Got this question today:
- A rule/monitor is created and disabled by default
- The rule/monitor is overridden and enforced to False for a class
- The rule/monitor is then overridden and enforced to True for a specific object of the class
Will the rule be True or False?
I created a rule and disabled it by default. I then made an override for All Windows Server and marked the “Enforced” box.
I then made an override for a specific object of Windows Server, and changed the Override Value to True. I applied this change, but the Effective Value would still be False, because it is “inherited” from the enforced change in Windows Server.
I then marked the Enforced box on the override for the specific object. The Effective Value then changed to True.
I used eventcreate to create a test event. An alert was raised.
So, to make a long story short: if both true and false are enforced, true beats false.