New to DA

Hi, I've just started a new job and my first project is to get Desktop Authority up and running efficiently. We have a training session booked in next week but ideally I'd like to have my issues resolved before then.

Basically what I'm trying to do is set up USB rules for certain users. So far I've got it working in the sense that if I log on or my test user logs on we both get a different set of permissions, but if I try to add "everyone" and set their permissions as different from the other 2 it forces "everyone's" permissions on myself and my test user, overriding any other settings.

Also it only upgrades the agent on the PCs when I log on. Could that be due to the fact that the profile created is called "user-myloginname"?


  • Hey Terry, welcome to Desktop Authority. It's a great product and you can do a ton with it, especially if you have some scripting skills. For example, we use it to push software and then check via a log file if it went ok, sending us an email if the software did not install correctly (simple rule checking for file existence).

    For this type of situation we typically set up an Active Directory group. Then the rule uses the group membership. One rule checks to see if the user is a member of the group, the other rule checks to see if the user is NOT a member of the group. That way you can easily add/remove people without having to change anything in DA itself.
  • If the USB lockdown will be by sets of people (such as students and staff, or admins and everyone else) then the rule can be by OU also. You could set the validation logic to: if the user is in the Admin OU then they get no lockdown. If the user is NOT in the Admin OU then they get a lockdown. For large numbers, managing OUs can be easier than group memberships.
  • This is great, thank you very much for your reply! I did finally figure out it was AD groups I was missing out on. Now I've got that part sorted I've started setting up different sets of rules for different groups.

    However the validation logic does sound like a much simpler way of doing this. Just so I've got this worked out in my head:

    4 IT admins logging onto a PC will have everything open as they are part of the admin OU
    rest of the company gets the lockdown rules as they are not part of the admin OU?

    If that is the case I'd love to try this out. Is it in the: Validation logic tab > validation logic rules?
  • Sounds like you have it! Just remember to keep track of computer versus user when thinking of the OU. In this case you would want the "Organizational Unit (User)" as shown.

    When doing computer functions (like auto-installing Java updates) you want it to happen without a login, so you use the Computer profiles. That way you can do things in the middle of the night.


  • Thanks! Your answers have been really informative and I appreciate you taking the time to reply to me.

    I'm still having a bit of difficulty having more than 1 USB profile. Here is what I mean:

    I have USB profile one, in this I have a test group with certain USB limits and my own user with everything allowed. It works fine.

    But I want to set up another USB settings option so that our guest user can only read USBs when logged into certain computers. I know for this I'll have to put in some validation logic, however no matter what I try it only will let one of these sub profiles be active at a time.

    Even if I create a whole new top level profile it seems that they just conflict and only 1 is allowed to run.
  • Terry, you are running up against one of the tricky parts of DA validation logic - combining ANDs and ORs in rules. Since it doesn't allow traditional nesting of logic, it can be tricky to get it the way you want it.

    In a situation like this you can attack it a couple of different ways:
    You can create a group for users and a group for computers. Then the various rules can do things like: if user is member of group AND computer is member of group then use USB profile 1

    Alternatively you can nest the rules. Create a Profile at the User level that has part of the logic - such as "user is member of group" then anything inside of that will only be looked at if the outer validation logic is true (we use it to reduce the amount of logic happening at logins, i.e. "computer is in facility 1 so ignore the 200 rules for other facilities")

    So inside of that profile once you know that the element will only be looked at if the outer validation is true, then the inside validation such as different rules on different computers becomes much easier.

    I hope that helps, it's kind of hard to explain in text-only!
  • Just as an FYI - you are correct, only 1 can be active at a time so you need to design the rule logic so that only the one profile gets to the right set of users and computers.

    A good example is extra software used by our Office staff. The rule creates a desktop icon when they log in, but I don't want the icon to be created if the software isn't actually on the computer (i.e. if they log in on someone else's computer) so they have an AND rule that checks if the file exists AND if the user is a member of the Office Staff group.
  • About 30 mins after I asked the question I found the validation logic for ANDs and ORs. I managed to get what I wanted to test working but it does seem very fiddly as you've mentioned! I guess something like this will just take some getting used to.

    Thank you so much for all your help, I really appreciate it! You've been a great help!
  • terry.jeyes and butlerm,

    I’m glad to see our community members working together to get questions answered! 
    Just wanted to post some articles here that may help you and others who view this thread.

    These articles cover some of the basics of Validation Logic.
      How Validation Logic works and tips for configuration of Validation Logic
      How to use Validation Logic Operators (IF, OR, AND, NOT, etc…)
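
A small model of the exclusivity check suggested in the replies above, as an added example that is not part of the thread and not Desktop Authority's own engine or API: it enumerates every user/computer group combination and reports logons matched by more than one USB profile, or by none. Group and profile names are hypothetical.

```python
from itertools import chain, combinations, product

# Constructed names (hypothetical): not taken from the thread's environment.
USER_GROUPS = ("IT-Admins", "Guests")
COMPUTER_GROUPS = ("Kiosk-PCs",)

def subsets(items):
    """Every possible membership set, since a user can be in several groups."""
    return [frozenset(c) for c in chain.from_iterable(
        combinations(items, n) for n in range(len(items) + 1))]

# Predicates take (user_groups, computer_groups) for one logon.
def user_in(g):     return lambda u, c: g in u
def computer_in(g): return lambda u, c: g in c
def not_(p):        return lambda u, c: not p(u, c)
def all_of(*ps):    return lambda u, c: all(p(u, c) for p in ps)
def everyone(u, c): return True

def audit(rules):
    """Return (overlaps, uncovered) over every user/computer combination."""
    overlaps, uncovered = [], []
    for u, c in product(subsets(USER_GROUPS), subsets(COMPUTER_GROUPS)):
        hits = [name for name, pred in rules.items() if pred(u, c)]
        if len(hits) > 1:
            overlaps.append((sorted(u), sorted(c), hits))
        elif not hits:
            uncovered.append((sorted(u), sorted(c)))
    return overlaps, uncovered

admin = user_in("IT-Admins")
guest_on_kiosk = all_of(user_in("Guests"), computer_in("Kiosk-PCs"), not_(admin))

# Overlapping design: an "Everyone" rule also matches the admins.
overlapping = {"usb-open": admin, "usb-lockdown": everyone}

# Exclusive design: each profile's logic excludes the others.
exclusive = {
    "usb-open": admin,
    "usb-read-only": guest_on_kiosk,
    "usb-lockdown": all_of(not_(admin), not_(guest_on_kiosk)),
}

if __name__ == "__main__":
    for label, rules in (("overlapping", overlapping), ("exclusive", exclusive)):
        over, miss = audit(rules)
        print(label, "overlaps:", len(over), "uncovered:", len(miss))
```

An empty `uncovered` list matters as much as an empty `overlaps` list: a logon that matches no profile falls outside the device-control rules that were designed.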