3. DeviceLock Group Policy Manager
Contents
1. OK Cancel Apply 4 Under Computer Configuration select SmartLine DeviceLock i Group Policy Rfs EE l Fie Action view Favorites Window Help 151 xl e ameg Computer Configuration C Software Settings J Windows Settings C Administrative Templates Not Configured Firewire port Not Configured g Smartline DeviceLock ir sired BE Service Options POPPY Not Configure amp Hard disk Not Configured DeviceLock Administrators pl Infrared port Not Configured BP Devices a Parallel port Not Configured Permissions F P 9 gg Auditing Removable Not Configured 2 USB White List Serial port Not Configured Devices Tape Not Configured Configured Not Configured gt g Security Settings Fei User Configuration Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 18 Alternatively you can start MMC and add the Group Policy snap in manually 1 Run mmc from the command line or use the Run menu to execute this command 2 Open the File menu and then click Add Remove snap in fn Console Console Root Action View Favorites Window Help New Ctrl N Open Ctrl 0 Save Ctrl S Save As There are no items to show in this view Add Remove Snap in Ctrl M Options 1 C download2. Container Operations Masters New gt All Tasks gt View gt New Window from Here Refresh Export List Properties Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 7 3 Click the Group Policy tab and then click New 4 Type the name that you want to call this policy for example DeviceLock Service distribution and then press ENTER Up DVT WeriCe Epp 5 Click Properties and then click the Security tab Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 6 Click on the Deny check box next to Apply Group Policy for the security groups that you want to prevent from having this policy applied Click on the Allow check box for the groups to which you want to apply this policy When you are finished click OK DeviceLock Service distribution Properties General Links Security Name P4RUSLAN NT4 SL2 P4RUSLAN NT4 m P4RUSLAN W2K SL2 P4RUSLAN W2K m P4SUPPORT SL2 P4SUPPORT m P4SUPPORT_NT SL2 P4SUPPORT_NT m P4SUPPORT_W2K aac all b Add Remove CO BW ee a ee Ee ee eau am amme a a a Permissions Allow Deny Full Control Read Write Create All Child Objects Delete All Child Objects Apply Group Policy fw Advanced OOoOoOO OOOOOO Cancel Apply Assign
3. DeviceLock does not need to have its own server based version to control the entire network instead it uses standard functions provided by the Active Directory Via Group Policy it is possible to Install DeviceLock Service on all the computers in a network Change DeviceLock s settings on every computer Control user access to devices and change permissions for an entire domain Please note that to manage DeviceLock via Group Policy you must have Active Directory properly installed and configured For more information about installing and configuring Active Directory please refer to the related Microsoft documentation Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 4 1 2 Applying Group Policy Policy is applied when the computer starts up When a user turns on the computer the system applies DeviceLock s policy Policy can be optionally reapplied on a periodic basis By default policy is reapplied every 90 minutes To set the interval at which policy will be reapplied use the Group Policy Object Editor For more information please refer to the Microsoft s Knowledge Base http support microsoft com default aspx scid kb en us 203607 Policy can also be reapplied on demand To refresh the current policy settings immediately on Windows XP and later administrators can call the goupdate exe force command line utility provided by Microsoft On Windows 2000
4. A parent has a value for a setting and a child does not A parent has a value for a setting and a child has a nonconflicting value for the same setting A parent has a value for a setting and a child has a conflicting value for the same setting If a GPO has settings that are configured for a parent Organizational Unit and the same policy settings are unconfigured for a child Organizational Unit the child inherits the parent s GPO settings That makes sense If a GPO has settings configured for a parent Organizational Unit that do not conflict with a GPO on a child Organizational Unit the child Organizational Unit inherits the parent GPO settings and applies its own GPOs as well If a GPO has settings that are configured for a parent Organizational Unit that conflict with the same settings in another GPO configured for a child Organizational Unit then the child Organizational Unit does not inherit that specific GPO setting from the parent Organizational Unit The setting in the GPO child policy takes priority although there is one case in which this is not true If the parent disables a setting and the child makes a change to that setting the child s change is ignored In other words the disabling of a setting is always inherited down the hierarchy Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 6 2 DeviceLock Service Deployment This step by step instruction de
5. Do not browse to the location Ensure that you use the UNC path to the shared folder 7 Click Open 8 Click Assigned and then click OK The package is listed in the right pane of the Group Policy window Deploy Software 21x Select deployment method Advanced published or assigned Select this option to Assign the application without modifications Cancel Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 10 9 Close the Group Policy snap in click OK and then quit the Active Directory Users and Computers snap in When the client computer starts DeviceLock Service is automatically installed gE Group Policy Iof x ent state Deplo amp DeviceLock Service a IF Assigned DeviceLock Service distribution sl_ 2 Computer Configuration Pa Software Settings Software installation H E Windows Settings SmartLine DeviceLock H Administrative Templates E Esi User Configuration H E Software Settings H E Windows Settings H E Administrative Templates Upgrade a Package If the previous version of DeviceLock Service was already deployed and you want to upgrade it to the new one 1 Start the Active Directory Users and Computers snap in 2 In the console tree right click your domain and then click Properties 3 Click the Group Policy tab select the group policy object that contains the old Device
6. Policy window right click the program point to All Tasks and then click Redeploy application The following message is displayed Redeploying this application will reinstall the application everywhere it is already installed Do you want to continue Click Yes Quit the Group Policy snap in click OK and then quit the Active Directory Users and Computers snap in Remove a Package To remove DeviceLock Service 1 2 Start the Active Directory Users and Computers snap in In the console tree right click your domain and then click Properties Click the Group Policy tab click the group policy object with which you deployed the package and then click Edit Expand the Software Settings container that contains the Software installation item with which you deployed the package Click the Software installation container that contains the package Inthe right pane of the Group Policy window right click the program Point to All Tasks and then click Remove Click Immediately uninstall the software from users and computers and then click OK Quit the Group Policy snap in click OK and then quit the Active Directory Users and Computers snap in Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 14 Please keep in mind Deployment occurs only when the computer starts up not on a periodic basis This prevents undesirable
7. a Package To assign DeviceLock Service to computers that are running Windows 2000 or later 1 Start the Active Directory Users and Computers snap in 2 In the console tree right click your domain and then click Properties 3 Click the Group Policy tab select the group policy object that you want and then click Edit 4 Under Computer Configuration expand Software Settings Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 5 Right click Software installation point to New and then click Package sl2 com Properties 2 xi nue eee i bisane MN Brann Poalien Action View gt lm ef 2 Name Version Deployment state_ Auto install__ Tree DeviceLock Service distribution sl_ B E Computer Configuration Software Settings Software installation C Windows Settings New Package amp SmartLine DeviceLock C Administrative Template User Configuration Refresh C Software Settings Windows Settings C Administrative Template Properties View Export List o ey JE Adds a package I Block Policy inheritance Apply Close Sancel 6 In the Open dialog box type the full Universal Naming Convention UNC path to the shared folder that contains the DeviceLock Service MSI package For example file server share DeviceLock Service msi IMPORTANT
8. administrators can call another command line utility provided by Microsoft secedit refreshpolicy machine_policy enforce When applying policy the system queries the directory service for a list of Group Policy Objects GPOs to process Each GPO is linked to an Active Directory container in which the computer or user belongs By default the system processes the GPOs in the following order local site domain then organizational unit Therefore the computer receives the policy settings of the last Active Directory container processed When processing the GPO the system checks the access control list ACL associated with the GPO If an access control entry ACE denies the computer access to the GPO the system does not apply the policy settings specified by the GPO If the ACE allows access to the GPO the system applies the policy settings specified by the GPO Note that application deployment occurs only during startup not on a periodic basis This prevents undesirable results such as uninstalling or upgrading an application that is in use However DeviceLock s policy settings are applied periodically Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 5 1 3 Standard GPO Inheritance Rules Any unconfigured settings anywhere in a GPO can be ignored since they are not inherited down the tree only configured settings are inherited There are three possible scenarios
9. results such as uninstalling or upgrading an application that is in use DeviceLock Service will be copied to the Windows system directory e g c winnt system32 if this service doesn t exist on the system If the service exists on this system but is too old DeviceLock Service will be copied to the directory of the old version and the old version will be replaced If DeviceLock Service is installed on an NTFS partition an installation routine protects the service s file by allowing only members of the Administrators group or the SYSTEM account to access this file An installation routine also protects DeviceLock Service by allowing only members of the Administrators group or the SYSTEM account to start stop or delete the service Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 15 3 DeviceLock Group Policy Manager 3 1 Installation DeviceLock Group Policy Manager can be installed on any computer running Windows 2000 XP or Windows Server 2003 DeviceLock Group Policy Manager includes DeviceLock Management Console that is similar to DeviceLock Manager It can be used to directly manage computers with running DeviceLock Service DeviceLock Management Console can be installed on the computer running Windows NT 4 but Microsoft Management Console had to be installed as well To download Microsoft Management Console for Windows NT 4 visit the Microsoft s website http Aw
10. trademark of SmartLine Inc 12 10 Click Add select the old DeviceLock Service package you want to upgrade click Uninstall the existing package then install the upgrade package and then click OK Add Upgrade Package DeviceLock Service fold 11 Click OK to close the Properties window close the Group Policy snap in click OK and then quit the Active Directory Users and Computers snap in When the client computer starts DeviceLock Service is automatically upgraded g Group Policy gs New Group Policy Object sl_s Computer Configuration Software Settings Windows Settings E8 SmartLine DeviceLoct Administrative Templal User Configuration Software Settings Windows Settings qim 13 Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc Redeploy a Package In some cases you may want to redeploy DeviceLock Service To redeploy a package 1 2 Start the Active Directory Users and Computers snap in In the console tree right click your domain and then click Properties Click the Group Policy tab click the group policy object with which you deployed the package and then click Edit Expand the Software Settings container that contains the Software installation item with which you deployed the package Click the Software installation container that contains the package Inthe right pane of the Group
11. Lock Service package and then click Edit 4 Under Computer Configuration expand Software Settings 5 Right click Software installation point to New and then click Package Tree New Group Policy Object s _ser 5 DeviceLock Service fold 5 J Assigned E a Computer Configuration 3 Software Settings a Windows Setting gy SmartLine Devic View gt J Administrative Te SS E User Configuration Refresh H E Software Setting Export List H E Windows Setting Adds a package Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 11 Properties Help 6 In the Open dialog box type the full Universal Naming Convention UNC path to the shared folder that contains the new DeviceLock Service MSI package For example file server share DeviceLock Service msi 7 Click Open 8 Click Assigned and then click OK The new package is listed in the right pane of the Group Policy window g Group Policy EH Computer Configuration B Software Settings L d ned Administrative Templates User Configuration 9 Right click the new package click Properties and then click the Upgrades tab DeviceLock Service Properties New Group HENGE Vv A EquITeED UpGTaGE Tor eristing packages Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered
12. SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 5 Select a Group Policy Object either from the Active Directory or a local computer and then click Finish Select Group Policy Object Welcome to the Group Policy Wizard Group Policy Objects can be stored in the Active Directory a A or on a local computer oe Use the Browse button to select a Group Policy Object Group Policy Object Remote computer sl_server2 Browse _ Allow the focus of the Group Policy Snap in to be changed when launching from the command line This only applies if you save the console 6 Click Close to close the Add Standalone Snap in window 7 Click OK to add the snap in Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 21 8 Expand the Computer Configuration container and then select SmartLine DeviceLock im Group Policy Console Root efault Domain Controllers Policy SEE Action View Favorites Window Help aB e C Console Root 3 Default Domain Controllers Policy sl_server2 sl 3 Bluetooth Not Configured a Computer Configuration Software Settings J Windows Settings C Administrative Templates 2 Smartline DeviceLock B Service Options DeviceLock Administrators BY Devices USB White List amp Permissions g Auditing Devices amp cb ROM S FireWire po
13. User Manual DeviceLock Management via Group Policy SmartLine Inc Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 1 Contents Using this Manual esccccccccccsisessccccacazccnetececcestncecseseteecceseiwpeceetinccuegess 3 1 General Information cncsnccce ieee oo acca eee 4 Test OWORVIGW ecco e scans os e nh Socata Dac anan tte a bogie acct staan ad 4 1 2 Applying Group PONCY cerier essin eaan aak 5 1 3 Standard GPO Inheritance Rules eee eeeees 6 2 DeviceLock Service Deployment esseesseeeseeeeeees 7 3 DeviceLock Group Policy Manager sssssesseeee 16 Sal AMStANAWOMN sirere iE eE a E Re Maecenas 16 Bee MI SACS e a e a E 17 Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 2 Using this Manual This manual assumes you re familiar with basic functions like click right click and double click and that you re familiar with the basics of the operating system you re using This manual also assumes that you have basic network knowledge as well as the ability to install a Local Area Network LAN We strongly recommend reading this manual very carefully and thoroughly This manual uses the following conventions a Italics for file names paths buttons menus and menu items a Bold Italics for notes and comments a Keyboard keys with a plus sig
14. ine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 22
15. n separating keys that you press simultaneously For example press Ctrl Alt Del to restart your computer Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 3 1 General Information 1 1 Overview In addition to the standard way of managing permissions via DeviceLock Manager DeviceLock also provides you with a more powerful mechanism permissions and settings can be changed and deployed via Group Policy in an Active Directory domain Group Policy enables policy based administration that uses Active Directory Group Policy uses directory services and security group membership to provide flexibility and support extensive configuration information Policy settings are created using the Microsoft Management Console MMC snap in for Group Policy System administrators can use system policies to control user and computer configurations from a single location on a network System policies propagate registry settings to a large number of computers without requiring the administrator to have detailed knowledge of the registry Tighter integration into the Active Directory is a very important function of DeviceLock It makes DeviceLock s permissions management and deployment easier for large networks and more convenient for system administrators Integration into the Active Directory eliminates the need to install more third party applications for centralized management and deployment
16. rt Floppy Hard disk P Infrared port wy Parallel port Removable F Serial port Tape CSUSB port Y WiFi Configured Not Configured Not Configured Not Configured Not Configured Not Configured Configured Not Configured Not Configured Configured Not Configured 3 Security Settings User Configuration sl_server2 sl1 smart There is no difference between the procedure for defining DeviceLock s permissions and audit rules in DeviceLock Manager and in DeviceLock Group Policy Manager Just select a device type and set permissions and or audit rules for it as described in the DeviceLock Manual pdf document If you want to disallow changing permissions and audit rues for individual computers without the GPO editor enable Override Local Policy in Service Options It enables the Group Policy mode for all the computers in GPO such that the Local Policy mode can t be enabled for these computers NOTE In order to change DeviceLock s permissions and settings via Group Policy DeviceLock Service must be installed and started on all the computers belonging to the GPO For more information about service installation please read the DeviceLock Service Deployment section of this document Also don t forget that Group Policy is reapplied on a periodic basis by default every 90 minutes so your changes do not take effect immediately For more information read the Applying Group Policy section Copyright 1997 2006 SmartL
17. s Group Policy msc 2 C AWINDOWS compmamt msc 3 DeviceLock Management msc 4 DeviceLock Management msc Exit Adds or removes individual snap ins 3 Click the Standalone tab and then click Add Add Remove Snap in Standalone Extensions Use this page to add or remove a standalone Snap in from the console Snap ins added to Ee Console Root v Bi Description Remove About Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 19 4 Select Group Policy from the list then click Add i Console1 Console Root rA NOM Add Remove Snap in Standalone Use this page to add or remome SOR CUTE en STE TE Snap ins added to Available Standalone Snap ins Snap in Vendor amp Disk Defragmenter Microsoft Corp Executive Eo Disk Management Microsoft and VERITAS Sc al Event Viewer Microsoft Corporation Folder Microsoft Corporation Group Policy Microsoft Corporation Indexing Service Microsoft Corporation Inso a IP Security Monitor Microsoft Corporation a IP Security Policy Management Microsoft Corporation S Link to Web Address Microsoft oe E lt iij gt Description Description This snap in allows you to edit Group Policy Objects which can be linked to a Site Domain or Organizational Unit in the Active Directory or stored on a computer Remo Yi T _oee_ Copyright 1997 2006
18. scribes how to use Group Policy to automatically distribute DeviceLock Service to client computers DeviceLock Service can be deployed in an Active Directory domain using the Microsoft Software Installer MSI package DeviceLock Service msi NOTE Microsoft Windows Group Policy automated program installation requires client computers that are running Windows 2000 or later You can use Group Policy to distribute DeviceLock Service by using the following steps Create a Distribution Point To install DeviceLock Service you must create a distribution point on the server 1 Log on to the server computer as an administrator 2 Create a shared network folder in which to place the MSI package 3 Set permissions on the share to allow access to the distribution package 4 Copy the MSI package DeviceLock Service msi to the distribution point Create a Group Policy Object To create a Group Policy object GPO with which to distribute DeviceLock Service 1 Start the Active Directory Users and Computers snap in 2 In the console tree right click your domain and then click Properties Ig Console Window Help lal xi Tree Opens prope sl2 com 5 objects builtinDomain Delegate Control Find Connect to Domain ters Container Controllers Organizational Unit SecurityPrincipals Container Connect to Domain Controller
19. tive Directory Users and Computers i Console Window Help pea pes Tree sl2 com 5 objects 3 Active Directory Users and Computer Name i y O Type AR ili builtinDomain H E Delegate Control ters Container g Find Controllers Organizational Unit H E Connect to Domain SecurityPrincipals Container HCF Connect to Domain Controller Container l Operations Masters New gt All Tasks gt View gt New Window from Here Refresh Export List Opens prope Properties Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 3 Click the Group Policy tab select the group policy object that you want and then click Edit If you wish to create the new group policy object click Add amp Active Directory Users and Computers ioj x le Console Window PYAS E a ELE 20x Tree General Managed By Group Policy 73 Active Directory Users gp sl2 com Builtin E Computers E Domain Contre E ForeignS ecurit Users Current Group Policy Object Links for sl2 eS Group Policy Object Links No Override Disabled ah Default Domain Policy v A A Group Policy Objects higher in the list have the highest priority This list obtained from sl_server2 sl2 com New a Options Delete Prat Down I Block Policy inheritance
20. ww microsoft com downloads details aspx familyid 3F620A07 C996 4A8 1 AAD8 30134A43EC468 amp displaylang en To install DeviceLock Group Policy Manager run Setup setup_gp exe DeviceLock Group Policy Manager installs to the directory of your choice Setup tries to find a DeviceLock Group Policy Manager installation and if one exists Setup suggests you install DeviceLock Group Policy Manager to the same directory If a previous installation does not exist Setup suggests you install DeviceLock Group Policy Manager to the Program Files directory on the system drive e g C Program Files DeviceLock Group Policy Manager You can select another directory for installation After a successful install you can open DeviceLock Group Policy Manager by running the Windows Group Policy Object editor To run DeviceLock Management Console select the DeviceLock Management Console item from the Programs menu Copyright 1997 2006 SmartLine Inc All rights reserved DeviceLock is a registered trademark of SmartLine Inc 16 3 2 Usage You can use DeviceLock Group Policy Manager to control DeviceLock s permissions and settings via Group Policy in an Active Directory domain DeviceLock Group Policy Manager integrates into the Group Policy Object GPO editor To open DeviceLock Group Policy Manager 1 Start the Active Directory Users and Computers snap in 2 Inthe console tree right click your domain and then click Properties amp Ac
Download Pdf Manuals
Related Search