Using DeviceLock Group Policy Manager
Managing DeviceLock Service via DeviceLock Group Policy Manager is almost identical to managing it via DeviceLock Management Console. For more information, see Managing DeviceLock Service for Windows.
DeviceLock Group Policy Manager cannot be used to manage DeviceLock Enterprise Server or to view audit and shadow logs. For such operations, use DeviceLock Consoles and Tools.
DeviceLock Service management via DeviceLock Group Policy Manager includes four additional features in comparison to DeviceLock Management Console:
1. Override Local Policy - If you want to prevent changes to settings, permissions and audit rules for individual computers that bypass Group Policy or DeviceLock Enterprise Server Policies, enable Override Local Policy in Service Options. This enforces the Group Policy or Server Policy mode for all the computers in the Policy Object, so that the Local Policy mode cannot be enabled for these computers.
If Override Local Policy is enabled, the Use Group/Server Policy parameter in Service Options in the DeviceLock Management Console or DeviceLock Enterprise Manager cannot be disabled.
The following table shows how different settings of the Use Group/Server Policy parameter and the Override Local Policy parameter affect the policy application mode:
Use Group/Server Policy | Override Local Policy | Policy application mode |
Disabled | Disabled | Only Local Policy is applied. |
Enabled | Enabled | Only Group Policy or Server Policy is applied. |
Enabled | Disabled | Group Policy or Server Policy is applied. Local Policy may be in effect until a subsequent replication of the Group Policy or Server Policy settings. |
When setting the Override Local Policy parameter, consider the following:
• When Override Local Policy is disabled while Use Group/Server Policy is enabled, DeviceLock Service settings can be changed via DeviceLock Management Console or DeviceLock Enterprise Manager. However, Group Policy or Server Policy settings will eventually override these changes.
• When Override Local Policy is disabled, all changes to DeviceLock Service settings made via DeviceLock Management Console or DeviceLock Enterprise Manager take effect immediately.
2. Undefine - You can reset any parameter to the unconfigured state. All undefined parameters are ignored in this GPO. For more information, see Standard GPO inheritance rules.
Use Undefine from the shortcut menu of any parameter to reset this parameter to the unconfigured state. Also, for some parameters, you can use the intermediate state of the check box to make it unconfigured.
3. Undefine Entire Policy - You can reset all parameters to the unconfigured state in one click. Selecting this has the same effect as resetting each parameter one by one (see above).
Use Undefine entire policy from the shortcut menu of DeviceLock to reset all parameters to the unconfigured state. A message that asks you to confirm the operation will appear: “Undefining the entire DeviceLock policy is an irreversible action. All DeviceLock settings will be lost. Are you sure you want to continue?”
4. Remove Offline - You can remove any offline policy settings (permissions, audit, shadowing rules and alerts, white lists, etc.) for both devices and protocols in order to enforce regular ones in this GPO. To do so, right-click any policy setting, and then click Remove Offline.
Note: In order to manage DeviceLock Service settings via Group Policy, DeviceLock Service must be installed and started on all the computers belonging to the GPO. For more information about the service installation, see Deploying DeviceLock Service for Windows. Also, do not forget that Group Policy is reapplied on a periodic basis (by default, every 90 minutes) so your changes do not take effect immediately. For more information, see How Group Policy is applied.