Product Reviews

On Track and On Time

Group Policy Manager keeps a tight grip on policy updates.

• By Erik Westgard
• 04/01/2006

This is where the delicate balance between speedy updates and following procedure is thrown into jeopardy. You may need a security review on a major Group Policy change, but you still need to make the change in a hurry.

This review and approval cycle is becoming part of the workflow process in many enterprise-level systems administration tools. With a high-end operating environment like Windows Server 2003, though, most of the administration tools are still designed for speed. You can go in and quickly make changes, but there’s not always a review process available. That’s where Quest Group Policy Manager comes in, a tool that notifies those who need to know (like those security pros) about changes and updates.

Get a Grip on Group Policy
Quest Software has grown into a major infrastructure management player, and has expanded its set of infrastructure and Active Directory management tools over the last few years by acquiring FastLane and Aelita. In 2004, Quest released Group Policy Manager as a standalone product, and released the current version in December of 2005.

[Click on image for larger view.]

Figure 1. Group Policy Manager lets you determine which actions and permissions are associated with a particular role.

Group Policy Manager is rich in features and flexible in operation. It’s aimed at shops with 1,000 users or more, some of whom have teams working on Group Policy within a distributed systems administration team model.

Up and Running
There are two parts of Group Policy Manager to install. There’s the server module that runs as a privileged service with full access to the Group Policy Objects in the managed forest. There is also a management console component, which runs on the server or another workstation. You can have multiple server instances to manage multiple domains independently within a forest.

One hint on installing the server component: You’ll be asked to provide a user ID, which must have appropriate privileges on the server upon which it is installed, including "Log on locally" and "Log on as a service." If you get the message that "Log on as a service" was successful, that’s a good sign.

While the documentation is a little sparse, and some of the installation-related error messages a bit on the cryptic side, the online support forum had all the answers I needed.

[Click on image for larger view.]

Figure 2. Within the policy properties, Group Policy Manager lets you select the actions for which you want to receive notifications.

Role Call
Group Policy Manager supports role-based delegation and lets you define and enforce rights to perform actions on the version control system. There are several pre-defined roles, including:

• Users
• Moderators
• Approvers
• Linkers
• System Administrators

You can also define custom roles that include more granular rights over Group Policy Objects (GPOs), such as:

• Approve/Reject GPO
• Create GPO
• Edit GPO
• Delete GPO
• Undo Other Check-outs
• Export GPO
• Link/Unlink GPO
• Register GPO
• Unregister GPO
• Rollback
• Incorporate Live
• Create Container
• Edit Container
• Delete Container
• Delegate Security

Working Through Objects and Containers
You can also organize GPOs through user-defined container hierarchies. There’s a managed GPO node that can build one-to-many containers and sub-containers. Each container then has its own security descriptor in which you can grant (or delegate in Group Policy Manager terminology) trustees roles to define access to the container, sub-container or simply a specific GPO within any of those containers.

[Click on image for larger view.]

Figure 3. You can generate reports on a variety of troubleshooting categories, including compliance and security.

As users work with the objects and containers, IT can get notifications based on trigger events like approving a policy change request (see Figure 2). This is helpful, for instance, if you’re in the middle of a deployment and need to be told as soon as a request is approved for full rollout to the network. Group Policy Manager has other even more detailed reporting capabilities.

Group Policy Manager can back up GPOs (including backing up to offline storage). It can also export objects to a test environment. There is a version control system with version numbering for keeping track of changes. It will not let GPO changes go "live" into the online Active Directory environment until they’re approved through whichever process you’ve defined. The idea is to provide a granular approval model, so live GPO updates don’t cause havoc. It’s a similar level of protection to testing security patches before making an enterprise-wide rollout.

Security Compliance
The need for increased rigor around security policy and compliance auditing and checking bodes well for Quest Group Policy Manager. As more organizations start using Group Policy, they’ll need a tool like Group Policy Manager to integrate its strengths with the increased need for compliance with corporate security policies.