Executive Summary:
BeyondTrust Privilege Manager, New Boundary Technologies' Policy Commander, and Quest Software's GPOADmin each fill Group Policy management gaps that exist in a standard Windows installation. Take a look at these three products if you need to remove users from the local administrators group, or you need to lock down all your PCs and be able to prove it with online reports, or you need to create a Group Policy workflow approval process.
Ever since two PCs were first connected to one another in a business environment, systems administrators have been trying to find easier ways to manage networked computers. In Windows 2000 Microsoft introduced group policies that laid a foundation for PC management that's still in use today. In this article I review three Group Policy products that all play a different role in how you manage the computers on your network. Two of the products either use or integrate heavily with Group Policy, whereas the other product relies on a custom solution.
BeyondTrust Privilege Manager
BeyondTrust Privilege Manager's aim is simple: to remove the requirement that users must be local administrators on their PCs in order to run software. This goal seems simple at first, until you actually try to accomplish it. In addition to not being able to run software, regular users can't change the time zone or run the built-in disk defragmenter utility. Privilege Manager lets you easily grant permissions on an application-by-application basis.
BeyondTrust Privilege Manager
PROS: Easy to give users elevated privileges on an application-by-application basis; simple installation
CONS: Cost per seat might put this handy solution out of reach for some budget-minded companies
RATING: 4 out of 5
PRICE: $37.20/seat (includes Upgrade Assurance and Premium Support)
RECOMMENDATION: Privilege Manager is a good solution if you don't have time to manually research how to relax the folder and registry permissions so that your users don't have to be local administrators.
CONTACT: BeyondTrust • 603-610-4255 • www.beyondtrust.com
Installation. I followed the Privilege Manager Installation Guide PDF, which walked me through the simple installation procedure. You can install Privilege Manager on Windows Server 2003 SP1 or later, or on Win2K SP4. You need to install the program on the same machine that you use to edit Group Policy. Be sure to install the Microsoft .NET Framework 2.0, which you can download from Microsoft's website. Installation is fast, taking only a few minutes, and it doesn't require any user intervention. The installation is also clean; it doesn't add any desktop shortcuts or Start menu items. Instead, Privilege Manager adds itself into Group Policy Object Editor as a Group Policy extension, as Figure 1 shows. Privilege Manager comes in both a 32-bit and a 64-bit version. Of the three solutions that I tested, Privilege Manager was by far the easiest to install and configure.
In addition to the administration portion of Privilege Manager, you must install a client for each PC that you want to manage. Because the client is in MSI format, you can easily deploy it through Group Policy. The client also comes in both 32-bit and 64-bit versions.
Configuration and use. Configuring a new Privilege Manager policy to allow users to run software is just like creating a new Group Policy setting. The new policy can be applied to users and computers during computer startup or user logon, or at 90-minute intervals. I started with a new Group Policy setting and navigated to the Group Policy Object (GPO) extension called Computer Security, which is added when Privilege Manager is installed. Next, I right-clicked and created a new Privilege Manager policy. You can choose from nine types of rules, including Path Rule (allow an application based on its path); Hash Rule (allow an application based on its hash); and rules for folders, MSI files, and certificates. An "everything rule" (called a Shell Rule) lets users run any application they want, while keeping a strict audit on the activity. This rule is useful for "power users" (e.g., developers) whose application-running privileges can't be restricted, but who need to be reminded that they are responsible for what happens on their machine. You can even set a rule to prompt the user to enter a justification for running an application.
Privilege Manager's configuration and capabilities are flexible. For example, you can create a Self-Service Installation Point, which is a read-only network share with a Folder Rule applied to it and that includes software you want users to be able to install. If a user requests a specific application, you can simply drop the setup files into the network share, and the user can then install the application.
Although you can set up a rule for any application that you want users to be able to run, Privilege Manager also has some built-in rules for common tasks. For example, you can give users permission to change their time zone, run a disk defrag, set the power options, or configure accessibility options.
Sometimes the exact process and variables a program uses aren't obvious. For these situations, Privilege Manager includes a cool troubleshooting tool called Policy Monitor (PolMon.exe). Policy Monitor displays the specific commands used when a user tries to change the time or defragment the hard drive. If you have a custom application that you need to give a user elevated privileges to, this handy tool will give you the information you need.