Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


November 2007

3 Tools to Manage Group Policy

These products vary in approach, but all function well when change management is integral to the environment

NetPro GPOADmin
NetPro’s GPOADmin takes a different approach from the other two products in this review. Rather than creating a brand-new interface, GPOADmin extends GPMC. If you’re already using GPMC, then you’ll feel comfortable with GPOADmin, which Figure 2 shows. Like Group Policy Administrator, in order to use GPOADmin you must have SQL Server 2000 installed, and you’ll also need the .NET Framework 2.0.

There are two setup applications on the GPOADmin CD-ROM: GPOADminExtensions.msi and GPOADminSetup.msi. GPOADminSetup.msi is the complete setup package to get your enterprise up and running. I chose to run it on my DC, but an enterprise would probably want to run it on a dedicated server in a production environment. Once GPOADmin is set up and running, you can use GPOADminExtensions.msi to extend the GPMC installations on your administration PCs.

Installing GPOADmin went smoothly and presented no problems. After the installation is complete, you are prompted to install a license file, which is a simple .txt file that you receive from NetPro. The import process for the license file took only a few seconds and went off without a hitch.

When you run GPOADmin the first time, you’re prompted to install the following three components via a wizard: GPOADmin Database, GPOADmin Service, and the optional Monitoring Agent. I had no problems creating the database on SQL Server or creating the service that keeps track of the Group Policy activity. In the wizard, I chose to enable Comments are required with GPO Version because I wanted to see this functionality in action.

Testing GPOADmin
To begin my testing, I found the default domain policy and backed it up. The process in GPOADmin is nearly identical to Group Policy Administrator’s process.

The next step presented my first problem: I couldn’t find a way to edit the GPO offline. A quick review of the “Admin Guide” showed me what I was doing wrong: I was looking for a repository, or the word “offline” in the tool. But GPOADmin uses a “Lineage,” which is a version history of each Group Policy. This way of rolling out new GPOs took a bit of getting used to because I didn’t find it very intuitive.

The reporting in GPOADmin consists of numerous default reports that give such useful information as a listing of “Ineffective GPOs” (i.e., GPOs that aren’t linked to an OU), Group Policy with “Cross-domain linked GPOs,” and GPOs with duplicate links. You can also compare and contrast different GPOs to identify the differences between them. According to NetPro, GPOADmin “is the only solution with the ability to compare between two backups made with Microsoft GPMC so that organizations can leverage their investment with existing GPO backups.” This is a useful feature for organizations that are already using GPMC.

One of the most intriguing features that I found while evaluating these products is GPOADmin’s “GPO Cloaking.” It allows you to stage new GPOs in production yet keep them hidden from administrators who don’t have permission to see them. This feature prevents junior administrators from linking to and using a new GPO before it has been approved.

Extending GPMC is a slick idea and one that has paid off for NetPro. The only feature that I found to be frustrating was the implementation of Lineages. Given a choice, I would much prefer to have a separate repository to work from. Repositories give you a clear understanding of which GPOs are in production and which are not. Other than that, GPOADmin is a solid, clean product.

ScriptLogic Active Administrator
ScriptLogic’s Active Administrator is the most expensive solution I evaluated, but it’s also the most robust. It has most of the features the other products have, plus some additional ones. This product’s tabbed interface was my favorite to work with.

Product setup, including standard installation questions, went off without a hitch. Active Administrator can use an MSDE back end to store its Security Event Database. However, MSDE has a maximum limit of five simultaneous connections. ScriptLogic recommends that you use SQL Server if “the combination of domain controllers and the number of users accessing the information will be greater than five.” So, if you had two DCs and only three administrators simultaneously accessing data via Active Administrator, the MSDE database would work just fine.

Active Administrator stores non-security-related Group Policy data in an easily accessible folder structure. You are prompted to create this structure during the setup routine. I chose to install it on the root of the C drive: C:\aadata. This folder is automatically shared as ActiveAdministrator with a security setting of EVERYONE - FULL CONTROL. ScriptLogic recommends that you “modify the permissions of the share to only allow access by the service accounts used by the Active Administrator services, and by the users who will run the Active Administrator console.” Doing so protects the data in these folders from being accessed by unauthorized users. I recommend that you create a security group called Role Active Administrators and assign this group Modify permission on the ActiveAdministrator folder. (To learn more about how to use role-based security, see “Let’s Get Organized: File Server Basics,” May 2007, InstantDoc ID 95354.) Don’t forget to double-check your corporate backup settings to ensure that these folders are backed up regularly.
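The share lockdown described above, as an added example that is not from the article or from ScriptLogic. It uses the SMB share cmdlets that ship with Windows Server 2012 and later; the CONTOSO domain prefix, the svc-activeadmin service account, and the access level given to that account are assumptions to replace with your own values.

```powershell
# Added example. Values marked ASSUMED are placeholders, not from the article.
$ShareName  = 'ActiveAdministrator'                 # share name from the article
$DataPath   = 'C:\aadata'                           # path the reviewer chose
$AdminGroup = 'CONTOSO\Role Active Administrators'  # group from the article; domain ASSUMED
$ServiceAcc = 'CONTOSO\svc-activeadmin'             # ASSUMED service account name

# 1. Audit: list broad principals that currently hold Allow entries on the share.
$broad = 'Everyone', 'NT AUTHORITY\Authenticated Users', 'BUILTIN\Users'
$findings = @(Get-SmbShareAccess -Name $ShareName |
    Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.AccountName })
$findings | Format-Table Name, AccountName, AccessRight -AutoSize

# 2. Grant the intended principals first, so the share is never left
#    without a working entry for the console users and the services.
Grant-SmbShareAccess -Name $ShareName -AccountName $AdminGroup `
    -AccessRight Change -Force | Out-Null
Grant-SmbShareAccess -Name $ShareName -AccountName $ServiceAcc `
    -AccessRight Full -Force | Out-Null             # ASSUMED level for the service

# 3. Remove the broad entries found in step 1 (the default Everyone entry).
foreach ($entry in $findings) {
    Revoke-SmbShareAccess -Name $ShareName -AccountName $entry.AccountName `
        -Force | Out-Null
}

# 4. NTFS side: Modify for the role group, as the article recommends.
#    (OI)(CI) makes the entry inherit to files and subfolders. This only
#    adds entries; review inherited NTFS entries on the folder separately.
icacls $DataPath /grant "${AdminGroup}:(OI)(CI)M" "${ServiceAcc}:(OI)(CI)M"

# 5. Verify: fail loudly if any broad principal is still on the share.
$left = @(Get-SmbShareAccess -Name $ShareName |
    Where-Object { $broad -contains $_.AccountName })
if ($left.Count -gt 0) {
    Write-Warning "Broad access still present on ${ShareName}:"
    $left | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
} else {
    Write-Output "Share '$ShareName' is limited to named principals."
    Get-SmbShareAccess -Name $ShareName |
        Format-Table AccountName, AccessControlType, AccessRight -AutoSize
}
```

Effective access over the network is the more restrictive of the share permission and the NTFS permission, so both layers need to name the same principals.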

The folder structure of the ActiveAdministrator share looks like the following:

C:\aadata
    ActiveTemplates
    ADBackups
    GPOHistory
    GPORespository
