8.3 Control Access to Settings and Controls with Microsoft Group Policy

As an administrator, you can limit users' ability to modify their workspace or session documents by setting permissions from the Microsoft Group Policy Management Console using group policy templates.

NOTE:You can restrict access to Reflection controls only on systems on which the Windows User Access Control (UAC) is enabled. If the UAC is disabled, the configuration settings that restrict access do not apply.

Reflection installs a set of group policy templates (ADMX files) to the following directory:

\Program Files\Micro Focus\Reflection\Configuration\GroupPolicy

NOTE:To use this feature, you must be running Windows 7, Windows 8.1, or later on an administrative machine. For more information about managing group policy, see Managing Group Policy ADMX Files Step-by-Step Guide.

ADMX files

ADMX files are divided into language-neutral files (.admx) and language-specific resource files (.adml), available to all Group Policy administrators. These factors allow Group Policy tools to adjust their UI according to the administrator's configured language.

Reflection setup.exe installs ADMX files to:

... \ install_dir \Configuration\GroupPolicy\ADMX

It installs ADML files to the following directory:

...\
    install_dir \Configuration\GroupPolicy\ADMX\en-us
  

Reflection provides the following ADMX Group Policy files. Each of these files has a corresponding ADML language file.

This file

Controls access to

ACTIONS.admx

Actions

APPLICATION.admx

Reflection Workspace

RD3X.admx

3270 terminal settings

RD5X.admx

5250 terminal settings

RDOX.admx

VT terminal settings

ReflectionWorkspace.admx

Root-level ADMX file

ReflectionSecurity.admx

TLS and PKI settings

NOTE:This directory also includes the ReflectionPCIDSS.admx file. This file is used to configure information privacy through Group Policy and is not used to control access.

8.3.1 Install Group Policy Templates

Before you deploy group policy definitions, set and test them on a local test machine.

To deploy ADMX files on a local test machine

  1. Copy the .admx files from …\ install_dir \Configuration\GroupPolicy\ADMX to the central store ( %systemroot%\PolicyDefinitions)

  2. Copy all required locale .adml files to: %systemroot%\PolicyDefinitions\<locale>

  3. Open the Group Policy Object Editor ( gpedit.msc)

  4. Under either Computer Configuration or User Configuration, browse to Administrative Templates | Reflection Desktop or Administrative Templates | Reflection Security.

  5. In the Group Policy Management Editor, navigate to the setting or feature you want to configure.

  6. Enable the Group Policy settings you want to restrict access to.

    NOTE:For more about using ADMX files to set group policy, see Managing Group Policy ADMX Files Step-by-Step Guide.

8.3.2 Set Access with Group Policy

To set access with Group Policy Object Editor

  1. In the Group Policy Management Editor, navigate to the setting or feature you want to configure.

    The following example shows all shipping ADMX files loaded into the GPO Editor under User Configuration. Group Policies can be set at the machine (Computer Configuration) or user (User Configuration) levels.

  2. Enable the Group Policy settings you want to use.

    The following example shows the following:

    • The current node is the RD3X Document\Connection\TN3270Basic group.

    • All the settings for this group are listed in the right-hand panel.

    • The Restrict ConnectionTimeout setting policy is Enabled. This setting for 3270 display sessions is restricted.

    Registry keys are added when policy settings are Enabled. These keys remain in the registry when policy settings are Disabled. No key is present when policy settings are Not Configured.