Executive Summary:

Group Policy lets you centrally configure and manage computers and remote users in your Active Directory (AD) environment. However, many IT pros find deploying Group Policy difficult. They’ve been frustrated, for example, when they’ve tried to find a specific setting in Group Policy, or design Active Directory (AD) organization units (OUs) with Group Policy in mind, or troubleshoot nonworking Group Policy Objects (GPOs). With Microsoft’s new Group Policy Preferences offering as well as current and future ISV products, Group Policy will be increasingly useful to more organizations.


“There’s no reason Group Policy shouldn’t be easy to use,” says SDM Software CEO and Group Policy MVP Darren Mar-Elia. If you’re in the 22 percent of IT pros who admit to “winging it” as they configure and manage Group Policy, you might be surprised to hear that statement. Many IT pros have found it difficult to find a specific setting in Group Policy, to design Active Directory (AD) organization units (OUs) with Group Policy in mind, to set up user and computer groups to work with Group Policy, to troubleshoot nonworking Group Policy Objects (GPOs), and to back up the GPO infrastructure.

That a significant number of IT pros acknowledge being somewhat clueless about Group Policy—even as they use it—surprised Group Policy solution provider NetIQ. The company surveyed IT pros about how they use Group Policy and published the results in 2007. According to Sacha Dawes, senior manager of product marketing at NetIQ, that figure of 22 percent is evidence of the lack of available native tools for managing Group Policy, including “the severe lack of change control.”

In a conversation with Windows IT Pro magazine in the fall of 2007, Dawes noted that 58 percent of survey respondents said they’d experienced an unplanned outage from a Group Policy change and that their troubleshooting time ranged from 45 minutes to more than 6 hours. And more than half of the respondents also said that they had no system set up to alert them to a Group Policy problem or anomaly—their “strategy” was simply to wait for an incident to occur.

Group Policy experts, solution providers, and users agree that Group Policy can get you into a lot of trouble if you don’t use it properly. They differ on what Microsoft’s role is in managing this technology and what vendors can best do to help fill in the gaps. They also have different opinions on what impact Microsoft’s soon-to-be-released Group Policy Preferences (technology from the acquisition of DesktopStandard) will have on the Group Policy tools market.

Most agree, however, that if you’re not using Group Policy yet, you will be. Let’s look at how Group Policy has evolved, why it has a reputation for causing IT pros to sweat bullets, and how Microsoft and third-party tools aim to help ease your Group Policy pain.

Group Policy Past and Present
Group Policy is a Windows feature that lets you centrally configure and manage computers and remote users in an Active Directory (AD) environment. You’ll find Group Policy at work in the enterprise as well as in smaller organizations, such as schools and libraries, where it can be used to restrict users’ actions and increase security.

Using Group Policy, you configure settings and store them in Group Policy Objects (GPOs). You create and edit GPOs with two tools: The Group Policy Object Editor (GPE) lets you create and edit one setting at a time, and the Group Policy Management Console (GPMC) lets you create and edit multiple settings at a time. After you create the GPO, you target or link it to an AD site, a domain, or, more typically, an organizational unit (OU). Then the Group Policy client pulls a list of GPOs appropriate to a machine and logged-on user and applies the GPOs. The GPOs enforce your organization’s security settings and restrictions—and keep users from overriding them.

NetIQ’s survey found that a surprising number of IT departments use Group Policy as a way to write fewer scripts. The more typical use, however, is for configuration management and for implementing server security and protection at the client level. Group Policy’s usefulness is clear; what, then, makes it so difficult to master?

Consider that Group Policy began in Windows 2000 with just 500 settings. “You could wrap your brain around that,” Microsoft’s Lead Program Manager in Group Policy, Kevin Sullivan, says. Windows XP Service Pack 2 (SP2) had “800 additional settings. With Vista, it’s 3,000. A slew more will appear in 2008.”

Mar-Elia, of SDM Software, explains: “The way Group Policy was built, a team built the engine and created a framework. But the team didn’t create a standard. So each product group went off and did its own thing.” Sullivan offers the Microsoft perspective: “The Group Policy team doesn’t decide what needs to be managed, for example, in Windows Media Player—but we do help them and test the Group Policy experience.”

With the acquisition of DesktopStandard in 2006, Microsoft at least made it easier on itself in the Group Policy arena. DesktopStandard’s GPOVault Enterprise became Microsoft Advanced Group Policy Management (AGPM) and was released in the Microsoft Desktop Optimization Pack (MDOP) for Software Assurance (SA) in July 2007. AGPM lets you manage GPOs by offering change control (e.g., the ability to check GPOs in and out for editing), the ability to compare two versions of a GPO, and role-based delegation. Microsoft is integrating Desktop- Standard’s PolicyMaker Standard Edition, Share Manager, and Registry Extension into the GPMC and renaming it Group Policy Preferences. It will be in Windows Server 2008 and offered as a Windows Vista SP1 download in the Remote Server Administration Toolkit (RSAT).

Two vendors whose product offerings don’t overlap with Microsoft’s Group Policy offerings comment favorably on the release of the newly acquired tools. Thorbjörn Sjövold, CTO and founder of Special Operations Software (Specops), says Microsoft “more than doubled the number of Group Policy extensions with Group Policy preference extensions (GPPE). This is really good news because it shows that Microsoft believes in Group Policy and is committing to the technology.” The former CEO of DesktopStandard, now CEO of BeyondTrust, John Moyer, adds, “What Microsoft is releasing with Group Policy Preferences is going to make Group Policy useful to the broader market and will help with standardizing desktops.”

The settings in Group Policy Preferences “could potentially reach a staggering number,” Microsoft’s Sullivan says. “I mean that in a ‘wow, look at my breadth of management’ way. For example, it’s easy to distribute binary data out to clients. It’s a pretty exponential leap we’re looking at.”

Group Policy Preferences adds flexibility, Sullivan says. An administrator can create an image, deploy it to users, and users can change some of the preferences if the administrator allows it. “An admin can set or narrow down in Editor, turn on filter options, and look for commented settings.” Sullivan points out the usefulness of being able to annotate GPOs with commented settings. “Today, if customers open a GPO and see a creation date of 2000, they don’t know why it was created or who created it.” Another feature in Group Policy Preferences is what he calls “starter GPOs.” What he refers to is architecture that supports a baseline application. “You can create starter GPOs with canned settings and another admin can use those canned settings as a starting point” to configure a new GPO.

Continue on Page 2

Jason Leznek, Microsoft Senior Product Manager for Windows Client Manageability, adds, “The other thing that Group Policy Preferences lets you do is richer targeting. Group Policy Preferences lets you set Windows Management Instrumentation (WMI) filtering or go beyond, and it’s in a GUI. You can have check boxes; you can specify situations for settings; you can have multiple settings in one GPO.”

According to Sullivan, Microsoft jumped on those feature changes that provided best customer value and didn’t step on partners. Sullivan says his team asked customers, “What do you want to do in Group Policy?” The answer was that they wanted to do everything they could on their systems. “Group Policy Preferences provides application extension,” Sullivan notes. “Partners can go in through the core and add and enrich.”

Third-Party Solutions
You’ll find several big players in the Group Policy arena and some smaller ones. Tools from third parties tend to fall into two main areas—those that extend what you can do with Group Policy and those that help you manage Group Policy.

Tools that extend Group Policy. Within the extension area are tools that add Group Policy functions. Examples of such functions include software deployment and asset inventory. Two vendors in this arena are BeyondTrust and Specops.

BeyondTrust uses the concept of least privilege to help administrators configure applications to run on desktops. “We get apps that require admin privileges to run on the desktop where they don’t have administrative privilege,” CEO Moyer says. He notes the impact of a recent US Office of Management and Budget mandate: “Federal agencies must move to standard configurations for Vista and XP, which means no more local administrator accounts. The local administrator account undermines all settings. It undermines what you’re trying to do with Group Policy. We see the need to exploit this concept, developing new products and new versions.”

As a former strategic Group Policy partner of DesktopStandard, Specops offered tools that didn’t overlap with DesktopStandard’s and that don’t overlap with Microsoft’s releases. Specops founder and CTO Thorbjörn Sjövold, says that, besides DesktopStandard, Specops is actually the only winner among the Group Policy Extension ISVs when it comes to Microsoft’s Group Policy Preferences offering.

Tools that extend Group Policy include the following:

  • BeyondTrust Privilege Manager—lets administrators use Group Policy to configure applications so users can launch them without having administrator privileges. It includes the ability to let enterprises operate with User Account Control (UAC) turned on or off.
  • FullArmor Endpoint Policy Manager— uses an organization’s existing Group Policy infrastructure to provide real-time management and enforcement of endpoint policy settings by pushing Group Policy settings to client computers that might not connect often to the domain; it also provides auditing and reporting for compliance.
  • FullArmor GPAnywhere—lets administrators create portable policies from Group Policy settings and settings provided by IntelliPolicy for Clients to enforce policies on devices outside AD.
  • Specops Command—combines Windows PowerShell with Group Policy, making it possible to execute PowerShell scripts on any number of computers.
  • Specops Deploy—uses a Group Policy client-side extension (CSE) that replaces the built-in Group Policy software installation (GPSI) functionality in Windows.
  • Specops Inventory—uses Group Policy to provide detailed data to track Windowsbased IT assets.
  • Specops Password Policy—removes the obstacle of the single password policy per domain in Group Policy.

Tools that manage Group Policy. Within the management area, you see tools that focus on specific management functions— such as troubleshooting, reporting, and security—and tools that offer many management functions across the board. Mar-Elia, of SDM Software, approaches Group Policy by conceiving of his products in three “buckets”: troubleshooting, management, and reporting. “I decided the first thing I wanted to do was get tools for troubleshooting.” His second product was something he’d wanted to do for a long time. Editing GPOs required Group Policy Editor (GPE); Microsoft provides Group Policy Management Console (GPMC), and there was some scripting, but it was geared toward the GPO. He wanted to make a Group Policy Software Development Kit (SDK) and expose settings. The result was the company’s scripting toolkit.

He has two additional products ready to release: One is Group Policy Backup and Recovery. “GPMC provides backup and recovery as an afterthought. I’m trying to make it more of an enterprise-strength solution, with backup and restore links.” The other is Desktop Policy Manager, which rides on the scripting toolkit. With it, smallto- midsized businesses (SMBs) can manage Group Policy by using a Web interface that walks people through how to define settings and shows them in profiles. According to Mar-Elia, it hides the linking. “Instead of thousands of settings, the user sees a dozen. Not everyone has to see the complexity of GPMC—we shield them from that.”

Gil Kirkpatrick, CTO of NetPro, says, “Smaller organizations are just now beginning to experiment with Group Policy. I talked to a group of SMBs about AD backup and recovery, and very few were using it. It looked complicated to them.” He says, however, that we’ll see many smaller businesses getting into Group Policy. “I think that’s what’s driving a lot of the introduction of Group Policy tools.” In the past, he says, “management tools didn’t scale well to the SMB area and weren’t intuitive. Microsoft built the platform services well, then gave you a crappy interface and left it to the ISVs to fill in.” NetPro’s tools cover the AD realm and include specific Group Policy management tools, such as GPOADmin. It’s not yet possible to be an all-NetPro shop, though additional offerings are in the future.

Using Group Policy, Kirkpatrick says, “needs to be a controlled IT process, a process that’s standardized.” The other need is “to be able to delegate Group Policy creation or setting. Native tools don’t let you delegate the ability to manage Group Policy.”

Continue on Page 3

About Microsoft’s recent entry of the DesktopStandard product version, he says, “We had just released GPOADmin, which competed with DesktopStandard’s product— but Microsoft split that product in two.” As he understands the Microsoft offering, “It doesn’t help you much with respect to management, but it does have a nice UI. It’s not like Microsoft solved the management problem in Group Policy. Vendors will just have to be more innovative.” NetPro’s GPOADmin “expanded features and added workflow. You can delegate and let others make changes and an email goes out to higher administrators who can approve and apply the changes. It doesn’t make sense for shops with one IT guy, but it’s necessary for large shops and is in line with IT Infrastructure Library (ITIL).”

Tools that help you manage Group Policy include the following:

  • NetIQ Group Policy Administrator—offers a change management process for GPOs, including offline management, versioning, workflow and delegation, the ability to replicate GPOs, and auditing and reporting capabilities.
  • NetIQ Group Policy Guardian—alerts administrators when certain Group Policy changes occur, details and documents Group Policy change history, and offers change tracking.
  • NetPro ChangeAuditor—adds audit visibility beyond native logs with coverage for GPOs and nested groups in addition to real-time auditing and reporting of AD, file system, and Exchange changes.
  • NetPro GPOADmin—lets you automate change management tasks by configuring workflow approval processes that include the ability to do offline edits to GPOs as well as GPO commenting, tracking, version control, backup, scheduling, and change auditing.
  • Quest Software Quest Group Policy Extensions for Desktops—lets you use Group Policy to implement and enforce endpoint security and includes tools that extend Group Policy to manage desktops, including the ability to configure Microsoft Office applications and to manage Microsoft Outlook remotely.
  • Quest Software Quest Group Policy Manager— adds version control and a new UI to its GPO change management solution, which includes archiving and rollback, a multilevel approval process, and the use of PowerShell to automate Group Policy management tasks. SDM Software
  • GPExpert Backup Manager for Group Policy—lets you manage the backup and recovery of GPOs and GPO links in your AD environment.
  • SDM Software GPExpert Scripting Toolkit for PowerShell—helps you automate Group Policy management using Power- Shell.
  • SDM Software GPExpert Status Monitor— lets Help desk administrators find out quickly when Group Policy isn’t working by referring to desktop event logs that record successes or failures in Group Policy processing.
  • SDM Software GPExpert Troubleshooting Pak—helps administrators troubleshoot and resolve problems in Group Policy processing.

Group Policy in Your Future
With its acquisition of DesktopStandard and the resulting new Group Policy–related offerings, Microsoft is giving more attention to configuration and management difficulties that have plagued Group Policy users. As third parties build more features into their Group Policy products, those tools will expand on what Microsoft has done.

Sjövold, of Specops, says, “Microsoft’s renewed commitment to Group Policy will most likely encourage more ISVs to build solutions on top of Group Policy.” Peter Beauregard of BeyondTrust concurs: “We look at what \[Microsoft’s\] doing, and it gets people excited about Group Policy.” According to NetPro’s Kirkpatrick, “Microsoft had a gaping wound with respect to management of Group Policy. They’ve put a good bandage on it. But they’re not going to have a team of 20 developers working on updating Group Policy Preferences.” He adds, “There’s still lots of room to innovate.”

Mar-Elia, of SDM Software, also sees room for growth: “There’s a ton of untapped potential, stuff that Group Policy could do better—the engine could be more resilient, you could have more robust reporting, and you could add the ability to fail over to another location.” He adds, “We’ll see XML start to permeate Group Policy” as a more unified way of describing configuration.