Using Administrative Utility
Administrative Utility
The administrative utility allows configuring policy actions (note that you need sufficient administrative rights to do it). It can be found in the Start -> USB for Remote Desktop menu.
Session Tree
The main program window displays a list of active user sessions. Each session contains a list of USB devices available for connecting by the user (the same list that is displayed in tray context menu in the user session). Each device contains a list of policies (if any) applied to the device.
Sessions
For each session it's possible to refresh Policy Storage (it makes sense if the user is a domain user and the Domain Storage is used, and you want to apply new policy actions from the Domain Storage immediately).
In case of refreshing, the Policy Storage will be refreshed for every user of the same domain.
Devices
It's possible to disconnect a selected device (if the device is currently connected).
In case of a disconnect, the logged user is still able to connect the device via tray context menu.
Also, it's possible to add/modify policy for the selected device. When "Add Policy" is selected, it creates a new device group for that device (if it doesn't exist), adds Allow policy for that device and opens Device Access Policies Dialog (so that the Administrator does not need to enter device properties manually).
Policies
In order to modify the selected policy, open Device Access Policies Dialog (double-click on the policy or use context menu).
Policy Editor
There are several ways to access the Device Access Policies dialog:
- In program menu click Program, then Show Policies.
- In main window, select USB device. Then in program menu click Edit -> Add Policy for Device...
- In main window, select USB device. Then use right-click context menu Add Policy....
First of all, choose the proper Policy Storage (Local Policy or Domain Policy).
In case Use only local storage setting is active, domain policy is not used by the program, so the dialog is not displayed and the Local Policy Storage is used.
Domain-Policy Connection
- Domain
- Full DNS name of the domain. NetBIOS names are not supported. In the most cases, the list of domains is detected automatically, so you can select the proper domain name from the drop-down list.
- User name
- Name of the user to access the Active Directory database. If empty, the current username will be used. The following formats are supported: "User Principal Name" (User@Domain) and "Down-Level Logon Name" (Domain\User). In case the domain part is not specified, Domain field is used as the domain name.
- Password
- Password for the user.
- DC name
- DNS name of server DC "server:port" or "server". If not specified, the proper DC server is selected automatically.
If the selected storage does not exist, you'll be prompted to create it.
Predefined device groups with predefined policies (Allow for Everyone) are created automatically in the newly created storage.
Device Access Policies Dialog
The dialog consists of 2 columns. The left column contains the list of USB devices and USB device groups. You can define new device groups, modify and remove existing ones. The right column contains the list of Access Policies for the selected USB device group. You can add new policies or modify and remove existing ones.
Defining Device Groups
In order to add a new device or device group you need to specify it using the following parameters:
- VID
- Vendor ID.
- PID
- Product ID.
- Serial
- Device serial number.
- Class
- Device class.
- Subclass
- Device subclass.
- Protocol
- Device protocol.
These parameters are not mandatory, so it's OK to specify just several of them leaving others by default.
Also you need to specify a unique name for the device group.
Creating several groups with the same values of the parameters is not allowed.
Creating Account Policies
Each Device Group may contain several Account Policies (each Account Policy describes the action for a specified user or user group). To add a new policy, specify the user account and select the policy action.
User accounts format:
| Account | Local account |
| Account@Domain | Domain account |
| Account\Domain | Well known group |
| SID | Cannot get account name |
For specifying the account name, the standard Windows dialog is used:
Testing Effective Policy
Sometimes, especially in complex configurations, it's useful to have a tool allowing you to check access policy for a specified USB device for a specified user.
Just select the proper USB device group in the drop-down list and specify the user account and it will show the effective Policy Action.