Rules for assigning and analyzing policies

The management and analysis of policies is carried out according to the rules described in this section.

Definitions

The policy's origin decides whether it is a user or computer policy. A user object "brings" a user policy, while a computer "brings" a computer policy. The same policy can be a computer or a user policy, depending on the perspective.

  • User policy

    Any policy provided by the user for analysis. If a policy reaches an object only through a user, the computer-related settings of that policy are not applied; the default values apply instead.

  • Computer policy

    Any policy provided by the computer for analysis. If a policy reaches an object only through a computer, the user-specific settings of that policy are applied as well. A computer policy therefore represents a policy for all users of that computer.

Assign and activate policies

To enable a policy to be implemented for a user or computer, you need to assign it to a container object (root nodes, domain, OU, BuiltIn container or workgroup). Assignment alone is not enough: the policy must also be activated for the user or computer. When you assign a policy anywhere in the hierarchy, it is activated automatically for all computers (Authenticated Computers) and all users (Authenticated Users). Every user and every computer is a member of these two groups.

Policy inheritance

Policies are passed on only between container objects. Within a container, policies are activated at group level; a group contains no further container objects. Inheritance between groups is not possible.

Policy inheritance hierarchy

Where policies are assigned along a hierarchy chain, the policy closest to a target object (user or computer) is the highest ranking. This means that, as the distance to the target object increases, a policy will be superseded by any policies that are closer.

Direct assignment of policies

The user or computer obtains a policy which is assigned directly to the container object in which it is located (membership of a group located in another container object is not sufficient). The container object did not inherit this policy.

Indirect assignment of policies

The user or computer obtains a policy which the container object it is located in (membership of a group located in another container object is not sufficient) has inherited from a higher-ranking container object.

Activate/deactivate policies

For a policy to be effective for a computer/user, it has to be activated at group level (policies can only be activated at group levels). It makes no difference if this group is in the same container object or not. All that matters is that the user or computer has been directly or indirectly (through inheritance) assigned to the policy.

If a computer or user is outside an OU or inheritance line and is a member of a group which is inside this OU, the activation does not apply to this user or computer, because there is no valid policy assignment (direct or indirect) for it. The group was indeed activated, but an activation can only apply to users and computers for which there is also a policy assignment. This means that the activation of policies cannot cross container boundaries if there is no direct or indirect policy assignment for that object.

A policy becomes effective when it has been activated for user groups or computer groups. First the user groups and then the computer groups are analyzed (Authenticated Users and Authenticated Computers are also groups). Both results are OR-linked. If this OR-link gives a positive value for the computer/user relationship, the policy applies.

Note If more than one policy is active for an object, the individual policies are, while complying with the rules described, merged. This means that the actual settings for an object can be composed of multiple different policies.

A group can have the following activation settings:

  • Activated

    A policy has been assigned. The group is displayed in the activation area of the SafeGuard Management Center.

  • Not activated

    A policy has been assigned. The group is not in the activation area.

If a policy is assigned to a container, the activation setting for a group (activated) determines whether that policy for that container feeds into the calculation of the resulting policy.

Inherited policies cannot be controlled by these activations. To stop a more global policy from being effective in a more local OU, Block policy inheritance would have to be set at that OU.

User/group settings

Policy settings for users (shown in black in the SafeGuard Management Center) take priority over policy settings for computers (shown in blue in the SafeGuard Management Center). If user settings are specified in a policy for computers, those settings are overridden by the policy for the user.

Note Only the user settings are overridden. If a policy for users also includes computer settings (shown in blue), they are not overridden by a user policy!

Example 1:

If password length 4 has been defined for a computer group and the user group is assigned value 3 for the same setting, this user is subject to password length 3 on a computer in the computer group.

Example 2:

If a server interval of 1 minute is defined for a user group and the value 3 for a computer group, value 3 is used, because the server interval is a computer setting and the value 1 minute was defined in a policy for users.
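The two examples above follow from one rule: the kind of the setting (user setting in black, computer setting in blue) decides which policy supplies it. The following model is an added illustration and not SafeGuard code; the setting names, their kinds and the default values are assumptions made for the example.

```python
"""Model of how user and computer policy settings are merged (added example)."""

# Assumed for this example: which kind each setting is, and its default value.
SETTING_KIND = {
    "password_length": "user",      # user setting (shown in black)
    "server_interval": "computer",  # computer setting (shown in blue)
}
DEFAULTS = {"password_length": 8, "server_interval": 60}


def resolve_settings(user_policy: dict, computer_policy: dict) -> dict:
    """Return the effective settings for a user logged on to a computer.

    user_policy:     settings of the policy brought by the user object
    computer_policy: settings of the policy brought by the computer object
    """
    effective = dict(DEFAULTS)
    for name, kind in SETTING_KIND.items():
        if kind == "user":
            # A computer policy is a policy for all users, so its user
            # settings apply ...
            if name in computer_policy:
                effective[name] = computer_policy[name]
            # ... unless the user policy defines the same setting; the
            # user policy then overrides it.
            if name in user_policy:
                effective[name] = user_policy[name]
        else:
            # Computer settings are taken from the computer policy only. A
            # computer setting defined in a policy for users is not applied,
            # so the default stays in force if the computer policy lacks it.
            if name in computer_policy:
                effective[name] = computer_policy[name]
    return effective


def examples() -> dict:
    """Constructed inputs reproducing Example 1 and Example 2 from the text."""
    return {
        # Example 1: computer group says 4, user group says 3 -> user setting, 3 wins
        "example_1": resolve_settings({"password_length": 3}, {"password_length": 4}),
        # Example 2: user group says 1, computer group says 3 -> computer setting, 3 wins
        "example_2": resolve_settings({"server_interval": 1}, {"server_interval": 3}),
        # A computer setting that only a user policy defines falls back to the default
        "user_only_computer_setting": resolve_settings({"server_interval": 1}, {}),
        # A user setting defined only in the computer policy applies to every user
        "computer_only_user_setting": resolve_settings({}, {"password_length": 4}),
    }


if __name__ == "__main__":
    for label, result in examples().items():
        print(label, result)
```

The fourth case is the counterpart of the first note in this section: because a computer policy stands for all users, its user settings do apply, and only a user policy that defines the same setting can override them.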

Contradictory encryption policies

Two policies (P1 and P2) are created. File-based encryption for drive E:\ was defined for P1, and volume-based encryption for drive E:\ was defined for P2. P1 is assigned the OU FBE-User and P2 the OU VBE-User.

Case 1: A user from OU FBE-User logs on first to the Client W7-100 (container computer). Drive E:\ is encrypted with file-based encryption. If a user from the OU VBE-User then logs on to Client W7-100, drive E:\ will be encrypted with volume-based encryption. If both users have the same key, both can access the drives or files.

Case 2: A user from OU VBE-User logs on first to the computer W7-100 (container computer). The drive is encrypted with volume-based encryption. If, now, a user from OU FBE-User logs on and has the same key as users from OU VBE-User, drive E:\ will be encrypted with file-based encryption within the volume-based encryption (the volume-based encryption is kept). However, if the user from OU FBE-User does not have the same key, they cannot access drive E:\.

Priority within an assignment

Within an assignment, the policy with the highest priority (1) ranks above a policy with a lesser priority.

Note If a policy with a lesser priority, but with the property No Override is assigned to the same level as a higher ranking policy, this policy will take priority despite its lower ranking.

Priority within a group

Within a group, the policy with the highest priority (1) ranks above a policy with a lesser priority.

Status indicators

Setting status indicators allows the standard rules for policies to be changed.

  • Block policy inheritance

    Set for containers for which you do not want higher-ranking policies to apply (right-click the object in the Properties navigation window).

    If you do not want a container object to inherit a policy from a higher object, select Block Policy Inheritance to prevent this. If Block Policy Inheritance has been selected for a container object it will not be affected by higher-ranking policy settings (exception: No Override activated when policy was assigned).

  • No Override

    Set during the assignment process; a policy with this property cannot be overridden by another policy.

    The further away the policy assignment with No Override is from the target object, the stronger the effect of this policy will be for all the lower-ranking container objects. This means that a higher-ranking container subject to No Override overrides the policy settings of a lower-ranking container. So, for example, a domain policy can be defined whose settings cannot be overridden, even if Block policy inheritance has been set for an OU!

    Note If a policy with a lesser priority but which has been designated No Override is assigned to the same level as a higher ranking policy, this policy will take priority despite its lower ranking.
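The rules in this section (closest container wins, priority 1 ranks highest within a container, No Override grows stronger the further up it is set, Block policy inheritance drops everything from above except No Override policies, and only activated assignments count) can be written down as one ranking function. The model below is an added example, not SafeGuard's implementation; the container names, policy names and settings are constructed for the illustration, and the relative order of two No Override policies at different levels follows the "further away is stronger" statement above.

```python
"""Model of policy resolution along a container chain (added example)."""
from dataclasses import dataclass, field


@dataclass
class Assignment:
    policy: str
    settings: dict
    priority: int = 1        # 1 is the highest priority within a container
    no_override: bool = False
    activated: bool = True   # activation for Authenticated Users/Computers is automatic


@dataclass
class Container:
    name: str
    assignments: list = field(default_factory=list)
    block_inheritance: bool = False  # "Block policy inheritance" set on this container


def ranked_assignments(chain: list) -> list:
    """chain: containers from the root down to the one holding the target object.

    Returns the assignments that reach the target, highest ranking first.
    """
    reaching = []  # (depth, assignment) pairs that are passed on to the target
    for depth, container in enumerate(chain):
        if container.block_inheritance:
            # Everything inherited from above is dropped, except No Override policies.
            reaching = [(d, a) for d, a in reaching if a.no_override]
        for a in container.assignments:
            if a.activated:  # assignment without activation is not enough
                reaching.append((depth, a))

    def rank(item):
        depth, a = item
        if a.no_override:
            # No Override policies rank first; the farther from the target
            # (smaller depth), the stronger. Priority breaks ties at one level.
            return (0, depth, a.priority)
        # Ordinary policies: closest to the target (largest depth) first,
        # then by priority within the same container.
        return (1, -depth, a.priority)

    return [a for _, a in sorted(reaching, key=rank)]


def effective_settings(chain: list) -> dict:
    """Merge the ranked policies; the first policy to define a setting wins."""
    merged = {}
    for a in ranked_assignments(chain):
        for name, value in a.settings.items():
            merged.setdefault(name, value)
    return merged


def demo() -> dict:
    """Constructed scenarios, one per rule; returns the resulting settings."""
    domain = Container("domain", [Assignment("P-domain", {"x": "domain"})])
    ou_a = Container("OU-A", [Assignment("P-A", {"x": "a", "y": "a"})])
    ou_b = Container("OU-B", [
        Assignment("P-B1", {"y": "b1", "z": "b1"}, priority=2),
        Assignment("P-B2", {"z": "b2"}, priority=1),
    ])
    chain = [domain, ou_a, ou_b]
    results = {}
    # Closest container wins; within OU-B, priority 1 beats priority 2.
    results["closest_wins"] = effective_settings(chain)
    # Block policy inheritance on OU-B: P-domain and P-A no longer reach it.
    ou_b.block_inheritance = True
    results["blocked"] = effective_settings(chain)
    # No Override on the domain policy passes the block and beats closer policies.
    domain.assignments[0].no_override = True
    results["no_override"] = effective_settings(chain)
    # Same level: the lower-priority policy with No Override wins over priority 1.
    ou_b.assignments[0].no_override = True
    results["same_level"] = effective_settings(chain)
    # An assignment that is not activated does not apply at all.
    ou_c = Container("OU-C", [Assignment("P-C", {"w": "c"}, activated=False)])
    results["not_activated"] = effective_settings([ou_c])
    return results


if __name__ == "__main__":
    for label, settings in demo().items():
        print(label, settings)
```

Reading the scenarios in order shows each indicator changing exactly one outcome: the block removes "x" from the result, No Override on the domain policy brings "x" back with the domain's value even though the block is still set, and at the same level a No Override policy of priority 2 takes "z" away from the priority 1 policy.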