Re: Enterprise and User security...
From: Eugene V. Bobukh [MS] (eugenebo_at_online.microsoft.com)
Date: Mon, 10 May 2004 15:18:37 -0700
If you are an Administrator on the machine, you can configure all the three levels. However, the original idea behind this is that normally machine users don't touch Enterprise level, just for the reasons that you've described: their settings will be overwtitten when Enterprise Admin will be pushing his/her own settings.
As per "how that technically happens" -- there are several mechanisms of policy deployment across many machines, such as:
* Deployment thourh SMS package. You configure the policy on one of the machines, create an MSI package [.NET Framework Configuration tool supports that], then drop that MSI to the SMS Server that controls the machines in your organization. There are many technical details behind this, but eventually the package gets distributed and installed on all the client machines.
* Deployment via Group Policy, of which I have weaker idea, but this is some kind of mechanism that lets you to run the installation/configuration code on client machines.
Each deployment mechanism completely overwrites the policy of the level being configured, but does not touch other levels. That's why they are separated: Machine for machine Admin games, and Enterprise for corporation Admin.
-- Eugene V. Bobukh This message is provided "AS IS" with no warranties, and confers no rights. Any opinions or policies stated within it are my own and do not necessarily constitute those of my employer. ---- "Klaus Salchner" <email@example.com> wrote in message news:uOUINcVNEHA.1312@TK2MSFTNGP12.phx.gbl... > When you configure the security policy from .NET you have three levels: > > Enterprise > Machine > User > > How does the user and enterprise security level get populated throughout the > enterprise? So I can configure it for the enterprise and then also for > certain individuals but how does it get populated to all other machines in > the enterprise? Because I don't want to configure it per machine and I also > don't want to copy the .CONFIG file because then I may over-write machine > specific security settings. > > Any insight is greatly appreciated! > > Regards, Klaus > ----------------------------------------------- > Klaus Salchner > Sr. Enterprise Architect > email: firstname.lastname@example.org > > Proud member of > http://linkedin.com - become part of my professional network; it's a free > 3rd party tool > http://gotdotnet.com > http://theserverside.net > >