After the AD-based Policy interface is enabled, a new tab, “Mappings,” is visible on the Policies page. Clicking on this tab opens the Active Directory Policy Mappings page. This is where you create rules to map computers with specified AD data to certain policies.

Before you begin setting up mapping rules, be sure you have created all of the policies to which you want computers mapped.

You can create mapping rules that test for matching AD data including organizational units, domains, security groups, computer names, and user names. Keep the following in mind when creating mapping rules:

  • Although you can choose to match AD Security Group data for either users or computers, computer-based rules are recommended. With multiple users on a computer, sometimes simultaneously logged on, AD Mapping rules based on users could lead to unexpected results.
  • App Control does not support policy mapping for AD object names that contain double quotes. Object names with double quotes cannot be handled properly by the directory object browser you use to create a mapping rule.
  • Try to create as few rules as possible and test for groups rather than individual objects.

The following table shows the rule parameters you provide for a mapping rule.

Table 1. AD Mapping Rule Parameters



Computer Object to Test

The object that will be tested to see whether it matches the rule. The choices are Computer, User, and User or Computer.


The relationship being evaluated between the Directory Object specified in the rule and the AD data from the computer being assigned a policy. The choices are:

  • is member of group
  • is in OU or domain
  • is
  • is not in any domain

Directory Object

The object in AD that the data from the tested object must match. Clicking the right end of this field opens an browser from which you can search for an object in your AD environment.

The choices for the Directory object field change depending upon which Relationship you choose. If you choose “is not in any domain,” no Directory object is necessary.

Policy to Apply

The policy to apply to a computer if its tested object matches the rule. The dropdown menu shows all available policies.

For policies created before implementation of Active Directory policy mapping, "Automatic policy assignment" is off by default. If you implement AD policy mapping and set up new mapping rules that apply to a pre-existing policy, you will need to change the setting on the policy itself for automatic mapping to take place. See Creating Policies for more on automatic assignment choices.

The result of providing these parameters is a rule that can be read like a sentence. The following is how you might set up one rule.

Table 2. Example AD Mapping Rule


Example (value in bold)

Computer Object to Test

If a Computer


is in OU or domain

Directory Object

…matching OU = Marketing,DC=hq,DC=xyzcorp,DC=local

Policy to Apply

… assign that computer to the Standard Protection policy.

Create AD Mapping Rules

The procedure below shows how to configure a mapping rule. Although entry of most of the parameters are reasonably straightforward, pay particular attention to the Directory Object field, which requires use of a special AD browser.


  1. In the console menu, choose Rules > Policies.
    The Policies page opens showing a list of all available policies.
  2. Click the Mappings tab.
    The Active Directory Policy Mappings page appears with the Policy Mappings table, initially showing only the default rule. The Mappings tab for the Active Directory Policy Mappings page
    Note: If no Mapping tab appears, the AD mapping interface has not been enabled. Go to the General tab of the System Administration page and enable the feature
  3. On the Active Directory Policy Mappings page, click Add Rule.
    This displays the Active Directory Policy Mapping Rule panel in which you enter the rule parameters. The Policy Mapping Rule page showing the rule parameters
  4. Choose the Computer Object to Test (Computer, User, or Computer and User) from the dropdown menu.
    In most cases, Computer is the best choice.
  5. Choose the Relationship between the data of the object tested and the Directory Object specified in the rule.

    The choice for this field changes the choices available in the other fields.

    In this field, you can specify that objects must be in a OU or domain, a security group, in no domain, or that they exactly match the directory object you choose (the “is” choice on the Relationship menu). Generally it is best to choose a relationship that maps multiple computers to a policy rather than one that singles out an individual computer or user.

    The Relationship field menu
  6. Choose the Directory Object that the data from the tested computer must match.
    1. Click in the Directory Object field to open the AD browser.

      The browser opens immediately below the Directory Object field. The left panel is labeled “Search in,” and shows a tree of your AD domains.

      The AD browser view below the Directory Object field showing a tree of your AD domains

      • To expand the AD tree in the left panel, click on the plus button, next to the node you want to expand.
      • To collapse the view on the left, click the minus button next to the node you want to collapse.
      Note: If the Search Level field is set to Global Catalog in the System Configuration page, all AD domains are available in the AD browser. Otherwise, if the field is set to LDAP, a restricted list of domains is available.
    2. Click on the object in the left pane that defines the scope of your search.


      EXAMPLE: If you have two domains, you might click on one of them, such as “DC=hq,DC=xycorp,DC=Local”.

      The AD browser view with a tree of your AD domains showing the AD domain you selected

    3. If you see the object in the right panel that you want to use for this rule, double-click on it. The object, including full information about its location in the AD object tree, appears in the Directory Object field of the Rule Parameters panel and the browser will close.

      The Directory Object field populated with the object you selected selected

    4. If your actions did not automatically close the browser, click the ‘X’ button in the top right corner to close it.

      Note: There are additional options for using the directory object browser. See AD Object Browser Options for more information.
  7. From the Policy to Apply dropdown menu, choose the policy you want assigned to computers that meet the requirements of this rule. Only existing policies appear on the dropdown – if the policy for this rule has not been created yet, cancel the creation of this rule and go to the Policies page to create the new policy.
    The Policy to Apply field populated with the policy you selected
  8. When you have entered all of the parameters for the rule, click Save. A newly created rule goes to the bottom of the table of AD rules, just above the default rule, and all rules above it take precedence. In the example, the rule instructs the App Control Server to assign any computer belonging to the Engineering OU in the domain hq.xyzcorp.local to the Research Group policy.
    The Mappings tab of the Active Directory Policy Mappings page showing the new rule listed above the default policy
  9. Rolling the mouse cursor over the i button next to an object in the Match column provides a description of the object.
  10. Once you have addition rules, if necessary, use the up- and down-arrow buttons on the left side of each rule (or the drag-and-drop method) to change the order in which the rules are evaluated against a computer. Remember that the [all others] rule always is the last one in the table.
  11. Repeat this procedure beginning with step 3 for any other rules you need to create.