DisableExternalGroupCheck

In a multi-domain environment, Workspace Control can discover nested group membership across domains. This is also known as external group membership. For example, DomainA\User is a member of DomainA\Group1, which in turn is a member of the local domain group DomainB\Group2.

To correctly establish a nested group strategy, Workspace Control reads the full membership from the configured trusted domain(s), including nested groups.

This is done regardless of whether the DisableExternalGroupCheck registry setting is configured.

Ivanti recommends defining your nested group strategy based on the following information, which lists the objects that can be members of each nested group scope:

| Nested group scope | Members from the same domain | Members from another domain in the same forest | Members from a trusted external domain |
|---|---|---|---|
| Local | Users, Computers, Global groups, Universal groups, Domain local groups, Local users defined on the same computer as the local group | Users, Computers, Global groups, Universal groups | Users, Groups, Global groups |
| Domain local | Users, Computers, Global groups, Universal groups, Domain local groups | Users, Computers, Global groups, Universal groups | Users, Groups, Global groups |
| Universal | Users, Computers, Global groups, Universal groups | Users, Computers, Global groups, Universal groups | N/A |
| Global | Users, Global groups | N/A | N/A |

Checking nested group membership can slow down the startup of the user session. In cases where the external group membership check is not needed, user session startup times can be improved by disabling this check.

Create the following string value to disable external group membership checks:

Key:

  • HKEY_LOCAL_MACHINE\SOFTWARE\RES\Workspace Manager (32-bit)

  • HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\RES\Workspace Manager (64-bit)

Value: DisableExternalGroupCheck

Type: REG_SZ

Data: Yes
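
The following PowerShell script is an added example, not part of the Ivanti documentation. It reports whether the value is present on the local machine and, when run elevated with the hypothetical -Set switch, creates it. The switch name and the output property names are assumptions made for this example.

```powershell
# Added example: audit or set DisableExternalGroupCheck on the local machine.
# Opening HKLM through the 32-bit registry view resolves
# SOFTWARE\RES\Workspace Manager to the WOW6432Node location on 64-bit Windows
# and to the plain location on 32-bit Windows, matching the two keys listed above.
[CmdletBinding()]
param(
    [switch]$Set   # hypothetical switch: without it the script only reports
)

$subKey    = 'SOFTWARE\RES\Workspace Manager'
$valueName = 'DisableExternalGroupCheck'
$key       = $null

$hklm = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::LocalMachine,
    [Microsoft.Win32.RegistryView]::Registry32)
try {
    if ($Set) {
        # Requires an elevated session; creates the key if it does not exist.
        $key = $hklm.CreateSubKey($subKey)
        $key.SetValue($valueName, 'Yes', [Microsoft.Win32.RegistryValueKind]::String)
    } else {
        $key = $hklm.OpenSubKey($subKey)   # read-only; $null if the key is absent
    }

    $data = $null
    $kind = $null
    if ($key -and ($key.GetValueNames() -contains $valueName)) {
        $data = $key.GetValue($valueName)
        $kind = $key.GetValueKind($valueName)
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        KeyPresent    = [bool]$key
        Value         = $valueName
        Type          = $kind
        Data          = $data
        # Only REG_SZ "Yes" is counted as disabling the check. The comparison is
        # case-insensitive, which is an assumption of this example.
        CheckDisabled = ($kind -eq [Microsoft.Win32.RegistryValueKind]::String -and $data -eq 'Yes')
    }
} finally {
    if ($key) { $key.Dispose() }
    $hklm.Dispose()
}
```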