Executive Summary:
Group Policy lets you centrally configure and manage computers and remote users in your Active Directory (AD) environment. However, many IT pros find deploying Group Policy difficult. They’ve been frustrated, for example, when they’ve tried to find a specific setting in Group Policy, or design AD organizational units (OUs) with Group Policy in mind, or troubleshoot nonworking Group Policy Objects (GPOs). With Microsoft’s new Group Policy Preferences offering as well as current and future ISV products, Group Policy will be increasingly useful to more organizations.
“There’s no reason Group Policy shouldn’t
be easy to use,” says SDM Software CEO
and Group Policy MVP Darren Mar-Elia. If
you’re in the 22 percent of IT pros who admit to “winging
it” as they configure and manage Group Policy, you might
be surprised to hear that statement. Many IT pros have
found it difficult to find a specific setting in Group Policy,
to design Active Directory (AD) organizational units (OUs)
with Group Policy in mind, to set up user and computer
groups to work with Group Policy, to troubleshoot nonworking
Group Policy Objects (GPOs), and to back up the
GPO infrastructure.
That a significant number of IT pros acknowledge
being somewhat clueless about Group Policy—even as
they use it—surprised Group Policy solution provider
NetIQ. The company surveyed IT pros about how they
use Group Policy and published the results in 2007.
According to Sacha Dawes, senior manager of product
marketing at NetIQ, that figure of 22 percent is evidence
of the lack of available native tools for managing Group
Policy, including “the severe lack of change control.”
In a conversation with Windows IT Pro magazine in
the fall of 2007, Dawes noted that 58 percent of survey
respondents said they’d experienced an unplanned outage
from a Group Policy change and that their troubleshooting
time ranged from 45 minutes to more than 6
hours. And more than half of the respondents also said
that they had no system set up to alert them to a Group
Policy problem or anomaly—their “strategy” was simply
to wait for an incident to occur.
Group Policy experts, solution providers, and users
agree that Group Policy can get you into a lot of trouble if
you don’t use it properly. They differ on what Microsoft’s
role is in managing this technology and what vendors can
best do to help fill in the gaps. They also have different
opinions on what impact Microsoft’s soon-to-be-released
Group Policy Preferences (technology from the acquisition
of DesktopStandard) will have on the Group Policy
tools market.
Most agree, however, that if you’re not using Group
Policy yet, you will be. Let’s look at how Group Policy
has evolved, why it has a reputation for causing IT pros
to sweat bullets, and how Microsoft and third-party tools
aim to help ease your Group Policy pain.
Group Policy Past and Present
Group Policy is a Windows feature that lets you centrally
configure and manage computers and remote users in
an Active Directory (AD) environment. You’ll find Group
Policy at work in the enterprise as well as in smaller organizations,
such as schools and libraries, where it can be
used to restrict users’ actions and increase security.
Using Group Policy, you configure settings and store
them in Group Policy Objects (GPOs). You create and
edit GPOs with two tools: The Group Policy Object Editor
(GPE) lets you create and edit one setting at a time, and
the Group Policy Management Console (GPMC) lets you
create and edit multiple settings at a time. After you create
the GPO, you target or link it to an AD site, a domain,
or, more typically, an organizational unit (OU). Then the
Group Policy client pulls a list of GPOs appropriate to a
machine and logged-on user and applies the GPOs. The
GPOs enforce your organization’s security settings and
restrictions—and keep users from overriding them.
NetIQ’s survey found that a surprising number of IT
departments use Group Policy as a way to write fewer
scripts. The more typical use, however, is for configuration
management and for implementing server security and
protection at the client level. Group Policy’s usefulness is
clear; what, then, makes it so difficult to master?
Consider that Group Policy began in Windows 2000
with just 500 settings. “You could wrap your brain around
that,” Microsoft’s Lead Program Manager in Group Policy,
Kevin Sullivan, says. Windows XP Service Pack 2 (SP2)
had “800 additional settings. With Vista, it’s 3,000. A slew
more will appear in 2008.”
Mar-Elia, of SDM Software, explains: “The way Group
Policy was built, a team built the engine and created a
framework. But the team didn’t create a standard. So each
product group went off and did its own thing.” Sullivan
offers the Microsoft perspective: “The Group Policy team
doesn’t decide what needs to be managed, for example,
in Windows Media Player—but we do help them and test
the Group Policy experience.”
With the acquisition of DesktopStandard in 2006,
Microsoft at least made it easier on itself in the Group
Policy arena. DesktopStandard’s GPOVault Enterprise
became Microsoft Advanced Group Policy Management
(AGPM) and was released in the Microsoft Desktop Optimization
Pack (MDOP) for Software Assurance (SA) in July
2007. AGPM lets you manage GPOs by offering change
control (e.g., the ability to check GPOs in and out for editing),
the ability to compare two versions of a GPO, and
role-based delegation. Microsoft is integrating
DesktopStandard’s PolicyMaker Standard Edition, Share Manager,
and Registry Extension into the GPMC and renaming it
Group Policy Preferences. It will be in Windows Server
2008 and offered as a Windows Vista SP1 download in the
Remote Server Administration Toolkit (RSAT).
Two vendors whose product offerings don’t overlap
with Microsoft’s Group Policy offerings comment favorably
on the release of the newly acquired tools. Thorbjörn Sjövold, CTO and founder of Special
Operations Software (Specops), says Microsoft
“more than doubled the number of
Group Policy extensions with Group Policy
preference extensions (GPPE). This is really
good news because it shows that Microsoft
believes in Group Policy and is committing
to the technology.” The former CEO
of DesktopStandard, now CEO of BeyondTrust,
John Moyer, adds, “What Microsoft
is releasing with Group Policy Preferences
is going to make Group Policy useful to the
broader market and will help with standardizing
desktops.”
The settings in Group Policy Preferences
“could potentially reach a staggering number,”
Microsoft’s Sullivan says. “I mean that
in a ‘wow, look at my breadth of management’
way. For example, it’s easy to distribute
binary data out to clients. It’s a pretty exponential
leap we’re looking at.”
Group Policy Preferences adds flexibility,
Sullivan says. An administrator can create
an image, deploy it to users, and users
can change some of the preferences if the
administrator allows it. “An admin can set or
narrow down in Editor, turn on filter options,
and look for commented settings.” Sullivan
points out the usefulness of being able to
annotate GPOs with commented settings.
“Today, if customers open a GPO and see a
creation date of 2000, they don’t know why
it was created or who created it.” Another
feature in Group Policy Preferences is what
he calls “starter GPOs.” What he refers to is an
architecture that supports a baseline application.
“You can create starter GPOs with
canned settings and another admin can use
those canned settings as a starting point” to
configure a new GPO.