Overview
Policy deployment differs according to the type of policy that you are deploying.
Deployment of Active Directory policies is discussed in the next section.
Deployment of native policies is discussed in “Native Policies” on page 36.
Active Directory Policies
Basics
Active Directory policies are deployed using the Group Policy Management Console (GPMC) snap-in of the Manager Console.
Order of Precedence
When a single computer or user object has two or more policies assigned to it, the Local, Site, Domain, OU (LSDOU) order of precedence and link order will be considered. Policies specific to a single computer or user object are considered local and have the highest order of precedence in the LSDOU chain.
If the policies are at the same LSDOU level, they will then be applied according to their link order. Those lowest in the link order will have the highest order of precedence.
Forcing a Policy Update
Basics
Active Directory policy changes take approximately 90 minutes and no more than 120 minutes to push out to Client Computers. To accelerate this, you can force an immediate policy update.
Windows XP Clients
1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER.
A command prompt will open.
2. At the command prompt, type the following command and press ENTER:
gpupdate /force
3. A message will appear in the command prompt window after a few seconds indicating that the update has taken place. The message will prompt you to confirm a restart. Type Y and press ENTER to restart the Client Computer.
Windows 2000 Clients
1. On the Client Computer, open a command prompt. Click Start, then Run. Type cmd and press ENTER.
A command prompt will open.
2. At the command prompt, type the following command and press ENTER:
secedit /refreshpolicy machine_policy /enforce
3. The secedit command will not prompt you to restart. If the policy you are updating includes any computer policies, you will have to restart the computer manually to complete the update.
Native Policies
Basics
Native policies are applied at the computer level: they cannot be assigned on a per-user basis.
Each policy will be comprehensive and contain all of the possible configurable settings.
Only one policy can be applied to a computer at a time. If no policy is assigned to a computer, it will revert to the settings specified in its original installation package.
Native policies are applied at the time that the Client Computer checks in with the Management Server. An immediate check-in can be performed by the user from the User Client Console on the endpoint computer.
If synchronization with Novell is enabled, the Novell computers will already be organized within the Novell eDirectory Computers container, just as they are organized within the Novell eDirectory tree. Native policies can be assigned to Novell computers, even if they have not checked in.
Clients in the Symantec Endpoint Encryption Managed Computers container cannot be assigned policies until they have checked in with the Management Server.
The following section discusses the process of creating groups and placing Client Computers inside of them.
Symantec Endpoint Encryption Managed Computer Groups
Basics
Before you can assign policies to your Symantec Endpoint Encryption–managed computers, they need to be organized into groups. This can be done from any Manager Computer. The structure will be saved in the Symantec Endpoint Encryption database and available to all other Manager Computers.
By default, the Symantec Endpoint Encryption Managed Computers container contains only two groups: SEE Unassigned and Deleted Computers.
Clients located within the SEE Unassigned group do not have any policies assigned to them. A Client will be placed in the SEE Unassigned group if:
Synchronization with the client's directory service is not enabled.
The computer does not reside within the Active Directory forest/domain or Novell tree that you are synchronizing with.
In general, the Client Computer will appear in SEE Unassigned at the time that it checks in. However, if the Client Computer is manually deleted from the Active Directory domain or Novell tree, it will not appear in SEE Unassigned until the time of the next synchronization.
Client Computers within the SEE Unassigned group do not have any policies assigned to them. Such Client Computers are enforcing the settings specified within their original installation package.
Policy Administrator Guide Policy Deployment
Group Creation
The first step in organizing your Symantec Endpoint Encryption–managed computers is to create the groups that they will reside in. To add a group, right-click Symantec Endpoint Encryption Managed Computers.
Figure 4.1—Symantec Endpoint Encryption Managed Computers, Add New Group
Select Add New Group.
Figure 4.2—Name New Group Dialog
Enter the name of the new group. This name must be unique within its parent group. For example, the Finance group can have two subgroups named Laptops and Desktops, and the Human Resources group can also have two subgroups named Laptops and Desktops. But there cannot be two top-level groups directly below Symantec Endpoint Encryption Managed Computers named Human Resources.
Each name must be at least one character. Leading and trailing spaces will be deleted. Enter the desired name of the group and click OK.
Continue to add groups and subgroups until you have the desired structure.
Move Computers
Client Computers can be moved from any Symantec Endpoint Encryption Managed Computers group to another Symantec Endpoint Encryption Managed Computers group. This section will discuss the process of moving a Client Computer out of the SEE Unassigned group and into one of the manually created groups.
Highlight SEE Unassigned. Locate the computer that you want to move and highlight it.
Figure 4.3—SEE Unassigned, Computer Highlighted
Click Move.
Figure 4.4—Symantec Endpoint Encryption Managed Computers Groups Dialog
Navigate to the desired destination group of the Client Computer. Highlight it and click OK.
Each Client Computer can only reside in one group at a time.
Policy Assignment
Native policies can be assigned to individual computers, subgroups, or groups located within either the Symantec Endpoint Encryption Managed Computers container or the Novell eDirectory Computers container.
This section describes how to assign a policy to a group within the Symantec Endpoint Encryption Managed Computers container; the same steps apply when the recipient is an individual computer or subgroup, or a group within the Novell eDirectory Computers container.
Begin by locating the recipient computer, subgroup, or group of the policy. Highlight the name of the recipient.
Figure 4.5—Symantec Endpoint Encryption Managed Computers Group Selected
Click Policy.
Figure 4.6—Policy Selection Dialog
Locate the native policy to be assigned to this group within the dialog and highlight it. Click OK.
Figure 4.7—Native Policy Assignment Confirmation
A confirmation message will be displayed. Click OK.
Figure 4.8—Symantec Endpoint Encryption Managed Computers Policy Assigned
Following the successful assignment of the policy, the Manager Console will display the name of the policy now assigned to the group. The next time the Client Computers in this group check in with the Management Server, they will download this policy and apply it.
Order of Precedence
Each computer can only have one policy assigned to it at any given time. Policies can be assigned to individual computers, subgroups, or entire groups. The rules of precedence are as follows: (1) Computer, (2) Subgroup, and (3) Group. Computer policies have the highest precedence.
For example, if a policy is applied to computer D9HCPD3, and another policy is applied to the Laptops subgroup in which it resides, the policy applied to the computer will take precedence over the policy that was applied to the Laptops subgroup.
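The precedence rules above, worked through as an added example that is not part of the guide or the Symantec product: a small model of the Symantec Endpoint Encryption Managed Computers tree in which a policy assigned directly to a computer wins over one assigned to its subgroup, which in turn wins over the enclosing group, and a computer with no assignment at any level falls back to its original installation package settings. All group, computer and policy names other than D9HCPD3 and SEE Unassigned are constructed.

```python
# Added example, not from the Symantec guide: a model of the native-policy
# precedence rules (1) Computer, (2) Subgroup, (3) Group, one policy per
# computer, with a fall back to the installation package settings.
INSTALL_DEFAULTS = "original installation package settings"

class Group:
    def __init__(self, name, parent=None, policy=None):
        self.name, self.parent, self.policy = name, parent, policy
        self.children = {}    # name -> Group; names need only be unique per parent
        self.computers = {}   # computer name -> directly assigned policy or None
        if parent is not None:
            parent.children[name] = self

    def add_computer(self, name, policy=None):
        self.computers[name] = policy
        return self

def find_group(group, computer):
    """Return the single group that holds the computer (depth-first search)."""
    if computer in group.computers:
        return group
    for child in group.children.values():
        hit = find_group(child, computer)
        if hit is not None:
            return hit
    return None

def effective_policy(root, computer):
    """Computer assignment wins; otherwise the nearest enclosing group's."""
    holder = find_group(root, computer)
    if holder is None:
        raise KeyError(f"{computer} is not a managed computer")
    if holder.computers[computer] is not None:
        return holder.computers[computer]
    node = holder
    while node is not root:          # climb subgroup -> group -> container
        if node.policy is not None:
            return node.policy
        node = node.parent
    return INSTALL_DEFAULTS          # e.g. anything still in SEE Unassigned

def build_sample():
    root = Group("Symantec Endpoint Encryption Managed Computers")
    Group("SEE Unassigned", root).add_computer("NEW-PC-01")
    finance = Group("Finance", root, policy="Finance Baseline")
    laptops = Group("Laptops", finance, policy="Finance Laptops")
    laptops.add_computer("D9HCPD3", policy="Exec Laptop").add_computer("LAPTOP-02")
    Group("Desktops", finance).add_computer("DESK-01")
    Group("Laptops", Group("Human Resources", root)).add_computer("HR-LT-01")
    return root
```

Calling effective_policy(build_sample(), "D9HCPD3") returns the computer-level policy even though its Laptops subgroup and Finance group both carry assignments, while "HR-LT-01" and the unassigned "NEW-PC-01" resolve to the installation defaults.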
Forcing a Policy Update
Registered users can force an immediate policy update by launching the User Client Console, opening the Check-In panel, and clicking Check in Now.