Web appliance - Additional policy still applies after user removed from AD group

I am testing the VM appliance. 

The organisation requires that Facebook be blocked for all users, except members of the online communications team. 

The default policy blocks the "Personals and Dating" category.

Facebook is classified as "Personals and Dating"

An AD group has been created called "Allow Facebook"

I have added the site to the local site list and tagged it as "Social Networking"

I have created an additional policy to allow members of the AD group to allow sites tagged as "Social Networking" 

Users in the group are able to access Facebook.com

When I remove the user from the group and log them off and back on, they can still access Facebook.com.

If I run the Policy Test with the user removed from the group, the site is still allowed.

If I run the Policy Test with a user who has never been in the group, the site is blocked.  

Why could this be? Something to do with groups not synchronising in good time? Can anyone help please?

Thanks.

  • Thank you. Synchronising has solved the problem. 

    Does anyone know how frequently this is done automatically?

    I have a number of sites that I need to block which are part of categories which by default are allowed. 

    I have tested with a newly created account and it does not apply those block policies until a sync has been done. It looks like for the duration of the first login, if done before a sync, none of the policies will apply. I had also hoped for support staff to be able to just add a user to a group to allow a site, and not also have to tell them to wait X minutes. 

    Other web filtering products I have used monitored the DCs for logon events and updated the group membership accordingly. Does anyone know if using this along with the Endpoint client will make any difference?

    Thanks again. 
