System and method for implementing group policy

US 20030023587A1
Filed: 09/24/2002
Published: 01/30/2003
Est. Priority Date: 08/14/1998
Status: Active Grant

First Claim

Patent Images

1. A computer-readable medium having computer-executable instructions for performing a method, comprising:

placing policy settings into a plurality of group policy objects, each policy object associated with at least one directory container;

accumulating the policy settings of the plurality of group policy objects into an accumulated policy for a policy recipient; and

associating the accumulated policy with the policy recipient.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for implementing policy by accumulating policies for a policy recipient from policy objects associated with a hierarchically organized structure of containers, such as directory containers (sites, domains and organizational units) that includes the policy recipient. Based on administrator input, policy settings for the policy recipient may be accumulated into a specific order by inheriting policy from higher containers, which may enforce their policy settings over those of lower containers. Policy that is not enforced may be blocked at a container. The result is an accumulated set of group policy objects that are ordered by relative strength to resolve any policy conflicts. Policy may be applied to a policy recipient by calling extensions, such as an extension that layers the policy settings into the registry or an extension that uses policy information from the objects according to the ordering thereof. Linking of group policy objects to one or more containers (e.g., sites, domains and organizational units) is provided, as is exception management. The effects of group policy may be filtered based on users'"'"' or computers'"'"' membership in security groups.

Citations

32 Claims

1. A computer-readable medium having computer-executable instructions for performing a method, comprising:
- placing policy settings into a plurality of group policy objects, each policy object associated with at least one directory container;
  
  accumulating the policy settings of the plurality of group policy objects into an accumulated policy for a policy recipient; and
  
  associating the accumulated policy with the policy recipient.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The computer-readable medium of claim 1 wherein accumulating the policy settings comprises, determining the accumulated policy for the policy recipient.
  - 3. The computer-readable medium of claim 2 wherein the policy recipient is logically below a hierarchy of directory containers, and wherein determining the policy settings of the plurality of group policy objects comprises, inheriting at least some of the settings from a policy object associated with a directory container hierarchically above another directory container.
  - 4. The computer-readable medium of claim 3 wherein the directory container hierarchically above the other directory container corresponds to a site.
  - 5. The computer-readable medium of claim 3 wherein the directory container hierarchically above the other directory container corresponds to a domain.
  - 6. The computer-readable medium of claim 3 wherein the directory container hierarchically above the other directory container corresponds to an organizational unit.
  - 7. The computer-readable medium of claim 3 wherein the directory container hierarchically above the other directory container corresponds to an enterprise having a plurality of domains thereunder.
  - 8. The computer-readable medium of claim 1 wherein accumulating the policy settings of the plurality of group policy objects comprises, blocking least some of the settings from a policy object associated with a directory container hierarchically above another directory container
  - 9. The computer-readable medium of claim 1 wherein each of the policy objects is associated with a directory container organized in a hierarchy of directory containers, and wherein accumulating the policy settings of the plurality of group policy objects comprises, inheriting the settings from at least one policy object associated with a directory container hierarchically above the policy recipient, and blocking the inheritance of settings from at least one other policy object associated with a directory container hierarchically above the policy recipient.
  - 10. The computer-readable medium of claim 1 wherein accumulating the policy settings of the plurality of group policy objects comprises ordering the group policy objects.
  - 11. The computer-readable medium of claim 10 having further computer-executable instructions comprising, applying the accumulated policy to the policy recipient.
  - 12. The computer-readable medium of claim 1 having further computer-executable instructions comprising, associating a plurality of directory containers with a common group policy object.
  - 13. The computer-readable medium of claim 1 having further computer-executable instructions comprising, associating a directory container with a plurality of group policy objects.
  - 14. The computer-readable medium of claim 1 wherein each of the policy objects is associated with a directory container organized in a hierarchy of directory containers, and having further computer-executable instructions comprising, separating the policy settings of a directory container hierarchically above the policy recipient into enforced and non-enforced settings, and wherein the step of accumulating the policy settings of the plurality of group policy objects comprises, inheriting the enforced settings, and blocking the inheritance of the non-enforced settings.
  - 15. The computer-readable medium of claim 1 wherein accumulating the policy settings includes receiving administrator input.

16. A computer-readable medium having computer-executable instructions for performing a method, comprising:
- placing policy settings into a plurality of group policy objects, wherein each of the policy objects is associated with a directory container organized in a hierarchy of directory containers;
  
  inheriting at least some of the settings from at least one policy object associated with a directory container hierarchically above a policy recipient;
  
  blocking the inheritance of settings from at least one other policy object associated with a directory container hierarchically above the policy recipient;
  
  ordering the group policy objects based on the hierarchy of directory containers; and
  
  associating the ordering of the group policy objects with the policy recipient.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 17. The computer-readable medium of claim 16 further comprising, applying policy settings to the policy recipient based on the ordering of the group policy objects.
  - 18. The computer-readable medium of claim 16 associating the ordering of the group policy objects with the policy recipient comprises, developing an ordered master list of group policy objects.
  - 19. The computer-readable medium of claim 18 wherein applying policy settings to the policy recipient comprises, writing settings from the group policy objects into a database from weakest to strongest based on the ordered master list.
  - 20. The computer-readable medium of claim 18 wherein applying policy settings to the policy recipient comprises, seeking a defined policy setting by evaluating settings from the group policy objects from strongest to weakest based on the ordered master list.
  - 21. The computer-readable medium of claim 16 further comprising, disabling at least part of the association between a directory container and a group policy object.
  - 22. The computer-readable medium of claim 21 wherein disabling at least part of the association comprises disabling the computer settings but not the user settings.
  - 23. The computer-readable medium of claim 21 wherein disabling at least part of the association comprises disabling the user settings but not the computer settings.
  - 24. The computer-readable medium of claim 16 wherein at least one policy object includes an exclusion list of at least one user to which the policy will not apply.
  - 25. The computer-readable medium of claim 16 wherein at least one policy object includes an inclusion list of at least one user to which the policy will apply.

26. A computer-implemented method, comprising:
- placing policy settings into a plurality of group policy objects, each policy object associated with a directory container in a set of directory containers arranged in a hierarchy;
  
  accumulating the policy settings of the plurality of group policy objects into an accumulated policy, wherein conflicting settings are resolved based on the hierarchy and inheritance data; and
  
  associating the accumulated policy with a policy recipient associated with the set of directory containers.
- View Dependent Claims (27, 28, 29, 30, 31, 32)
- - 27. The method of claim 26 wherein the inheritance data indicates that policy settings of a first policy object hierarchically above a second policy object are enforced and must be inherited.
  - 28. The method of claim 26 wherein the inheritance data indicates that policy settings of a first policy object hierarchically above a second policy object are suggested and may be blocked by the second policy object.
  - 29. The method of claim 26 wherein the inheritance data indicates that non-enforced policy settings of a first policy object hierarchically above a second policy object are to be blocked.
  - 30. The method of claim 26 wherein accumulating the policy comprises arranging the policy objects into a master list for applying to the policy recipient.
  - 31. The method of claim 26 further comprising, applying policy settings to the policy recipient, including inheriting at least one policy settings from a policy object that is hierarchically above the policy recipient.
  - 32. The method of claim 26 further comprising, applying policy settings to the policy recipient, including blocking at least one policy settings from a policy object that is hierarchically above the policy recipient.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Daniel Plastina, David E. Kays Jr, Eric R. Flo, Michael W. Dennis, Michele L. Freed, Robert E. Corrington
Inventors
Flo, Eric R., Plastina, Daniel, Corrington, Robert E., Kays, David E. Jr., Freed, Michele L., Dennis, Michael W.

Granted Patent

US 6,950,818 B2
Time in Patent Office

Days
Field of Search
US Class Current

707/3
CPC Class Codes

G06F 21/10   Protecting distributed prog...

G06F 21/604   Tools and structures for ma...

G06F 21/62   Protecting access to data v...

G06Q 10/10   Office automation; Time man...

H04L 63/102   Entity profiles

H04L 63/104   Grouping of entities

Y10S 707/99933   Query processing, i.e. sear...

Y10S 707/99939   Privileged access

Y10S 707/99942   Manipulating data structure...

Y10S 707/99945   Object-oriented database st...

Y10S 707/99953   Recoverability

System and method for implementing group policy

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for implementing group policy

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links