant set of policies are displayed in the bottom left hand corner of the SecureLogin Administration Management utility. They show from which Group Policy the current setting has been inherited.

NOTE:The retrieval of all SecureLogin configuration information is subject to both SecureLogin and native Directory access controls. In the unlikely circumstance that the user has rights to read a Group Policy object but the administrator does not, this system displays incorrect effective configuration information. This is because the administrator simply cannot access the same information as the user, and any mechanism for allowing this would introduce a security problem.

In this specific configuration, if SecureLogin has no way to retrieve the exact policy applied to the user object, then a message is displayed indicating that the information displayed does not correspond to the resultant set of policies applied to this user object. The message RSOP not available is displayed in the bottom left side of the Administration Management console.

13.6.7 Retrieving a Policy Applied to the User Object in SLManager

Because the definition of the Group Policy objects are performed by you at the directory level, any changes are now seen immediately at the OU, container, or the user object level.