For certain rule types, you can create a rule that applies only when specific users or users in specific groups attempt an action.
The choices for User or Group on the Add/Edit Custom Rule page are:
- Any Users – applies the rule to all users.
- Specific User or Group... – opens a text box below the menu, in which you can enter AD users or groups in the format userorgroupname@domain or domain\userorgroupname.
  Platform Note: To specify a macOS or Linux group, you must precede it with the word group and a colon. For example, you must enter group:consoleusers for the consoleusers group. Without the prefix, group names are considered user names.
- For Windows rules only, there are other menu choices that are built-in Windows groups, such as Authenticated Users and Local Administrators.
Note:
- When running on Windows Vista and later, membership in pre-defined security groups like Administrators requires that the application run as an administrator. If a group definition is necessary for a rule, consider using security groups you have defined rather than the pre-defined groups.
- There is a brief delay after a user logs in before group membership is established and group-based rules become effective. This delay may be longer if you have a large number of rules. If a rule must be effective as soon as possible after a user logs on, do not specify a user group in the rule. Rules that specify a username or SID are always active and won't be affected by this delay.
- Specifying a user or group also determines whether macros in a path are expanded. Only paths whose macros match the specified user or group are expanded. If the path includes a user-related macro, paths that would evaluate to a user other than those specified are not expanded and the rule is not effective, even if the specified user or group is attempting the action.
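The entry formats above can be checked before a rule is saved. The following is an added example, not code from the product: check_principal, its platform labels, the known_groups list and the sample entries are hypothetical names and values constructed for illustration. It reports how an entry reads under the rules stated on this page and flags a macOS or Linux group name that is missing the group: prefix.

```python
import re

# The two Active Directory forms the page lists: name@domain and domain\name.
AD_FORMS = {
    "name@domain": re.compile(r"^[^@\\]+@[^@\\]+$"),
    r"domain\name": re.compile(r"^[^@\\]+\\[^@\\]+$"),
}
GROUP_PREFIX = "group:"  # prefix spelled as shown on the page


def check_principal(entry, platform, known_groups=()):
    """Report how a User or Group entry reads under the page's rules.

    platform is "windows", "macos" or "linux" (labels assumed for this
    example). known_groups is an optional caller-supplied set of local group
    names, used only to catch a missing prefix.
    Returns (kind, name, warnings).
    """
    entry = entry.strip()
    warnings = []
    if not entry or entry == GROUP_PREFIX:
        return ("invalid", "", ["empty entry"])

    if platform in ("macos", "linux"):
        if entry.startswith(GROUP_PREFIX):
            return ("group", entry[len(GROUP_PREFIX):], warnings)
        if entry in known_groups:
            warnings.append(
                f"'{entry}' is a known group but has no '{GROUP_PREFIX}' prefix; "
                "it will be treated as a user name"
            )
        return ("user", entry, warnings)

    # Windows: the AD forms do not say whether the name is a user or a group.
    if entry.startswith(GROUP_PREFIX):
        warnings.append("the 'group:' prefix is documented for macOS and Linux only")
    form = next((f for f, rx in AD_FORMS.items() if rx.match(entry)), None)
    if form is None:
        warnings.append("not in name@domain or domain\\name form")
    return ("ad_principal", entry, warnings)


# Constructed sample entries, not taken from any real policy.
SAMPLES = [("group:consoleusers", "linux"), ("consoleusers", "macos"),
           (r"CORP\Help Desk", "windows"), ("helpdesk", "windows")]

if __name__ == "__main__":
    for entry, platform in SAMPLES:
        print(platform, entry, check_principal(entry, platform, {"consoleusers"}))
```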