4 Replies Latest reply on Jul 14, 2014 1:19 PM by BChriscoli

    Trusted Owners and nested groups

    RalJans Rookie
      Hi all,

      How do you configure Trusted Owners when nested groups are not supported?

      Situation: the BUILTIN\Administrators group is added to Trusted Owners. The group DOMAIN\Admins is added to BUILTIN\Administrators.
      AppSense AM does not support nested groups, so files owned by someone who is a member of DOMAIN\Admins are not trusted.
        • 1. Re: Trusted Owners and nested groups
          Landon Winburn ITSMMVPGroup
          Nested groups and domain groups are not supported in TO. If the user is in the builtin\administrators group directly then execution is allowed. In fact, on a base config administrators are not restricted, and this would include any administrator, not just ones directly added, as group rules support nesting. If you're going to use TO then each user that is to be a TO needs to be explicitly added.

          • 2. Re: Trusted Owners and nested groups
            RalJans Rookie
            That means that the TO feature doesn't offer the flexibility many customers want. Too bad that this feature is almost useless without nested groups.

            This, in combination with Accessible Items that do not support DFS, makes AppSense AM almost useless. (Accessible Items and DFS)
            • 3. Re: Trusted Owners and nested groups
              Landon Winburn ITSMMVPGroup
              Sorry you feel that way. TO works beautifully in non-persistent environments, so much to the point that many people actually remove AV. In these environments there is only a handful of people that may update "golden" images and these names are easily added to the TO list.

              You have to think about how this works from a technical perspective. If AM had to take the user's name that owns a file and then do a reverse query in AD for each group that the user may be a member of to compare to the TO list, the performance of the box would just crater from the AD queries.

              You never mentioned what environment you are trying to install into, but TO is usually used in non-persistent environments or physical environments that are somewhat controlled (all apps packed and pushed via SCCM, for example), which most enterprise organizations do nowadays. This ensures the trusted apps are owned by trusted accounts and not by 1 of 200 desktop technicians in the organization, for example. We also have scripts that will reset the file ownership on a box to SYSTEM or Trusted Installer if you're interested in that.

              • 4. Re: Trusted Owners and nested groups
                Nested Groups in Trusted Ownership is an existing feature request. It was submitted by me sometime in 2012.
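
An added example, not part of the thread and not AppSense code: a PowerShell audit that lists executable files whose owner is not literally on an explicit trusted-owner list, using the same flat match with no group expansion that the replies describe. `$Root`, the extension list and the sample owner names are assumptions to replace with your own values.

```powershell
# Audit file owners against an explicit (flat) trusted-owner list.
# Assumed defaults below are constructed samples, not values from any product.
param(
    [string]$Root = 'C:\Program Files',
    [string[]]$TrustedOwners = @(
        'NT AUTHORITY\SYSTEM',
        'NT SERVICE\TrustedInstaller',
        'BUILTIN\Administrators'
    )
)

# Case-insensitive set for exact-name lookups. Membership of the owner in a
# group (nested or domain) is deliberately NOT resolved, so DOMAIN\someadmin
# is reported even if that account sits inside BUILTIN\Administrators.
$trusted = [System.Collections.Generic.HashSet[string]]::new(
    $TrustedOwners, [System.StringComparer]::OrdinalIgnoreCase)

# File types worth checking (assumed list).
$extensions = '.exe', '.dll', '.msi', '.bat', '.cmd', '.ps1', '.vbs'

$untrusted = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $extensions -contains $_.Extension.ToLowerInvariant() } |
    ForEach-Object {
        try {
            $owner = (Get-Acl -LiteralPath $_.FullName -ErrorAction Stop).Owner
        } catch {
            # Access denied or file vanished: report it rather than skip it.
            $owner = '<unreadable>'
        }
        if (-not $trusted.Contains([string]$owner)) {
            [pscustomobject]@{ Owner = [string]$owner; Path = $_.FullName }
        }
    }

# Per-owner summary: each owner here must be added explicitly to the list
# or have its files re-owned before ownership-based blocking is enforced.
$untrusted | Group-Object Owner | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Full detail for follow-up.
$untrusted | Sort-Object Owner, Path | Format-Table -AutoSize -Wrap
```

Running it against an image before enabling ownership checks shows which individual accounts own executables and would be treated as untrusted under flat matching.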