After the AD-based Policy interface is enabled, a new tab, “Mappings,” is visible on the Policies page. Clicking on this tab opens the Active Directory Policy Mappings page. This is where you create rules to map computers with specified AD data to certain policies.
Before you begin setting up mapping rules, be sure you have created all of the policies to which you want computers mapped.
You can create mapping rules that test for matching AD data including organizational units, domains, security groups, computer names, and user names. Keep the following in mind when creating mapping rules:
- Although you can choose to match AD Security Group data for either users or computers, computer-based rules are recommended. With multiple users on a computer, sometimes simultaneously logged on, AD Mapping rules based on users could lead to unexpected results.
- App Control does not support policy mapping for AD object names that contain double quotes. Object names with double quotes cannot be handled properly by the directory object browser you use to create a mapping rule.
- Try to create as few rules as possible and test for groups rather than individual objects.
The following table shows the rule parameters you provide for a mapping rule.
| Parameter | Description |
|---|---|
| Computer Object to Test | The object that will be tested to see whether it matches the rule. The choices are Computer, User, and User or Computer. |
| Relationship | The relationship being evaluated between the Directory Object specified in the rule and the AD data from the computer being assigned a policy. The choices are: |
| Directory Object | The object in AD that the data from the tested object must match. Clicking the right end of this field opens a browser from which you can search for an object in your AD environment. The choices for the Directory Object field change depending upon which Relationship you choose. If you choose "is not in any domain," no Directory Object is necessary. |
| Policy to Apply | The policy to apply to a computer if its tested object matches the rule. The dropdown menu shows all available policies. For policies created before implementation of Active Directory policy mapping, "Automatic policy assignment" is off by default. If you implement AD policy mapping and set up new mapping rules that apply to a pre-existing policy, you will need to change the setting on the policy itself for automatic mapping to take place. See Creating Policies for more on automatic assignment choices. |
The result of providing these parameters is a rule that can be read like a sentence. The following is how you might set up one rule.
| Parameter | Example (value in bold) |
|---|---|
| Computer Object to Test | If a **Computer** … |
| Relationship | … **is in OU or domain** … |
| Directory Object | … matching **OU = Marketing,DC=hq,DC=xyzcorp,DC=local** … |
| Policy to Apply | … assign that computer to the **Standard Protection** policy. |
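To make the rule semantics concrete, the following is an added illustration (not App Control code) of how a rule built from these four parameters could be evaluated against a computer's AD data. It assumes, beyond what the page states, that rules are evaluated top to bottom with the first match winning, that "is in OU or domain" is a distinguished-name suffix test, that a relationship named "is in security group" compares group DNs, and that the logged-on user's data is available so that user-based rules can be exercised; all policy, group and computer names are constructed for the example. It also shows why the page recommends computer-based rules: the same machine receives different policies under different users when a user-based rule is present.

```python
"""Toy evaluator for AD mapping rules (added illustration, not App Control code).

Assumptions not taken from the page: first matching rule wins; "is in OU or
domain" is a DN suffix test; "is in security group" is an assumed relationship
name; "is not in any domain" matches a computer with no DN at all.
"""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Tuple


@dataclass
class Computer:
    name: str
    dn: Optional[str]                      # None for a workgroup (non-domain) machine
    groups: List[str] = field(default_factory=list)       # computer's security group DNs
    user_dn: Optional[str] = None          # DN of the logged-on user, if any
    user_groups: List[str] = field(default_factory=list)  # that user's group DNs


@dataclass
class MappingRule:
    object_to_test: str        # "Computer", "User", or "User or Computer"
    relationship: str          # "is in OU or domain", "is in security group", "is not in any domain"
    directory_object: Optional[str]
    policy: str

    def __post_init__(self):
        # Mirrors the page's caveat: object names with double quotes cannot be mapped.
        if self.directory_object is not None and '"' in self.directory_object:
            raise ValueError("AD object names containing double quotes are not supported")


def _norm_dn(dn: str) -> Tuple[Tuple[str, str], ...]:
    """Normalise a DN so 'OU = Marketing' and 'ou=marketing' compare equal."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append((attr.strip().lower(), value.strip().lower()))
    return tuple(parts)


def dn_is_under(child_dn: str, container_dn: str) -> bool:
    """True when child_dn lies inside container_dn (container is a suffix of child)."""
    child, container = _norm_dn(child_dn), _norm_dn(container_dn)
    return len(child) >= len(container) and child[-len(container):] == container


def _tested(rule: MappingRule, c: Computer, kind: str) -> List[str]:
    """Collect the DNs (kind='dn') or group DNs (kind='groups') of the tested object(s)."""
    picked: List[Optional[str]] = []
    if rule.object_to_test in ("Computer", "User or Computer"):
        picked += [c.dn] if kind == "dn" else c.groups
    if rule.object_to_test in ("User", "User or Computer"):
        picked += [c.user_dn] if kind == "dn" else c.user_groups
    return [p for p in picked if p]


def rule_matches(rule: MappingRule, c: Computer) -> bool:
    if rule.relationship == "is not in any domain":
        return c.dn is None
    if rule.relationship == "is in OU or domain":
        return any(dn_is_under(d, rule.directory_object) for d in _tested(rule, c, "dn"))
    if rule.relationship == "is in security group":
        target = _norm_dn(rule.directory_object)
        return any(_norm_dn(g) == target for g in _tested(rule, c, "groups"))
    raise ValueError(f"unknown relationship: {rule.relationship!r}")


def assign_policy(rules: List[MappingRule], c: Computer, default: str = "Default Policy") -> str:
    """Return the policy of the first matching rule, or the default when none matches."""
    for rule in rules:
        if rule_matches(rule, c):
            return rule.policy
    return default


def policy_per_session(rules, c: Computer, sessions: dict) -> dict:
    """Evaluate the same computer under different logged-on users (user DN -> group DNs)."""
    return {user_dn: assign_policy(rules, replace(c, user_dn=user_dn, user_groups=groups))
            for user_dn, groups in sessions.items()}


# Constructed sample data: group, computer and policy names other than
# "Standard Protection" are made up for this example.
HQ = "DC=hq,DC=xyzcorp,DC=local"
RULES = [
    MappingRule("Computer", "is in security group", f"CN=Kiosks,OU=Groups,{HQ}", "Lockdown"),
    MappingRule("Computer", "is in OU or domain", f"OU = Marketing,{HQ}", "Standard Protection"),
    MappingRule("Computer", "is not in any domain", None, "Workgroup Policy"),
]
WS01 = Computer("WS01", f"CN=WS01,OU=Marketing,{HQ}")
KIOSK7 = Computer("KIOSK7", f"CN=KIOSK7,OU=Marketing,{HQ}", groups=[f"CN=Kiosks,OU=Groups,{HQ}"])
LAPTOP = Computer("LAPTOP", None)
# A user-based rule placed first: the result now depends on who is logged on.
USER_RULES = [MappingRule("User", "is in security group", f"CN=Admins,OU=Groups,{HQ}", "Admin Policy")] + RULES

if __name__ == "__main__":
    for c in (WS01, KIOSK7, LAPTOP):
        print(c.name, "->", assign_policy(RULES, c))
    print(policy_per_session(USER_RULES, WS01, {
        f"CN=alice,OU=Users,{HQ}": [f"CN=Admins,OU=Groups,{HQ}"],
        f"CN=bob,OU=Users,{HQ}": [],
    }))
```

Rule order matters in this model: KIOSK7 sits in the Marketing OU but is assigned Lockdown because the group rule is listed first, which is one reason the page advises keeping the rule set small and group-based.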
Create AD Mapping Rules
The procedure below shows how to configure a mapping rule. Although entry of most of the parameters is reasonably straightforward, pay particular attention to the Directory Object field, which requires use of a special AD browser.