New to DA

Question

Hi I've just started a new job and my first project is to get desktop authority up and running efficiently. We have a training session booked in next week but ideally id like to have my issues resolved before then. 
 Basically what I'm trying to do is set up USB rules for certain users, so far i've got it working in the sense that if i log on or my test user logs on we both get a different set of permissions. but if i try and add "everyone" and set their permissions as different from the other 2 it forces "everyones" permissions on myself and my test user overriding any other settings. 
 Also it only upgrades the agent on the PC's when I log on. Could that be due to the fact that the profile created is called "user-myloginname"? 
 Thanks

butlerm · Accepted Answer

Hey Terry, welcome to Desktop Authority. Its a great product and you can do a ton with it, especially if you have some scrpting skills. For example, we use it to push software and then check via a log file if it went ok, sending us an email if the software did not install correctly (simple rule checking for file existence) 
 
For this type of situation we typically set up a Active Directory group. Then the rule uses the group membership. One rule checks to see if the user is a member of the group, the other rule checks to see if the user is NOT a member of the group. That way you can easily add/remove people without having to change anything in DA itself.

butlerm · Answer

if the USB lockdown will be by sets of people (such as students and staff, or admins and everyone else) then the rule can be by OU also. You could set the validation logic to: if the user is in the Admin OU then they get no lockdown. If the user is NOT in the Admin OU then they get a lockdown. For large numbers, managing OU's can be easier than group memberships.

butlerm · Answer

Sounds like you have it! Just remember to keep track of computer versus user when thinking of the OU. In this case you would want the "Organizational Unit (User)" as shown. 
 When doing computer functions (like auto-install java updates) you want it to happen without a login, so you use the Computer profiles. That way you can do things in the middle of the night.

butlerm · Answer

Terry, you are running up against one of the tricky parts of DA validation logic - combining ANDs and ORs in rules. Since it doesn't allow traditional nesting of logic, it can be tricky to get it the way you want it. 
 
In a situation like this you can attack it a couple of different ways: 
You can create a group for users and a group for computers. Then the various rules can do things like: if user is member of group AND computer is member of group then use USB profile 1 
 
Alternatively you can nest the rules. Create a Profile at the User level that has part of the logic - such as "user is member of group" then anything inside of that will only be looked at if the outer validation logic is true (we use it to reduce the amount of logic happening at logins, i.e. "computer is in facility 1 so ignore the 200 rules for other facilities") 
 
So inside of that profile once you know that the element will only be looked at if the outer validation is true, then the inside validation such as different rules on different computers becomes much easier. 
 
I hope that helps, its kind of hard to explain in text-only!

butlerm · Answer

just as an FYI - you are correct, only 1 can be active at a time so you need to design the rule logic so the only the one profile gets to the right set of users and computers. 
 
A good example is extra software used by our Office staff. The rule creates a desktop icon when they log in, but I don't want the icon to be created if the software isn't actually on the computer (i.e. if they log in on someone elses computer) so they have a AND rule that checks if the file exists AND if the user is a member of the Office Staff group.