3 Replies Latest reply: Oct 16, 2012 1:56 AM by reduakari RSS

    Best Practices/Successful Practices for Applying Rules to User Assignment Groups

    cweatherall

      I am testing out different methods of applying rules to users and just wanted to get some input on what others are doing.  Can't find any best practices, recommendations or methodologies for assigning policies. My scenario is this.  I have 300 users of which only 25 should be allowed to write to cd/dvd rom drives.  I created all of the pertinent device rules making the cd/dvd read only.  Here is where I am hitting a road block.

       

      Originally, I created a user assignment group that inlcuded "Everyone". This policy assignment applied all of my e-mail, printer, network and read only protection rules to everyone.  For the group of 25 users that I wanted to allow CD/DVD writing, I put them in a different user assignment group applying only the device rule for CD/DVD read only (my logic being, because they are a part of everyone, the other rules are already applied) and I chose toexlude the users from the selected CD/DVD read only rule.  It seemed to be working after some initial testing, then excluded users began to inform me that they could not write to cd, so I contacted support, I was told this method probably would not work because the most restrictive policy of setting the CD/DVD drive to read only would take effect when a user was in multiple user assignments.  I called this an ACTIVE exclusion, since I told the assignment specifically not to apply the rule to those users.

       

      Method two, the PASSIVE exclusion. I separated all of my cd writing users from my non cd writing users by AD groups.  So one user assignment is for non-writers, all protection rules are applied to the group.  The second user assignment is for CD/DVD writers, all protection rules are applied, except for the CD/DVD read only rule. So I am not using the exclusion to actively exclude users from the rule, I just chose not to select that rule for users in this group.

       

      So active, passive or a different approach altogether?  How are you all applying rules to user assignments?  Message was edited by: cweatherall on 2/2/11 6:34:22 PM CST

       

       

      Message was edited by: cweatherall on 2/2/11 6:35:09 PM CST