Adding Administrative Templates to a Group Policy Object
A Group Policy Object (GPO) consists of configuration information that applies to computers, configuration information that applies to users, or sections of policy specifically devoted to each. You can extend the configuration options provided by any Group Policy Object by adding Delinea-provided or custom administrative templates to the object. For example, you can add configuration settings for Delinea agents to a Group Policy Object by adding the centrifydc_settings.xml administrative template. Other administrative templates can be added to control other settings, such as Mac OS X system preferences, if they apply to your environment.
Installing Delinea Group Policy Templates
When you install Access Manager using the installation wizard and you specify that all components be installed, the Delinea group policy templates are included in the installation. See “Install Access Manager and update Active Directory” in the Administrator’s Guide for Windows for details about using the Access Manager installation wizard.
For details about where the Delinea group policy templates reside after they are installed, see Adding Delinea Policies from XML Files.
Because Delinea group policy templates and extensions are packaged separately from other Access Manager components, you have the following options if you prefer to install group policy templates and extensions separately from Access Manager:
- You can install Delinea group policy templates and extensions on any Windows domain computer without also installing Access Manager on the computer.
- You can install Access Manager on any Windows domain computer without also installing Delinea group policy templates and extensions on the computer.
The group policy template and extension package has its own .exe and .msi installer files, so that you can install group policy templates and extensions interactively through an installation wizard (by executing the .exe file) or silently from the command line (by executing the .msi file). Additionally, you can select or de-select the group policy template and extension component for installation when you run the Access Manager installation wizard.
For details about installing group policy templates and extensions separately from Access Manager, see “Install group policy extensions separately from Access Manager” in the Administrator’s Guide for Windows.
Template File Formats
Delinea provides templates in both XML and ADMX format. In most cases, it is best to use the XML templates, which provide greater flexibility, such as the ability to edit settings after setting them initially, and in many cases contain validation scripts for the policies implemented in the template.
However, in certain cases, you may want to add templates by using the ADMX files. For example, if you have implemented a set of custom tools for the Windows ADMX-based policies, and want to extend those tools to work with the Delinea policies, you can implement the Delinea policies by adding the ADMX template files. You should note, however, that ADMX templates do not support extended ASCII code for locales that require double-byte characters. For these locales, you should use the XML templates.
Selecting a Group Policy Object for Delinea Settings
Depending on the requirements of your organization and how you have linked existing Group Policy Objects to sites, domains, and organizational units in your Active Directory forest, you might want to use one of the default Group Policy Objects, use a Group Policy Object you have created specifically for your organization, or create a new Group Policy Object that is specifically for Delinea settings.
If you have created an organizational structure for Delinea objects as described in the Planning and Deployment Guide, creating a new Group Policy Object specifically for Delinea policies gives you the most flexibility and control over the configuration settings for managed computers and the operation of Delinea software. In deciding whether to create a new Group Policy Object or use an existing Group Policy Object, you should consider where policies should be applied. You can link Group Policy Objects to sites, domains, or organizational units to control the scope of the policies you set.
If you prefer to minimize the number of Group Policy Objects you deploy, you can add Delinea settings to one of default Group Policy Objects that are installed on the Windows domain controller:
- Default Domain Controllers Policy
- Default Domain Policy
You can add Delinea settings to any Group Policy Object regardless of whether you have any settings configured or applied to Windows users and computers. Settings that apply to Delinea-managed computers only affect computers where the Delinea Agent is installed.
