
Propagate Policies down AD tree

Hello

We have Enterprise Console synchronized with Active Directory and, just like Group Policy in AD, we would like to apply certain policies high up in the tree and propagate these down into the different OUs.

There doesn't seem to be an option when editing the group policy details in Enterprise Console to apply the policy on all sub groups. Is there a way to do this?

  • Hello kenclarke,

    As you noticed, there isn't. A newly created group (whether created manually or "by sync") gets its policy settings copied from the parent. This has been on the wish-list for a long time, but if you think about it, it can be rather complicated. You might have one or more groups "down the tree" which you don't want to receive a different policy.

    You could consider creating several syncpoints "lower down". Note that you can usually break and reinstate sync without adverse effects on the clients.

    Christian 

  • Hi Christian,

    Yes you're quite right, if you want a complex tree then different policies may be necessary but it would be nice to have a "force all below to have the same policy" button there.

    What do you mean by syncpoints?

  • What do you mean by syncpoints?

    I assumed you're using Synchronize with AD. I get it that you just used Import from AD. Now depending on your structure and the number of different policies you intend to use it might be easier to set up a new structure and (re-)import from AD.

    OldTree
    - OU1 (Policy A)
    -- OU1.1
    --- OU1.1.1
    -- OU1.2
    - OU2 (Policy B)
    -- OU2.1
    -- OU2.2

    NewTree
    - OU1.A
    - OU2.B

    Assuming you imported your structure at OldTree. Now you want to use Policy A for all OUs under OU1 and Policy B for OU2. So instead of setting the policy for each sub-OU, create NewTree with two subgroups, assign the desired policies and then import the OU1 subtree to OU1.A and the OU2 subtree to OU2.B.

    HTH

    Christian

  • We are using Synchronize with AD... but I don't know what these syncpoints are?

  • You can synchronize with multiple OUs within the AD structure. This is how we're doing it.

    With respect to the OP, to get around the limitation in the software I have had to create new policies, and then destroy my group (and sync point) and then recreate them from scratch. This has the effect of propagating a new policy through the AD syncpoint and below, but it is cumbersome. This should be a priority for Sophos to fix.

  • If you are using Synchronize with AD the "syncpoints" are the groups (one or more) with the "green folder with clock" symbol (the "green folder with lock" are the subgroups which you can assign different policies to but otherwise not modify). Right clicking you can view the synchronized AD container and view/change interval and automatic protection.

    Modifying my example let's assume OU1 and OU2 are under TopOU and right now this is the one sync'ed at the OldTree syncpoint. I suggest you remove the synchronization in OldTree, create the group NewTree with subgroups OU1.A and OU2.B and sync these with OU1 and OU2 respectively. The other option is to re-use the structure left behind after removing the syncpoint. Delete all groups under OU1 and OU2 (this is important), apply the desired policies to OU1 and OU2 and re-sync group OU1 with OU=OU1,OU=TopOU,.... and OU2 with OU=OU2,....

    Christian

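
The restructuring Christian describes, as an added example that is not from the thread or from Sophos: a small Python model that, given the OU tree and the OUs where a distinct policy is wanted, lists the sync points needed (one per policy boundary, since subgroups below a sync point can only inherit), the container DN each should be synchronised with, and the effective policy of every OU. The OU names, policy names and the `DC=example,DC=com` suffix are constructed for the example.

```python
"""Added example (not Sophos code). Models an AD OU tree synchronised into
Enterprise Console groups: every subgroup under a sync point inherits that
sync point's policy, and the only way to change policy lower down is another
sync point. Given the OUs where a distinct policy is wanted, derive the sync
points (one per policy boundary), the DN to sync each with, and the effective
policy of every OU. Names and the DC suffix are constructed for the example."""

# Constructed tree from the thread: child OUs keyed by parent OU name.
TREE = {
    "TopOU": ["OU1", "OU2"],
    "OU1": ["OU1.1", "OU1.2"],
    "OU1.1": ["OU1.1.1"],
    "OU1.1.1": [],
    "OU1.2": [],
    "OU2": ["OU2.1", "OU2.2"],
    "OU2.1": [],
    "OU2.2": [],
}
DOMAIN_DN = "DC=example,DC=com"   # assumed domain suffix, not from the thread


def plan_syncpoints(tree, root, wanted):
    """wanted maps OU -> policy name for the OUs that must get that policy.
    Returns (effective {OU: policy or None}, [(sync OU, policy, DN)]).
    An OU whose effective policy is None is not covered by any sync point."""
    effective, syncpoints = {}, []

    def walk(ou, inherited, dn):
        policy = wanted.get(ou, inherited)
        if policy != inherited:          # policy boundary: needs its own sync point
            syncpoints.append((ou, policy, dn))
        effective[ou] = policy
        for child in tree.get(ou, []):
            walk(child, policy, f"OU={child},{dn}")

    walk(root, None, f"OU={root},{DOMAIN_DN}")
    return effective, syncpoints


if __name__ == "__main__":
    # Policy A for everything under OU1, Policy B for everything under OU2.
    eff, points = plan_syncpoints(TREE, "TopOU", {"OU1": "Policy A", "OU2": "Policy B"})
    for ou, policy, dn in points:
        print(f"sync group {ou} with {dn} -> {policy}")
    print("not covered by any sync point:", [ou for ou, p in eff.items() if p is None])
```

Adding `"TopOU": "Default"` to `wanted` reproduces the original OldTree layout, where the top sync point covers TopOU's own computers and OU1/OU2 become additional sync points beneath it.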