US20060167858A1 - System and method for implementing group policy - Google Patents

System and method for implementing group policy Download PDF

Info

Publication number
US20060167858A1
US20060167858A1 US11234887 US23488705A US2006167858A1 US 20060167858 A1 US20060167858 A1 US 20060167858A1 US 11234887 US11234887 US 11234887 US 23488705 A US23488705 A US 23488705A US 2006167858 A1 US2006167858 A1 US 2006167858A1
Authority
US
Grant status
Application
Patent type
Prior art keywords
policy
group
settings
computer
objects
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Abandoned
Application number
US11234887
Inventor
Michael Dennis
Michele Freed
Daniel Plastina
Eric Flo
David Kays
Robert Corrington
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Microsoft Technology Licensing LLC
Original Assignee
Microsoft Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L63/102Entity profiles
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10Protecting distributed programs or content, e.g. vending or licensing of copyrighted material
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • GPHYSICS
    • G06COMPUTING; CALCULATING; COUNTING
    • G06QDATA PROCESSING SYSTEMS OR METHODS, SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES; SYSTEMS OR METHODS SPECIALLY ADAPTED FOR ADMINISTRATIVE, COMMERCIAL, FINANCIAL, MANAGERIAL, SUPERVISORY OR FORECASTING PURPOSES, NOT OTHERWISE PROVIDED FOR
    • G06Q10/00Administration; Management
    • G06Q10/10Office automation, e.g. computer aided management of electronic mail or groupware; Time management, e.g. calendars, reminders, meetings or time accounting
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to network resources
    • H04L63/104Grouping of entities
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10TECHNICAL SUBJECTS COVERED BY FORMER USPC
    • Y10STECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10S707/00Data processing: database and file management or data structures
    • Y10S707/99931Database or file accessing
    • Y10S707/99933Query processing, i.e. searching
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10TECHNICAL SUBJECTS COVERED BY FORMER USPC
    • Y10STECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10S707/00Data processing: database and file management or data structures
    • Y10S707/99931Database or file accessing
    • Y10S707/99939Privileged access
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10TECHNICAL SUBJECTS COVERED BY FORMER USPC
    • Y10STECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10S707/00Data processing: database and file management or data structures
    • Y10S707/99941Database schema or data structure
    • Y10S707/99942Manipulating data structure, e.g. compression, compaction, compilation
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10TECHNICAL SUBJECTS COVERED BY FORMER USPC
    • Y10STECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10S707/00Data processing: database and file management or data structures
    • Y10S707/99941Database schema or data structure
    • Y10S707/99944Object-oriented database structure
    • Y10S707/99945Object-oriented database structure processing
    • YGENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10TECHNICAL SUBJECTS COVERED BY FORMER USPC
    • Y10STECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y10S707/00Data processing: database and file management or data structures
    • Y10S707/99951File or database maintenance
    • Y10S707/99952Coherency, e.g. same view to multiple users
    • Y10S707/99953Recoverability

Abstract

A method and system for implementing policy by accumulating policies for a policy recipient from policy objects associated with a hierarchically organized structure of containers, such as directory containers (sites, domains and organizational units) that includes the policy recipient. Based on administrator input, policy settings for the policy recipient may be accumulated into a specific order by inheriting policy from higher containers, which may enforce their policy settings over those of lower containers. Policy that is not enforced may be blocked at a container. The result is an accumulated set of group policy objects that are ordered by relative strength to resolve any policy conflicts. Policy may be applied to a policy recipient by calling extensions, such as an extension that layers the policy settings into the registry or an extension that uses policy information from the objects according to the ordering thereof. Linking of group policy objects to one or more containers (e.g., sites, domains and organizational units) is provided, as is exception management. The effects of group policy may be filtered based on users' or computers' membership in security groups.

Description

  • The present application is a continuation of copending U.S. patent application Ser. No. 10/254,155, filed Sep. 24, 2002, which is a continuation of U.S. patent application Ser. No. 09/268,455, filed Mar. 16, 1999, now U.S. Pat. No. 6,466,932, which is a continuation-in-part of U.S. patent application Ser. No. 09/134,805 entitled “System and Method for Implementing Group Policy,” filed on Aug. 14, 1998, now abandoned; all of the related applications are hereby incorporated by reference in their entireties.
  • FIELD OF THE INVENTION
  • The invention relates generally to computer systems and networks, and more particularly to an improved method and system for implementing policy for users and computers.
  • BACKGROUND OF THE INVENTION
  • Lost productivity at employees' computer desktops is a major cost for corporations, often resulting from user errors such as modifying system configuration files in ways that render the computer unworkable. Productivity is also lost when a computer desktop is too complex, such as when the desktop has too many non-essential applications and features thereon. At the same time, much of the expense of administering distributed personal computer networks is spent at the desktop, performing tasks such as fixing the settings that the user has incorrectly or inadvertently modified.
  • As a result, enterprises such as corporations have established policies seeking to define settings for computer users. For example, a corporation may wish to have the same e-mail and word processing program on all their users' desktops, while certain users such as those in the engineering group have a common CAD program not available to users in the finance group. Another policy may selectively prevent a user from connecting to the Internet by writing information into the user's machine registry to prevent access. Centralized policy systems exist to allow an administrator some control over the settings that institute such policies, and provide benefits in scalability to assist in the administration of larger networks. For example, in networks organized into domains, (such as with Microsoft® Windows NT®4.0), such policies may be applied per domain, based on each domain user's membership in a security group.
  • However, there are a number of drawbacks present with existing policy systems. One such drawback is that the policies are essentially static, whereby a user can change the settings and simply avoid the policy. It is cost prohibitive to have an administrator or the like go from machine to machine to check the settings on a regular basis. It is possible to force mandatory profiles on a user at each log-on based on the user's group membership. However such mandatory profiles are too inflexible, in that essentially all settings made by an individual user are lost whenever the user logs off. For example, with mandatory profiles, customizations to a desktop, such as window placement, adding words to a user's spell checker and the like, which most enterprises would consider permissible and even desirable because they tend to increase an employee's efficiency, are lost when the user logs off.
  • Another significant drawback results from relying on a security group membership to determine the settings, particularly in that one group (the first group found for a user) determines that user's settings. Thus, if a user is a member of both the engineering and financial groups, the user will get only one set of policy settings. Present policy-determination systems, such as those basing policy on the domain plus membership in a security group, essentially follow a flat model, which does not fit well with a typical enterprise having a hierarchical organizational structure.
  • SUMMARY OF THE INVENTION
  • Briefly, the present invention provides a system and method for implementing policy for users and computers. Policy settings are placed into group policy objects, and each of the policy objects may be associated with one or more containers, such as hierarchically-organized directory objects (containers). e.g. a domain, site or organizational unit. Based upon administrator input, settings from policy objects are accumulated and associated with a policy recipient, whereby users' computers and the like receive the accumulated policy. To accumulate policy, the settings may be inherited from directory containers hierarchically above a policy recipient. The associated with other containers. The administrator's input also orders the group policy objects, whereby any conflicts are resolved by the ordering precedence, i.e., the policy's relative strength. Policy may be applied to a recipient by layering the policy settings, based on the ordering, weakest first such that strongest settings overwrite weaker settings, or by seeking policy information from the strongest to weakest policy until the desired policy is located.
  • A number of very flexible conditions based on an Active Directory hierarchy may be included. By default, an object's parent container in the hierarchy is the strongest factor, but other containers to the parent may affect an object's policy, and by default, group policy affects each of the computers and users in a selected active directory container. A default inheritance evaluates group policy starting with the active directory container that is furthest away whereby the Active Directory container closest to the computer or user has the ability to override policy set in a higher level container, in the order of Site, Domain, Organizational Unit or Units (SDOU). Moreover, there is provided an option to block inheritance of policy from higher parent containers, however there are also options that allow policy of a specific group policy object to be enforced so that group policy objects in lower level containers cannot override the policy settings of higher level containers, i.e., an enforced option takes precedence. In addition, the effects of group policy may be filtered based on users or computers membership in a security group.
  • Other advantages will become apparent from the following detailed description when taken in conjunction with the drawings, in which:
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • FIG. 1 is a block diagram representing a computer system into which the present invention may be incorporated;
  • FIG. 2 is a block diagram generally representing exemplary components for implementing policy in accordance with various aspects of the present invention;
  • FIG. 3 is a block diagram generally illustrating hierarchical relationships between sites, domains organizational units and group policy objects of a network in accordance with one aspect of the present invention;
  • FIG. 4 is a block diagram representing how a user may fit under a number of hierarchically organized directory containers associated with group policy objects;
  • FIG. 5 is a representation of an exemplary user interface via which an administrator may associate group policy objects within the current Active Directory scoping;
  • FIG. 6 is a block diagram representing a user under hierarchically organized directory containers associated with group policy objects;
  • FIGS. 7A-7B comprise a flow diagram generally representing the steps taken to construct an ordered list of group policy objects for the user represented in FIG. 6 in accordance with one aspect of the present invention;
  • FIGS. 8A-8M are representations of lists of group policy objects being used to construct the ordered list of group policy objects in accordance with one aspect of the present invention;
  • FIG. 9 is the ordered list of group policy objects constructed for the user represented in FIG. 6 in accordance with one aspect of the present invention;
  • FIG. 10 is a flow diagram generally representing the steps taken to apply policy to a registry during policy update events (e.g. machine boot or user logon) based on an ordered list;
  • FIG. 11 is a block diagram representing how users may fit under hierarchically organized directory containers associated with group policy objects wherein one of the organizational units is linked to another;
  • FIG. 12 is a block diagram representing how domains may receive enterprise policy;
  • FIGS. 13A-13C represent some of the ways in which an ordered list of group policy object may be changed and an extension notified of change information;
  • FIGS. 14A-14B comprise a flow diagram for determining a slow or fast link, including determining a data transfer rate, for changing how group policy may be applied; and
  • FIG. 15 is a block diagram representing how a user and a machine may fit under a number of hierarchically organized directory containers associated with group policy objects, and how those policy objects may be applied depending on a mode setting.
  • DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT
  • Exemplary Operating Environment
  • FIG. 1 and the following discussion are intended to provide a brief general description of a suitable computing environment in which the invention may be implemented. Although not required, the invention will be described in the general context of computer-executable instructions, such as program modules, being executed by a personal computer. Generally, program modules include routines, programs, objects, components, data structures and the like that perform particular tasks or implement particular abstract data types. Moreover, those skilled in the art will appreciate that the invention may be practiced with other computer system configurations, including hand-held devices, multi-processor systems, microprocessor-based or programmable consumer electronics, network PCs, minicomputers, mainframe computers and the like. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network, including for example, computers, network devices, and printers. In a distributed computing environment, program modules manly be located in both local and remote memory storage devices.
  • With reference to FIG. 1, an exemplary system for implementing the invention includes a general purpose computing device in the form of a conventional personal computer 20 or the like, including a processing unit 21, a system memory 22, and a system bus 23 that couples various system components including the system memory to the processing unit 21. The system bus 23 may be any of several types of bus structures including a memory bus or memory controller, a peripheral bus, and a local bus using any of a variety of bus architectures. The system memory includes read-only memory (ROM) 24 and random access memory (RAM) 25. A basic input/output system 26 (BIOS), containing the basic routines that help to transfer information between elements within the personal computer 1, such as during start-up, is stored in ROM 24, The personal computer 20 may further include a hard disk drive 27 for reading from and writing to a hard disk, not shown, a magnetic disk drive 28 for reading from or writing to a removable magnetic disk 29, and an optical disk drive 30 for reading from or writing to a removable optical disk 31 such as a CD-ROM or other optical media. The hard disk drive 27, magnetic disk drive 28, and optical disk drive 30 are connected to the system bus 23 by a hard disk drive interface 32, a magnetic disk drive interface 33, and an optical drive interface 34, respectively. The drives and their associated computer-readable media provide non-volatile storage of computer readable instructions, data structures, program modules and other data for the personal computer 20. Although the exemplary environment described herein employs a hard disk, a removable magnetic disk 29 and a removable optical disk 31, it should be appreciated by those skilled in the art that other types of computer readable media which can store data that is accessible by a computer, such as magnetic cassettes, flash memory cards, digital video disks, Bernoulli cartridges, random access memories (RAMs), read-only memories (ROMs) and the like may also be used in the exemplary operation environment.
  • A number of program modules may be stored on the hard disk, magnetic disk 29, optical disk 31, ROM 24 or RAM 25, including an operating system 35 (preferably Windows® 2000), one or more application program 36, other program modules 37 and program data 38. A user may enter commands and information into the personal computer 20 through input devices such as a keyboard 40 and pointing device 42. Other input devices (not shown) may include a microphone, joystick, game pad, satellite dish, scanner or the like. These and other input devices are often connected to the processing unit 21 through a serial port interface 46 that is coupled to the system bus, but may be connected by other interfaces, such as a parallel port, game port or universal serial bus (USB). A monitor 47 or other type of display device is also connected to the system bus 23 via an interface, such as a video adapter 48. In addition to the monitor 47, personal computers typically include other peripheral output devices (not shown), such as speakers and printers.
  • The personal computer 20 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computer 49. The remote computer 49 may be another personal computer, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the personal computer 20, although only a memory storage device 50 has been illustrated in FIG. 1. The logical connections depicted in FIG. 1 include a local area network (LAN) 51 and a wide area network (WAN) 52. Such networking environments are commonplace in offices, enterprise-wide computer networks, Intranets and the Internet.
  • When used in a LAN networking environment, the personal computer 20 is connected to the local network 51 through a network interface or adapter 53. When used in a WAN networking environment, the personal computer 20 typically includes a modem 54 or other means for establishing communications over which may be internal or external, is connected to the system bus 23 via the serial port interface 46. In a networked environment, program modules depicted relative to the personal computer 20, or portions thereof, may be stored in the remote memory storage device. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers may be used. For purposes of the following description, a network administrator may be using the computer system 20 to establish and implement group policies in accordance with the present invention, while users subject to the group policies connect to the network via the remote computers 49.
  • Group Policy
  • In general, the present invention provides a method and system for implementing policies throughout a network in a highly flexible, scalable, extensible and efficient manner. To this end, any container capable of having attributes may have a group policy object attached thereto, and the group policy object may be evaluated to apply policy to policy recipients related to that container. For example, policy may be applied by specifying policy settings in the group policy objects, including registry-based settings, scripts, (computer startup and shutdown scripts, and user logon and logoff scripts), user documents and settings, application deployment, software installation, security settings and IP security. Indeed, policy objects may be extended to include virtually any desired information, as long as a client-side (or other) extension that uses the policy object is capable of interpreting and/or handling the information therein. Note that a server-side process may act as the client and interpret the policy, and pass the results to another client, e.g., a server-side extension may receive and process one or more policy objects and transmit the results of its processing to a router which then performs according to that policy.
  • In a preferred implementation described herein, the system and method utilize a highly flexible architecture of the Windows® 2000 operating system, in which an administrator can link policies to containers which are hierarchically organized directory objects representing sites, domains, organizational units and policy recipients (e.g., groups of users and computers) thereunder. Thus, although not necessary to the present invention, the group policy system and method preferably utilize a Windows® 2000 directory service, known as Active Directory 60 (of a domain controller 62, FIG. 2), that stores information about the objects of a domain, and makes this information easy for administrators to access, find and apply via a single, consistent and open set of interfaces. For example with Active Directory, administrators can access resources anywhere on the network. Similarly, administrators have a single point of administration for the objects on the network, which can be viewed in a hierarchical structure. A core unit in the Active Directory is the domain, and many of the objects of a network exist within a domain. A single domain can span multiple physical locations or sites. Notwithstanding, although described herein with reference to Windows®2000, the Active Directory, sites, domains, organizational units, and so forth, the present invention is not limited thereto, nor even to directory containers in general, but rather is applicable to any containers capable of being linked to a policy object and having policy accumulated therefor.
  • Group policy settings may be created via a group policy editor 64 (a Microsoft Management Console snap-in or similar user interface), and these settings are ordinarily maintained in a group policy object (GPO) such as 66 1. Group policy objects 66 1-66n may store group policy information in locations including a group policy container and a group policy template. A group policy container is an Active Directory object that stores group policy object properties, and may include sub-containers for machine and user group policy information. Properties of a group policy container may include version information, which is used to ensure that the information is synchronized with the group policy template information, status information. e.g., whether the group policy object is enabled or disabled, and a list of components (e.g., extensions) that have settings in the group policy object. The group policy template is a folder structure preferably located in a system volume folder of the domain controller 62, and serves as the container primarily for file-based information, (e.g., scripts). The policy information may include one or more pointers to another location (e.g., a data file on a SOL server) where some or all of the actual policy information (or a further pointer thereto) is maintained. Policy information also may be stored in a virtual registry (e.g., a copy of some or all of a client machine's registry maintained in a file on the server, specifically in the group policy template), that may be used by an extension to put information into the client-machine's registry.
  • The group policy editor 64 or similar user interface tool (e.g., user interface 82) further allows an administrator to selectively associate the group policy objects with directory container objects 68 1-68p (FIG. 2) such as those shown in FIG. 3, i.e., domains 70 A and 70B, sites (e.g., site 72), and/or organizational units 76 1-76j. A site comprises one or more ranges of IP addresses of which computers can be a member. Organizational units are a type of directory object included within domains that are logical containers into which users, groups, computers, and even other organizational units may be placed and hierarchically organized.
  • In accordance with aspects of the present invention, for each user of an organizational unit, the policy settings maintained in the policy objects 66 1-66n may be selectively accumulated in an order of precedence, inherited from the group policy objects associated with one or more higher-up organizational units 76 1-76j, the site 72 and/or the domain (e.g., 70 A), and/or blocked from being inherited. In general, in typical networks, the closer an organizational unit is to a user, the more likely that the administrator of that organizational unit will have a fair number of policies for that user. Mid-level policies are less likely to be present, and if present, are more likely to be suggested policy that may be blocked, as described below. Near the top of the hierarchy, very few policies are likely, but those that are present will be most likely important and thus enforced. Thus, to accumulate policy in a preferred implementation, policies are applied in a reverse hierarchical order, and higher non-enforced policies may be blocked, however higher policies that are enforced take precedence by hierarchical order.
  • FIG. 4 generally shows the concept of accumulating policies, including ordering (within a directory container), inheritance and the blocking of inheritance. In FIG. 4, users 80 1 that are members of organizational unit D (76 D) have a hierarchical chain of A, B, C and D. Such users may have policies accumulated from the group policy objects 66 1-66 4 associated with containers as set by one or more administrators. In FIG. 4, the associations are shown by arrows from the directory containers A. B, C and/or D (70 A, 76 B-76 D) to the group policy objects 66 1-66 4. For example, a domain administrator may set properties such that the users will, by enforcement, inherit the policies from the group policy object or objects (66 1) associated with domain A (70 A). One or more administrators of the organizational units may set properties such that the users receive policies from group policy objects GPO3 (twice) and GPO4 (663, 66 3, 66 4), and have inheritance blocked from the non-enforced group policy objects above, e.g., group policy object 66 B associated with organizational unit B (76 B). The ability to order the group policy objects 66 3 and 66 4 within the directory container object (organizational unit D 76 D) provides the administrator with a mechanism for handling conflicting policies, if any, within a directory container. At the same time, the hierarchy, in conjunction with enforcement and blocking options set by appropriate administrators, determine the final order among group policies applied to a user.
  • To this end, as shown in FIG. 5, the administrator of a site, domain or organizational unit, is provided with a user interface 82 that essentially allows the administrator to configure the ordering of the group policy objects within the directory container, enforce selected policies (or not), and block inheritance (or not) of non-enforced policy objects above. The administrator at each level intuitively sets these rankings such as by clicking buttons, checkboxes or the like, within Active Directory and site management tools, (e.g., Active Directory Sites And Services and/or Active Directory Users and Computers). For example, in FIG. 5, the administrator may reorder the associated group policy objects, select “No Override,” (i.e. “Enforce”) for each of the group policy objects, and “Block” (via the blocking checkbox) those policy objects above that are not enforced. Policy objects that are not enforced may be considered suggested policy, in that suggested policy can be blocked by settings in lower-level directory container objects and the suggested policy settings essentially discarded. Where there is more than one group policy object associated with a directory container, the administrator of that directory container (SDOU) may order the group policy objects therein to determine relative strengths of each. Thus, for example, (not shown), domain A may have associated policies ordered A1, A2, A3 and A4, although such internal rankings are not known to administrators of the lower units, which see only a unified “A” policy.
  • With respect to FIG. 4, consider by way of example the chain A, B, C, D from highest directory container (object) to lowest, wherein the users 80 1 under organizational unit D may receive policies from group policy objects associated with any or all of these containers. In the present example, for the users 80 1, assume an administrator wants to have the policy object GPO1 (associated with the domain A) be the strongest, (in case of any conflict). One or more lower-level administrators (possibly the same administrator as the domain administrator) want GPO1's policy to be followed by GPO3, followed by GPO3 again, then by GPO4, then by GPO2, and lastly by any policies associated with the local machine (which is also allowed).
  • The administrators can achieve the desired order by enforcing domain A's associated group Policy, ordering GPO3 above GPO4 within organizational unit D (76 D), and not selecting any blocking. The result, provided by an ordering mechanism 88 (FIG. 2) as described below, is essentially an ordered list of group policy objects (from weakest to strongest) of Local Machine, GPO2, GPO4, GPO3, GPO3 and GPO1 (strongest because enforced). The order determines how policy is applied during policy update events. e.g., machine boot or user logon, and in what priority policy is applied if there is a conflict. Note that the actual policy that results from applying one group policy object may depend on what occurred when a group policy object was previously applied. For example, a group policy object may act one way if a script has been previously run, and another way if the script was not previously run. As a result, the same group policy object may have different results for different users, depending on whether another group policy object which runs that script was previously applied to a given user. Further, note that a group policy object may influence its own actions if applied more than once to a user, e.g., GPO3 may be applied twice in the example shown in FIG. 4, and thus, for example, may do some action the first time that changes how GPO3 acts the second time.
  • FIGS. 5 through 9 provide an explanation of a suitable mechanism 88 (FIG. 2) and process therein for developing an ordered list 90 based on the choices selected by the administrator via the user interface 82 (such as the interface shown in FIG. 5). In FIG. 6, the user is under a Site S1 Domain A, and organizational units OU1 and OU2. In FIG. 6, arrows from the directory containers to the group policy objects show each of the associations, which are actually maintained as properties of the directory containers. Thus, the site S1 is associated with group policy object GPO1, the Domain A is associated with group policy objects GPO1, GPO2 and GPO3, while the organizational unit OU1 has no group policy objects associated therewith. The organizational unit OU2 has group policy objects GPO3, GPO4, GPO5 and GPO6 associated therewith. If more than one group policy object is associated with an organizational unit, a prioritized ordering of the group policy objects is also established. For purposes of simplicity, in FIG. 6, the higher a group policy object appears, the stronger it is relative to others associated with the same directory container. For example, with respect to organizational unit OU2, via the interface 82 (FIG. 5), the administrator has set GPO3 to be stronger than GPO4, which in turn is stronger than GPO5, and these are stronger than GPO6. Note, however, that the enforcement setting ultimately may change the relative strengths. Lastly, in FIG. 6, group policy objects that are to be enforced are shown with a Parenthetical “(e)” therein, while blocking of suggested policy is shown by an “X” [Blocked] in the chain, e.g., between Domain A and OU1.
  • Beginning at step 700 of FIG. 7A, the lowest (closest to the user) organizational unit in the hierarchy, organizational unit OU2 for the user represented in FIG. 6 is selected. Step 702 determines if there is at least one group policy object at OU2's level, i.e., associated with the organizational unit OU2. In the present example of FIG. 6, four group policy objects (GPO3, GPO4, GPO5 and GPO6) are associated with the organizational unit OU2, whereby step 702 branches to step 704 where the highest ordered group policy object of this set, GPO3, is selected. Step 706 tests whether the selected group policy object GPO3 is to be enforced, (i.e., has its “No Override” option checked in the user interface), denoted in FIG. 6 by a parenthetical “(e)” above the arrow representing the association. Since GPO3 is enforced at this level, step 708 is executed, which places an identifier of the selected group policy object GPO3 at the top of a temporary enforce list 92, as shown in FIG. 8A. As described below, the temporary enforce list will be used to construct the master (ordered) list 90 of group policy objects for the user or users under OU2.
  • Step 712 then tests if there is another group policy object at this level that has not yet been handled. As shown in FIG. 6, the group policy objects GPO4, GPO5 and GPO6 are also associated with OU2, and thus the step 714 selects the next-highest ordered group policy object, GPO4, before the process returns to step 706. The group policy object GPO4 is not enforced, and thus this time step 706 branches to step 710 wherein the selected group policy object, GPO4, has an identifier added therefor to the end of a temporary non-enforce list 94 (FIG. 8B). As can be understood by following the steps 706-714, the other two group policy objects, GPO5 (enforced) and GPO 6 (non-enforced) are placed into the temporary enforced list 92 and temporary non-enforced list 94, respectively, as shown in FIGS. 8C and 8D. Note that via step 708, the GPO5 identifier is entered above the GPO3 identifier in the temporary enforced list 92.
  • When there are no more group policy objects at the current level to place in the lists, step 712 branches to step 720 of FIG. 7B, where the group policy objects in the temporary enforce list 92 are moved to a master enforce list 96 as represented in FIG. 8E. The master enforce list 96 will accumulate the enforced group policy objects from the various levels, and will ultimately be merged with a master non-enforce list 98 to construct the master list 90. Step 722 then tests if blocking has been selected at any level below the current level. If blocked, non-enforced group policy objects will not be applied. However, in the present example, there is no blocking selected, and thus step 722 branches to step 724 where the group policy objects in the temporary non-enforce list 94 are moved to the front of a master non-enforce list 98 as represented in FIG. 8F. Step 728 then tests to determine if the current level is the uppermost level in the hierarchy of directory containers for the user, e.g. the site level. Since the current directory container is the organizational unit OU2, and not the site level, step 728 branches to step 730 which selects the next level up, i.e., the organizational unit OU1 in the present example of FIG. 6. The process then returns to step 702 of FIG. 7A.
  • At step 702, the properties of the organizational unit OU1 are examined to determine if there is a group policy object associated therewith. Since in the present example of FIG. 6 there is not, step 702 branches to step 728 of FIG. 7B where the site level is again tested for and found untrue. At step 730, the process then selects the next level up, the domain directory container, Domain A, and returns to step 702 of FIG. 7A to handle any group policy objects associated with the Domain A.
  • As shown in FIG. 6, Domain A has three group policy objects associated therewith, GPO1, GPO2 and GPO3. As understood from the above description, step 704 selects GPO1, step 706 determines that GPO1 is enforced, and thus step 708 inserts GPO1 into the temporary enforce list 92 (FIG. 8G). Steps 712-714 select the next strongest group policy object, GPO2 (non-enforced), after which steps 706 and 710 add a GPO2 identifier therefor to the temporary non-enforce list 94 (FIG. 8H). Next, steps 712 and 714 select GPO3 (enforced), and steps 706 and 708 insert it at the top of the temporary enforce list 92, as shown in FIG. 8I.
  • Step 720 of FIG. 7B next moves the GPO identifiers from the temporary enforce list 92 to the master enforce list 96. (FIG. 8J). Note that as shown in FIG. 8J, the master enforce list 96 is building (upwardly) the list of GPOs first by hierarchy and then by strength within the hierarchy. Non-enforced policy is handled in an inverse hierarchical order, although the strength within the hierarchy is still maintained. This is in accord with the overall concept of having enforced policy at higher levels win versus policy at lower levels, however lower-level policy wins over any higher level non-enforced (suggested) policy. In other words, a site-level administrator can thus enforce policy over a domain-level administrator, who can enforce policy over administrators of organizational units below (also hierarchically ranked). However, the lower-level administrators can discard any suggested policy from a higher level.
  • Step 722 then determines that the non-enforced policy settings are blocked below Domain A, (via OU1, e.g., there is a blocking flag set), as shown in FIG. 6 by the “X” between Domain A and OU1. Blocking is directed to preventing inheritance from non-enforced group policy objects associated with directory objects (sites, domains, and organizational units) above. As a result, there is no blocking on the same hierarchical level, i.e., GPO6 could not block GPO4. In general, this means that any non-enforced (suggested) policy above OU1 will be discarded. To accomplish this, step 722 branches to step 726 which clears the temporary non-enforced list 94, without adding any entries therein to the master non-enforced list 98, as shown in FIG. 8K. Note that had OU2 blocked inheritance from its parent containers, Domain A's non-enforced policy objects would similarly have been discarded, i.e., any blocking below a directory container blocks that directory container's associated group policy objects that are non-enforced, as well as any non-enforced group policy objects associated with higher-level directory containers. Step 728 again determines that the process has not yet handled the group policy objects (if any) at the site level, and moves up in the hierarchy, this time selecting the site directory container S1 at step 730.
  • As is understood from the above-described steps, the site's associated group policy object, GPO1 in the present example of FIG. 6, is enforced, and is thus added by step 708 to the temporary enforce list 92 (FIG. 8L), and then moved by step 720 to the master enforce list 96 (FIG. 8M). This time, step 728 determines that the process has handled the GPOs for this user, i.e., has finished building the master enforced list 96 and master non-enforced list 98. Step 732 then merges the lists into the master list 90 by writing the weakest GPO identifiers from the left to the right in order of strength. Lastly, step 734 adds any local machine policy, as the least strongest policy (because by rule it cannot be enforced) as shown in FIG. 9. To this extent, the local policy may be considered the top of the hierarchy, however it is not allowed to enforce, otherwise it would be the strongest policy, defeating the purpose of setting policy from a centralized location. Note that it is alternatively feasible to allow the local machine policy to be blocked, whereby in the present example the LGPO identifier would not be added to the master list 90 (FIG. 9). A higher policy setting may be used to control whether the local machine policy may be blocked or will be applied regardless of blocking. Further, note that it is also alternatively feasible to have the local machine policy not be processed, by default, unless a higher policy allows the local machine policy to be processed. Multiple local machine policy objects, with an ordering among them, are also feasible. Local machine policy is particularly useful for standalone machines that are not part of a domain. Security descriptors (e.g., including Discretionary Access Control Lists, or DACLS), described below, in conjunction with local machine policies provide for different groups of users having different policies on stand-alone machines.
  • Thus, as expected from an analysis of FIG. 6, the site's enforced policy, GPO1, is strongest in the master ordered list 90, followed by the domain's enforced policy objects (GPO1, GPO3 as ranked by strength within that level), followed by OU2's enforced policy (GPO3, GPO5 as ranked by strength within that level). The non-enforced policy is less strong, ordered as GPO4, GPO6. Note that alternatively, if there was no blocking selected, the order would have read, from weakest to strongest, Local Machine policy object(s), GPO2, GPO6, GPO4, GPO5, GPO3, GPO3, GPO1, GPO1.
  • At this time the ordered list 90 of policy objects is complete, and the policies now may be applied to the user or users of OU2 and/or the machine on which the user is logging on. It should be noted that the machine policies are applied to the machine when the machine operating system is booted, while the user group policies are applied when a user of the group logs on. In addition, group policy may be processed periodically, (a default time of ninety minutes, factoring in a thirty-minute variable offset to distribute the network and server load, wherein both times may be changed by a policy), so that policy changes are updated on machines that are not frequently re-booted and for users that do not frequently log off.
  • Once the ordered list 90 of policy objects is complete, at least one client extension 100 is typically called (e.g., by a desktop management engine 102, FIG. 2) and the list 90 provided thereto to be processed in any way the client-side extension 100 deems appropriate. Indeed, because the group policy objects may contain virtually any type of information, and because the information therein and the list 90 may be used by a client extension 100 in any desired way, the system and method of the present invention are highly extensible. Typical examples of how the list 90 is used is to determine which security settings apply to a user or machine, (e.g., access rights and/or group memberships), determine whether one or more user folders are redirected to the network, and so on. Scripts may be processed according to the ordered list 90, for example to apply policies that determine which applications will be centrally deployed (assigned, published and/or installed) to users and machines of a network, as described in U.S. patent application Ser. No. 09/158,968.
  • Another typical way in which policies are applied is to have at least some of the settings of the policy objects written to the registry of the user's machine. Applications and the like may then check the appropriate registry locations before taking certain requested actions, in order to perform or not perform the action according to the policy setting, (or some default value if no policy is defined for a particular setting). By way of example, FIG. 10 shows one way of placing policy into a user's machine registry, using registry APIs for writing thereto. In general, a policy setting may be defined or not defined, and if defined, has some value for its setting. Thus, defined policies are written into the registry from weakest to strongest based on the ranked list 90 of group policy objects, whereby stronger group policy objects write defined policy settings over the settings of weaker policies, i.e., last writer wins. To this end, at step 1000, the weakest policy object in the list 90, i.e., the LGPO (local group policy object) is selected. Then, at step 1002, each registry-based setting that is defined is written to the registry. Step 1004 then tests to see if all the group policy objects have been handled, which at this time is not true, and thus step 1004 branches to step 1006 to select the next weakest group policy object, “GPO6” from the list 90. Step 1006 then returns to step 1002 to write the defined settings of “GPO6” to the registry. The next weakest group policy object, “GPO4” is selected at step 1006, which then returns to step 1002 to write the defined settings of “GPO4” to the registry, and so on, until the group policy objects in the list are handled. Note that undefined policy settings are not written, whereby any defined policy settings remain intact in the registry. Thus, for example, if GPO6 had an Internet access policy bit setting of 1 (Allowed), and GPO4 had no opinion on Internet access, then the “allowed” setting from GPO6 remains (unless subsequently overwritten by defined GPO5, GPO3 or GPO1 policy). In this manner, policies are accumulated and combined in an ordering determined by the administrators.
  • Still another way in which policy may be applied to a user is to maintain the ordered list 90 of group policy objects in association with a user/machine, and then walk through the list from strongest to weakest seeking a defined policy setting that satisfies a pending action request. For example, the various applications and settings therefor available to a group need not be written into the registry for each user, but rather maintained in the group policy objects. If the user wishes to run an application, the process attempting to run the application uses the list to first look to the strongest policy object to see if the action is allowed or denied, and if undefined, continues by querying the next strongest policy object in the list 90. The process will continue walking through the list 90 until an answer (e.g., allow or deny) is obtained, or until there are no more policy objects in the list to query, at which time a default answer may be used.
  • Additional features of group policy objects are also provided to facilitate administrator control over their operation. First, an association between a directory container and a group policy object may be disabled, e.g., via an administrator selection (FIG. 5), whereby the group policy object is not applied to users for that particular directory container. However, this is not the same as removing the association of the group policy object with the container, because the group policy object still appears (in a disabled state) in a list of group policy objects seen by the administrator via the user interface.
  • Another feature is that a group policy object includes both computer settings (HKEY_LOCAL_MACHINE) and user (HKEY_CURRENT_USER) settings, which may be separately disabled. Such disables are global, i.e., they apply to all links thereto, whereby all users under a directory container associated with the group policy object will not get the disabled portion or portions of the group policy object. For example, an administrator may disable the computer or user settings if either portion is not needed, providing a performance improvement. Similarly, an administrator may use this type of disabling to debug a group policy object problem, e.g., by turning off one portion of the group policy object at a time to determine which portion causes a problem.
  • The present invention also provides additional flexibility with respect to administering policy in a number of other ways. First, as described above, since group policy is maintained in objects, the containers may link to more than one group policy object and the group policy objects may be shared by multiple directory objects (containers), i.e., the same group policy object may be applied to multiple sites/domains/organizational units. For example, as shown in FIG. 11, user 80 2 receives policy from the chain A, B, C, D, in a hierarchical order with enforcement and blocking possible as described above. However, the user 80 3 under organizational unit 76 Z shares the group policy object 66 D with organizational unit 76 D, rather than having an independent group policy object defined therefor, whereby the user 80 3 receives policy from the chain A, B, Y, Z, which is effectively A, B, Y, D. Linking is valuable because it means only one set of policy settings needs to be maintained for possibly many groups of users under different hierarchies, e.g., a change to the setting of any group policy object is potentially implemented in multiple groups. For example, the sales-related policy for an enterprise's East Coast sales group may need to be the same as the policy for its West Coast sales group, however other non-sales policy may be different for the groups. Placing the sales-related policy into a shared group policy object ensures that the sales policy is consistent throughout the enterprise. Note that linking and associations with group policy objects may occur across a domain boundary as shown in FIG. 3, i.e., organizational unit B2 (76 4) is associated with the group policy object A5 (66 5).
  • Each policy object may also handle exception management in order to include or exclude certain users or groups of users from certain policy. To this end, each policy object may include an exclusion list of users and groups to which the policy will not apply and/or an inclusion list of users and groups to which the policy will apply. This is accomplished via the security descriptor associated with each object. An administrator may specify which groups of users and computers have “Apply Group Policy” access control entries in the security descriptor to determine access to the group policy object. In general, groups that have Apply Group Policy and read access to the group policy object receive the group policies therein, while groups that do not have Apply Group Policy or read access to the group policy object do not get the group policies therein. Note that security descriptors include one or more security identifiers and a bitmask of rights associated with each security identifier, and are capable of handling both inclusion and exclusion. For example, within a research group, certain users may be given a different Internet access policy than other users, e.g., via the security descriptor, apply the policy to listed users A, B and C, but no others in the group. Alternatively, via the security descriptor, the policy is applied to all users in the research group except X and Z who are specifically denied access to this policy object. This enables policy to be tailored to individual users without having to construct many separate groups to handle the various exceptions that typically arise in enterprises. Further, policy may be enforced for certain users and suggested for other users by splitting a groups policies into two groups, (e.g., Ae and A), and then using security access control to select which users in that group get which policy.
  • Another aspect of the present invention enables policy based on the machine's physical location, in addition to the user's logical function (reflected in the user's membership in various groups). In other words, policy may be made network topology aware. This is accomplished by associating a group policy object (e.g., 66 4) with a site 72, as shown in FIG. 3. In this way, a user logging on in Europe may be given different policy settings than that same user logging on in the United States. The other aspects of the present invention, including layering (ordering), inheritance, blocking, linking and exception management are applicable to the group policy object or objects of a site, and thus a site's policy object or objects may fit anywhere within the ordered list.
  • The present invention also provides for an enterprise policy, a policy that is applied to all domains. FIG. 12 shows a number of domains 70 A-70 k under an enterprise 92. In this model, domains may be placed under the enterprise, whereby the policy settings of the enterprise are propagated through the domains via inheritance. Moreover, as described above, a number of domains may share a group policy object to achieve a similar effect.
  • Moreover, in keeping with the invention, the desktop management engine 102 (FIG. 2) may further facilitate the use of group policy objects by the client-side extensions 100, primarily to enhance performance. A first way in which performance may be enhanced is by separating the various client-side extensions 100 by functionality (e.g., one for handling registry-based settings, one for scripts, one for security policy settings and so forth), whereby each extension may receive a customized ordered list 90 listing only those group policy objects that are relevant thereto. In other words, rather than generate only one ordered list 90, the desktop management engine 102 may generate a plurality of such lists, one for each extension, each list customized, applied and maintained on a per-extension basis. For example, an extension may be interested only in security policy, whereby group policy objects that have no security policy therein need not be part of the ordered list received by that extension. An attribute in each of the group policy objects lists the extensions that have settings therein, whereby the desktop management engine 102 knows which of the extensions 102 are interested in which group policy objects, and each extension receives in its ordered list only those group policy objects that are tagged with that extension's identifying information.
  • The desktop management engine 102 monitors for various types of events and notifies appropriate extensions of those events, whereby the extensions 100 may reapply the policy. A first type of event occurs when some change is made to the order of the group policy objects in the ordered list 90 with respect to each affected extension. For example, an administrator may remove (or add) a group policy object, whereby a new ordered list is generated for each extension. The new list is compared with the previous list for each extension to see if the list has changed for that extension, whereby the relevant extensions are separately called upon such a change, e.g., when policy is updated. To this end, the desktop management engine 102 saves the previous ordered list of group policy objects for each extension and compares it to the new list, taking into consideration which changes are relevant per extension.
  • By way of example, as shown in FIG. 13A, group policy object GPOB has been removed from a previous list GPOA, GPOB, GPOC, and GPOD, causing a new list of GPOA, GPOC, and GPOD. Each extension tagged in GPOB is then called with the change information (i.e., GPOB was deleted), and also passed the new list. The called extensions can act on this information, such as to do what is necessary to clear out GPOB's policy settings, and thereafter typically reapplies the new list (GPOA, GPOC, GPOD), although theoretically, the extension need not reapply the new list if it was intelligent enough to know that GPOB had only some isolated policy settings. Note that dependencies among the group policy objects may be changed, however, so policy according to the new list is ordinarily reapplied.
  • To remove (or add) a group policy object from a list, the administrator may not actually remove (or add) the group policy object from a container, but may effectively remove (or add) the group policy object (e.g., GPOB) with respect to an extension. For example, the administrator may nullify all security settings from a group policy object, whereby that GPOB policy object is no longer relevant to the client-side security extension and is removed from the ordered list (GPOA, GPOC and GPOD) received by the security extension. However, GPOB may still be relevant to other extensions such as script and registry extensions, whereby those extensions receive (if necessary) the full ordered list, GPOA, GPOB, GPOC, and GPOD. Another reason that a GPO may be removed from (or added to) a list is that an administrator may change a user's security rights. For example, an administrator may change a user's security rights such that the user no longer has access to a group policy object. In such an event, the group policy object is removed from each of the ordered lists in which it is identified. Similarly, if security is changed to give a user access to a group policy object, that group policy object is accumulated in new appropriately-ordered lists for the user.
  • FIG. 13B shows another type of change, wherein the administrator reorders the policy objects, e.g., GPOA, GPOB GPOC and GPOD to GPOA, GPOC, GPOB and GPOD. Because of dependencies (e.g., among scripts) and other order-related settings (e.g., last-writer wins in the registry settings) as described above, the extensions that use these group policy objects are called to be made aware of such a reordering, so that each such extension can reapply the group policy objects in the new order.
  • As represented in FIG. 13C, another change occurs when the information in a group policy object changes, as tracked by a version number. In FIG. 13C, an applied version of GPOB, GPOB1 has been changed to version GPOB2, and the extensions that deal with GPOB need to be called with the change information so that GPOB1's policy is removed and the new policy in GPOB2 is applied. Because of possible dependencies among the group policy objects, the extensions generally reapply the entire new list.
  • Another change which extensions may register for notification of is changes to group membership. In general, whenever an administrator changes a user's membership in a group, e.g., by removing the member from a group or adding the member to a new group, the group policy desktop management engine 102 calls each extension registered for notification of this type of change. Because group memberships under directory containers determine which policy objects apply, each called extension will ordinarily reapply policy in response to the call, although the actual action taken by the extension is up to the extension.
  • Another factor that may be used to influence how group policy is applied is the rate at which data may be transferred. For example, if a link is slow, then certain policy information such as registry settings are applied, but other policy-related events such as software installations are not applied (because they would take too long), e.g., if scripts are not applied due to a slow link, the script extension may clear the scripts. More particularly, registry-based polices and security settings are applied by default (and cannot be turned off), while other policies are not applied by default. Other than the registry and security settings, another policy setting may specify whether the behavior should apply for slow links.
  • At each policy update, (which requires an IP connection) the data transfer rate is evaluated, as described below. Whenever a change from a slow to fast or fast to slow link is detected, a link transition flag indicating a change in the rate, along with a link rate flag (slow or fast), are used to call appropriately-registered extensions to provide the information needed to adjust for the link's data transfer rate. Of course, a finer distinction among rates may be provided other than simply fast or slow, e.g., relatively small software installations may take place for medium or fast connections, but not over slow connections, however a straightforward distinction between fast and slow is presently implemented.
  • To determine the connection rate, each client machine generally follows the steps set forth in FIGS. 14A-14B. First, at step 1400, two variables, a loop counter (Try) and a transmission time counter (Total), described below, are initialized to zero. Then, at step 1402, the domain controller is pinged over the link with no (zero bytes) of data. When the response is received at the client, step 1404 records the time, e.g., sets a variable Time1 to the amount of time it took to receive the response. If at step 1406 the response (round trip) time is rapid, e.g., less than ten milliseconds, then the connection is known to be fast, whereby step 1406 branches to step 1420 where the flags are adjusted as necessary and the process ends. Extensions registered for link transitions may be called at this time, e.g., if the link was previously slow. Note that if the ping timed out without a response, this value is not valid and is discarded, e.g., the process branches ahead to step 1416 (not shown).
  • If at step 1406 a response was received and took longer than ten milliseconds, there may be a number of reasons why the response was slow, including that the connection is slow, or that the domain controller was temporarily busy. Thus, rather than assume the connection is slow, an actual data transfer rate is calculated, by looping up to three times, while discarding any clearly invalid values and averaging to balance any temporary anomalies. To this end, step 1406 branches to step 1408 where the domain controller is again pinged, this time with four kilobytes (4096 bytes) of data. At step 1410, the response time is recorded in a second variable, Time2, (provided the ping did not time out, whereby the process would effectively discard this invalid value and also Time1, e.g., by branching ahead to step 1416, not shown). If the response time took less than ten milliseconds as determined at step 1412, then as described above, the connection is considered to be fast, whereby step 1412 branches to step 1420 to adjust the link rate as necessary, after which the process is ended.
  • If the response again took more than ten milliseconds, step 1412 branches to step 1414 where the difference between Time1 and Time2, Delta, is calculated and, if the result is valid, is added to a Total. Another example of an invalid result is one in which the result is negative, i.e., the four-kilobyte transfer time (Time2) was smaller than the zero data transfer time, (Time1). Because Time1 corresponded to the time to transfer no data, under ordinary circumstances Time1 represents the time taken for overhead in the ping/response operation. In an ordinary case, the overhead time will be the same for the subsequent “4K” ping/response operation, and thus Delta equals the time to transfer four kilobytes of data after compensating for the overhead. However, as mentioned above, rather than calculate the data transfer rate from a single sample, an average is used, and thus step 1416 increments a loop counter and step 1418 evaluates whether the loop has been performed the desired number of times, (e.g., three). If not, step 1418 loops back to step 1402 where the transfer rate is again obtained. Note that while looping, if at any time a response can come back in less than ten milliseconds, the connection is considered to be fast and the process is ended.
  • Once the Total time for the three four-kilobyte transfers is obtained, this information may be used to determine whether the link is fast or slow. An administrator may set the slow versus fast threshold, or a default threshold may be used (e.g., 500 kilobits per second, i.e., 500 kbps). Because it is desirable to compare the actual data transfer rate with a threshold data transfer rate number that is meaningful to an administrator, steps 1430-1436 convert the Total time to a data transfer rate. To this end, step 1430 averages the time by dividing by the number of valid samples in the average, e.g., three, while step 1432 adjusts for the amount of data sent (four kilobytes) and the way in which time is measured (1000 ticks per second). Step 1434 converts bytes to bits, while step 1436 adjusts for the units of data transfer rates being in “kilobits” per second.
  • Once the measured data transfer rate (Z) is obtained, at step 1438 the actual rate Z is compared against a threshold value, established by default or set by an administrator. If below the rate, the link is considered slow (step 1440), while if above the rate, the link is considered fast (step 1442), whereby the link transition and link rate bits are adjusted accordingly.
  • Still another feature of the desktop management engine 102 enables group policy objects to be accumulated based on a machine's location in the hierarchy, instead of or in conjunction with the user's policy. By way of example, machines in a computer laboratory may need policy settings that carefully control what is allowed to be done to those machines, regardless of which user is logging on. A machine policy setting in the registry determines how policy is to be applied, in one of three modes, the normal mode, in conjunction with user policy, (merge mode), or instead of user-based policy settings (replace mode).
  • FIG. 15 shows an example of how policy is applied based on the mode setting, wherein users under organizational unit OU1 and machines under organizational unit OU2 are under DomainZ. As shown in FIG. 15, OU1 has a group policy object GPOD associated therewith, OU2 has a group policy object GPOC associated therewith, and DomainZ has two group policy objects associated therewith, GPOA and GPOB. As described above, in the normal node, the ordered list will be that accumulated for the user, i.e., GPOA, GPOB, and GPOD (from weakest to strongest assuming no enforcement for purposes of simplicity). If the machine indicates that merge mode should be applied, two lists of ordered group policy objects will be obtained, first one for the user and then one for the machine. The machine's policy list of ordered group policy objects is merged with the user's policy list by appending the machine policy list at the strong end of the user policy list. Thus, the ordered list of group policy objects for the hierarchy in FIG. 15 when in merge mode will be accumulated as GPOA, GPOB, GPOD GPOA, GPOB and GPOC. Lastly, when replace mode is set, the policy is simply the machine's policy list of ordered group policy objects instead of the user's policy list, GPOA, GPOB and GPOC.
  • As can be seen from the foregoing detailed description, there is provided a method and system for implementing policy by accumulating policies for a policy recipient, (e.g., computers or users) from policy objects associated with containers. Policy settings for the policy recipient may be accumulated by inheritance, enforced by directory objects, blocked from being inherited, and layered in a specified order. Linking group policy objects is also provided, as is exception-based management.
  • While the invention is susceptible to various modifications and alternative constructions, certain illustrated embodiments thereof are shown in the drawings and have been described above in detail. It should be understood, however, that there is no intention to limit the invention to the specific form or forms disclosed, but on the contrary, the intention is to cover all modifications, alternative constructions, and equivalents falling within the spirit and scope of the invention.

Claims (15)

  1. 1. A computer-readable medium having computer-executable instructions for performing a method, comprising:
    placing policy settings into a plurality of group policy objects, each policy object associated with at least one directory container;
    accumulating the policy settings of the plurality of group policy objects into an accumulated policy for a policy recipient; and
    associating the accumulated policy with the policy recipient.
  2. 2. The computer-readable medium of claim 1 wherein accumulating the policy settings comprises, determining the accumulated policy for the policy recipient.
  3. 3. The computer-readable medium of claim 2 wherein the policy recipient is logically below a hierarchy of directory containers, and wherein determining the policy settings of the plurality of group policy objects comprises, inheriting at least some of the settings from a policy object associated with a directory container hierarchically above another directory container.
  4. 4. The computer-readable medium of claim 3 wherein the directory container hierarchically above the other directory container corresponds to a site.
  5. 5. The computer-readable medium of claim 3 wherein the directory container hierarchically above the other directory container corresponds to a domain.
  6. 6. The computer-readable medium of claim 3 wherein the directory container hierarchically above the other directory container corresponds to an organizational unit.
  7. 7. The computer-readable medium of claim 3 wherein the directory container hierarchically above the other directory container corresponds to an enterprise having a plurality of domains thereunder.
  8. 8. The computer-readable medium of claim 1 wherein accumulating the policy settings of the plurality of group policy objects comprises, blocking least some of the settings from a policy object associated with a directory container hierarchically above another directory container
  9. 9. The computer-readable medium of claim 1 wherein each of the policy objects is associated with a directory container organized in a hierarchy of directory containers, and wherein accumulating the policy settings of the plurality of group policy objects comprises, inheriting the settings from at least one policy object associated with a directory container hierarchically above the policy recipient, and blocking the inheritance of settings from at least one other policy object associated with a directory container hierarchically above the policy recipient.
  10. 10. The computer-readable medium of claim 1 wherein accumulating the policy settings of the plurality of group policy objects comprises ordering the group policy objects.
  11. 11. The computer-readable medium of claim 10 having further computer-executable instructions comprising, applying the accumulated policy to the policy recipient.
  12. 12. The computer-readable medium of claim 1 having further computer-executable instructions comprising, associating a plurality of directory containers with a common group policy object.
  13. 13. The computer-readable medium of claim 1 having further computer-executable instructions comprising, associating a directory container with a plurality of group policy objects.
  14. 14. The computer-readable medium of claim 1 wherein each of the policy objects is associated with a directory container organized in a hierarchy of directory containers, and having further computer-executable instructions comprising, separating the policy settings of a directory container hierarchically above the policy recipient into enforced and non-enforced settings, and wherein the step of accumulating the policy settings of the plurality of group policy objects comprises, inheriting the enforced settings, and blocking the inheritance of the non-enforced settings.
  15. 15. The computer-readable medium of claim 1 wherein accumulating the policy settings includes receiving administrator input.
US11234887 1998-08-14 2005-09-26 System and method for implementing group policy Abandoned US20060167858A1 (en)

Priority Applications (4)

Application Number Priority Date Filing Date Title
US13480598 true 1998-08-14 1998-08-14
US09268455 US6466932B1 (en) 1998-08-14 1999-03-16 System and method for implementing group policy
US10254155 US6950818B2 (en) 1998-08-14 2002-09-24 System and method for implementing group policy
US11234887 US20060167858A1 (en) 1998-08-14 2005-09-26 System and method for implementing group policy

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US11234887 US20060167858A1 (en) 1998-08-14 2005-09-26 System and method for implementing group policy

Publications (1)

Publication Number Publication Date
US20060167858A1 true true US20060167858A1 (en) 2006-07-27

Family

ID=26832692

Family Applications (3)

Application Number Title Priority Date Filing Date
US09268455 Active US6466932B1 (en) 1998-08-14 1999-03-16 System and method for implementing group policy
US10254155 Expired - Fee Related US6950818B2 (en) 1998-08-14 2002-09-24 System and method for implementing group policy
US11234887 Abandoned US20060167858A1 (en) 1998-08-14 2005-09-26 System and method for implementing group policy

Family Applications Before (2)

Application Number Title Priority Date Filing Date
US09268455 Active US6466932B1 (en) 1998-08-14 1999-03-16 System and method for implementing group policy
US10254155 Expired - Fee Related US6950818B2 (en) 1998-08-14 2002-09-24 System and method for implementing group policy

Country Status (1)

Country Link
US (3) US6466932B1 (en)

Cited By (50)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20040111519A1 (en) * 2002-12-04 2004-06-10 Guangrui Fu Access network dynamic firewall
US20040162733A1 (en) * 2003-02-14 2004-08-19 Griffin Philip B. Method for delegated administration
US20040167900A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. Virtual repository complex content model
US20040167868A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. System and method for a virtual content repository
US20050081062A1 (en) * 2003-10-10 2005-04-14 Bea Systems, Inc. Distributed enterprise security system
US20050097353A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy analysis tool
US20050188295A1 (en) * 2004-02-25 2005-08-25 Loren Konkus Systems and methods for an extensible administration tool
US20050251851A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Configuration of a distributed security system
US20050257154A1 (en) * 2004-05-14 2005-11-17 Bea Systems, Inc. Graphical association of elements for portal and webserver administration
US20050256899A1 (en) * 2004-05-14 2005-11-17 Bea Systems, Inc. System and method for representing hierarchical data structures
US20050257245A1 (en) * 2003-10-10 2005-11-17 Bea Systems, Inc. Distributed security system with dynamic roles
US20050257172A1 (en) * 2004-05-14 2005-11-17 Bea Systems, Inc. Interface for filtering for portal and webserver administration
US20050256906A1 (en) * 2004-05-14 2005-11-17 Bea Systems, Inc. Interface for portal and webserver administration-efficient updates
US20060123026A1 (en) * 2004-11-18 2006-06-08 Bea Systems, Inc. Client server conversion for representing hierarchical data structures
US20060173808A1 (en) * 2005-01-28 2006-08-03 Trenten Peterson Graphical user interface (GUI) to associate information with an object
US20060259954A1 (en) * 2005-05-11 2006-11-16 Bea Systems, Inc. System and method for dynamic data redaction
US20070043716A1 (en) * 2005-08-18 2007-02-22 Blewer Ronnie G Methods, systems and computer program products for changing objects in a directory system
US20070073638A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for using soft links to managed content
US20080077983A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Non-invasive insertion of pagelets
US20080104661A1 (en) * 2006-10-27 2008-05-01 Joseph Levin Managing Policy Settings for Remote Clients
US20080201761A1 (en) * 2007-02-16 2008-08-21 Microsoft Corporation Dynamically Associating Attribute Values with Objects
US20080208926A1 (en) * 2007-02-22 2008-08-28 Smoot Peter L Data management in a data storage system using data sets
US20080208917A1 (en) * 2007-02-22 2008-08-28 Network Appliance, Inc. Apparatus and a method to make data sets conform to data management policies
US20080270413A1 (en) * 2007-04-27 2008-10-30 Dmitri Gavrilov Client-Specific Transformation of Distributed Data
US20090064270A1 (en) * 2007-08-29 2009-03-05 Rajeev Gupta Template based federation of policies
US7516475B1 (en) * 2002-07-01 2009-04-07 Cisco Technology, Inc. Method and apparatus for managing security policies on a network
US20090249431A1 (en) * 2008-03-27 2009-10-01 Microsoft Corporation Determining Effective Policy
US7653930B2 (en) 2003-02-14 2010-01-26 Bea Systems, Inc. Method for role and resource policy management optimization
US7673323B1 (en) 1998-10-28 2010-03-02 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
US7752205B2 (en) 2005-09-26 2010-07-06 Bea Systems, Inc. Method and system for interacting with a virtual content repository
US20100211545A1 (en) * 2009-02-17 2010-08-19 Microsoft Corporation Context-Aware Management of Shared Composite Data
US7818344B2 (en) 2005-09-26 2010-10-19 Bea Systems, Inc. System and method for providing nested types for content management
US20110072082A1 (en) * 2008-05-14 2011-03-24 Masaya Fujiwaka Information processing system and information processing method
US7917537B2 (en) 2005-09-26 2011-03-29 Oracle International Corporation System and method for providing link property types for content management
US7953734B2 (en) 2005-09-26 2011-05-31 Oracle International Corporation System and method for providing SPI extensions for content management system
US7992189B2 (en) 2003-02-14 2011-08-02 Oracle International Corporation System and method for hierarchical role-based entitlements
US20110202969A1 (en) * 2010-02-15 2011-08-18 Bank Of America Corporation Anomalous activity detection
US8086615B2 (en) 2005-03-28 2011-12-27 Oracle International Corporation Security data redaction
US20120011560A1 (en) * 2010-07-07 2012-01-12 Computer Associates Think, Inc. Dynamic Policy Trees for Matching Policies
US20120159335A1 (en) * 2007-06-01 2012-06-21 Nenuphar, Inc. Integrated System and Method for Implementing Messaging, Planning, and Search Functions in a Mobile Device
WO2012160245A1 (en) * 2011-05-20 2012-11-29 Nokia Corporation Method and apparatus for providing end-to-end privacy for distributed computations
WO2012173626A1 (en) * 2011-06-16 2012-12-20 Hewlett-Packard Development Company, L.P. System and method for policy generation
WO2013067238A1 (en) * 2011-11-02 2013-05-10 Microsoft Corporation Inheritance of rules across hierarchical levels
US8463852B2 (en) 2006-10-06 2013-06-11 Oracle International Corporation Groupware portlets for integrating a portal with groupware systems
US8819164B2 (en) 2007-08-31 2014-08-26 Microsoft Corporation Versioning management
US9177022B2 (en) 2011-11-02 2015-11-03 Microsoft Technology Licensing, Llc User pipeline configuration for rule-based query transformation, generation and result display
US9282005B1 (en) * 2007-11-01 2016-03-08 Emc Corporation IT infrastructure policy breach investigation interface
US9348489B1 (en) * 2015-09-28 2016-05-24 International Business Machines Corporation Graphical user interfaces for managing hierarchical systems
US9552491B1 (en) * 2007-12-04 2017-01-24 Crimson Corporation Systems and methods for securing data
US9558274B2 (en) 2011-11-02 2017-01-31 Microsoft Technology Licensing, Llc Routing query results

Families Citing this family (269)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7904187B2 (en) 1999-02-01 2011-03-08 Hoffberg Steven M Internet appliance system and method
US8352400B2 (en) 1991-12-23 2013-01-08 Hoffberg Steven M Adaptive pattern recognition based controller apparatus and method and human-factored interface therefore
US6901509B1 (en) 1996-05-14 2005-05-31 Tumbleweed Communications Corp. Apparatus and method for demonstrating and confirming the status of a digital certificates and other data
US7389413B2 (en) * 1998-07-23 2008-06-17 Tumbleweed Communications Corp. Method and system for filtering communication
US7350226B2 (en) 2001-12-13 2008-03-25 Bea Systems, Inc. System and method for analyzing security policies in a distributed computer network
US7779406B2 (en) 1999-04-16 2010-08-17 Microsoft Corporation Method and system for managing lifecycles of deployed applications
US6976069B1 (en) * 1999-04-30 2005-12-13 Klingman Edwin E Multi-site network monitor for measuring performance over an internet
US6882984B1 (en) * 1999-06-04 2005-04-19 Bank One, Delaware, National Association Credit instrument and system with automated payment of club, merchant, and service provider fees
JP3490642B2 (en) * 1999-06-30 2004-01-26 ソニー株式会社 Transmission apparatus and transmission method, receiving apparatus and receiving method, and transmission and reception system and reception method
US6684244B1 (en) * 2000-01-07 2004-01-27 Hewlett-Packard Development Company, Lp. Aggregated policy deployment and status propagation in network management systems
US20050154885A1 (en) * 2000-05-15 2005-07-14 Interfuse Technology, Inc. Electronic data security system and method
US7418489B2 (en) * 2000-06-07 2008-08-26 Microsoft Corporation Method and apparatus for applying policies
US7444395B2 (en) * 2000-06-07 2008-10-28 Microsoft Corporation Method and apparatus for event handling in an enterprise
US7174557B2 (en) 2000-06-07 2007-02-06 Microsoft Corporation Method and apparatus for event distribution and event handling in an enterprise
US7171459B2 (en) * 2000-06-07 2007-01-30 Microsoft Corporation Method and apparatus for handling policies in an enterprise
US7194764B2 (en) 2000-07-10 2007-03-20 Oracle International Corporation User authentication
US7124203B2 (en) 2000-07-10 2006-10-17 Oracle International Corporation Selective cache flushing in identity and access management systems
US8204999B2 (en) * 2000-07-10 2012-06-19 Oracle International Corporation Query string processing
US7197555B1 (en) * 2000-09-13 2007-03-27 Canon Kabushiki Kaisha Directory server tracking tool
US6684220B1 (en) * 2000-09-20 2004-01-27 Lockheed Martin Corporation Method and system for automatic information exchange
US7113900B1 (en) 2000-10-24 2006-09-26 Microsoft Corporation System and method for logical modeling of distributed computer systems
US6915338B1 (en) * 2000-10-24 2005-07-05 Microsoft Corporation System and method providing automatic policy enforcement in a multi-computer service application
US6886038B1 (en) * 2000-10-24 2005-04-26 Microsoft Corporation System and method for restricting data transfers and managing software components of distributed computers
US7606898B1 (en) 2000-10-24 2009-10-20 Microsoft Corporation System and method for distributed management of shared computers
US7093288B1 (en) * 2000-10-24 2006-08-15 Microsoft Corporation Using packet filters and network virtualization to restrict network communications
US6907395B1 (en) 2000-10-24 2005-06-14 Microsoft Corporation System and method for designing a logical model of a distributed computer system and deploying physical resources according to the logical model
US7634546B1 (en) * 2000-11-01 2009-12-15 Stefan Edward Strickholm System and method for communication within a community
US7013332B2 (en) * 2001-01-09 2006-03-14 Microsoft Corporation Distributed policy model for access control
US7185364B2 (en) 2001-03-21 2007-02-27 Oracle International Corporation Access system interface
US7590684B2 (en) * 2001-07-06 2009-09-15 Check Point Software Technologies, Inc. System providing methodology for access control with cooperative enforcement
US7243374B2 (en) 2001-08-08 2007-07-10 Microsoft Corporation Rapid application security threat analysis
US20030093537A1 (en) * 2001-10-23 2003-05-15 James Tremlett Application server domains
US7240280B2 (en) * 2001-10-24 2007-07-03 Bea Systems, Inc. System and method for application flow integration in a portal framework
US7251812B1 (en) * 2001-10-31 2007-07-31 Microsoft Corporation Dynamic software update
US7225256B2 (en) 2001-11-30 2007-05-29 Oracle International Corporation Impersonation in an access system
US7159036B2 (en) * 2001-12-10 2007-01-02 Mcafee, Inc. Updating data from a source computer to groups of destination computers
US7565683B1 (en) * 2001-12-12 2009-07-21 Weiqing Huang Method and system for implementing changes to security policies in a distributed security system
US7921284B1 (en) 2001-12-12 2011-04-05 Gary Mark Kinghorn Method and system for protecting electronic data in enterprise environment
USRE43906E1 (en) 2001-12-12 2013-01-01 Guardian Data Storage Llc Method and apparatus for securing digital assets
US7930756B1 (en) 2001-12-12 2011-04-19 Crocker Steven Toye Multi-level cryptographic transformations for securing digital assets
US7921450B1 (en) 2001-12-12 2011-04-05 Klimenty Vainstein Security system using indirect key generation from access rules and methods therefor
US7260555B2 (en) 2001-12-12 2007-08-21 Guardian Data Storage, Llc Method and architecture for providing pervasive security to digital assets
US7783765B2 (en) 2001-12-12 2010-08-24 Hildebrand Hal S System and method for providing distributed access control to secured documents
US7921288B1 (en) 2001-12-12 2011-04-05 Hildebrand Hal S System and method for providing different levels of key security for controlling access to secured items
US7380120B1 (en) 2001-12-12 2008-05-27 Guardian Data Storage, Llc Secured data format for access control
US8006280B1 (en) 2001-12-12 2011-08-23 Hildebrand Hal S Security system for generating keys from access rules in a decentralized manner and methods therefor
US7478418B2 (en) * 2001-12-12 2009-01-13 Guardian Data Storage, Llc Guaranteed delivery of changes to security policies in a distributed system
USRE41546E1 (en) 2001-12-12 2010-08-17 Klimenty Vainstein Method and system for managing security tiers
US8065713B1 (en) 2001-12-12 2011-11-22 Klimenty Vainstein System and method for providing multi-location access management to secured items
US7681034B1 (en) 2001-12-12 2010-03-16 Chang-Ping Lee Method and apparatus for securing electronic data
US7950066B1 (en) 2001-12-21 2011-05-24 Guardian Data Storage, Llc Method and system for restricting use of a clipboard application
US7707416B2 (en) 2002-02-01 2010-04-27 Novell, Inc. Authentication cache and authentication on demand in a distributed network environment
US7487535B1 (en) * 2002-02-01 2009-02-03 Novell, Inc. Authentication on demand in a distributed network environment
US7546629B2 (en) * 2002-03-06 2009-06-09 Check Point Software Technologies, Inc. System and methodology for security policy arbitration
EP1349316A1 (en) * 2002-03-27 2003-10-01 BRITISH TELECOMMUNICATIONS public limited company Policy based system management
CA2479651A1 (en) * 2002-03-27 2003-10-09 British Telecommunications Public Limited Company Policy based system management
WO2004001647A1 (en) * 2002-06-25 2003-12-31 Chien Liang Chua Networking system
US8028077B1 (en) * 2002-07-12 2011-09-27 Apple Inc. Managing distributed computers
US20070244930A1 (en) * 2003-07-18 2007-10-18 Bartlette Troy L System and method for utilizing profile information
US8544084B2 (en) * 2002-08-19 2013-09-24 Blackberry Limited System and method for secure control of resources of wireless mobile communication devices
US7512810B1 (en) 2002-09-11 2009-03-31 Guardian Data Storage Llc Method and system for protecting encrypted files transmitted over a network
US8176334B2 (en) 2002-09-30 2012-05-08 Guardian Data Storage, Llc Document security system that permits external users to gain access to secured files
JP4400059B2 (en) * 2002-10-17 2010-01-20 株式会社日立製作所 Policy setting support tool
US6850943B2 (en) * 2002-10-18 2005-02-01 Check Point Software Technologies, Inc. Security system and methodology for providing indirect access control
US7219142B1 (en) * 2002-10-21 2007-05-15 Ipolicy Networks, Inc. Scoping of policies in a hierarchical customer service management system
US7257834B1 (en) * 2002-10-31 2007-08-14 Sprint Communications Company L.P. Security framework data scheme
US7836310B1 (en) 2002-11-01 2010-11-16 Yevgeniy Gutnik Security system that uses indirect password-based encryption
US20040107360A1 (en) * 2002-12-02 2004-06-03 Zone Labs, Inc. System and Methodology for Policy Enforcement
KR100468859B1 (en) * 2002-12-05 2005-01-29 삼성전자주식회사 Monolithic inkjet printhead and method of manufacturing thereof
US7890990B1 (en) 2002-12-20 2011-02-15 Klimenty Vainstein Security system with staging capabilities
US7334013B1 (en) 2002-12-20 2008-02-19 Microsoft Corporation Shared services management
US20050160007A1 (en) * 2003-02-25 2005-07-21 Fujitsu Limited Subscription-based sales system, terminal device, management device, server and program
WO2004080550A3 (en) * 2003-03-10 2005-06-23 Cyberscan Tech Inc Dynamic configuration of a gaming system
US20040184070A1 (en) * 2003-03-18 2004-09-23 Microsoft Corporation Network printer connection update scheme for printer clients
US7823077B2 (en) 2003-03-24 2010-10-26 Microsoft Corporation System and method for user modification of metadata in a shell browser
US7769794B2 (en) 2003-03-24 2010-08-03 Microsoft Corporation User interface for a file system shell
US7712034B2 (en) 2003-03-24 2010-05-04 Microsoft Corporation System and method for shell browser
US7890960B2 (en) * 2003-03-26 2011-02-15 Microsoft Corporation Extensible user context system for delivery of notifications
US7827561B2 (en) 2003-03-26 2010-11-02 Microsoft Corporation System and method for public consumption of communication events between arbitrary processes
US7650575B2 (en) 2003-03-27 2010-01-19 Microsoft Corporation Rich drag drop user interface
US7536386B2 (en) 2003-03-27 2009-05-19 Microsoft Corporation System and method for sharing items in a computer system
US7627552B2 (en) 2003-03-27 2009-12-01 Microsoft Corporation System and method for filtering and organizing items based on common elements
US7526483B2 (en) 2003-03-27 2009-04-28 Microsoft Corporation System and method for virtual folder sharing including utilization of static and dynamic lists
US7499925B2 (en) * 2003-03-27 2009-03-03 Microsoft Corporation File system for displaying items of different types and from different physical locations
US7454786B2 (en) * 2003-03-27 2008-11-18 International Business Machines Corporation Method for integrated security roles
US7587411B2 (en) 2003-03-27 2009-09-08 Microsoft Corporation System and method for filtering and organizing items based on common elements
US7925682B2 (en) 2003-03-27 2011-04-12 Microsoft Corporation System and method utilizing virtual folders
JP2004302931A (en) * 2003-03-31 2004-10-28 Fujitsu Ltd Secret content management method
US8136155B2 (en) * 2003-04-01 2012-03-13 Check Point Software Technologies, Inc. Security system with methodology for interprocess communication control
US7783672B2 (en) * 2003-04-09 2010-08-24 Microsoft Corporation Support mechanisms for improved group policy management user interface
US20040215650A1 (en) * 2003-04-09 2004-10-28 Ullattil Shaji Interfaces and methods for group policy management
US8244841B2 (en) * 2003-04-09 2012-08-14 Microsoft Corporation Method and system for implementing group policy operations
US7240292B2 (en) 2003-04-17 2007-07-03 Microsoft Corporation Virtual address bar user interface control
US20040249674A1 (en) * 2003-05-06 2004-12-09 Eisenberg Floyd P. Personnel and process management system suitable for healthcare and other fields
US7409644B2 (en) 2003-05-16 2008-08-05 Microsoft Corporation File system shell
CA2527501A1 (en) 2003-05-28 2004-12-09 Caymas Systems, Inc. Multilayer access control security system
US7343628B2 (en) * 2003-05-28 2008-03-11 Sap Ag Authorization data model
US8707034B1 (en) 2003-05-30 2014-04-22 Intellectual Ventures I Llc Method and system for using remote headers to secure electronic files
JP4759513B2 (en) * 2003-06-02 2011-08-31 リキッド・マシンズ・インコーポレーテッドLiquid Machines,Inc. Dynamic management of data objects in a distributed and collaborative environment
US7480798B2 (en) * 2003-06-05 2009-01-20 International Business Machines Corporation System and method for representing multiple security groups as a single data object
US7188252B1 (en) 2003-06-10 2007-03-06 Microsoft Corporation User editable consent
US7299410B2 (en) * 2003-07-01 2007-11-20 Microsoft Corporation System and method for reporting hierarchically arranged data in markup language formats
US7788726B2 (en) * 2003-07-02 2010-08-31 Check Point Software Technologies, Inc. System and methodology providing information lockbox
US7269853B1 (en) 2003-07-23 2007-09-11 Microsoft Corporation Privacy policy change notification
US20050047412A1 (en) * 2003-08-25 2005-03-03 Susan Hares Establishment and enforcement of policies in packet-switched networks
US8639824B1 (en) * 2003-09-19 2014-01-28 Hewlett-Packard Development Company, L.P. System and method for dynamic account management in a grid computing system
US7454488B2 (en) * 2003-09-23 2008-11-18 Hewlett-Packard Development Company, L.P. Method and system for managing a network of nodes
US20050075075A1 (en) * 2003-09-23 2005-04-07 Gabriel Wechter Method and system for determining a network management scalability threshold of a network manager with respect to a network
US7703140B2 (en) 2003-09-30 2010-04-20 Guardian Data Storage, Llc Method and system for securing digital assets using process-driven security policies
US8127366B2 (en) 2003-09-30 2012-02-28 Guardian Data Storage, Llc Method and apparatus for transitioning between states of security policies used to secure electronic documents
US7788366B2 (en) * 2003-10-08 2010-08-31 Aternity, Inc Centralized network control
US7882132B2 (en) 2003-10-09 2011-02-01 Oracle International Corporation Support for RDBMS in LDAP system
US7904487B2 (en) 2003-10-09 2011-03-08 Oracle International Corporation Translating data access requests
US7644432B2 (en) * 2003-10-10 2010-01-05 Bea Systems, Inc. Policy inheritance through nested groups
US7251822B2 (en) * 2003-10-23 2007-07-31 Microsoft Corporation System and methods providing enhanced security model
US7181463B2 (en) * 2003-10-24 2007-02-20 Microsoft Corporation System and method for managing data using static lists
US7804609B2 (en) * 2003-11-07 2010-09-28 Desktop Standard Corporation Methods and systems to connect network printers
US7158977B2 (en) * 2003-11-21 2007-01-02 Lenovo (Singapore) Pte. Ltd. Method and system for identifying master profile information using client properties selected from group consisting of client location, user functionality description, automatically retrieving master profile using master profile location in autonomic computing environment without intervention from the user
US20050120206A1 (en) * 2003-12-02 2005-06-02 John Hines Method and system for rule-based certificate validation
US7921299B1 (en) 2003-12-05 2011-04-05 Microsoft Corporation Partner sandboxing in a shared multi-tenant billing system
US7546640B2 (en) * 2003-12-10 2009-06-09 International Business Machines Corporation Fine-grained authorization by authorization table associated with a resource
US7590705B2 (en) * 2004-02-23 2009-09-15 Microsoft Corporation Profile and consent accrual
US8024779B2 (en) * 2004-02-26 2011-09-20 Packetmotion, Inc. Verifying user authentication
US9584522B2 (en) * 2004-02-26 2017-02-28 Vmware, Inc. Monitoring network traffic by using event log information
US8214875B2 (en) * 2004-02-26 2012-07-03 Vmware, Inc. Network security policy enforcement using application session information and object attributes
US8166554B2 (en) 2004-02-26 2012-04-24 Vmware, Inc. Secure enterprise network
US7941827B2 (en) * 2004-02-26 2011-05-10 Packetmotion, Inc. Monitoring network traffic by using a monitor device
US7797239B2 (en) * 2004-03-12 2010-09-14 Sybase, Inc. Hierarchical entitlement system with integrated inheritance and limit checks
US8478668B2 (en) * 2004-03-12 2013-07-02 Sybase, Inc. Hierarchical entitlement system with integrated inheritance and limit checks
US8613102B2 (en) 2004-03-30 2013-12-17 Intellectual Ventures I Llc Method and system for providing document retention using cryptography
US8336040B2 (en) 2004-04-15 2012-12-18 Raytheon Company System and method for topology-aware job scheduling and backfilling in an HPC environment
US8190714B2 (en) * 2004-04-15 2012-05-29 Raytheon Company System and method for computer cluster virtualization using dynamic boot images and virtual disk
US8335909B2 (en) 2004-04-15 2012-12-18 Raytheon Company Coupling processors to each other for high performance computing (HPC)
US9178784B2 (en) 2004-04-15 2015-11-03 Raytheon Company System and method for cluster management based on HPC architecture
JP2005310243A (en) * 2004-04-20 2005-11-04 Seiko Epson Corp Memory controller, semiconductor integrated circuit apparatus, semiconductor apparatus, microcomputer, and electronic equipment
US7694236B2 (en) 2004-04-23 2010-04-06 Microsoft Corporation Stack icons representing multiple objects
US7657846B2 (en) 2004-04-23 2010-02-02 Microsoft Corporation System and method for displaying stack icons
US7992103B2 (en) 2004-04-26 2011-08-02 Microsoft Corporation Scaling icons for representing files
US8707209B2 (en) 2004-04-29 2014-04-22 Microsoft Corporation Save preview representation of files being created
US7421438B2 (en) 2004-04-29 2008-09-02 Microsoft Corporation Metadata editing control
US7496583B2 (en) * 2004-04-30 2009-02-24 Microsoft Corporation Property tree for metadata navigation and assignment
US8108430B2 (en) 2004-04-30 2012-01-31 Microsoft Corporation Carousel control for metadata navigation and assignment
US8024335B2 (en) 2004-05-03 2011-09-20 Microsoft Corporation System and method for dynamically generating a selectable search extension
US7496910B2 (en) * 2004-05-21 2009-02-24 Desktopstandard Corporation System for policy-based management of software updates
US8892530B1 (en) * 2004-05-28 2014-11-18 Amdocs, Inc. Policy configuration user interface
JP4793839B2 (en) * 2004-06-29 2011-10-12 インターナショナル・ビジネス・マシーンズ・コーポレーションInternational Business Maschines Corporation Access control means according to the tree structure data
US20060005001A1 (en) * 2004-06-30 2006-01-05 Dinesh Sinha Using hierarchical INI files to represent complex user settings in a multi user environment
US7617501B2 (en) 2004-07-09 2009-11-10 Quest Software, Inc. Apparatus, system, and method for managing policies on a computer having a foreign operating system
US8060937B2 (en) * 2004-07-15 2011-11-15 Lieberman Software Corporation System for protecting domain system configurations from users with local privilege rights
US7707427B1 (en) 2004-07-19 2010-04-27 Michael Frederick Kenrich Multi-level file digests
US20060053035A1 (en) * 2004-09-09 2006-03-09 Eisenberg Floyd P Healthcare personnel management system
JP4455239B2 (en) * 2004-09-10 2010-04-21 キヤノン株式会社 Information processing method and apparatus
US7680935B2 (en) * 2004-09-30 2010-03-16 Microsoft Corporation Entity domains
US8244882B2 (en) * 2004-11-17 2012-08-14 Raytheon Company On-demand instantiation in a high-performance computing (HPC) system
US7433931B2 (en) * 2004-11-17 2008-10-07 Raytheon Company Scheduling in a high-performance computing (HPC) system
US7653642B2 (en) * 2004-11-30 2010-01-26 Microsoft Corporation Auto quota
US7607164B2 (en) * 2004-12-23 2009-10-20 Microsoft Corporation Systems and processes for managing policy change in a distributed enterprise
US20060156393A1 (en) * 2005-01-12 2006-07-13 Microsoft Corporation Access control trimming
US7503075B2 (en) * 2005-01-12 2009-03-10 Microsoft Corporation Access trimmed user interface
US7631073B2 (en) * 2005-01-27 2009-12-08 International Business Machines Corporation Method and apparatus for exposing monitoring violations to the monitored application
US20060167891A1 (en) * 2005-01-27 2006-07-27 Blaisdell Russell C Method and apparatus for redirecting transactions based on transaction response time policy in a distributed environment
US20060174320A1 (en) * 2005-01-31 2006-08-03 Microsoft Corporation System and method for efficient configuration of group policies
US7383503B2 (en) * 2005-02-23 2008-06-03 Microsoft Corporation Filtering a collection of items
US9137251B2 (en) * 2005-03-16 2015-09-15 Fortinet, Inc. Inheritance based network management
US20060224628A1 (en) * 2005-03-29 2006-10-05 Bea Systems, Inc. Modeling for data services
US8631476B2 (en) * 2005-03-31 2014-01-14 Sap Ag Data processing system including explicit and generic grants of action authorization
US20060236253A1 (en) * 2005-04-15 2006-10-19 Microsoft Corporation Dialog user interfaces for related tasks and programming interface for same
US8490015B2 (en) 2005-04-15 2013-07-16 Microsoft Corporation Task dialog and programming interface for same
US7614016B2 (en) * 2005-04-21 2009-11-03 Microsoft Corporation Multiple roots in navigation pane
US8195646B2 (en) 2005-04-22 2012-06-05 Microsoft Corporation Systems, methods, and user interfaces for storing, searching, navigating, and retrieving electronic information
US7536410B2 (en) * 2005-04-22 2009-05-19 Microsoft Corporation Dynamic multi-dimensional scrolling
US8522154B2 (en) 2005-04-22 2013-08-27 Microsoft Corporation Scenario specialization of file browser
JP4736816B2 (en) * 2005-04-28 2011-07-27 富士ゼロックス株式会社 Reading document management program, reading a document management system, read the document management method
US20060259490A1 (en) * 2005-04-28 2006-11-16 Kazunori Horikiri Document management system, document management method, and recording medium storing program for document management
US8572744B2 (en) * 2005-05-02 2013-10-29 Steelcloud, Inc. Information security auditing and incident investigation system
US7913289B2 (en) * 2005-05-23 2011-03-22 Broadcom Corporation Method and apparatus for security policy and enforcing mechanism for a set-top box security processor
US7844996B2 (en) * 2005-05-23 2010-11-30 Broadcom Corporation Method and apparatus for constructing an access control matrix for a set-top box security processor
US9652637B2 (en) 2005-05-23 2017-05-16 Avago Technologies General Ip (Singapore) Pte. Ltd. Method and system for allowing no code download in a code download scheme
WO2006129225A3 (en) * 2005-05-31 2007-02-08 Franciscus L A J Kamperman Flexible domain policy distribution
US20060277253A1 (en) * 2005-06-01 2006-12-07 Ford Daniel E Method and system for administering network device groups
US8086707B2 (en) * 2005-06-30 2011-12-27 Intel Corporation Systems and methods for grid agent management
US7665028B2 (en) 2005-07-13 2010-02-16 Microsoft Corporation Rich drag drop user interface
US8006088B2 (en) * 2005-08-18 2011-08-23 Beyondtrust Corporation Methods and systems for network-based management of application security
US9565191B2 (en) * 2005-08-23 2017-02-07 The Boeing Company Global policy apparatus and related methods
US8271418B2 (en) * 2005-08-23 2012-09-18 The Boeing Company Checking rule and policy representation
US7941309B2 (en) 2005-11-02 2011-05-10 Microsoft Corporation Modeling IT operations/policies
US20070168696A1 (en) * 2005-11-15 2007-07-19 Aternity Information Systems, Ltd. System for inventing computer systems and alerting users of faults
US8352589B2 (en) * 2005-11-15 2013-01-08 Aternity Information Systems Ltd. System for monitoring computer systems and alerting users of faults
US7904949B2 (en) 2005-12-19 2011-03-08 Quest Software, Inc. Apparatus, systems and methods to provide authentication services to a legacy application
JP4859198B2 (en) * 2005-12-22 2012-01-25 キヤノン株式会社 The information processing apparatus, information processing method, program, storage medium
US9864752B2 (en) * 2005-12-29 2018-01-09 Nextlabs, Inc. Multilayer policy language structure
US8544058B2 (en) * 2005-12-29 2013-09-24 Nextlabs, Inc. Techniques of transforming policies to enforce control in an information management system
US8688813B2 (en) 2006-01-11 2014-04-01 Oracle International Corporation Using identity/resource profile and directory enablers to support identity management
US8087075B2 (en) 2006-02-13 2011-12-27 Quest Software, Inc. Disconnected credential validation using pre-fetched service tickets
US7870564B2 (en) * 2006-02-16 2011-01-11 Microsoft Corporation Object-based computer system management
US9904809B2 (en) 2006-02-27 2018-02-27 Avago Technologies General Ip (Singapore) Pte. Ltd. Method and system for multi-level security initialization and configuration
US9177176B2 (en) 2006-02-27 2015-11-03 Broadcom Corporation Method and system for secure system-on-a-chip architecture for multimedia data processing
US7856653B2 (en) * 2006-03-29 2010-12-21 International Business Machines Corporation Method and apparatus to protect policy state information during the life-time of virtual machines
US20070244897A1 (en) * 2006-04-18 2007-10-18 David Voskuil Methods and systems for change management for a group policy environment
US8935416B2 (en) * 2006-04-21 2015-01-13 Fortinet, Inc. Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer
US8019845B2 (en) * 2006-06-05 2011-09-13 International Business Machines Corporation Service delivery using profile based management
US7747736B2 (en) * 2006-06-05 2010-06-29 International Business Machines Corporation Rule and policy promotion within a policy hierarchy
US8429712B2 (en) 2006-06-08 2013-04-23 Quest Software, Inc. Centralized user authentication system apparatus and method
US9489318B2 (en) 2006-06-19 2016-11-08 Broadcom Corporation Method and system for accessing protected memory
US20080059123A1 (en) * 2006-08-29 2008-03-06 Microsoft Corporation Management of host compliance evaluation
US20080072280A1 (en) * 2006-08-30 2008-03-20 Tardo Joseph J Method and system to control access to a secure asset via an electronic communications network
US7610315B2 (en) * 2006-09-06 2009-10-27 Adobe Systems Incorporated System and method of determining and recommending a document control policy for a document
US7640345B2 (en) * 2006-09-18 2009-12-29 Emc Corporation Information management
US8612570B1 (en) 2006-09-18 2013-12-17 Emc Corporation Data classification and management using tap network architecture
US8060620B2 (en) * 2006-10-05 2011-11-15 Microsoft Corporation Profile deployment using a generic format
US7895332B2 (en) 2006-10-30 2011-02-22 Quest Software, Inc. Identity migration system apparatus and method
US8086710B2 (en) 2006-10-30 2011-12-27 Quest Software, Inc. Identity migration apparatus and method
US8166515B2 (en) * 2006-10-30 2012-04-24 Microsoft Corporation Group policy for unique class identifier devices
US7971232B2 (en) * 2006-10-30 2011-06-28 Microsoft Corporation Setting group policy by device ownership
US7698639B2 (en) * 2006-12-13 2010-04-13 Microsoft Corporation Extensible framework for template-based user settings management
US20080184277A1 (en) * 2007-01-26 2008-07-31 Microsoft Corporation Systems management policy validation, distribution and enactment
US20080184200A1 (en) * 2007-01-26 2008-07-31 Microsoft Corporation Software configuration policies' validation, distribution, and enactment
US7972870B2 (en) * 2007-02-02 2011-07-05 Dana-Farber Cancer Institute, Inc. Methods and compositions relating to the regulation of MUC1 by HSF1 and STAT3
US8490148B2 (en) 2007-03-12 2013-07-16 Citrix Systems, Inc Systems and methods for managing application security profiles
US7853678B2 (en) * 2007-03-12 2010-12-14 Citrix Systems, Inc. Systems and methods for configuring flow control of policy expressions
US7865589B2 (en) * 2007-03-12 2011-01-04 Citrix Systems, Inc. Systems and methods for providing structured policy expressions to represent unstructured data in a network appliance
US8631147B2 (en) 2007-03-12 2014-01-14 Citrix Systems, Inc. Systems and methods for configuring policy bank invocations
US7853679B2 (en) * 2007-03-12 2010-12-14 Citrix Systems, Inc. Systems and methods for configuring handling of undefined policy events
US7870277B2 (en) * 2007-03-12 2011-01-11 Citrix Systems, Inc. Systems and methods for using object oriented expressions to configure application security policies
US8386653B2 (en) * 2007-03-27 2013-02-26 Microsoft Corporation Instrumenting configuration and system settings
US7996823B2 (en) * 2007-05-31 2011-08-09 International Business Machines Corporation Mechanism to provide debugging and optimization in policy and knowledge controlled distributed computing systems, through the use of tagged policies and knowledge representation elements
US8762984B2 (en) * 2007-05-31 2014-06-24 Microsoft Corporation Content distribution infrastructure
US7945941B2 (en) * 2007-06-01 2011-05-17 Cisco Technology, Inc. Flexible access control policy enforcement
US20090063650A1 (en) * 2007-09-05 2009-03-05 International Business Machines Corporation Managing Collections of Appliances
US8868720B1 (en) 2007-09-28 2014-10-21 Emc Corporation Delegation of discovery functions in information management system
US9141658B1 (en) 2007-09-28 2015-09-22 Emc Corporation Data classification and management for risk mitigation
US8548964B1 (en) 2007-09-28 2013-10-01 Emc Corporation Delegation of data classification using common language
US9323901B1 (en) * 2007-09-28 2016-04-26 Emc Corporation Data classification for digital rights management
US8522248B1 (en) 2007-09-28 2013-08-27 Emc Corporation Monitoring delegated operations in information management systems
US9461890B1 (en) 2007-09-28 2016-10-04 Emc Corporation Delegation of data management policy in an information management system
US7966665B1 (en) 2007-11-16 2011-06-21 Open Invention Network, Llc Compliance validator for restricted network access control
US8875306B2 (en) * 2008-02-12 2014-10-28 Oracle International Corporation Customization restrictions for multi-layer XML customization
US8966465B2 (en) 2008-02-12 2015-02-24 Oracle International Corporation Customization creation and update for multi-layer XML customization
US8935365B1 (en) * 2008-03-14 2015-01-13 Full Armor Corporation Group policy framework
US7941443B1 (en) * 2008-05-21 2011-05-10 Symantec Corporation Extending user account control to groups and multiple computers
US8996658B2 (en) * 2008-09-03 2015-03-31 Oracle International Corporation System and method for integration of browser-based thin client applications within desktop rich client architecture
US9122520B2 (en) 2008-09-17 2015-09-01 Oracle International Corporation Generic wait service: pausing a BPEL process
US8799319B2 (en) 2008-09-19 2014-08-05 Oracle International Corporation System and method for meta-data driven, semi-automated generation of web services based on existing applications
US9760234B2 (en) * 2008-10-14 2017-09-12 International Business Machines Corporation Desktop icon management and grouping using desktop containers
US8392682B2 (en) * 2008-12-17 2013-03-05 Unisys Corporation Storage security using cryptographic splitting
US8108495B1 (en) * 2009-04-30 2012-01-31 Palo Alto Networks, Inc. Managing network devices
US8850549B2 (en) 2009-05-01 2014-09-30 Beyondtrust Software, Inc. Methods and systems for controlling access to resources and privileges per process
US8255984B1 (en) 2009-07-01 2012-08-28 Quest Software, Inc. Single sign-on system for shared resource environments
US8679415B2 (en) 2009-08-10 2014-03-25 Unifrax I Llc Variable basis weight mounting mat or pre-form and exhaust gas treatment device
US9589145B2 (en) 2010-11-24 2017-03-07 Oracle International Corporation Attaching web service policies to a group of policy subjects
US8650250B2 (en) 2010-11-24 2014-02-11 Oracle International Corporation Identifying compatible web service policies
US8806569B2 (en) 2011-02-07 2014-08-12 Tufin Software Technologies Ltd. Method and system for analyzing security ruleset by generating a logically equivalent security rule-set
US9578030B2 (en) 2011-02-07 2017-02-21 Tufin Software Technologies Ltd. Method and system for analyzing security ruleset by generating a logically equivalent security rule-set
US8655824B1 (en) * 2011-03-07 2014-02-18 The Boeing Company Global policy framework analyzer
US8560819B2 (en) 2011-05-31 2013-10-15 Oracle International Corporation Software execution using multiple initialization modes
US9043864B2 (en) 2011-09-30 2015-05-26 Oracle International Corporation Constraint definition for conditional policy attachments
US8954942B2 (en) 2011-09-30 2015-02-10 Oracle International Corporation Optimizations using a BPEL compiler
US9329784B2 (en) 2011-10-13 2016-05-03 Microsoft Technology Licensing, Llc Managing policies using a staging policy and a derived production policy
US8959503B2 (en) 2012-10-05 2015-02-17 Microsoft Technology Licensing Llc Application version gatekeeping during upgrade
CA2912703C (en) * 2013-05-16 2017-11-28 Iboss, Inc. Location based network usage policies
US20140343989A1 (en) * 2013-05-16 2014-11-20 Phantom Technologies, Inc. Implicitly linking access policies using group names
EP2819346B1 (en) * 2013-06-28 2018-06-20 Kaspersky Lab, ZAO System and method for automatically configuring application control rules
RU2589852C2 (en) 2013-06-28 2016-07-10 Закрытое акционерное общество "Лаборатория Касперского" System and method for automatic regulation of rules for controlling applications
US8738791B1 (en) 2013-07-17 2014-05-27 Phantom Technologies, Inc. Location based network usage policies
JP6252739B2 (en) * 2013-09-13 2017-12-27 株式会社リコー Transmission management system, a management method and program
CA2981789A1 (en) 2014-04-04 2015-10-08 David Goldschlag Method for authentication and assuring compliance of devices accessing external services
US20170034075A1 (en) * 2015-07-31 2017-02-02 Vmware, Inc. Policy Framework User Interface
US9606792B1 (en) * 2015-11-13 2017-03-28 International Business Machines Corporation Monitoring communication quality utilizing task transfers
US20180136951A1 (en) * 2016-11-16 2018-05-17 Vmware, Inc. Policy enabled application-release-management subsystem

Citations (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5335346A (en) * 1989-05-15 1994-08-02 International Business Machines Corporation Access control policies for an object oriented database, including access control lists which span across object boundaries
US5675782A (en) * 1995-06-06 1997-10-07 Microsoft Corporation Controlling access to objects on multiple operating systems
US5765153A (en) * 1996-01-03 1998-06-09 International Business Machines Corporation Information handling system, method, and article of manufacture including object system authorization and registration
US5787427A (en) * 1996-01-03 1998-07-28 International Business Machines Corporation Information handling system, method, and article of manufacture for efficient object security processing by grouping objects sharing common control access policies
US5797128A (en) * 1995-07-03 1998-08-18 Sun Microsystems, Inc. System and method for implementing a hierarchical policy for computer system administration
US5822521A (en) * 1995-11-06 1998-10-13 International Business Machines Corporation Method and apparatus for assigning policy protocols in a distributed system
US5842218A (en) * 1996-12-06 1998-11-24 Media Plan, Inc. Method, computer program product, and system for a reorienting categorization table
US5872928A (en) * 1995-02-24 1999-02-16 Cabletron Systems, Inc. Method and apparatus for defining and enforcing policies for configuration management in communications networks
US5878415A (en) * 1997-03-20 1999-03-02 Novell, Inc. Controlling access to objects in a hierarchical database
US5889953A (en) * 1995-05-25 1999-03-30 Cabletron Systems, Inc. Policy management and conflict resolution in computer networks
US5958050A (en) * 1996-09-24 1999-09-28 Electric Communities Trusted delegation system
US6041347A (en) * 1997-10-24 2000-03-21 Unified Access Communications Computer system and computer-implemented process for simultaneous configuration and monitoring of a computer network
US6064656A (en) * 1997-10-31 2000-05-16 Sun Microsystems, Inc. Distributed system and method for controlling access control to network resources
US6070244A (en) * 1997-11-10 2000-05-30 The Chase Manhattan Bank Computer network security management system
US6105027A (en) * 1997-03-10 2000-08-15 Internet Dynamics, Inc. Techniques for eliminating redundant access checking by access filters
US6148333A (en) * 1998-05-13 2000-11-14 Mgi Software Corporation Method and system for server access control and tracking
US6167445A (en) * 1998-10-26 2000-12-26 Cisco Technology, Inc. Method and apparatus for defining and implementing high-level quality of service policies in computer networks
US6202066B1 (en) * 1997-11-19 2001-03-13 The United States Of America As Represented By The Secretary Of Commerce Implementation of role/group permission association using object access type
US6237037B1 (en) * 1997-06-26 2001-05-22 Telefonaktiebolaget Lm Ericsson (Publ) Method and arrangement relating to communications systems
US6393474B1 (en) * 1998-12-31 2002-05-21 3Com Corporation Dynamic policy management apparatus and method using active network devices
US6408326B1 (en) * 1999-04-20 2002-06-18 Microsoft Corporation Method and system for applying a policy to binary data
US6441835B1 (en) * 1999-11-16 2002-08-27 International Business Machines Corporation Resolution policy for direct manipulation on hierarchically structured visuals
US6463470B1 (en) * 1998-10-26 2002-10-08 Cisco Technology, Inc. Method and apparatus of storing policies for policy-based management of quality of service treatments of network data traffic flows
US6466984B1 (en) * 1999-07-02 2002-10-15 Cisco Technology, Inc. Method and apparatus for policy-based management of quality of service treatments of network data traffic flows by integrating policies with application programs
US6538668B1 (en) * 1999-04-09 2003-03-25 Sun Microsystems, Inc. Distributed settings control protocol
US6539425B1 (en) * 1999-07-07 2003-03-25 Avaya Technology Corp. Policy-enabled communications networks
US6598121B2 (en) * 1998-08-28 2003-07-22 International Business Machines, Corp. System and method for coordinated hierarchical caching and cache replacement
US6721758B1 (en) * 2001-03-30 2004-04-13 Novell, Inc. System and method for using schema attributes as meta-data in a directory service
US6785728B1 (en) * 1997-03-10 2004-08-31 David S. Schneider Distributed administration of access to information
US7146635B2 (en) * 2000-12-27 2006-12-05 International Business Machines Corporation Apparatus and method for using a directory service for authentication and authorization to access resources outside of the directory service
US20080028436A1 (en) * 1997-03-10 2008-01-31 Sonicwall, Inc. Generalized policy server

Patent Citations (31)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5335346A (en) * 1989-05-15 1994-08-02 International Business Machines Corporation Access control policies for an object oriented database, including access control lists which span across object boundaries
US5872928A (en) * 1995-02-24 1999-02-16 Cabletron Systems, Inc. Method and apparatus for defining and enforcing policies for configuration management in communications networks
US5889953A (en) * 1995-05-25 1999-03-30 Cabletron Systems, Inc. Policy management and conflict resolution in computer networks
US5675782A (en) * 1995-06-06 1997-10-07 Microsoft Corporation Controlling access to objects on multiple operating systems
US5797128A (en) * 1995-07-03 1998-08-18 Sun Microsystems, Inc. System and method for implementing a hierarchical policy for computer system administration
US5822521A (en) * 1995-11-06 1998-10-13 International Business Machines Corporation Method and apparatus for assigning policy protocols in a distributed system
US5765153A (en) * 1996-01-03 1998-06-09 International Business Machines Corporation Information handling system, method, and article of manufacture including object system authorization and registration
US5787427A (en) * 1996-01-03 1998-07-28 International Business Machines Corporation Information handling system, method, and article of manufacture for efficient object security processing by grouping objects sharing common control access policies
US5958050A (en) * 1996-09-24 1999-09-28 Electric Communities Trusted delegation system
US5842218A (en) * 1996-12-06 1998-11-24 Media Plan, Inc. Method, computer program product, and system for a reorienting categorization table
US6105027A (en) * 1997-03-10 2000-08-15 Internet Dynamics, Inc. Techniques for eliminating redundant access checking by access filters
US6785728B1 (en) * 1997-03-10 2004-08-31 David S. Schneider Distributed administration of access to information
US20080028436A1 (en) * 1997-03-10 2008-01-31 Sonicwall, Inc. Generalized policy server
US5878415A (en) * 1997-03-20 1999-03-02 Novell, Inc. Controlling access to objects in a hierarchical database
US6237037B1 (en) * 1997-06-26 2001-05-22 Telefonaktiebolaget Lm Ericsson (Publ) Method and arrangement relating to communications systems
US6041347A (en) * 1997-10-24 2000-03-21 Unified Access Communications Computer system and computer-implemented process for simultaneous configuration and monitoring of a computer network
US6064656A (en) * 1997-10-31 2000-05-16 Sun Microsystems, Inc. Distributed system and method for controlling access control to network resources
US6070244A (en) * 1997-11-10 2000-05-30 The Chase Manhattan Bank Computer network security management system
US6202066B1 (en) * 1997-11-19 2001-03-13 The United States Of America As Represented By The Secretary Of Commerce Implementation of role/group permission association using object access type
US6148333A (en) * 1998-05-13 2000-11-14 Mgi Software Corporation Method and system for server access control and tracking
US6598121B2 (en) * 1998-08-28 2003-07-22 International Business Machines, Corp. System and method for coordinated hierarchical caching and cache replacement
US6167445A (en) * 1998-10-26 2000-12-26 Cisco Technology, Inc. Method and apparatus for defining and implementing high-level quality of service policies in computer networks
US6463470B1 (en) * 1998-10-26 2002-10-08 Cisco Technology, Inc. Method and apparatus of storing policies for policy-based management of quality of service treatments of network data traffic flows
US6393474B1 (en) * 1998-12-31 2002-05-21 3Com Corporation Dynamic policy management apparatus and method using active network devices
US6538668B1 (en) * 1999-04-09 2003-03-25 Sun Microsystems, Inc. Distributed settings control protocol
US6408326B1 (en) * 1999-04-20 2002-06-18 Microsoft Corporation Method and system for applying a policy to binary data
US6466984B1 (en) * 1999-07-02 2002-10-15 Cisco Technology, Inc. Method and apparatus for policy-based management of quality of service treatments of network data traffic flows by integrating policies with application programs
US6539425B1 (en) * 1999-07-07 2003-03-25 Avaya Technology Corp. Policy-enabled communications networks
US6441835B1 (en) * 1999-11-16 2002-08-27 International Business Machines Corporation Resolution policy for direct manipulation on hierarchically structured visuals
US7146635B2 (en) * 2000-12-27 2006-12-05 International Business Machines Corporation Apparatus and method for using a directory service for authentication and authorization to access resources outside of the directory service
US6721758B1 (en) * 2001-03-30 2004-04-13 Novell, Inc. System and method for using schema attributes as meta-data in a directory service

Cited By (83)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7673323B1 (en) 1998-10-28 2010-03-02 Bea Systems, Inc. System and method for maintaining security in a distributed computer network
US7516475B1 (en) * 2002-07-01 2009-04-07 Cisco Technology, Inc. Method and apparatus for managing security policies on a network
US7743158B2 (en) * 2002-12-04 2010-06-22 Ntt Docomo, Inc. Access network dynamic firewall
US20040111519A1 (en) * 2002-12-04 2004-06-10 Guangrui Fu Access network dynamic firewall
US20040162733A1 (en) * 2003-02-14 2004-08-19 Griffin Philip B. Method for delegated administration
US7653930B2 (en) 2003-02-14 2010-01-26 Bea Systems, Inc. Method for role and resource policy management optimization
US7992189B2 (en) 2003-02-14 2011-08-02 Oracle International Corporation System and method for hierarchical role-based entitlements
US8831966B2 (en) 2003-02-14 2014-09-09 Oracle International Corporation Method for delegated administration
US20040167900A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. Virtual repository complex content model
US20040167868A1 (en) * 2003-02-20 2004-08-26 Bea Systems, Inc. System and method for a virtual content repository
US20050102401A1 (en) * 2003-10-10 2005-05-12 Bea Systems, Inc. Distributed enterprise security system for a resource hierarchy
US20050097353A1 (en) * 2003-10-10 2005-05-05 Bea Systems, Inc. Policy analysis tool
US20050257245A1 (en) * 2003-10-10 2005-11-17 Bea Systems, Inc. Distributed security system with dynamic roles
US20050081062A1 (en) * 2003-10-10 2005-04-14 Bea Systems, Inc. Distributed enterprise security system
US20050251851A1 (en) * 2003-10-10 2005-11-10 Bea Systems, Inc. Configuration of a distributed security system
US20050188295A1 (en) * 2004-02-25 2005-08-25 Loren Konkus Systems and methods for an extensible administration tool
US20050257154A1 (en) * 2004-05-14 2005-11-17 Bea Systems, Inc. Graphical association of elements for portal and webserver administration
US20050256906A1 (en) * 2004-05-14 2005-11-17 Bea Systems, Inc. Interface for portal and webserver administration-efficient updates
US20050256899A1 (en) * 2004-05-14 2005-11-17 Bea Systems, Inc. System and method for representing hierarchical data structures
US20050257172A1 (en) * 2004-05-14 2005-11-17 Bea Systems, Inc. Interface for filtering for portal and webserver administration
US7783670B2 (en) 2004-11-18 2010-08-24 Bea Systems, Inc. Client server conversion for representing hierarchical data structures
US20060123026A1 (en) * 2004-11-18 2006-06-08 Bea Systems, Inc. Client server conversion for representing hierarchical data structures
US8589446B2 (en) * 2005-01-28 2013-11-19 International Business Machines Corporation Graphical user interface (GUI) to associate information with an object
US20060173808A1 (en) * 2005-01-28 2006-08-03 Trenten Peterson Graphical user interface (GUI) to associate information with an object
US8898198B2 (en) 2005-01-28 2014-11-25 International Business Machines Corporation Graphical user interface (GUI) to associate information with an object
US8086615B2 (en) 2005-03-28 2011-12-27 Oracle International Corporation Security data redaction
US7748027B2 (en) 2005-05-11 2010-06-29 Bea Systems, Inc. System and method for dynamic data redaction
US20060259954A1 (en) * 2005-05-11 2006-11-16 Bea Systems, Inc. System and method for dynamic data redaction
US20070043716A1 (en) * 2005-08-18 2007-02-22 Blewer Ronnie G Methods, systems and computer program products for changing objects in a directory system
US7953734B2 (en) 2005-09-26 2011-05-31 Oracle International Corporation System and method for providing SPI extensions for content management system
US7752205B2 (en) 2005-09-26 2010-07-06 Bea Systems, Inc. Method and system for interacting with a virtual content repository
US7818344B2 (en) 2005-09-26 2010-10-19 Bea Systems, Inc. System and method for providing nested types for content management
US20070073638A1 (en) * 2005-09-26 2007-03-29 Bea Systems, Inc. System and method for using soft links to managed content
US7917537B2 (en) 2005-09-26 2011-03-29 Oracle International Corporation System and method for providing link property types for content management
US20080077982A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Credential vault encryption
US20080313728A1 (en) * 2006-09-22 2008-12-18 Bea Systems, Inc. Interstitial pages
US20080250388A1 (en) * 2006-09-22 2008-10-09 Bea Systems, Inc. Pagelets in adaptive tags
US8136150B2 (en) 2006-09-22 2012-03-13 Oracle International Corporation User role mapping in web applications
US20080077809A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Credential Vault Encryption
US20080077981A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Pagelets in adaptive tags in non-portal reverse proxy
US8397283B2 (en) 2006-09-22 2013-03-12 Oracle International Corporation User role mapping in web applications
US20080077980A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Pagelets
US20080077983A1 (en) * 2006-09-22 2008-03-27 Bea Systems, Inc. Non-invasive insertion of pagelets
US7861289B2 (en) 2006-09-22 2010-12-28 Oracle International Corporation Pagelets in adaptive tags in non-portal reverse proxy
US7861290B2 (en) 2006-09-22 2010-12-28 Oracle International Corporation Non-invasive insertion of pagelets
US7865943B2 (en) 2006-09-22 2011-01-04 Oracle International Corporation Credential vault encryption
US7886352B2 (en) 2006-09-22 2011-02-08 Oracle International Corporation Interstitial pages
US20110047611A1 (en) * 2006-09-22 2011-02-24 Bea Systems, Inc. User Role Mapping in Web Applications
US7904953B2 (en) 2006-09-22 2011-03-08 Bea Systems, Inc. Pagelets
US8463852B2 (en) 2006-10-06 2013-06-11 Oracle International Corporation Groupware portlets for integrating a portal with groupware systems
US20080104661A1 (en) * 2006-10-27 2008-05-01 Joseph Levin Managing Policy Settings for Remote Clients
US20080201761A1 (en) * 2007-02-16 2008-08-21 Microsoft Corporation Dynamically Associating Attribute Values with Objects
US8095970B2 (en) * 2007-02-16 2012-01-10 Microsoft Corporation Dynamically associating attribute values with objects
US20080208917A1 (en) * 2007-02-22 2008-08-28 Network Appliance, Inc. Apparatus and a method to make data sets conform to data management policies
US20080208926A1 (en) * 2007-02-22 2008-08-28 Smoot Peter L Data management in a data storage system using data sets
US7953928B2 (en) 2007-02-22 2011-05-31 Network Appliance, Inc. Apparatus and a method to make data sets conform to data management policies
US20080270413A1 (en) * 2007-04-27 2008-10-30 Dmitri Gavrilov Client-Specific Transformation of Distributed Data
US7774310B2 (en) 2007-04-27 2010-08-10 Microsoft Corporation Client-specific transformation of distributed data
US20120159335A1 (en) * 2007-06-01 2012-06-21 Nenuphar, Inc. Integrated System and Method for Implementing Messaging, Planning, and Search Functions in a Mobile Device
US20090064270A1 (en) * 2007-08-29 2009-03-05 Rajeev Gupta Template based federation of policies
US8819164B2 (en) 2007-08-31 2014-08-26 Microsoft Corporation Versioning management
US9282005B1 (en) * 2007-11-01 2016-03-08 Emc Corporation IT infrastructure policy breach investigation interface
US9552491B1 (en) * 2007-12-04 2017-01-24 Crimson Corporation Systems and methods for securing data
US8166516B2 (en) 2008-03-27 2012-04-24 Microsoft Corporation Determining effective policy
US20090249431A1 (en) * 2008-03-27 2009-10-01 Microsoft Corporation Determining Effective Policy
US20110072082A1 (en) * 2008-05-14 2011-03-24 Masaya Fujiwaka Information processing system and information processing method
US8601166B2 (en) * 2008-05-14 2013-12-03 Nec Corporation Information processing system and information processing method for generating distribution and synchronization rules in a client/server environment based on operation environment data
US20100211545A1 (en) * 2009-02-17 2010-08-19 Microsoft Corporation Context-Aware Management of Shared Composite Data
US8738584B2 (en) * 2009-02-17 2014-05-27 Microsoft Corporation Context-aware management of shared composite data
US8595789B2 (en) * 2010-02-15 2013-11-26 Bank Of America Corporation Anomalous activity detection
US20110202969A1 (en) * 2010-02-15 2011-08-18 Bank Of America Corporation Anomalous activity detection
US9154521B2 (en) 2010-02-15 2015-10-06 Bank Of America Corporation Anomalous activity detection
US20120011560A1 (en) * 2010-07-07 2012-01-12 Computer Associates Think, Inc. Dynamic Policy Trees for Matching Policies
US8661499B2 (en) * 2010-07-07 2014-02-25 Ca, Inc. Dynamic policy trees for matching policies
US8661500B2 (en) 2011-05-20 2014-02-25 Nokia Corporation Method and apparatus for providing end-to-end privacy for distributed computations
WO2012160245A1 (en) * 2011-05-20 2012-11-29 Nokia Corporation Method and apparatus for providing end-to-end privacy for distributed computations
WO2012173626A1 (en) * 2011-06-16 2012-12-20 Hewlett-Packard Development Company, L.P. System and method for policy generation
WO2013067238A1 (en) * 2011-11-02 2013-05-10 Microsoft Corporation Inheritance of rules across hierarchical levels
US9189563B2 (en) 2011-11-02 2015-11-17 Microsoft Technology Licensing, Llc Inheritance of rules across hierarchical levels
US9792264B2 (en) 2011-11-02 2017-10-17 Microsoft Technology Licensing, Llc Inheritance of rules across hierarchical levels
US9558274B2 (en) 2011-11-02 2017-01-31 Microsoft Technology Licensing, Llc Routing query results
US9177022B2 (en) 2011-11-02 2015-11-03 Microsoft Technology Licensing, Llc User pipeline configuration for rule-based query transformation, generation and result display
US9348489B1 (en) * 2015-09-28 2016-05-24 International Business Machines Corporation Graphical user interfaces for managing hierarchical systems

Also Published As

Publication number Publication date Type
US6950818B2 (en) 2005-09-27 grant
US6466932B1 (en) 2002-10-15 grant
US20030023587A1 (en) 2003-01-30 application

Similar Documents

Publication Publication Date Title
Moore et al. Policy Core Information Model--Version 1 Specification
US6708170B1 (en) Method and system for usage of non-local data within a lightweight directory access protocol directory environment
US5999978A (en) Distributed system and method for controlling access to network resources and event notifications
US6501491B1 (en) Extensible user interface for viewing objects over a network
US6772350B1 (en) System and method for controlling access to resources in a distributed environment
US6562076B2 (en) Extending application behavior through active properties attached to a document in a document management system
US6754896B2 (en) Method and system for on-demand installation of software implementations
US6182083B1 (en) Method and system for multi-entry and multi-template matching in a database
US6795967B1 (en) Changing user identities without closing applications
US7171459B2 (en) Method and apparatus for handling policies in an enterprise
US6463470B1 (en) Method and apparatus of storing policies for policy-based management of quality of service treatments of network data traffic flows
Crampton Specifying and enforcing constraints in role-based access control
EP0913967A2 (en) System and method for providing database acces control in a secure distributed network
US6941465B1 (en) Method of enforcing a policy on a computer network
US20020002577A1 (en) System and methods for providing dynamic authorization in a computer system
US5778222A (en) Method and system for managing access to objects
US5765153A (en) Information handling system, method, and article of manufacture including object system authorization and registration
US6038563A (en) System and method for restricting database access to managed object information using a permissions table that specifies access rights corresponding to user access rights to the managed objects
US6505300B2 (en) Method and system for secure running of untrusted content
US7269612B2 (en) Method, system, and program for a policy based storage manager
US20070100830A1 (en) Method and apparatus for access control list (ACL) binding in a data processing system
US6330560B1 (en) Multiple manager to multiple server IP locking mechanism in a directory-enabled network
US6633907B1 (en) Methods and systems for provisioning online services
Baldwin Naming and grouping privileges to simplify security management in large databases
US7461158B2 (en) System and method for controlling access rights to network resources

Legal Events

Date Code Title Description
AS Assignment

Owner name: MICROSOFT CORPORATION, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:DENNIS, MICHAEL W.;FREED, MICHELE L.;PLASTINA, DANIEL;AND OTHERS;REEL/FRAME:018914/0641;SIGNING DATES FROM 19990331 TO 19990402

AS Assignment

Owner name: MICROSOFT TECHNOLOGY LICENSING, LLC, WASHINGTON

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MICROSOFT CORPORATION;REEL/FRAME:034766/0001

Effective date: 20141014