Group Rules

The Group rules node allows you to match security control rules with specific user groups within the enterprise.

The Group summary displays the group name, Textual Security Identifier (SID), and Security Level of the rule. Application Control allows you to assign four distinct security levels to the group rules. A SID is a data structure of variable length that identifies user, group, and computer accounts. Every account on a network is issued a unique SID when the account is first created. Internal processes in Windows refer to an account's SID rather than the account's user or group name. Likewise, Application Control also refers to a user or group SID unless the SID could not be found when added to the configuration.

There are two predefined Group rules:

  • BUILTIN\Administrators - Users in BUILTIN\Administrators are assigned the Unrestricted security level. The BUILTIN\Administrators group is for managing access to the applications for local administrators.
  • Everyone - The Everyone group rule and all additional group rules have a security level of Restricted, unless a user matches other group or user rules with higher priority settings. All users, including administrators, are part of the Everyone group. This means administrators are part of two group rules: the BUILTIN\Administrators group, which is unrestricted, and the Everyone group, which is restricted. Application Control uses the least restrictive rules; therefore, all administrator requests are unrestricted.

    Typically, you specify all the files, folders, drives, signature items, network connection items, and groups to prohibit for Everyone. You can then create a new group or user and specify the items you want to be accessible for that group or user. This enables you to control what users have access to.
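The variable-length SID structure described above can be decoded into its textual form, which is useful when checking which account a group rule really refers to. The following Python is an added example, not part of Application Control; it assumes the standard Windows binary SID layout, and the sample values are the well-known Windows SIDs for BUILTIN\Administrators and Everyone, which are not listed on this page.

```python
import struct

# Well-known Windows SIDs in binary form (assumed values, not from this page).
ADMINS_RAW = bytes.fromhex("01020000000000052000000020020000")  # BUILTIN\Administrators
EVERYONE_RAW = bytes.fromhex("010100000000000100000000")        # Everyone


def sid_to_text(raw: bytes) -> str:
    """Decode a binary SID into the textual S-<rev>-<authority>-<sub>... form."""
    if len(raw) < 8:
        raise ValueError("SID is shorter than its fixed 8-byte header")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if count > 15:
        raise ValueError("a SID holds at most 15 sub-authorities")
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match the sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")   # 48-bit value, big-endian
    subs = struct.unpack(f"<{count}I", raw[8:])    # 32-bit values, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])


def text_to_sid(text: str) -> bytes:
    """Encode a textual SID (decimal fields) back into its binary form."""
    parts = text.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("textual SID must look like S-1-<authority>[-<sub>...]")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2**48 or len(subs) > 15:
        raise ValueError("revision, authority or sub-authority count out of range")
    if any(not 0 <= s < 2**32 for s in subs):
        raise ValueError("sub-authority does not fit in 32 bits")
    header = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


if __name__ == "__main__":
    for name, raw in (("BUILTIN\\Administrators", ADMINS_RAW), ("Everyone", EVERYONE_RAW)):
        print(f"{name:24} {sid_to_text(raw)}  ({len(raw)} bytes)")
```

The two predefined groups produce SIDs of different lengths (16 and 12 bytes), which is the variable-length property in practice.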

Manage group rules as follows:

  • To add a group rule, click Add Rule on the Rules ribbon and select Group Rule.

    The Add Group Rule dialog displays. Enter or browse to select an account.

  • To remove a group rule, highlight a rule and click Remove Rule on the Rules ribbon.

    A confirmation message displays. Click Yes to confirm the removal.

You can also add items to the Allowed Items, Denied Items, Trusted Vendors, User Privileges, and Browser Control nodes in each group rule node.