Configuring Group Policies

NOTE   In Active Directory, users included in policies must have a first name, last name, username, password and email address.

  1. Click the Discovery > Domains > Domain Watch > Policies > Groups tab.
    • Discovery user policies enable domain logons to be used by the VSA in two ways:
      • VSA user logons - These logons are used by VSA administrators.
      • Portal Access logons - These logons are used by machine users who want to access their own machines remotely.
    • User groups are called "security groups" or simply "groups" in an Active Directory domain. Each group in this tab is identified by its canonical name.
    • An additional column shows a count for the number of users in each group.
  2. Select a group that shows a count for one or more users.
    • The same user can be a member of multiple groups in an Active Directory domain.

      NOTE   Sort this tab by clicking the Sort Descending option in the Total Users column heading. This ensures any groups with user counts greater than zero that don't yet have policies assigned are listed near the top of the tab.

  3. Select the Configure Group Policy button.
    • The Group Policy dialog displays, listing the Member Users in this group.
  4. Select a Member Group Policy.
    • Each user group in Discovery can be assigned one of three different VSA logon policies. These policies are applied to all users belonging to the group.
      • Do Not Include Users - Do nothing with the domain users listed in this user group.
      • Create Staff Members - Creates a staff member record. These users can be assigned Portal Access to a machine manually.
      • Create Staff and make Auto Portal Candidates - Designates domain users in this user group for Auto Portal Access assignment. See Making Portal Access Candidates for details.
      • Create VSA Users - Creates VSA user logons for domain users listed in this user group.
    • Since each domain user can belong to multiple domain user groups, a domain user is assigned the highest ranking VSA logon policy assigned to any user group the domain user is a member of. Logon policies are ranked from highest to lowest in this order:
      • Create VSA Users
      • Create Staff and make Auto Portal Candidates
      • Create Staff Members
      • Do Not Include Users
  5. If Create VSA Users is selected:
    • Role Lookup - Select the role these users will use.
    • Scope Lookup - Select the scope these users will use.
      • If a scope with the same name as the organization does not already exist, an icon displays to the right of the Scope Lookup drop-down list of the User Policy dialog. Clicking the icon enables you to create a new scope that has the same name as the organization associated with the domain. Once the scope is created, the icon no longer displays to the right of the Scope Lookup drop-down list, and text at the top of the dialog indicates the default scope already exists.
      • If the same user is assigned to multiple groups, and different roles and scopes are assigned to each group, then when the user logs on to the VSA, these roles and scopes will be available in the roles/scope selector in the upper-right corner of the VSA window.
      • Roles/scope assignments using the Groups tab and Users tab can be modified and reapplied multiple times. Successive changes will cause roles and scopes to accumulate, rather than be replaced. Discovery never removes records in the VSA.
      • You can assign a VSA user to a scope outside of the organization associated with the domain network. This enables a VSA user to use a single scope to have visibility of all machine groups in multiple organizations. You must ensure the scope selected provides access to each domain organization.
  6. Select a Department to assign staff records created by this policy.
    • Select a fixed department, or
    • Use Directory Default - Administrators can automatically map the departments used to organize staff records inside the VSA using the OU hierarchy that already exists in Active Directory. This occurs when a Group or User policy selects the Use Directory Default value. When this occurs, a staff record created by policy is assigned to the department that matches its current OU location. If an Active Directory administrator renames the OU or moves the user to a different OU location, the staff record is changed in the VSA to match it. Fully tracking moves requires that policies be set in both the source and target OUs. Parent departments are created as necessary to match the OU hierarchy. Alternatively, a staff record can be assigned a policy that assigns it to a fixed department.
  7. Click Save to close this dialog.
    • The dialog closes and the policy you selected displays in the Users Policy column.
    • The Policy Status displays Modified.
    • Do not Apply Changes yet.
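
The precedence rule in step 4 and the role/scope accumulation in step 5 can be previewed offline before changes are applied. The following Python sketch is an added example, not part of the VSA or its documentation; the group names, users, roles, scopes and the handling of groups with no policy assigned are assumptions.

```python
from collections import defaultdict

# Logon policies ranked highest to lowest, in the order given in step 4.
POLICY_RANK = [
    "Create VSA Users",
    "Create Staff and make Auto Portal Candidates",
    "Create Staff Members",
    "Do Not Include Users",
]

def effective_access(group_policies, memberships):
    """Resolve each domain user's effective policy and accumulated role/scope pairs."""
    per_user = defaultdict(list)
    for group, users in memberships.items():
        cfg = group_policies.get(group)
        if cfg is None:
            continue  # assumption: a group with no policy assigned contributes nothing
        if cfg["policy"] not in POLICY_RANK:
            raise ValueError(f"unknown policy {cfg['policy']!r} on {group}")
        for user in users:
            per_user[user].append((group, cfg))
    result = {}
    for user, grants in per_user.items():
        # The highest-ranking policy across all of the user's groups wins.
        best = min((cfg["policy"] for _, cfg in grants), key=POLICY_RANK.index)
        # Role/scope pairs accumulate across every "Create VSA Users" group.
        pairs = sorted({(cfg["role"], cfg["scope"]) for _, cfg in grants
                        if cfg["policy"] == "Create VSA Users"})
        result[user] = {
            "policy": best,
            "roles_scopes": pairs,
            "granted_by": sorted(g for g, cfg in grants if cfg["policy"] == best),
        }
    return result

# Constructed sample data: every name, role and scope below is hypothetical.
GROUP_POLICIES = {
    "example.local/IT/Helpdesk": {"policy": "Create VSA Users", "role": "Helpdesk", "scope": "Example Org"},
    "example.local/IT/Admins": {"policy": "Create VSA Users", "role": "Admin", "scope": "All Orgs"},
    "example.local/Sales/Staff": {"policy": "Create Staff Members"},
    "example.local/Contractors": {"policy": "Do Not Include Users"},
}
MEMBERSHIPS = {
    "example.local/IT/Helpdesk": ["alice", "bob"],
    "example.local/IT/Admins": ["alice"],
    "example.local/Sales/Staff": ["bob", "carol"],
    "example.local/Contractors": ["bob", "dave"],
    "example.local/Unassigned": ["erin"],
}

if __name__ == "__main__":
    for user, info in sorted(effective_access(GROUP_POLICIES, MEMBERSHIPS).items()):
        print(user, info["policy"], info["roles_scopes"], info["granted_by"])
```

In the sample, bob belongs to a Do Not Include Users group and a Create Staff Members group but still resolves to Create VSA Users through the Helpdesk group, which is the case worth reviewing before applying a policy.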