Silverss05, you would need 2 user groups and 2 rules to perform this.
Assume you want to make all users read only except the IT admins group.
Include Everyone, exclude IT Admins
Include IT Admins
Your 2 rules are:
Include CD/DVD, Action - read only, Action - monitor, include Group 1
Include CD/DVD, Action - monitor, include Group 2
copied from tonyw
I want to allow "domain users" read only access, and allow another group "MediaBurners" the ability to burn.
Group 1: Domain Users
Include Domain Users, exclude MediaBurners
Group 2: MediaBurners
Read-Only CD/DVD, Action - read only & monitor, include Group 1
Allow CD/DVD Burning, Action - monitor, include group 2 (MediaBurners)
Does this sound correct?
That is correct.
Yes that does sound correct. And you have your device definition for the rule set to DVD/CD ?
FYI there was one thing I noticed lately and haven't had time to look it up to see if its just me or not.
I had a security group that was domain local. When I put it into a UAG it didn't apply a policy agaisn't the people in the security group. I am not sure why. But if you want to see if the people you have in the UAG have the policy applied agaisn't them.
Find the system then click on the products tab then select DLP. Scroll down and see if you see the policy rule name applied against that system that has someone logged into it.
I was one of the people in this security group I was testing, then I added my username directly inside the same UAG, then it was being applied to my system.
I have a similar issue to this as well. I have set up Domain Admins group as a privileged user group and set to override all. The settings don't seem to be applying to the group, but if I add a user from within the domain admin group individually the settings apply...
You might want to check to see if the end user's machine is showing the correct SID for the domain admin group you've applied it to by using gpresult or whoami commands. KB75675 linked below provides some outlines for this.
tonyw I am not sure how the users system SID would matter when using UAG-User assignment groups ??
ooo wait, after reading your link, you mean if they where just added to the group they would need to log off then back in.....right following you there
silverss05 I will test more this week, but so far I have only noticed it if the security group is DOMAIN LOCAL.
The "gpresult" command will list the AD groups for the machine while the "whoami /groups" will list the AD groups and their corresponding SID.
Under the UAG definition, you are provided the option to Identify LDAP objects using either SID or Name. SID is the default. In some environments I've seen user groups in AD not assign properly so the assigned UAG will never enforce. Gpresult and whoami will show if the local machine has the AD assignment.