PolicyMaker Does Its Share
Extend Group Policy settings with DesktopStandard's PolicyMaker Share Manager
Most of Microsoft's Group Policy settings focus on
desktop management. Extending those settings to allow centralized Windows network administration is the primary goal of DesktopStandard's PolicyMaker series.
PolicyMaker Share Manager simplifies centralized shared folder management for Windows servers and clients, essentially compensating for Microsoft's management oversight in this arena. Share Manager includes both a server component that sits on domain controllers and a client component for managing the product.
Installation is quick and easy. After installation, Group Policy objects (GPOs) pick up a new administrative template called Server Settings with a Network Shares subfolder, so you can quickly create and manage shares across your network (see Figure 1).
|Figure 1. You configure network shares with a familiar, easy-to-use interface. (Click image to view larger version.)
You essentially load a GPO with
lists of shared folders. Then Share Manager will ensure that those shares are created uniformly across all the computers to which the GPO applies. For example, if you want to give your help desk easy access to user profiles by giving all client computers a shared folder pointing to the Documents and Settings folder, tell Share Manager to make the share and link the GPO to your domain.
| DesktopStandard PolicyMaker Share Manager
| Version Reviewed: Beta
Current Status: Beta
Expected Release: Late 2005 or early 2006
In the beta release tested, Share Manager didn't seem to provide a way to configure share security. That's something DesktopStandard may add to the final version or to a future
version. I don't regard it as a major shortcoming. Most administrators prefer to manage permissions through NTFS, thus leaving share permissions wide open, which is a common preference. Quite frankly, it's also a good idea, since managing both share and file permissions can be incredibly confusing. Still, it would
be nice to see at least an option to apply uniform share permissions.
Share Manager is intuitive and easy to use. It adds a "PolicyMaker" tab to the GPO editor (in addition to the built-in "Extended" and "Standard" tabs), and provides a clean interface for viewing the network share policy settings you've created. The interface reflects Microsoft's own interface design for Windows, so Share Manager looks like a seamless part of your environment.
In demonstration mode (which you can see prior to installing a license for the product), you can configure all the network shares you like to get a feel for how the product works. The settings simply won't be applied to any servers until you've added the license. That's a minor downside, as it prevents you from truly testing the product before buying a full license.
| Beta Man's
| The software described here is incomplete and still under development; expect it to change before its final release--and hope it changes for the better.
It would be nice to have a fully-functional evaluation period—even just a few days. This is about as uncomplicated a product as you can get, so it would help to actually see it in action before making a purchase. It's possible that the final release will offer such a trial period.
From a performance standpoint, Share Manager runs smoothly and quickly. It's indistinguishable, in fact, from the GPO settings provided by Microsoft. Even in this beta version, I found no bugs or hiccups. This suggests a thorough testing and QA process—something I always appreciate in today's hurried marketplace.
Windows 2003 SP1 has a new feature called Access-Based Enumeration (ABE). This essentially prevents users from seeing shared folders to which they don't have access. Surprisingly enough, Microsoft has not had a
feature like this until now.
NetWare 3.0 had a similar feature. ScriptLogic WinCloak (www.scriptlogic.com) also provides ABE-like features, but you have to install a software driver, which not every administrator wants to do (of course, prior to Win2003 SP1, doing so is your only choice if you want that functionality). Win2003 SP1 provides both graphical and command-line utilities for managing ABE. For example, simply open the Properties dialog for any shared folder, and select the ABE option (see Figure 2).
|Figure 1. You can enable and apply access-based enumeration through a tab in the properties settings. (Click image to view larger version.)
Obviously, managing ABE on a per-share basis is less than optimal. It's moderately surprising that Microsoft didn't provide some means of managing this feature en masse. Fortunately, Share Manager fills that gap.
Using Share Manager, you can
turn ABE on or off for each share you're managing. You can also globally enable or disable ABE for an entire server. Microsoft may add ABE support to a future release of Windows XP or a service pack, but it's not there yet.
There are two main advantages to the evolving industry best practice of turning on ABE globally. First, it prevents users from seeing things to which they don't have access. That helps keep them from being tempted to try and hack into something. Second, it prevents users from accidentally trying to access a folder they don't have permission for and thereby filling your security audit logs with spurious and completely innocent "denied" events.
|Wanted: Betas for Review
|Beta Man is always on the lookout for quality products to review. If you know of a software product that is currently or soon to be in beta, contact Beta Man at [email protected]. Vendors are welcome, but please act early--the meticulous Beta Man needs plenty of lead time.
All the recent fuss over "on-demand management" (IBM's OnDemand,
HP's Adaptive Enterprise, and Microsoft's Dynamic Systems Initiative, for example) is mostly about managing a companywide set of policies and
having individual servers and resources reconfigure themselves as needed. That's exactly the kind of flexibility Share Manager provides.
If your business needs a new project folder, for example, and needs to make it available on 10 servers spread across the world, Share Manager makes it as easy as specifying the new shared
folder and linking the GPO to the correct spot. Instead of managing the 10 servers independently, you can just focus on the top-level policy. If you don't need that shared folder after the project is complete, Share Manager can remove it.
Don Says ...
What I like:
- Extends Group Policy to make management more efficient
- Improves security by hiding shares from users who don't need to see them
- No bugs found, unusual in a
What I don't like:
- No fully functional evaluation version
- No option to set share permissions
That level of management is really the whole point of Group Policy. Share Manager is one of the few applications that extends Group Policy beyond mere configuration setting management and into the realm of provisioning and resource access. It's refreshing to see companies recognizing the value of this approach and appropriately extending Group Policy.
PolicyMaker Share Manager is
obviously set up with the potential to manage more than just shared folders (with its top-level Server Settings folder in the GPO editor). I can easily see how Desktop Standard might extend future versions even further into server management, perhaps
providing global control over shared printer attributes or a range of other server management options.
It'll be interesting to see where
they take the product in the future. In the meantime, it's shaping up
to be an excellent tool for centralizing shared folder management and
taking control of Win2003 SP1's new
Don Jones is a multiple-year recipient of Microsoft’s MVP Award, and is Curriculum Director for IT Pro Content for video training company Pluralsight. Don is also a co-founder and President of PowerShell.org, a community dedicated to Microsoft’s Windows PowerShell technology. Don has more than two decades of experience in the IT industry, and specializes in the Microsoft business technology platform. He’s the author of more than 50 technology books, an accomplished IT journalist, and a sought-after speaker and instructor at conferences worldwide. Reach Don on Twitter at @concentratedDon, or on Facebook at Facebook.com/ConcentratedDon.