Jason Leznek, Microsoft Senior Product
Manager for Windows Client Manageability,
adds, “The other thing that Group Policy
Preferences lets you do is richer targeting.
Group Policy Preferences lets you set Windows
Management Instrumentation (WMI)
filtering or go beyond, and it’s in a GUI. You
can have check boxes; you can specify situations
for settings; you can have multiple settings
in one GPO.”
According to Sullivan, Microsoft jumped
on those feature changes that provided best
customer value and didn’t step on partners.
Sullivan says his team asked customers,
“What do you want to do in Group Policy?”
The answer was that they wanted to do everything
they could on their systems.
“Group Policy Preferences provides application
extension,” Sullivan notes. “Partners
can go in through the core and add and
enrich.”
Third-Party Solutions
You’ll find several big players in the Group
Policy arena and some smaller ones. Tools
from third parties tend to fall into two main
areas—those that extend what you can do
with Group Policy and those that help you
manage Group Policy.
Tools that extend Group Policy. Within
the extension area are tools that add Group
Policy functions. Examples of such functions
include software deployment and asset
inventory. Two vendors in this arena are BeyondTrust and Specops.
BeyondTrust uses the concept of least
privilege to help administrators configure
applications to run on desktops. “We get
apps that require admin privileges to run on
the desktop where they don’t have administrative
privilege,” CEO Moyer says. He notes
the impact of a recent US Office of Management
and Budget mandate: “Federal agencies
must move to standard configurations
for Vista and XP, which means no more local
administrator accounts. The local administrator
account undermines all settings. It
undermines what you’re trying to do with
Group Policy. We see the need to exploit this
concept, developing new products and new
versions.”
As a former strategic Group Policy partner
of DesktopStandard, Specops offered
tools that didn’t overlap with DesktopStandard’s
and that don’t overlap with Microsoft’s
releases. Specops founder and CTO Thorbjörn
Sjövold, says that, besides DesktopStandard,
Specops is actually the only winner
among the Group Policy Extension ISVs
when it comes to Microsoft’s Group Policy Preferences offering.
Tools that extend Group Policy include the
following:
- BeyondTrust Privilege Manager—lets
administrators use Group Policy to configure
applications so users can launch them
without having administrator privileges.
It includes the ability to let enterprises
operate with User Account Control (UAC)
turned on or off.
- FullArmor Endpoint Policy Manager—
uses an organization’s existing Group
Policy infrastructure to provide real-time
management and enforcement of endpoint
policy settings by pushing Group
Policy settings to client computers that
might not connect often to the domain; it
also provides auditing and reporting for
compliance.
- FullArmor GPAnywhere—lets administrators
create portable policies from Group
Policy settings and settings provided by
IntelliPolicy for Clients to enforce policies
on devices outside AD.
- Specops Command—combines Windows
PowerShell with Group Policy, making it
possible to execute PowerShell scripts on
any number of computers.
- Specops Deploy—uses a Group Policy
client-side extension (CSE) that replaces
the built-in Group Policy software installation
(GPSI) functionality in Windows.
- Specops Inventory—uses Group Policy to
provide detailed data to track Windowsbased
IT assets.
- Specops Password Policy—removes the
obstacle of the single password policy per
domain in Group Policy.
Tools that manage Group Policy. Within
the management area, you see tools that
focus on specific management functions—
such as troubleshooting, reporting, and
security—and tools that offer many management functions across the board. Mar-Elia, of
SDM Software, approaches Group Policy by
conceiving of his products in three “buckets”:
troubleshooting, management, and reporting.
“I decided the first thing I wanted to
do was get tools for troubleshooting.” His
second product was something he’d wanted
to do for a long time. Editing GPOs required
Group Policy Editor (GPE); Microsoft provides
Group Policy Management Console
(GPMC), and there was some scripting, but
it was geared toward the GPO. He wanted to
make a Group Policy Software Development
Kit (SDK) and expose settings. The result was
the company’s scripting toolkit.
He has two additional products ready to
release: One is Group Policy Backup and
Recovery. “GPMC provides backup and
recovery as an afterthought. I’m trying to
make it more of an enterprise-strength
solution, with backup and restore links.”
The other is Desktop Policy Manager, which
rides on the scripting toolkit. With it, smallto-
midsized businesses (SMBs) can manage
Group Policy by using a Web interface that
walks people through how to define settings
and shows them in profiles. According to
Mar-Elia, it hides the linking. “Instead of
thousands of settings, the user sees a dozen.
Not everyone has to see the complexity of
GPMC—we shield them from that.”
Gil Kirkpatrick, CTO of NetPro, says,
“Smaller organizations are just now beginning
to experiment with Group Policy. I
talked to a group of SMBs about AD backup
and recovery, and very few were using it.
It looked complicated to them.” He says,
however, that we’ll see many smaller businesses
getting into Group Policy. “I think
that’s what’s driving a lot of the introduction
of Group Policy tools.” In the past, he says,
“management tools didn’t scale well to the
SMB area and weren’t intuitive. Microsoft
built the platform services well, then gave
you a crappy interface and left it to the ISVs
to fill in.” NetPro’s tools cover the AD realm
and include specific Group Policy management
tools, such as GPOADmin. It’s not yet
possible to be an all-NetPro shop, though
additional offerings are in the future.
Using Group Policy, Kirkpatrick says, “needs
to be a controlled IT process, a process that’s
standardized.” The other need is “to be able
to delegate Group Policy creation or setting.
Native tools don’t let you delegate the ability
to manage Group Policy.”
Continue on Page 3
Register
