8/7/2021 Creating an Active Directory Group Policy - NetIQ SecureLogin Administration Guide

13.7 Creating an Active Directory

Group Policy
Group Policy Object Support

Group Policy Management Console Support

Definition of a Group Policy Object

Adding or Editing a Group Policy Object

Installing the GPMC Plug-In

Retrieving a Policy Applied to the User Object in GPMC

Retrieving a Policy Applied to the User Object in SLManager

13.7.1 Group Policy Object Support

Prerequisites:
SecureLogin is installed with support for group policies.

The Active Directory Users and Computers snap-in or Group Policy Management
Console is open

Using Group Policy object support, you can manage SecureLogin users in Active Directory
users at the container, OU, and user object levels.

Group Policy object support is useful for organizations with flat directory structures where
a more granular approach is required when applying settings, policies, and application
definitions for users. For example, applying a group policy for a global marketing group in
a worldwide organization. Several group policies can be defined and applied to any user,
group, or container at the directory level. These different policies are then applied to a
specific user object or container or organizational unit through the inheritance process.

To limit network traffic during the Group Policy object synchronization, SecureLogin
leverages an existing Microsoft Windows feature to specify policy settings that are updated
when the group policy object changes.

Edit the WinLogon/GPextensions in the Windows Registry, and set the

NoGPOListChanges key to 1.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\G

For more information on Microsoft Windows Group Policy configuration, see the
Microsoft Web site.
https://www.netiq.com/documentation/securelogin-85/administration_guide/data/b9p43nt.html?view=print 1/5
8/7/2021 Creating an Active Directory Group Policy - NetIQ SecureLogin Administration Guide

For information on the Registry NoGPOListChanges setting, see the Microsoft Web site.

13.7.2 Group Policy Management Console Support

In SecureLogin 6.1, you can see the resultant set of single sign-on policy settings that apply
to a particular user object when multiple SecureLogin group policies and organizational
unit or user object setting are applied through the Microsoft’s Group Policy Management
Console (GPMC), which now includes support for Resultant Set of Policy (RSOP).

NOTE: The GPMC must be installed on the administrative workstation where you want to
see the resultant set of policies.

Resultant Set of Policy Settings

The Resultant Set of Policy (RSOP) is a feature of a group policy that makes the
implementation, troubleshooting, and planning of group policies easier and allows you to
plan how the group policy changes might affect a targeted user or computer or remotely
verify the policies under effect on a specific computer.

When multiple group policy objects are applied to a given user or computer, the policy can
often contain conflicting policy settings. For most policy settings, the final value of the
setting is set only by the highest precedent Group Policy object that contains that setting.

RSOP assists directory administrators to understand and identify the final set of policies
that are applied as well as settings that did not apply as a result of policy inheritance.

In this version of SecureLogin, you can see the final SecureLogin settings that apply to a
user when he or she starts SecureLogin. You have the ability to do the following:

Retrieve the policy applied to the user object in the Microsoft Management Console.

Retrieve the policy applied to the user object in the SLManager.

Define from which policy the setting is inherited.

13.7.3 Definition of a Group Policy Object

IMPORTANT: Group policy functionality is enabled only if it was selected during the
installation of SecureLogin in Microsoft Active Directory mode. For more information, see
the “Installing and Configuring in Active Directory Environment”.

For more information about Group Policy Objects (GPOs), go to the Microsoft Web site.

Policy settings are stored in Group Policy Objects (GPOs). Settings for each GPO can be
edited using the GPO Editor from within Microsoft’s Group Policy Management Console
(GPMC).

When an administrator defines a SecureLogin GPO, they can now use the GPMC to add
this group policy or edit and configure the SecureLogin settings.

https://www.netiq.com/documentation/securelogin-85/administration_guide/data/b9p43nt.html?view=print 2/5
8/7/2021 Creating an Active Directory Group Policy - NetIQ SecureLogin Administration Guide

13.7.4 Adding or Editing a Group Policy Object

Policy settings are stored in Group Policy object settings for each Group Policy object and
can be edited using the Group Policy object editor from Microsoft (GPMC).

The group policy functionality is enabled during the installation of SecureLogin in

Microsoft Active Directory mode. For more information see, “Installing and Configuring in
Active Directory Environment”in the NetIQ SecureLogin Installation Guide.

When you define a SecureLogin Group Policy Object, administrative users can use the
GPMC tool to add this group policy or edit and configure the SecureLogin settings.

13.7.5 Installing the GPMC Plug-In

With the Microsoft’s GPMC plug-in, you can manage core aspects of Group Policy object
across enterprises.

For Microsoft Vista (or higher) customers, the GPMC snap-in is already integrated in to the
operating system.

Existing Windows XP and Server customers can download the gpmc.msi installer package
at the Microsoft Web site.Installing the Microsoft GPMC plug-in simply involves running
the gpmc.msi installer package.

NOTE: After installation, the Group Policy tab that previously appeared on the Property
pages of sites, domains, and organizational units in the Active Directory plug-in is updated
to provide a direct link to GPMC. The functionality that previously existed on the original
Group Policy tab is no longer available because all functionality for managing a Group
Policy is available through the GPMC plug-in.

Managing Group Policy Objects through the GPMC

Use any of the following methods to open the GPMC plug-in directly:

Click Start > Programs > Administrative Tools > Active Directory Users and Computers.
The Active Directory Users and Computers page is displayed.

In the navigation tree, right-click the appropriate organizational unit, then click
Properties. The selected organizational unit page is displayed.

Click Group Policy, then click Open.

Click Start > Programs > Administrative Tools > Group Policy Management.

Click Start > Run. The Run page is displayed.

1. At Open, type mmc.

2. Click OK. The Management Console is displayed.

https://www.netiq.com/documentation/securelogin-85/administration_guide/data/b9p43nt.html?view=print 3/5
8/7/2021 Creating an Active Directory Group Policy - NetIQ SecureLogin Administration Guide

3. Click File.

4. Click Add/Remove Snap-in. The Add/Remove page is displayed.

5. Click Add. The Add Standalone Snap-in page is displayed.

6. Select Group Policy Management and then, click Add.

7. Click Close. The Add Standalone Snap-in page is displayed.

8. Click OK. The Group Policy Management page is displayed.

NOTE: When you launch the GPMC for the first time, it loads the forest and domain
containing the user object logged in to the computer. You can then specify the forest and
domain to be displayed.

When you close the GPMC, it automatically saves the last view and returns that view the
next a user opens the console.

13.7.6 Retrieving a Policy Applied to the User Object in GPMC

The definition of the Group Policy Objects are defined by the administrator at the directory
level, so changes can now be seen immediately at the OU, container or user object level,
depending on the level where the group policies have been applied and the SecureLogin
preferences applied.

These settings must follow the rules already defined of inheritance and precedence:

The Stop walking here preference

The Corporate Redirection setting

The Group Policy object settings and their priorities

The directory hierarchy settings

The precedence rules are respected and follow the rules already defined:

The deepest object in the tree has the precedence over any other higher-level object

The group policies have the lower precedence than all OUs and User objects.

As a consequence of all these processes, the administrator can now see the resultant set of
the policies in the user object either through MMC interface or administrative management
utilities.

The resultant set of policies are displayed in the bottom left hand corner of the SecureLogin
Administration Management utility. They show from which Group Policy the current
setting has been inherited.

https://www.netiq.com/documentation/securelogin-85/administration_guide/data/b9p43nt.html?view=print 4/5
8/7/2021 Creating an Active Directory Group Policy - NetIQ SecureLogin Administration Guide

NOTE: The retrieval of all SecureLogin configuration information is subject to both

SecureLogin and native Directory access controls. In the unlikely circumstance that the
user has rights to read a Group Policy object but the administrator does not, this system
displays incorrect effective configuration information. This is because the administrator
simply cannot access the same information as the user, and any mechanism for allowing
this would introduce a security problem.

In this specific configuration, if SecureLogin has no way to retrieve the exact policy applied
to the user object, then a message is displayed indicating that the information displayed
does not correspond to the resultant set of policies applied to this user object. The message
RSOP not available is displayed in the bottom left side of the Administration Management
console.

13.7.7 Retrieving a Policy Applied to the User Object in

SLManager
Because the definition of the Group Policy objects are performed by you at the directory
level, any changes are now seen immediately at the OU, container, or the user object level.

https://www.netiq.com/documentation/securelogin-85/administration_guide/data/b9p43nt.html?view=print 5/5