Product Reviews

Extend Group Policy Further

The new PolicyMaker adds more extensions to give you greater control over your desktop landscape.

• By Gerry O'Brien
• 06/01/2005

When Microsoft added Group Policy to Windows, most hailed it as an essential addition. Administrators could finally control all the desktops spread throughout their organization. While Microsoft did well to add this capability to Windows, DesktopStandard Corp. (formerly known as AutoProf) has taken it several steps further with the latest version of PolicyMaker.

PolicyMaker 2.0 gives you more options for configuring Group Policy Objects (GPOs). There were 11 extensions in version 1.0. Version 2.0 adds another 13 for a grand total of 24, including extensions for network drives, printers, shortcuts, file folders, data sources and Windows services.

Looks Familiar
One of the first things you'll notice when installing the new PolicyMaker is a comfortably familiar interface. You're brought to an MMC console with what looks like the Group Policy Object Editor, with which most of you already have quite a bit of experience. One thing that's new in version 2.0 is the MMC snap-in, which has been enhanced to reflect the new extensions (see Figure 1).

PolicyMaker lets you configure GPOs for applications like the Microsoft Office Suites from Office 95 all the way through Office 2003. You can also configure Outlook as a separate entity. One of the nicest features about the new Outlook configuration is the ability to specify security parameters for e-mail attachments. Restricting which attachments certain users can open will provide a moderate level of protection from virus files embedded within those attachments.

Figure 1. The new version has an enhanced MMC snap-in to accommodate the new extensions. (Click image to view larger version.)

At one place where I used to work, we had a major problem with people opening attachments and infecting computers with the virus of the week. We recommended e-mail screening software to eliminate the virus threat from attachments. The response was an overwhelming, "No." They felt the risk of missing important attachments outweighed the risk of virus infection.

With the extensions provided in the new PolicyMaker, we could have made both our IT staff and the users happy. You can set rules to allow or prohibit opening certain file types by choosing them from a list (see Figure 2). This can be a great time saver when it comes to configuring Outlook security, which has always been a manual and time-intensive chore.

Figure 2. PolicyMaker lets you set rules and determine who can open certain types of e-mail attachments. (Click image to view larger version.)

Get a Handle on Hardware
PolicyMaker also lets you control hardware devices attached to a computer using the Devices extension in the Control Panel settings under the Windows Settings folder. You can enable and disable hardware devices by specifying an authorized user or by specifying a particular computer (see Figure 3). You can also set common properties for that hardware object with the Common tab.

Your users may need access to VPN or dial-up connections from time to time. With the Network Options extension, you can control how you create, update or delete these connection objects. You can also make connections available to all users or a select few.

Figure 3. You can choose devices or device classes to control with Group Policy. (Click image to view larger version.)

Now, you can also configure and control data sources. These controls provide secure access to database systems residing on the network or the computer. Creating and updating these data access controls has always meant additional work for your developers or administrators. Each computer running an application that uses a particular data source must be configured to use that source or the application will not work. Companies that use either system or user data sources will find this feature helpful as it provides a centralized location for creating and updating these data sources.

REDMOND RATING Documentation 20% 9 Installation 20% 10 Feature Set 20% 8 Performance 10% 10 Management 30% 9 Overall Rating: 9.1 ————————————————— Receiving a rating of 9.0 or above, this product earns the Redmond Most Valuable Product award. Key: 1: Virtually inoperable or nonexistent 5: Average, performs adequately 10: Exceptional

Flexible Reporting
If you need to document configurations, you'll love PolicyMaker's reporting features. Once you've created a GPO, you can view its configuration settings in either HTML or XML. The HTML view is great for a static display of object and configuration properties. You can use the XML view to export that information to other applications or to a database.

Although both views give you configuration information, the XML view also shows the date the GPO was changed, the GPO ID and user ID. You'll have to instruct your XML parser to correctly identify the action abbreviations, such as C for Create. Other settings use abbreviated entries as well, including Boolean-style entries: 1 for yes and 0 for no.

PolicyMaker lets you filter GPOs on the client side by selecting which filters to apply. These filters will always be evaluated prior to any actions taking place. To administer these filters, use the Common tab available on all GPO extensions (see Figure 4).

Figure 4. Create custom filters for GPO extensions. (Click image to view larger version.)

There are a number of filter conditions you can apply to GPOs, and you can apply multiple filters to each object. Applying multiple filters lets you set up "And" and "Or" conditions. For example, you could add a Security Group filter and specify that the filter will apply to the operating system "And" a specific security group from the domain or computer. You could also specify that either the OS filter "Or" the Security Group filter will apply, but not both.

A Wealth of Choices
One of PolicyMaker's greatest strengths is the wealth of configuration options, which should certainly accommodate any of your GPO needs.

Although the learning curve should be relatively short for someone familiar with Group Policy concepts, junior network admins may find the documentation less helpful than it could be. DesktopStandard Corp. does a fairly good job explaining the concepts of Group Policy and PolicyMaker's capabilities, but I think documentation should always have a How-to section and perhaps a Quick Start.

If you need to exert more control over the desktops and servers in your organization and you believe firmly in Group Policy, then you should consider PolicyMaker 2.0.