Executive Summary:
Group Policy is one of Microsoft Active Directory’s most important features. This product review compares NetIQ’s Group Policy Administrator, NetPro’s GPOADmin, and ScriptLogic’s Active Administrator, three software products that manage Group Policy and help administrators in large IT departments with change management.
Microsoft is good at giving systems administrators cool product features that make our lives easier. Take Group Policy, for example. What started as the simple (yet problematic) Windows NT 4.0 System Policies has turned into an enterprise solution for managing desktop settings and deploying software. You can use Group Policy to do things like remove the Run command from the Start menu (to help prevent users from gaining a command prompt), display a logon message that users must acknowledge before logging on, and run scripts for logon, logoff, and even start-up and shut-down. If a policy isn’t available to do something you want, you can very often create your own by using an Administrative (.adm) template. If you’re not using Group Policy in your infrastructure, you’re missing out on one of Active Directory’s (AD’s) most important features.
But unfortunately, for large environments, Microsoft doesn’t always provide the best tools to manage Group Policy. Group Policy Management Console (GPMC) was released in 2003 and was a great improvement over the original tools that came with the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. But GPMC lacks robust features for a complex AD environment, such as change-management capability, an offline repository, and version control. Here’s where the products in this review enter the picture. NetIQ Group Policy Administrator, NetPro GPOADmin, and ScriptLogic Active Administrator all seek to fill voids in the Microsoft tools. The products take varying approaches to Group Policy management, but they all give administrators tools to keep track of Group Policy in an environment that requires change management.
Two products that fit the criteria for this comparative review are missing from it. Quest Software, which recently purchased ScriptLogic, requested that we include ScriptLogic Active Administrator here, rather than Quest’s Group Policy Manager. And Microsoft’s recent acquisition of DesktopStandard has resulted in the former DesktopStandard product GPOVault being unavailable for review at this time.
The Testing Environment
To test the products, I used VMware Server 1.0.3 to set up a simple AD domain. Each domain controller (DC) was a Windows 2003 Server machine running SP1 with up-to-date security patches. I used each product to edit existing policies as well as to create new ones.
In addition, I ran each product through a typical change-management scenario that might be found in a structured IT department. Specifically, I altered the password requirements in a default domain policy. Unlike a small shop, where one or two administrators can freely make changes at will, a large, structured, enterprise IT department will demand a formal process whenever network settings are changed. I’ve worked in both situations, and I learned that, at first, change management can seem stifling and unnecessary. However, you quickly come to understand that the processes are in place not only to protect the network but also to protect you. Imagine the consequences of changing password policy without proper approval in an enterprise environment.
So, based on my experience, I created the following typical Group Policy change-management process, then I used each of the products I reviewed to implement Group Policy within the process:
- A request is made to create or alter Group Policy.
- The request is reviewed by peers and tested in a lab.
- Implementation is approved.
- The original Group Policy Object (GPO) (if applicable) is backed up for rollback purposes.
- An offline GPO is created, edited, then verified by peers.
- The approved GPO is linked to the appropriate organizational unit (OU), and the old GPO is unlinked, if applicable.
- Verification that the new GPO is in production is made.
- Changes made to GPOs are audited periodically to ensure that the rules are being followed.
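The same process, from the backup step to the periodic audit, carried out with Microsoft’s GroupPolicy PowerShell module (Windows Server 2008 R2 and later) rather than with any of the products reviewed. This is an added example, not code from the review or from a vendor; the GPO names, domain DN, UNC path and ticket id are assumptions.

```powershell
# Added example (not from the review or from any vendor reviewed): the
# change-management steps above done with Microsoft's GroupPolicy module,
# which ships with Windows Server 2008 R2 and later, i.e. after these tools.
# The GPO names, domain DN, UNC path and ticket id are assumptions.
Import-Module GroupPolicy

$Production = 'Default Domain Policy'
$Staging    = 'Default Domain Policy - CR-1042'   # offline working copy
$Target     = 'DC=corp,DC=example,DC=com'         # domain root, where the policy is linked
$BackupPath = '\\fs01\GPOBackups'                 # file server that is itself backed up
$Ticket     = 'CR-1042: raise MinimumPasswordLength to 14'

# Back up the original so it can be rolled back later with Restore-GPO.
$backup = Backup-GPO -Name $Production -Path $BackupPath -Comment $Ticket
"Backup {0} of '{1}' stored under {2}" -f $backup.Id, $Production, $BackupPath

# Create the offline copy. Copy-GPO produces an unlinked GPO, so no user or
# computer sees the edit until the copy is deliberately linked.
Copy-GPO -SourceName $Production -TargetName $Staging | Out-Null
# ... edit $Staging in the GPMC editor and have a peer verify it here ...
# Attach the copy's report to the change request as the reviewed artifact.
Get-GPOReport -Name $Staging -ReportType Html -Path "$BackupPath\$Staging.html"

# Link the approved copy at the top of the link order, then unlink (never
# delete) the old GPO; the object and its backup are the rollback path.
# Caveat: Microsoft's guidance is to leave the Default Domain Policy linked;
# for that GPO in particular, many shops only add the higher-precedence link.
New-GPLink -Name $Staging -Target $Target -LinkEnabled Yes -Order 1 | Out-Null
Remove-GPLink -Name $Production -Target $Target | Out-Null

# Verify the new GPO really is in production: linked at the target and enabled.
$live = (Get-GPInheritance -Target $Target).GpoLinks |
    Where-Object { $_.DisplayName -eq $Staging -and $_.Enabled }
if (-not $live) { throw "$Ticket is not in production: '$Staging' is not linked at $Target" }
"'{0}' linked at {1} with order {2}" -f $live.DisplayName, $Target, $live.Order

# Periodic audit: every GPO modified since the last audit must match an
# approved ticket; anything else is an unapproved change to investigate.
$since = (Get-Date).AddDays(-7)
Get-GPO -All | Where-Object { $_.ModificationTime -gt $since } |
    Select-Object DisplayName, ModificationTime, Owner | Format-Table -AutoSize
```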
In addition to observing how each product fit into a change-management process, I looked at how easy it was to work with the product. Did the installation make sense? Was the interface intuitive and easy to navigate? And were there any compelling features that set one product apart from the others?
NetIQ Group Policy Administrator
I had a lot of trouble installing NetIQ’s Group Policy Administrator, but not because there was a problem with the NetIQ product. Rather, the instructions for installing the application were incorrect. The “Trial Guide” clearly states that you can use Microsoft Data Engine (MSDE) to store the Group Policy Repository (Group Policy Administrator’s offline version of your GPOs), which Figure 1 shows. I read and reread the Trial Guide (i.e., Group Policy Administrator Trial Guide.pdf) but couldn’t get the product to install. I eventually called NetIQ technical support and learned that the Trial Guide was a rewrite (dated February 10, 2006) of the earlier 4.0 product version, that some important information had been left out, and that this is a known issue at NetIQ. I expressed to the technician my opinion that a Trial Guide with known misinformation from 2006 should have been updated by now. I was told that it would be updated when the next version of the software comes out. The technician was friendly and extremely knowledgeable about the product. I just wish the Trial Guide had been correct so that I hadn’t had to call him in the first place. If you decide to give Group Policy Administrator a try, be sure to review the hardware, software, and network requirements for NetIQ Group Policy Administrator 5.0 at www.netiq.com/support. Look for Knowledge Base article 70246. In the end, I had to install Microsoft SQL Server 2000 SP3 to evaluate Group Policy Administrator.
Testing Group Policy Administrator
The Group Policy Administrator Roles and Delegation wizard lets you specify who can create, edit, and link GPOs (as well as many other permissions) from within the GP Repository. You can designate a group or user, what kind of permissions they will have, and which repository or specific Group Policy within the repository the permissions apply to. Keeping a tight leash on the repository will help prevent it from becoming a mess of half-used and obsolete GPOs.
To change the password policy within the change-management process I described earlier, I first located the default domain policy and backed it up by right-clicking the GPO under the GP Explorer node in the administrative interface and choosing Backup. Group Policy Administrator stores backups as regular folders, so you need to save them on a file server that’s backed up regularly. If you need to restore a GPO from a backup, a Group Policy Administrator wizard walks you through the procedure.
The next step was to edit an offline version of the default domain Group Policy. Editing the “live” version of a GPO can be risky because any changes you make can be immediately seen by the objects (i.e., users and computers) that the Group Policy applies to. To protect the production AD, you shouldn’t directly edit GPOs from within the NetIQ tool. Instead, edit them from within the GP Repository. The repository is empty by default. When you create a new GPO in Group Policy Administrator, it originates in the repository and is then imported into the production AD. You must import existing GPOs (those you created before you installed Group Policy Administrator) into the repository if you want to edit them.
Once a GPO has been copied to the repository, you can check it out of the repository, edit it, then check it back in. (Importing many existing GPOs at once has to be done with a script that Group Policy Administrator provides.) I like the fact that Group Policy Administrator prompts the administrator to enter a comment when checking GPOs in and out of the repository. This kind of feature can be extremely valuable whenever a change-management process is audited. After you edit a GPO from within the repository, you can run a report that compares the GPO in the repository to the one currently online in AD. Another useful report differentiates the two GPOs, pointing you to exactly where the differences are. Although the comparison report and the differential report sound as if they give the same information, they do not. The Group Policy Comparison report compares all the settings in the repository GPO to the online GPO’s settings. The Differential report shows only the settings that differ between the two GPOs. These are powerful reports that can help you identify problems immediately. The reports also help meet the next-to-last requirement in the change-management process I outlined earlier: verifying that the new GPO is in production.
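The distinction between the two reports, shown on the password settings from the review’s scenario; this is an added example built on GPO XML reports of the kind Get-GPOReport produces, not NetIQ’s reporting code. The two reports below are constructed and trimmed; the function names and setting values are assumptions.

```powershell
# Added example, not NetIQ's code: how a comparison report (every setting,
# side by side) differs from a differential report (only the settings that
# differ), built from two GPO XML reports. In production each [xml] comes from
# Get-GPOReport -Name <gpo> -ReportType Xml (GroupPolicy module, Windows
# Server 2008 R2+); the two reports below are constructed and trimmed to the
# password-policy part of that schema.
function Get-GpoAccountSettings([xml]$Report) {
    # Flatten the security extension's <Account> elements to name => value.
    # local-name() ignores the q1: namespace prefix that real reports use.
    $map = @{}
    foreach ($a in $Report.SelectNodes("//*[local-name()='Account']")) {
        $name  = $a.SelectSingleNode("*[local-name()='Name']").InnerText
        $value = $a.SelectSingleNode("*[local-name()='SettingNumber' or local-name()='SettingBoolean']").InnerText
        $map[$name] = $value
    }
    return $map
}

function Compare-GpoSettings([hashtable]$Repository, [hashtable]$Production, [switch]$DifferentialOnly) {
    # Comparison report by default; -DifferentialOnly keeps only changed rows.
    $names = @($Repository.Keys) + @($Production.Keys) | Sort-Object -Unique
    foreach ($n in $names) {
        $differs = $Repository[$n] -ne $Production[$n]
        if ($DifferentialOnly -and -not $differs) { continue }
        [pscustomobject]@{ Setting = $n; Repository = $Repository[$n]; Production = $Production[$n]; Differs = $differs }
    }
}

$sec = 'http://www.microsoft.com/GroupPolicy/Settings/Security'
$repositoryGpo = [xml]@"
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings"><Computer><ExtensionData><Extension xmlns:q1="$sec">
<q1:Account><q1:Name>MinimumPasswordLength</q1:Name><q1:SettingNumber>14</q1:SettingNumber><q1:Type>Password</q1:Type></q1:Account>
<q1:Account><q1:Name>PasswordHistorySize</q1:Name><q1:SettingNumber>24</q1:SettingNumber><q1:Type>Password</q1:Type></q1:Account>
<q1:Account><q1:Name>MaximumPasswordAge</q1:Name><q1:SettingNumber>60</q1:SettingNumber><q1:Type>Password</q1:Type></q1:Account>
</Extension></ExtensionData></Computer></GPO>
"@
$productionGpo = [xml]@"
<GPO xmlns="http://www.microsoft.com/GroupPolicy/Settings"><Computer><ExtensionData><Extension xmlns:q1="$sec">
<q1:Account><q1:Name>MinimumPasswordLength</q1:Name><q1:SettingNumber>7</q1:SettingNumber><q1:Type>Password</q1:Type></q1:Account>
<q1:Account><q1:Name>PasswordHistorySize</q1:Name><q1:SettingNumber>24</q1:SettingNumber><q1:Type>Password</q1:Type></q1:Account>
<q1:Account><q1:Name>MaximumPasswordAge</q1:Name><q1:SettingNumber>42</q1:SettingNumber><q1:Type>Password</q1:Type></q1:Account>
</Extension></ExtensionData></Computer></GPO>
"@

$r = Get-GpoAccountSettings $repositoryGpo
$p = Get-GpoAccountSettings $productionGpo
Write-Host 'Comparison report (all settings):';   Compare-GpoSettings $r $p | Format-Table -AutoSize | Out-Host
Write-Host 'Differential report (changes only):'; Compare-GpoSettings $r $p -DifferentialOnly | Format-Table -AutoSize | Out-Host
```

With the constructed reports the comparison lists all three settings and the differential lists only MinimumPasswordLength and MaximumPasswordAge, which is exactly the check that confirms the approved change, and nothing else, reached production.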
The only feature Group Policy Administrator lacks is built-in audit functionality. The tool tracks the changes you make to the GPOs in the repository but doesn’t track the GPOs that are in production. NetIQ has a product available for separate purchase called Group Policy Guardian that integrates with Group Policy Administrator and keeps track of production GPOs.