Windows IT Pro is the leading independent community for IT professionals deploying Microsoft Windows server and client applications and technologies.
  
  


November 2007

3 Tools to Manage Group Policy

These products vary in approach, but all function well when change management is integral to the environment

The first subfolder stores Active Templates, which are similar to the Delegation Wizard that debuted in Windows 2000. The ADBackups folder stores exactly what it describes: AD backups. GPO History is a feature that displays the names of everyone who changed a Group Policy and the date the changes were made. Both Group Policy Administrator and GPOADmin have a similar structure, but I liked how Active Administrator made the information easy to find.

Like Group Policy Administrator, Active Administrator has a GPO repository, which Figure 3 shows. But the Active Administrator Group Policy Offline Repository is stored in a folder structure, rather than in a database. This is the KISS (Keep It Simple, Stupid) principle at its best—no database requirement or additional administrative overhead.

Testing Active Administrator
I read the “Administrators Guide,” familiarized myself with the product, and then ran through the mock change-management process. When I took a backup of the default domain policy, I immediately noticed a difference with this tool: When you right-click the policy name in the GUI and choose Backup, you have a number of choices:

  1. Backup Security Group Filters
  2. Backup Group Policy Links
  3. Save a GPO Report
  4. Generate Log File
  5. Add additional Group Policies to backup
  6. Schedule the backup

A simple backup and restore mechanism is a necessity for products of this type, but these advanced features set Active Administrator apart from the others.

I then copied the GPO to an offline area by using the Add to Offline Repository menu item. Once the GPO is in the repository it can be checked out, edited, and checked back in. The process is almost identical to Group Policy Administrator except that Active Administrator doesn’t prompt you to add notes.

When it comes to auditing what has happened with Group Policy, Active Administrator has a clear lead on the competition. By using an Active Administrator agent on each DC, you can keep a close eye on who’s doing what with Group Policy. In addition to Group Policy changes, Active Administrator will let you know who has reset a password, deleted a user, and performed other administrative actions. You can capture, track, and report on more than 80 security events. If your company requires you to audit whether Group Policy follows your change-control process, then Active Administrator is the clear choice for your environment.

Active Administrator’s tabbed interface is extremely easy to master. Each area is clearly labeled, and I found Active Administrator the easiest tool to hit the ground running with. However, added features that are outside the scope of Group Policy management make Active Administrator an expensive option.

Reviewing the Pros and Cons
All three products do a good job of improving the Group Policy management process, but each does so in a different way. Group Policy Administrator and Active Administrator both use an offline repository to let you work on GPOs in an offline environment. Group Policy Administrator stores its repository in a SQL Server database. Active Administrator uses a file system as an offline repository. GPOADmin, in contrast, is an extension of GPMC and doesn’t use a repository at all. Instead, GPOADmin backs up a GPO automatically before you start editing and after you finish editing. This tool is geared toward customers who don’t want to modify existing GPOs by following the model that says you replicate an existing GPO, make changes to it, and when you’re ready to deploy it, link it where the existing GPO is and then remove the links to the old GPO. GPOADmin’s approach is different because the product satisfies a different set of customer requirements.

All three products require a back-end database. Group Policy Administrator’s repository is in SQL Server. GPOADmin’s database stores backups and old versions of live, production GPOs. Active Administrator’s database stores security events such as editing, adding, or deleting GPOs, as well as other security-related events.

The look and feel of each product is unique. Group Policy Administrator looks like an extension of GPMC, whereas GPOADmin really is an extension of this Microsoft tool. Active Administrator doesn’t look like either Group Policy Administrator or GPOADmin but resembles the properties of a User object in AD with its tabbed layout.

The reporting capabilities of each product were similar. All three of these tools will help you find the similarities and differences between GPOs.

My Bottom Line
If you administer Group Policy in a medium to large company, then you’re probably familiar with the frustration of not having the tools you need to manage Group Policy in a change-control environment. All three of these products can help you get your GPOs organized in a structure that you can easily manage. NetIQ’s Group Policy Administrator and NetPro’s GPOADmin are both strong products. But because ScriptLogic’s Active Administrator had the best look and feel, was the most intuitive, and includes extra features to help manage Group Policy, I designate it my Editor’s Choice.



Reader Comments
Great article Eric!

There is not a wasted line of text… Meaning, you explain and lay things out so that an Admin at my level (knows enough to be dangerous) can easily follow along; as well as someone at say, Mark Minasi’s level.

There is great info for everyone, regardless of their skill level.

Keep them coming!

Tim Bolton

jsclmedave November 14, 2007






 
 Windows IT Pro is a Division of Penton Media Inc.
 © 2009 Penton Media, Inc. Terms of Use | Privacy Statement