Device control with AD group exception

I have created a policy for Windows endpoint products to block external USB devices. In the policy there are 2 rules, in order (top to bottom):

  1. Allow RW to USB storage devices for a specific AD group
  2. Block access to USB storage devices outright

The AD group has been added via the synced groups from AD into ESMC.

The questions (TL;DR):

  1. What resolves the security context for a user belonging to an AD group for ESET Device management?
  2. What actions does an admin need to perform after adding a user to the AD exceptions group to force the workstation to allow the user to access USB?


There are seemingly 3 options:

1. ESMC server - after a server task of syncing that group (i.e. there is a cache as to who belongs to that group).

2. ESMC server - by request of the Endpoint product (unlikely IMO).

3. ESET Endpoint product (or Agent) - via currently loaded security context

After some tests it seems like option 3 is most likely.

I definitely did not touch the server sync task in ESMC, which triggers every day only. After a combination of logging off/logging in and sending wake up calls to the workstation via ESMC the USB storage permissions were updated per the changes in the AD group. I just can't seem to narrow down exactly what forces the security context update for ESET Endpoint Antivirus's Device Control.



All testing was done by applying the policy to a single domain-joined workstation and using the same domain account.

ESMC server version: 7.0.577.0

Endpoint product version: 7.1.2053.0

ESET management agent version: 7.0.577.0
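An added example, not part of the post above and not ESET's own code: a PowerShell check that compares the group SIDs carried in the workstation's current Windows logon token (the "currently loaded security context" of option 3, if that is what the product consults) against the user's current memberOf list read from AD via ADSI. Windows builds the token at logon, so a membership added in AD afterwards is visible in the directory but not in the token until the user logs off and on again. The group name USB-RW-Allowed is a hypothetical placeholder; whether Endpoint reads the Windows token or an ESMC-side cache is exactly what the thread leaves open, and the script only shows which of the two sources already reflects the change.

```powershell
# Added example (not from the forum post or from ESET). Compares the groups in
# the current Windows logon token with the groups AD currently lists for the
# same user. The token is built at logon, so a group added in AD after logon
# appears in the directory but not in the token until the next logon.
# "USB-RW-Allowed" is a hypothetical placeholder group name.

function Get-TokenGroups {
    # Group SIDs in the currently loaded security context, translated to
    # DOMAIN\Name where possible; SIDs that cannot be resolved stay as strings.
    # Note: the token also carries nested group memberships.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }
    }
}

function Get-DirectoryGroups {
    # Direct memberOf entries for the user, read from AD via ADSI (no RSAT
    # module needed). Returns DOMAIN\sAMAccountName of each group.
    # Note: memberOf lists direct memberships only (no nesting, no primary group).
    param([string]$SamAccountName = $env:USERNAME)
    $searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$SamAccountName))"
    $user = $searcher.FindOne()
    if (-not $user) { return @() }
    foreach ($dn in $user.Properties['memberof']) {
        $group = [adsi]"LDAP://$dn"
        "$env:USERDOMAIN\$($group.Properties['sAMAccountName'][0])"
    }
}

function Compare-UsbExceptionGroup {
    # Reports whether the exception group is already in the logon token, only
    # in AD (token predates the change), or in neither.
    param([Parameter(Mandatory)][string]$GroupName)
    $token   = @(Get-TokenGroups)
    $dir     = @(Get-DirectoryGroups)
    $inToken = $token -contains $GroupName   # -contains is case-insensitive
    $inDir   = $dir   -contains $GroupName

    $verdict = if ($inToken) {
        'Logon token already carries the group.'
    } elseif ($inDir) {
        'Group is in AD but not in the logon token: the token predates the change, so a new logon is needed before the token reflects it.'
    } else {
        'Group not found for this user in AD (direct memberOf) or in the token.'
    }

    [pscustomobject]@{
        User         = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Group        = $GroupName
        InLogonToken = $inToken
        InDirectory  = $inDir
        Verdict      = $verdict
    }
}

# Usage: run as the domain user on the workstation being tested.
Compare-UsbExceptionGroup -GroupName "$env:USERDOMAIN\USB-RW-Allowed" | Format-List
```

Running this as the test user immediately after adding them to the group, and again after a log off/log on, separates the two candidate causes in the post: if InDirectory is true while InLogonToken is false, the workstation's own security context is stale and the token is a plausible reason a fresh logon was needed; if both are true and USB is still blocked, the product is consulting something other than the token (for example a server-side group cache), which points back at options 1 or 2.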

Edited by leviu