Answer
During the installation of EndPointSecurity the installer will ask if you want it to create Active Directory groups to be used in the product. This is intended as a convenience but can cause confusion when creating and administering your policies. The reason is that the installer adds a separate group for each category (10) and port (8). You then have to go to Active Directory and add each user to each of the different groups that correspond to the access permissions you would like that user to have. If you have hundreds of users, this is very time consuming, and troubleshooting is hard because working out the resultant permissions for a user can be confusing.
It is recommended that you set up a separate Active Directory Security Group for each level of access and then add a permission for that group that includes all devices that you are controlling.
For example:
1. If GFI EndPointSecurity has already created Active Directory groups and has added them to your policy, remove all the permissions in the policies created by EndPointSecurity and, using Active Directory Users and Computers, remove all Active Directory Security Groups that GFI EndPointSecurity has created.
2. Create one Active Directory Security Group (it must be a 'Security Group') for the group of users you want to give the most restrictive access to. Call it 'GFI_ESEC_NormalUsers', for instance.
3. In the 'Policy Security Permissions' section, add a permission, choose all devices that you are controlling and choose the 'GFI_ESEC_NormalUsers' group.
4. Configure the group permissions for each device type accordingly (e.g. if you do not want them accessing USB drives, choose 'No Access' for Storage devices).
5. If you have another, less restrictive group, create another Security Group. Call it 'GFI_ESEC_Managers', for instance.
6. Complete step 4 for this new group.
7. Add more security groups and configure them accordingly.
8. Add each user to only one of the security groups (Note: if a user is added to more than one group, the most restrictive permission will result).
9. If you have particular users whose permissions have to be specified individually, don't add them to any security group. Instead, add a permission directly for the user in the policy.
10. Deploy the policy to a test machine. Have users from the different groups log in and ensure the policy is working as designed.
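The following PowerShell script is an added example, not part of this article or GFI's own tooling, showing the Active Directory side of the procedure above: it creates the per-access-level security groups, puts each user in exactly one of them, and then audits for users who ended up in more than one GFI_ESEC_* group (the case where the most restrictive permission silently wins). It assumes the RSAT ActiveDirectory module is available; the OU path, the user names and the group-to-user assignments are constructed for the example and must be replaced with your own.

```powershell
# Added example (not GFI's code): one AD security group per access level,
# each user in exactly one group, plus an audit for multi-group membership.
# Assumes the RSAT ActiveDirectory module is installed on the admin workstation.
Import-Module ActiveDirectory

# Assumed OU for the EndPointSecurity groups; adjust to your domain.
$TargetOU = 'OU=GFI_ESEC,DC=example,DC=com'

# Access levels, most restrictive first (names taken from the article).
$AccessGroups = @{
    'GFI_ESEC_NormalUsers' = 'EndPointSecurity: most restrictive device access'
    'GFI_ESEC_Managers'    = 'EndPointSecurity: less restrictive device access'
}

foreach ($name in $AccessGroups.Keys) {
    # Idempotent: only create the group if it does not already exist.
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$name'")) {
        New-ADGroup -Name $name -SamAccountName $name `
                    -GroupCategory Security -GroupScope Global `
                    -Path $TargetOU -Description $AccessGroups[$name]
    }
}

# Constructed user-to-group assignment: each account appears under one group only.
$Assignments = @{
    'GFI_ESEC_NormalUsers' = @('jdoe', 'asmith')
    'GFI_ESEC_Managers'    = @('bjones')
}
foreach ($group in $Assignments.Keys) {
    Add-ADGroupMember -Identity $group -Members $Assignments[$group]
}

# Audit: a user who is (directly or via nesting) a member of more than one
# GFI_ESEC_* group receives the most restrictive permission, which is exactly
# the hard-to-troubleshoot situation the article warns about.
function Get-GfiEsecGroupConflicts {
    $membership = @{}
    foreach ($g in Get-ADGroup -Filter "SamAccountName -like 'GFI_ESEC_*'") {
        $members = Get-ADGroupMember -Identity $g -Recursive |
                   Where-Object { $_.objectClass -eq 'user' }
        foreach ($m in $members) {
            if (-not $membership.ContainsKey($m.SamAccountName)) {
                $membership[$m.SamAccountName] = @()
            }
            $membership[$m.SamAccountName] += $g.SamAccountName
        }
    }
    foreach ($user in $membership.Keys) {
        if ($membership[$user].Count -gt 1) {
            [pscustomobject]@{
                User   = $user
                Groups = ($membership[$user] -join ', ')
            }
        }
    }
}

# Review this list before deploying the policy to the test machine (step 10);
# an empty result means every user maps to a single access level.
Get-GfiEsecGroupConflicts | Format-Table -AutoSize
```

The audit uses `-Recursive` deliberately: a user nested into a second GFI_ESEC_* group through some other group membership is just as subject to the "most restrictive permission wins" rule as one added directly, and that indirect path is the one most often missed when troubleshooting.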