SecureLogin is installed with support for group policies.
The Active Directory Users and Computers snap-in or Group Policy Management Console is open
Using Group Policy object support, you can manage SecureLogin users in Active Directory users at the container, OU, and user object levels.
Group Policy object support is useful for organizations with flat directory structures where a more granular approach is required when applying settings, policies, and application definitions for users. For example, applying a group policy for a global marketing group in a worldwide organization. Several group policies can be defined and applied to any user, group, or container at the directory level. These different policies are then applied to a specific user object or container or organizational unit through the inheritance process.
To limit network traffic during the Group Policy object synchronization, SecureLogin leverages an existing Microsoft Windows feature to specify policy settings that are updated when the group policy object changes.
Edit the WinLogon/GPextensions in the Windows Registry, and set the NoGPOListChanges key to 1.
For more information on Microsoft Windows Group Policy configuration, see the Microsoft Web site.
For information on the Registry NoGPOListChanges setting, see the Microsoft Web site.
In SecureLogin 6.1, you can see the resultant set of single sign-on policy settings that apply to a particular user object when multiple SecureLogin group policies and organizational unit or user object setting are applied through the Microsoft’s Group Policy Management Console (GPMC), which now includes support for Resultant Set of Policy (RSOP).
NOTE:The GPMC must be installed on the administrative workstation where you want to see the resultant set of policies.
The Resultant Set of Policy (RSOP) is a feature of a group policy that makes the implementation, troubleshooting, and planning of group policies easier and allows you to plan how the group policy changes might affect a targeted user or computer or remotely verify the policies under effect on a specific computer.
When multiple group policy objects are applied to a given user or computer, the policy can often contain conflicting policy settings. For most policy settings, the final value of the setting is set only by the highest precedent Group Policy object that contains that setting.
RSOP assists directory administrators to understand and identify the final set of policies that are applied as well as settings that did not apply as a result of policy inheritance.
In this version of SecureLogin, you can see the final SecureLogin settings that apply to a user when he or she starts SecureLogin. You have the ability to do the following:
Retrieve the policy applied to the user object in the Microsoft Management Console.
Retrieve the policy applied to the user object in the SLManager.
Define from which policy the setting is inherited.
IMPORTANT:Group policy functionality is enabled only if it was selected during the installation of SecureLogin in Microsoft Active Directory mode. For more information, see the
For more information about Group Policy Objects (GPOs), go to the Microsoft Web site.
Policy settings are stored in Group Policy Objects (GPOs). Settings for each GPO can be edited using the GPO Editor from within Microsoft’s Group Policy Management Console (GPMC).
When an administrator defines a SecureLogin GPO, they can now use the GPMC to add this group policy or edit and configure the SecureLogin settings.
Policy settings are stored in Group Policy object settings for each Group Policy object and can be edited using the Group Policy object editor from Microsoft (GPMC).
The group policy functionality is enabled during the installation of SecureLogin in Microsoft Active Directory mode. For more information see, NetIQ SecureLogin Installation Guide.
When you define a SecureLogin Group Policy Object, administrative users can use the GPMC tool to add this group policy or edit and configure the SecureLogin settings.
With the Microsoft’s GPMC plug-in, you can manage core aspects of Group Policy object across enterprises.
For Microsoft Vista (or higher) customers, the GPMC snap-in is already integrated in to the operating system.
Existing Windows XP and Server customers can download the gpmc.msi installer package at the Microsoft Web site.Installing the Microsoft GPMC plug-in simply involves running the gpmc.msi installer package.
NOTE:After installation, thetab that previously appeared on the Property pages of sites, domains, and organizational units in the Active Directory plug-in is updated to provide a direct link to GPMC. The functionality that previously existed on the original tab is no longer available because all functionality for managing a Group Policy is available through the GPMC plug-in.
Use any of the following methods to open the GPMC plug-in directly:
Click> > > . The Active Directory Users and Computers page is displayed.
In the navigation tree, right-click the appropriate organizational unit, then click. The selected organizational unit page is displayed.
Click, then click .
Click> > > .
Click> . The Run page is displayed.
At mmc., type
Click. The Management Console is displayed.
Click. The page is displayed.
Click. The Add Standalone Snap-in page is displayed.
Selectand then, click .
Click. The Add Standalone Snap-in page is displayed.
Click. The Group Policy Management page is displayed.
NOTE:When you launch the GPMC for the first time, it loads the forest and domain containing the user object logged in to the computer. You can then specify the forest and domain to be displayed.
When you close the GPMC, it automatically saves the last view and returns that view the next a user opens the console.
The definition of the Group Policy Objects are defined by the administrator at the directory level, so changes can now be seen immediately at the OU, container or user object level, depending on the level where the group policies have been applied and the SecureLogin preferences applied.
These settings must follow the rules already defined of inheritance and precedence:
The Group Policy object settings and their priorities
The directory hierarchy settings
The precedence rules are respected and follow the rules already defined:
The deepest object in the tree has the precedence over any other higher-level object
The group policies have the lower precedence than all OUs and User objects.
As a consequence of all these processes, the administrator can now see the resultant set of the policies in the user object either through MMC interface or administrative management utilities.
The resultant set of policies are displayed in the bottom left hand corner of the SecureLogin Administration Management utility. They show from which Group Policy the current setting has been inherited.
NOTE:The retrieval of all SecureLogin configuration information is subject to both SecureLogin and native Directory access controls. In the unlikely circumstance that the user has rights to read a Group Policy object but the administrator does not, this system displays incorrect effective configuration information. This is because the administrator simply cannot access the same information as the user, and any mechanism for allowing this would introduce a security problem.
In this specific configuration, if SecureLogin has no way to retrieve the exact policy applied to the user object, then a message is displayed indicating that the information displayed does not correspond to the resultant set of policies applied to this user object. The messageis displayed in the bottom left side of the Administration Management console.
Because the definition of the Group Policy objects are performed by you at the directory level, any changes are now seen immediately at the OU, container, or the user object level.