Whether they control, monitor, or extend Group Policy, each of these tools helps admins manage it
Editor's Note: Information in this buyer's guide comes from vendor representatives and resources and is meant to jump-start, not replace, your own research; also, it is not necessarily comprehensive, as some products might have been left out due to the writer's oversight.
We will gladly add your product to our online table/PDF as a service to our readers, if we determine it falls within the confines of this buyer's guide.
Group Policy began in Windows 2000 with just 500 settings. Windows XP SP2 had 800 additional settings. With Windows Vista, it’s 3,000. And Windows Server 2008 added over 3100 policy settings in administrative templates and over 175 security policy settings.
Group Policy secures and regulates the essentials your organization needs to run smoothly, from critical business applications and processes to settings on users' computers and printers. But try to manage Group Policy and soon enough, even your above-average knowledge can get you in trouble.
The alternative is to avoid touching Group Policy or mess with it as little as possible. In fact, many admins admit that their "strategy" for determining whether they've successfully configured Group Policy properly is to wait for an incident to occur. Then the problems begin.
At the least, your fellow admins and staff have to drop other projects to work on untangling Group Policy knots. At worst, a Group Policy mistake might go undiscovered, or a disgruntled or incompetent admin could alter policy settings, weakening security or potentially causing a data breach.
Microsoft to the Rescue—Not
When Microsoft brought out the Group Policy Management Console (GPMC), it was a welcome addition to Group Policy. Granted, it has helped admins manage Group Policy better, particularly in organizations where not many Group Policy changes are typically made. But where there are frequent changes and multiple administrators involved, the GPMC isn't satisfactory in monitoring and controlling Group Policy changes.
Then Microsoft proffered Advanced Group Policy Management (AGPM), acquired as part of Desktop Standard's technology. AGPM offers admins the ability to check in and check out GPOs while editing them, and it lets admins compare two GPO versions and roll back to a previous GPO version.
Another nice touch is the ability to create GPOs from templates and to delegate access to GPOs. The catch is that you have to be a Windows Software Assurance (SA) customer, as it's part of the Microsoft Desktop Optimization Pack (MDOP), which is only available to SA customers.
Filling in the Gaps
Third-party solution providers have tackled the Group Policy management gaps in their own ways. They offer a wide range of solutions, from tools that automate Group Policy management tasks, to tools that monitor and audit Group Policy changes, to tools that extend Group Policy and help you lockdown desktops using least privilege, to tools that let you combine various aspects of the above.
You can find Group Policy management tools that delegate access, allow check-in and check-out, and offer version control. In addition, many also offer offline repositories of GPOs where you can edit and try out policy settings in the comfort of a test environment rather than putting them directly into a production environment.
Many of these tools extend the GPMC to help you create GPO changes, then verify and compare versions of your GPOS to maintain consistency. Some help you make your desktop and application configuration more uniform and increase their security. Some alert you to changes in GPOs. Some let you create or use policy settings that aren't even part of Group Policy, to assist in becoming compliant with your auditors and with specific regulatory requirements.
In this Buyer's Guide, we depart from our traditional format somewhat to better offer you a look at a variety of Group Policy management tools. (See Table 1 for product information.)
We've rather broadly interpreted management: Some of these tools help you manage Group Policy by automating tasks; others help you by tracking GPO changes; still others help you by extending what Group Policy can do. As prices change depending on licensing and numbers of machines, we leave it to your initiative to get price quotes.
Additionally, we like Group Policy tools that extend Group Policy, making it do what it should have been able to do by itself by now. If you already have a Group Policy management tool and would like to get even more out of Group Policy, look into these solutions as well: