View this month's Buyer's Guide

Group Policy, which you implement through Windows Server 2003 or Windows 2000 Server, is an indispensable feature for managing the behavior of clients and servers in Windows environments. But maintaining a large number of Group Policy Objects (GPOs) and their links to domains, organizational units (OUs), and sites can be a difficult task. The products in this Buyer's Guide provide general Group Policy management assistance; they also extend and enhance Group Policy's basic functionality.

Basic Operations
Many of the products, such as solutions from Active Directory (AD) and Group Policy solution wizards BindView and NetIQ, help you perform Group Policy management tasks. These tasks include functions such as GPO creation and maintenance, policy analysis, import and export, backup and restore, and reporting.

Creation and Maintenance
For GPO creation and maintenance, look for advanced features that let you control and track GPO changes. Products that offer thorough change and release management strategies let you view a given GPO's properties at any point in its life cycle.

Policy Analysis
Group Policy analysis usually takes the form of a Resultant Set of Policies (RsoP), which lets you see which policies will be in effect when a given user logs on to a specific computer. The ability to perform offline analysis of different scenarios, such as when you move a user to another OU or move a computer to a different site, is another important feature to consider.

Import and Export
Thoroughly testing GPOs before putting them into production is an important step. Many organizations create and test GPOs in lab environments. You can save hours of work and avoid potential data entry errors by exporting GPOs from a lab environment and importing them into a production environment. You can also use import and export to move GPOs between production domains.

Backup and Restore
A good Group Policy management product lets you back up GPOs, security group filters, and Group Policy links to disk. Backups are useful when a GPO becomes corrupt or a newly implemented GPO causes a problem. You can also use backup to migrate Group Policy settings to a new domain or forest. Some vendors' tools let you replicate, synchronize, and manually copy GPOs between domains and forests when you migrate the associated security group filters and Group Policy links. This functionality lets you easily transfer the policy settings from a test environment to a production environment. Find a product that automatically documents the backup contents, including the settings for backed-up GPOs.

Reporting
Robust reporting for diagnostic, troubleshooting, and business-management purposes is a must-have. Look for a centralized reporting tool that provides insight from a variety of angles into your organization's object classes, policy settings, policy-affected registry keys, and security. The ability to search for a GPO that defines a specific setting and to compare a specific GPO with another version of the same GPO, an archived GPO, or a live GPO in AD are especially helpful features. Discovering problems such as GPO corruption and replication failures ensures that your policy infrastructure stays healthy. Report output options will ensure that you can use the results more effectively.

Extending Group Policy Functionality
Other products in this Buyer's Guide are geared toward leveraging the Group Policy infrastructure to extend its native capabilities. FullArmor GPAnywhere! lets you apply the power of Group Policy to nonnetworked and remote systems. You can use FullArmor GPAnywhere! to create, edit, import, and export GPOs with Windows 2003's Active Directory Application Mode (ADAM) and export the GPOs to clients as executable policy files. Another FullArmor solution, IntelliPolicy for Clients, provides new policies and options for desktop and server management that aren't available out of the box with Windows 2003. FullArmor has partnered with NetIQ to develop synergies with NetIQ's Group Policy Administrator products.

Vintela Group Policy (VGP), an add-on to Vintela Authentication Services (VAS), uses the existing Group Policy interface that's native to AD to extend policy-based management to UNIX and Linux systems. Although VGP currently provides an interface for creating UNIX and Linux GPOs through ADAM template files, a fully functioning server-side extension is in development and scheduled to be included in a future version of VGP.