23.5 Assigning SecureLogin Client Settings for Administrators and Help Desk Groups

Now that you have assigned the correct Directory permissions to allow members of the administrators and help desk groups to read and write the protocom attributes, you need to assign the SecureLogin client settings (SecureLogin preferences) to allow them to see what they have permissions to access. This is required to override the more restrictive settings the user will inherit from their parent container.

To accomplish this, you can directly modify each user's individual settings, which is a viable approach if only a few users will be granted the elevated permissions. Many customers still choose the direct assignment approach, as it can reduce the steps needed when troubleshooting where someone is getting a specific client setting from. Alternatively, you can use SecureLogin's support for group policies. In either case, see step 8 in this section of the document for the recommended settings.

For the sake of this document, it is assumed that you know how to assign an individual user's settings, so this document focuses on the use of group policies (assuming the feature was enabled during the product installation). As stated previously, both methods have their merits and should be evaluated before deciding on an approach.

23.5.1 Creating the Group Policy

  1. Log in to the Active Directory domain as an administrative-level user.

  2. On a workstation or server, open Active Directory Users and Computers and browse to the OU that contains the groups that you created earlier. Right-click it and select Properties.

  3. In the Properties dialog that opens, select the Group Policy tab.

    NOTE: In this example the Group Policy Management snap-in has been installed. It can be downloaded from Microsoft.

  4. Click the Open button. The Group Policy Management (GPM) interface opens. Right-click the Group Policy Objects container and select New.

  5. Enter a name for the GPO.

  6. Right-click the new GPO and select Edit.

  7. Browse to User Configuration > Software Settings. In the right-hand pane, double-click SecureLogin. The SecureLogin management interface opens.

  8. In the SecureLogin management interface, select the Preferences tab. Set each setting in accordance with what you want the users to do.

    NOTE: The users referred to in this document are administrators and help desk staff. They have full access to the SecureLogin client. Your configuration might differ slightly.

    The highlighted preferences are the ones that are critical to ensure users are able to manage SecureLogin. Ensure that they are set as shown in the following figure.

  9. Click OK on the SecureLogin management interface. This might take a minute to save.

  10. Close the GPO editor.

  11. In the GPM, select the new GPO you created, remove the Authenticated Users group, and add the admin and help desk groups you created in the previous two sections.

  12. Link this policy to the OU where the users are located. Right-click the OU and select Link to an existing GPO.

  13. Select the GPO you created and click OK.

  14. Close the GPM. Click OK on the Group Policy tab.

  15. Close Active Directory Users and Computers.

23.5.2 Testing your configuration

Whether you chose individual assignment or GPO assignment, proceed with the following tests to confirm your updated configuration.

  1. On a workstation with SecureLogin and the Active Directory Admin Pack, log in as a user who is a member of one of the groups you have configured as SecureLogin administrators or help desk.

  2. If your GPO refresh has not occurred, you can manually force the update by opening a command line and issuing the gpupdate /force command (Windows XP). You should see results similar to the following:

  3. Launch Active Directory Users and Computers. Navigate to the container where you delegated control. As a member of the Admins group, you should be able to manage the OUs and their subordinate objects, applications, and preferences.

    As a member of the Help Desk group, you should be able to make changes only to the users in the OU. It might appear that as a help desk user you can save changes to the OU, but that is not the case. If you close the Single Sign-On properties and then open it again, you will see that the changes were not saved.
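
The scope set in steps 11 through 13 of 23.5.1 can also be checked without logging in as each test user. The following read-only audit is an added example, not part of the original guide or the product: it assumes the GroupPolicy PowerShell module (installed with the Group Policy Management tools on later Windows versions) is available, and the GPO name, group names, and OU distinguished name are placeholders.

```powershell
# Added example: read-only audit of the GPO built in 23.5.1.
# All names below are placeholders (assumptions), not values from this guide.
Import-Module GroupPolicy

$GpoName  = 'SecureLogin Admin and Help Desk Settings'   # placeholder GPO name
$Expected = @('SSO-Admins', 'SSO-HelpDesk')              # placeholder group names
$TargetOu = 'OU=Staff,DC=example,DC=com'                 # placeholder OU DN

function Test-SecureLoginGpoScope {
    param([string]$GpoName, [string[]]$Expected, [string]$TargetOu)

    $findings = @()

    # Step 11: list every principal that is allowed to apply the GPO.
    # Custom ACEs (GpoCustom) are not interpreted here; review those by hand.
    $appliers = @(Get-GPPermission -Name $GpoName -All |
        Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
        ForEach-Object { $_.Trustee.Name })

    # Anything outside the admin and help desk groups widens the elevated settings.
    foreach ($name in $appliers) {
        if ($Expected -notcontains $name) {
            $findings += "Unexpected principal can apply the GPO: $name"
        }
    }
    # A missing group means its members still inherit the restrictive settings.
    foreach ($name in $Expected) {
        if ($appliers -notcontains $name) {
            $findings += "Expected group is missing from security filtering: $name"
        }
    }

    # Steps 12-13: the GPO must be linked directly to the users' OU and enabled.
    $link = (Get-GPInheritance -Target $TargetOu).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $link)             { $findings += "GPO is not linked to $TargetOu" }
    elseif (-not $link.Enabled) { $findings += "GPO link on $TargetOu is disabled" }

    return $findings
}

$result = Test-SecureLoginGpoScope -GpoName $GpoName -Expected $Expected -TargetOu $TargetOu
if ($result) { $result | ForEach-Object { Write-Warning $_ } }
else { Write-Output "GPO '$GpoName' is filtered to the expected groups and linked to $TargetOu." }
```

An "Unexpected principal" warning for Authenticated Users means step 11 was not completed and the elevated client settings apply to every user in the linked OU.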