Re: Force local policies
- From: "travisr" <travis@xxxxxxxxxxxxxxxxxxxxxxx>
- Date: 10 Oct 2006 10:45:35 -0700
Steves,
Thanks for the input. We're in the same boat as we are also working
with a medical device and trying to satisfy HIPAA. As I look at the
1000+ policies that might be enforced by a domain it's a bit daunting
to try and consider which will policies we need to account for in
specifying how our device behaves. What have you done to ensure that
joining the device to a domain does not have any unfavorable
consequences? Who's fault is it if a device is installed at a site and
a screensaver pops up 15 minutes into a monitoring session because the
domain specifies that it should? Even if we provide a set of policies
for our device on a domain, it seems like we can't guarantee that they
will be applied by the network admin and as such we can't guarantee a
pre-defined behavior for the system.
steves wrote:
Disclaimer: I too, am not an IT expert. However, i do have an opinion
;).
I believe all of the policies can be compiled into .pol or .adm files,
which could be distributed to the domain administrators involved.
Then, they create what is called an "organizational unit" in the domain
(Think 'department', like 'accounting', engineering', and 'embedded
whatzamajigs'.) This way, the domain can be set up to be sure that
your instrument has the appropriate required policies.
Philisophically I tried to use the minimum policy set that I could.
There is a very small set of policies that I don't want messed with,
such as disabling windows update, and disabling task manager.
However, I know that my customers have a fairly wide range of security
tolerance in their various organizations (we build a medical device).
Some customers have enforced password changes, password complexity
rules, restricted logins based on the scheduled work hours, and all
manner of very strict rules. Others set up the instrument to
automatically login and forget about it. So, it is really the domain
administrator that is in control of this situation.
So, to restate, I would recommend that you define the absolute minimum
policy settings that you need (saved as .pol files), and recommend that
during installation an organizational unit or user group be created for
the devices, which contains your required policy settings.
This is a drag, and complicates the installation process, but I'm
afraid that that is the nature of the beast. As for the option of NOT
joining the domain, that will work. However, if you are in an
environment that requires individual login (HIPAA, a medical records
law, requires this), then you have just complicated the domain admins'
job, because he now has to manage user accounts on your device
separately from the rest of the network. If your environment allows
the machine to auto log in as a single username, then not joining the
domain is probably an OK option.
Steves
StevesATeyeDASHimagingDOTcom.
KM wrote:
travisr,
I'm far from being an IT guy, so excuse me if it sounds like I don't
know what I'm talking about. Anyway, as I understand it, a computer on
a domain will always override local policies with domain policies, if
the policy exists on the domain. What I would like to achieve is to
allow users to add the XPe installation to a domain but still guarantee
enforcement of certain local policies. Does anybody know if there is
any way to achieve this?
I don't know any way how to force local policies over domain ones unless it is set up on the server side. Although I am not an IT
guy either and therefore not an expert in this.
It does make sense, however, that domain policies are always on top of the local ones. Otherwise, corporate (domain) users would be
able to set up thier workstation as they wish and easy break administring and maintating the network.
If not, perhaps this is something somebody
from Microsoft might want to take under consideration - it may not make
sense for a PC but for an embedded product it certainly does.
I disagree. If you connect your embedded product to a network (and, worse, your product runs *PC* software) it must obey to the
network rules set up by administrators of that network. You want to join a domain, you will have to use the domain rules. This is my
opinion.
Also, if it isn't possible to ensure local policies are retained, can
anybody tell me how to disable the ability to add a system to a domain
without sacrificing other networking capabilities. Thanks in advance.
Well, not quite sure what networking capabilities you are interested in?
After all, you can always remove Join Domain component from your config and that will break the device ability to login to a domain.
Networking would work as it did before you removed the component. Some domain related stuff, of course, wouldn't work.
--
=========
Regards,
KM
.
- References:
- Force local policies
- From: travisr
- Re: Force local policies
- From: KM
- Re: Force local policies
- From: steves
- Force local policies
- Prev by Date: Re: Force local policies
- Next by Date: Re: Problem with swap file size increasing with EWF RAM REG mode
- Previous by thread: Re: Force local policies
- Next by thread: Re: Force local policies
- Index(es):
Relevant Pages
|
