Got this question today:

  1. A rule/monitor is created and disabled by default
  2. The rule/monitor is overridden and enforced to False for a class
  3. The rule/monitor is then overridden and enforced to True for a specific object of the class

Will the rule be True or False?

I created a rule and disabled it by default. I then made an override for All Windows Server and marked the “Enforced” box.



I then made an override for a specific object of Windows Server, and changed the Override Value to True. I applied this change, but the Effective Value would still be False, because it is “inherited” from the enforced change in Windows Server.



I then marked the Enforced box on the override for the specific object. The Effective Value then changed to True.



I used eventcreate to create a test event. An alert was raised:



So, making a long story short: if both true and false are enforced, true beats false.

Happy enforcing!