Groups are used to restrict the scope of Policies to a particular subset of client computers.

Groups Window

The Groups window shows groups, which can be used to restrict the scope of Policies. Groups which have been created manually by an administrator will be listed here. Also, if the KeyServer is set to use certain authentication methods (such as Active Directory), groups which are defined externally by the authentication method will appear in the window as well. These groups are not editable as they are controlled by the external source. However, some authentication methods do not gather a list of groups, so some groups may not appear in this window, even though they can be used for Policies (see Policy Details Window for more about using groups for Policy restrictions).

Double clicking a Group opens the Group Details window:

Group Details Window

The Group Details Window shows the name of the group, and has five panels: Nodes, Divisions, Locations, Filter, and Notes.

Group membership is determined by an OR of various conditions. When checking to see if a client is in the scope of a policy, each condition for the group is checked, and if any of them are met, group membership is satisfied, and the policy applies to the client. Group membership can be given either because the computer is in the node list for the group, it is in a Division which is associated with the group, it is in a Location which is associated with the group, it matches the Filter defined for the group, or the authentication module recognizes the computer or user as a member of the group. Currently, it is important to note that the Group Details Window does not show any indication of whether this group is a valid group according to the authentication module. It does, however, list Computers, Divisions, and Locations which are associated with the group, and the filter pane lets you bring up a window showing those computers which match the filter.

The Nodes pane contains a list of computers associated with the Group, along with the last user and time at which this group allowed someone on the computer to use a policy. Any computer on this list is a member of the Group. Computers can be dragged from the Computers Window into this list.

The Divisions pane lets you include all the nodes of an entire Division just by referencing the Division name (as defined in the Computers window). Then any changes to a computer's Division affiliation, configured by dragging items in the Computers window, will be automatically reflected in any Group definition that depend on it.

The Locations pane lists each Location which is associated with the Group, as well as the type of the Location. Any computers in these locations on the network can be member of the Group. Location objects can be dragged from the Locations Window into this list.

The Filter pane allows you to define a filter just as you would in the main computers window (see the Filters documentation for more). Then any computer which matches the filter can be a member of the group. The “Show Computers” button lets you check that the filter is working as expected.

The Notes pane contains a single item, which is a free-form text field. You can use it for any information you want. It can also be used in custom reports.