New to DA

Hey Terry, welcome to Desktop Authority. Its a great product and you can do a ton with it, especially if you have some scrpting skills. For example, we use it to push software and then check via a log file if it went ok, sending us an email if the software did not install correctly (simple rule checking for file existence)

For this type of situation we typically set up a Active Directory group. Then the rule uses the group membership. One rule checks to see if the user is a member of the group, the other rule checks to see if the user is NOT a member of the group. That way you can easily add/remove people without having to change anything in DA itself.

if the USB lockdown will be by sets of people (such as students and staff, or admins and everyone else) then the rule can be by OU also. You could set the validation logic to: if the user is in the Admin OU then they get no lockdown. If the user is NOT in the Admin OU then they get a lockdown. For large numbers, managing OU's can be easier than group memberships.

This is great thank you very much for your reply! I did finally figure out it was AD groups I was missing out on now I've got that part sorted I've started setting up different sets of rules for different groups.

However the validation logic does sound like a much simpler way of doing this. Just so i've got this worked out in my head:

4 IT admins logging onto a PC will have everything open as they are part of the admin OU
rest of the company gets the lockdown rules as they are not part of the admin OU?

if that is the case id love to try this out. is it in the: Validation logic tab > validation logic rules?

Sounds like you have it! Just remember to keep track of computer versus user when thinking of the OU. In this case you would want the "Organizational Unit (User)" as shown.

When doing computer functions (like auto-install java updates) you want it to happen without a login, so you use the Computer profiles. That way you can do things in the middle of the night.

 

Thanks! your answers have been really informative and i appreciate you taking the time to reply to me.

I'm still having a bit of difficulty having more then 1 USB profile. here is what i mean:

I have USB profile one, in this i have a test group with certain USB limits and my own user with everything allowed. It works fine.

But I want to set up another USB settings option so that our guest user can only read USBs when logged into certain computers. I know for this i'll have to put in some validation logic however no matter what I try it only will let one of these sub profiles be active at a time.

Even if i create a whole new top level profile it seems that they just conflict and only 1 is allowed to run.

Terry, you are running up against one of the tricky parts of DA validation logic - combining ANDs and ORs in rules. Since it doesn't allow traditional nesting of logic, it can be tricky to get it the way you want it.

In a situation like this you can attack it a couple of different ways:
You can create a group for users and a group for computers. Then the various rules can do things like: if user is member of group AND computer is member of group then use USB profile 1

Alternatively you can nest the rules. Create a Profile at the User level that has part of the logic - such as "user is member of group" then anything inside of that will only be looked at if the outer validation logic is true (we use it to reduce the amount of logic happening at logins, i.e. "computer is in facility 1 so ignore the 200 rules for other facilities")

So inside of that profile once you know that the element will only be looked at if the outer validation is true, then the inside validation such as different rules on different computers becomes much easier.

I hope that helps, its kind of hard to explain in text-only!

just as an FYI - you are correct, only 1 can be active at a time so you need to design the rule logic so the only the one profile gets to the right set of users and computers.

A good example is extra software used by our Office staff. The rule creates a desktop icon when they log in, but I don't want the icon to be created if the software isn't actually on the computer (i.e. if they log in on someone elses computer) so they have a AND rule that checks if the file exists AND if the user is a member of the Office Staff group.

About 30 mins after I asked the question I found the validation logic for ANDs and ORs I managed to get what I wanted to test working but it does seem very fiddly as you've mentioned! I guess something like this will just take some getting used to.

thank you so much for all your help I really appreciate it! you've been a great help!