
Device Control Policies and AD Containers

We currently have an AD structure that organizes PCs by department and then has a subcontainer for USB exception. We currently control USB policies by group policy, but would like to switch over to Sophos Device Control to get more granular with device type/SN. If we have a device control policy to block at the department level, does the device control policy to allow (the subcontainer level) get superseded by the one to block?



  • Hello Nansterz,

    each console group (no matter how it has been created, whether it is synched or not) has its own set of policy assignments. At subgroup creation time these are set to the parent's.

    Please note that changes to a policy apply to all groups using this policy while applying a different policy does not propagate to subgroups.

    HTH

    Christian

  • So if I understand you correctly, you're saying it would be better for me to re-structure the AD groups.

  • Hello Nansterz,

    "re-structure the AD groups" {and in the first post} "AD structure that organizes PCs by department and then has a subcontainer for USB exception"

    hm, I'm not sure if I understand you correctly (and apart from this there are some details to be filled out):

    Your current AD structure groups the computers by department and each department (at least where required) has a subgroup for exceptions - is that so? Not explicitly stated but to me it sounds like the SEC groups mirror the AD structure - do they? If so, then you should be fine. The "common" computers from the Department X OU would be in SEC group DeptX to which you assign a block policy. The computers in the subcontainer would go to DeptX-Ex which has a policy with exceptions. Please note that the policies are completely independent - policies are neither merged nor is more than one policy (of the same type) applied to a computer.

    Christian 

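The assignment rules Christian describes (a subgroup copies its parent's assignment at creation time, editing a policy reaches every group that uses it, re-assigning a parent does not propagate to existing subgroups, and exactly one device-control policy applies to a computer with no merging) are easy to get wrong when you expect group-policy-style inheritance. The following is an added example, not code from the thread and not a Sophos API; it is a plain Python model of those rules. The group names, policy names and USB serial numbers are constructed for illustration, and the `DevicePolicy.permits` check is a simplification of real device control (which also matches on device type and so on).

```python
"""Model of how per-group device-control policy assignment behaves.

Added illustration, not Sophos code: each console group holds a reference to
one policy object; nothing is merged and nothing is inherited at lookup time.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DevicePolicy:
    name: str
    allow_usb: bool                      # True = unrestricted USB storage
    allowed_serials: set = field(default_factory=set)  # exceptions by serial number (assumed)

    def permits(self, serial: str) -> bool:
        # Simplified check: unrestricted, or the serial is on this policy's exception list.
        return self.allow_usb or serial in self.allowed_serials


@dataclass
class Group:
    name: str
    policy: DevicePolicy                 # the one device-control policy assigned to this group
    parent: Optional["Group"] = None
    children: list = field(default_factory=list)

    def create_subgroup(self, name: str) -> "Group":
        # Rule: at creation time the subgroup's assignment is set to the parent's
        # (same policy object, so later edits to that policy reach both).
        child = Group(name, self.policy, parent=self)
        self.children.append(child)
        return child

    def assign_policy(self, policy: DevicePolicy) -> None:
        # Rule: assigning a different policy changes this group only; subgroups keep theirs.
        self.policy = policy


def effective_policy(group: Group) -> DevicePolicy:
    # Rule: exactly one policy of a type applies; no walk up the tree, no merge with the parent.
    return group.policy


def usb_permitted(group: Group, serial: str) -> bool:
    return effective_policy(group).permits(serial)


def scenario() -> dict:
    """Walk through the thread's case: block at DeptX, allow exceptions in DeptX-Ex."""
    results = {}
    block = DevicePolicy("Block all USB", allow_usb=False)
    dept = Group("DeptX", block)
    ex = dept.create_subgroup("DeptX-Ex")   # starts out with the parent's block policy
    results["subgroup_starts_blocked"] = not usb_permitted(ex, "SN-1234")

    # Assign an exceptions policy to the subgroup only. The parent's block policy does not
    # supersede it, because only the subgroup's own assignment is consulted.
    exceptions = DevicePolicy("DeptX USB exceptions", allow_usb=False, allowed_serials={"SN-1234"})
    ex.assign_policy(exceptions)
    results["subgroup_allows_listed_serial"] = usb_permitted(ex, "SN-1234")
    results["subgroup_blocks_other_serial"] = not usb_permitted(ex, "SN-9999")
    results["parent_still_blocks"] = not usb_permitted(dept, "SN-1234")

    # Editing a policy reaches every group that uses it, and only those groups.
    block.allowed_serials.add("SN-0001")
    results["policy_edit_reaches_parent"] = usb_permitted(dept, "SN-0001")
    results["policy_edit_skips_subgroup_with_other_policy"] = not usb_permitted(ex, "SN-0001")

    # Assigning a different policy to the parent does not propagate to the existing subgroup,
    # but a subgroup created afterwards copies the parent's current assignment.
    block_strict = DevicePolicy("Block all USB (strict)", allow_usb=False)
    dept.assign_policy(block_strict)
    results["existing_subgroup_keeps_own_policy"] = effective_policy(ex) is exceptions
    ex2 = dept.create_subgroup("DeptX-Ex2")
    results["new_subgroup_gets_current_parent_policy"] = effective_policy(ex2) is block_strict
    return results


if __name__ == "__main__":
    for check, ok in scenario().items():
        print(f"{check:48s} {'ok' if ok else 'FAIL'}")
```

The practical consequence for the original question is visible in `scenario()`: the allow policy on the exception subgroup is never overridden by the department-level block, but it also never inherits the block policy's exception list, so any serial that must be allowed in both places has to be listed in both policies (or the exception group must use a policy that covers everything it needs on its own).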