Product Reviews

Get into Group Policy

GPAnywhere gives you more flexibility to manage Group Policy, even on older or remote machines, with or without Active Directory.

• By Danielle Ruest and Nelson Ruest
• 02/01/2005

Those of you running Active Directory know that Group Policy is a great advantage when it comes to supporting centralized desktop management, but Group Policy is only available within an AD environment. Every machine and every user has to be a member of an AD domain for it to be able to deploy settings through Group Policy, right? Not any more.

Fazam GPAnywhere is a powerful tool that focuses on local Group Policy management. It works with or without AD, so if you're still running NT to manage your domain—you shouldn't be by now, but if you are—you can still enjoy the power of Group Policy with this nifty tool.

Think Globally, Modify Locally
GPAnywhere modifies the local policy found on every Windows machine since Windows 2000. Because the policy is local, there is no real way to modify it centrally in Windows. Local policy gets modified or overwritten when you deploy Group Policies, but there are several instances where this is impossible. In small shops for example, people may be working in workgroups instead of domains. When machines are in an established workgroup, you don't have a default-centralized way to make sure they are configured properly.

Another more prevalent example would be in a demilitarized zone (DMZ) that many organizations host as a security buffer against outside attacks. Often, machines in a DMZ are not joined to a domain because of the security risk of exposing internal domains to the outside. You can use the Security Configuration and Analysis tool found in Windows to generate a default Security Template that you can apply on each machine to modify the settings in the local policy, but that is a cumbersome process that leaves a lot to be desired.

Other configurations in which you may want to use something like GPAnywhere to centrally manage Group Policy include user settings for terminal servers, older Novell domains with Windows clients, and laptops or other remote clients that are still part of a specific domain.

GPAnywhere works with an instance of AD in Application Mode (ADAM) to store all data related to the local policies you want to manage. When you set up the GPAnywhere server, ADAM is installed automatically. “Server” may not be the right word here, because you can just as easily install GPAnywhere on anything from a Windows XP machine to a full-blown server running Windows Server 2003. Because GPAnywhere relies on ADAM, its minimum requirements are essentially the same as ADAM. It has to run on Windows XP Service Pack 1 or later and/or Windows Server 2003.

During the installation process, GPAnywhere places four core components on the target machine:

• It installs ADAM and sets it to operate on port 389—the standard Lightweight Directory Access Protocol (LDAP) port.
• In the Application Data folder for All Users, the system creates a new folder called FullArmor\FAZAM GPAnywhere and shares it as GPAnywhere.
• It installs Microsoft XML Parser components (MSXML 4.0).
• It also installs the core Fazam GPAnywhere components.

The installation process uses a single Windows Installer file. This means you should be able to deploy it through Group Policy or any other centralized deployment tool, but according to FullArmor, they have not yet tested that deployment option.

Once it's fully installed, you can run GPAnywhere by launching its Microsoft Management Console (MMC). The console is empty by default and is extremely easy to use. When you start the program, you'll see that the console includes only two items—Group Policy Object (GPO) Templates and Computers (see Figure 1). Your first task is to prepare the GPO template you want to use.

Figure 1. GPAnywhere presents a simple, familiar interface. You can create GPOs with a few simple clicks, export them to .exe format and drop them onto applicable machines. (Click image to view larger version.)

Template Tools
GPAnywhere lets you create templates in a number of different ways. You can create them from scratch, import settings from existing AD GPOs or even import settings from Windows NT System Strategies. Once you have created a template, you can edit it through the standard Windows Group Policy Object Editor. This helps keep you working with familiar tools. Once the template is complete, you can export it to an executable file that you can run on non-AD computers.

There are several ways to do this. You can locate computers directly within GPAnywhere through the Computers branch of the navigation tree (see Figure 2). If the computers are within an AD environment, you can search the directory for them. If they are non-AD machines however, you'll need to browse for them. Once you have added all the computers you'll be managing to the console, you can edit some of their local policy settings directly. This doesn't let you modify security settings though. To do that, you'll need to run executable policies on the target machine.

Figure 2. The console lets you edit policy, generate reports or remove a computer from the list. If you choose to edit the local GPO, you won't be able to modify security settings. You'll have to apply an executable policy to do so. (Click image to view larger version.)

Executable policies include only the contents of the GPOs that are activated. This helps keep their size to a minimum. You can run executables on machines simply by dragging and dropping them onto the machine name. You can also schedule them to run at repeated times or at computer startup to ensure the settings are up to date.

REDMOND RATING Documentation 10% ————— 7 Installation 10% ——————— 8 Feature Set 40% ——————— 7 Performance 20% —————— 9 Management 20% —————— 9 Overall Rating: 8.1 ————————————————— Key: 1: Virtually inoperable or nonexistent 5: Average, performs adequately 10: Exceptional

Local Group Policy settings are applied to systems upon which you have installed the GPO templates. Those settings are active whenever you power up those systems.

The local GPO settings let you define desktop requirements and apply personalized configurations. You can also use them to lock out certain functions to prevent users from installing printer or other device drivers, disabling Control Panel applets or even the entire Control Panel.

Local GPO settings also help you enforce security measures like password history, timed lockout settings and the length of idle time before the system automatically terminates a session.

Focused on ADAM
You can generate reports easily with GPAnywhere; just right-click on any computer and select Create Report. Reports are in HTML format and are simple to read.

FullArmor has created a nifty tool that fills a hole in the administrative toolkit. Everyone who has a DMZ on their network needs something like this to apply secure policies to their machines. You can do it with the Security Configuration and Analysis tool, but it is certainly not as easy as it is with GPAnywhere.

It's welcome to see the innovative way that GPAnywhere makes use of ADAM here. It would be nice if more vendors focused on this tool and stayed away from directory schema modifications.