Tech Review: Active Directory Policy Administration Suites

Group Policy should be a no-brainer for organizations running Microsoft Active Directory. It lets IT control changes and a variety of settings for all users and computers in AD from a central console. But some IT pros shy away from Group Policy. Although it's been part of every Windows OS since Win2K, Group Policy is plagued by limitations that can cause major administrative agita. In large domains with multiple administrators, for example, special care must be taken because Group Policy lets you easily adjust settings that affect every computer or user in a domain in real time, yet it lacks true change-management and version-control capabilities. Talk about a recipe for disaster.

The good news is, Microsoft publishes the APIs associated with Group Policy, so a number of third-party applications are available to help fill the gaps left in the native utility. We set out to determine whether those apps could solve a few main problems. First, the lack of a facility in Group Policy to determine who changed what settings, and when, is problematic, especially when there are several administrative spoons in the pot. This problem is compounded by the fact that GPOs (Group Policy Objects)--the building blocks of Group Policy containing individual settings to be deployed to the user or computer--are stored at the domain level in AD and can be modified only within the live AD environment. Bottom line, we've seen people make what they thought were trivial domain-level changes, only to have their helpdesk flooded with calls minutes later.

Smart IT groups work around this by granularizing their GPOs with as few policy settings as possible, so they can quickly undo tweaks that cause mass hysteria without affecting other workable GPOs. The end result of this workaround is dozens, if not hundreds, of GPOs in the AD domain. Problem is, more applied GPOs in a domain means slower login and start-up times for users.

There are other weaknesses in Group Policy: Its scope is limited to Windows XP/2000/2003 domain members, so there's no way to enforce GPOs over Mac OS, Unix, Linux and nondomain members. And though Group Policy can be used to deploy software, it's by no means as robust as conventional desktop management suites, such as those from Altiris or LANDesk, because it cannot repackage setups or copy the installation locally before a setup runs.

Finally, Group Policy has limited native functionality. Accomplishing something as simple as deploying a desktop shortcut requires writing a script. And though Group Policy makes script deployment a snap, scripts often are complex to create and difficult to debug and test. The only way to verify that a script works is to try it for yourself, as the scripts do not report changes to Group Policy's Resultant Set of Policy (RSOP) reports.

No Hot Dog

We set out to find products that could overcome these limitations but discovered that no one suite can do it all. So we narrowed our scope to the most critical pair: Group Policy management and Group Policy extensions. Group Policy management products add version control, enhanced security, additional monitoring/reporting options and other features. Group Policy extensions enhance the functionality of policy settings--the stuff you can manipulate on the client. For our wish list, see "Desired Features at a Glance".

We identified Centrify, Configuresoft, DesktopStandard, FullArmor, NetIQ, Quest Software, ScriptLogic, Special Operations Software and Symantec BindView as possible participants, but after further research we excluded three offerings that fill only niche roles. Special Operations Software's Specops Deploy 3.1 enhances the software deployment aspect of AD Group Policy; Centrify's DirectControl 2.0 integrates Unix, Linux, Mac OS and Java platforms with AD; and FullArmor's PolicyPortal 1.0 is designed to extend Group Policy to Windows machines outside of AD. All have their place, just not in this review.

We sent invitations to the rest of the field. DesktopStandard, NetIQ and Quest accepted. BindView declined, citing its recent acquisition by Symantec. ScriptLogic bowed out because it was about to release a new version of its product, and Configuresoft refused without providing a reason.

To test each product we created a small Windows 2003 domain for our fictitious yet appropriately titled candy maker, Fudge Co., and installed each product into its own identical environment. We judged each on the basis of its feature set for both Group Policy management and Group Policy extensions, ease of use and manageability, granularity of security and access controls, reporting and monitoring capabilities, and, of course, cost. We asked vendors to quote pricing for an organization consisting of 1,000 users and 1,000 computers in a single domain. For more on our test setup, see "How We Tested".

All the vendors that accepted our invitation carry separate products for Group Policy change control and management and Group Policy settings extensions, so we tested both products in each case. This means you could, theoretically, purchase one vendor's Group Policy management product and another's Group Policy extensions. We wouldn't recommend this, though, as we had a difficult time getting one vendor's extensions working within another's management product.

Snap to It

The Group Policy management products we tested--DesktopStandard's GPOVault Enterprise, NetIQ's Group Policy Administrator and Quest's Group Policy Manager--share several features. All are designed so that multiple clients can connect to the server portions of the products, and client components are Microsoft Management Console (MMC) snap-ins. Each uses a repository for storing GPOs offline, or outside the production AD environment. The storage location varies by product. Quest's product was the most flexible, letting us place the repository in SQL Server, MSDE, AD, ADAM (Active Directory Application Mode) or a UNC path. Net IQ Group Policy Administrator's repository can be stored only in SQL Server or MSDE, and GPOVault's repository can be installed at a UNC path or on the local file system.

We could edit, secure and, in some cases, organize GPOs independent of the live AD environment and without a test domain. Each product imposes change-control and management principles over the repository for complete GPO lifecycle management. Multiple versions of a GPO can be stored inside the repository, and we could easily view differences between repository versions and live GPOs--handy when you need to figure out who changed what and when. Every product we tested had this capability, but Quest's was the most robust, letting us not only compare versions but also sort and filter through the history of changes to a GPO.

All the products have built-in AD-integrated security that let us configure repository GPOs such that only specified users, groups or roles may change, create or publish GPOs. When it came time to deploy a repository GPO to AD, a Windows service account brokered the deal on our behalf. This way, a user with permission to publish repository GPOs does not require elevated permissions within AD.

To our dismay, none of the products we tested let us search through GPOs by individual policy setting. A classic annoyance of Group Policy has always been the challenge of determining which of the 1,600-plus policy settings are actually configured within any given GPO. In larger organizations, where there may be dozens of GPOs across multiple domains, it can be like finding a needle in a TCP/IP stack. No product included a search facility that was substantially better than what is already included in Microsoft's GPMC (Group Policy Management Console) tool, which let us search for GPO by name, permission or how the GPO is linked. Quest's product had a nifty utility for searching by individual policy setting, but it could be used only for template creation.

One question we had to ask of these products is, what happens to the corresponding repository GPO when an AD administrator pulls the rug out from under it and changes a live GPO? All the products we tested let us compare the differences between a live GPO to the most current one in the repository, but only GPOVault automatically recorded live changes to GPOs into the repository history. The product didn't go a step further, however, and offer to reconcile the two versions so they'd be consistent again, and as a result when we redeployed the repository GPO, we overwrote the newer version. Bottom line, once you install a Group Policy management product, your days of editing GPOs directly are over.

For Group Policy client-side extensions, DesktopStandard's PolicyMaker Standard + Application Security Bundle, Quest's Group Policy Extensions, and NetIQ's IntelliPolicy all let us use Group Policy to deploy network drives and printers, files, folders, shortcuts, power-management settings, registry settings and local group memberships. Offerings from both DesktopStandard and NetIQ include functionality for elevating or restricting user privileges to running applications. Office settings could be deployed using the DesktopStandard and Quest products. All provided capabilities to filter extensions within the scope of the GPO, which is useful when the setting need only be applied to a specific OS version, for example.

We counted price as 20 percent of the score. Our thinking is that though these utilities make IT's life easier, they'll have minimal measurable effect on the bottom line, so they should be affordable. In addition, Microsoft's practice of bundling third-party functionality into future OS releases makes purchasing these products something of a risk.

We gave Quest a perfect 5 on pricing because its per-PC, as-tested cost was $14.50--exactly half that of the next lowest competitor. DesktopStandard's pricing, at $34.24, was highest, but that's attributable to a pricey security extension that blew away the competition. This extension also goosed DesktopStandard's Group Policy Report Card grade. But even without the Application Security plug-in, this would still be the best extension product tested, and its price would be middle of the pack, raising DesktopStandard's overall score. As for who should spring for the extra security, organizations that need to run their desktops under the principle of least-privilege will benefit greatly. Desktop security is on everyone's radar these days, and we give DesktopStandard kudos for taking it seriously.

On a Roll?

Any of these products will make Group Policy more functional, and all received respectable grades. Quest's GP management app was the best, but DesktopStandard's GP extensions were clearly superior.

Why not recommend purchasing the management app from Quest and the extensions from DesktopStandard? The two don't play well together, mainly because Quest's product doesn't recognize DesktopStandard's extensions. Think of it this way: Extensions provide add-on settings to Group Policy so administrators don't have to write scripts to do fun stuff like deploy shortcuts, map drives and configure power management, while the management apps make life easier by offering change control and management for policies. Because they don't work together, if you wanted to deploy a policy with extensions, you'd have to draft and manage that policy right in AD--you couldn't take advantage of the version-control capabilities of the repository. Egad!

Our recommendation: If you just need change control, Quest delivers. If you need extensions, go with DesktopStandard. If you need both, we recommend DesktopStandard's set, if you can afford it. The onus is on the change-control product to understand extensions, and if you supply both, why would you help sell a competitor's product? We understand the why of the situation, but we don't have to like it, so we're not awarding an Editor's Choice. This was a tough call, but none of our competitors covered both bases well enough.

Quest Software Group Policy Manager 2.5, Group Policy Extensions 2.0.1

Quest's Group Policy Manager is the most feature-rich of the policy-management applications we tested. Even the server configuration showered us with options, letting us store the version-control system in AD, ADAM, SQL Server/MSDE or a network share. And should you change your mind at a later date, you can change the location from within the application.

Group Policy Manager also has the most detailed workflow, notification and security models of the products we tested. This granularity let us customize the GPO version-control system as we saw fit. Of course, this level of granularity often adds configuration complexity. Setting up a complete security and notification model could take some time, depending on how much you customize.

We could organize GPOs in our version-control repository into logical containers and subcontainers. Security and notification settings can be set on a container, so that all GPOs inside inherit those settings. Notification settings, like the role-based delegation discussed earlier, are extremely granular, and we could set up notifications for any step in the workflow. When we tested the workflow aspect of the product, we noticed that every change to the repository required approval, even for a repository administrator. The other two products we tested required approval only at check-in or live deployment. This brings up a disappointing aspect of all the products--each has its own "hard-coded" workflow model, and none was customizable. We could change notifications and roles but could not manipulate what each action was called and which actions required approval.

Like the other tools, Group Policy Manager comes with built-in security roles for trivial activities such as editing, approving and linking GPOs, but what differentiated this product was the ability to define our own security roles. We identified a custom role, which we called "creator-approver," and assigned it to an AD Security group, then let that group create and approve, but not edit, repository GPOs. This role in the Fudgeco.com domain would be the GPO guardian--having final say over GPO deployments in AD, yet not in the trenches deciding which policies should be applied to which users. This would be useful in large, multiple administrator, single-domain AD deployments where a formal change-approval process coordinates actual changes in AD. Although we could duplicate the same security functionality in the other products, only Quest's let us actually name the role, making it easier to re-use and understand without digging through access-control lists.

The template functionality included with Quest Group Policy Manager is the best of the lot. We could create and edit a template without creating the GPO first, and the template repository and security model is in its own area of the version-control system, so it's easy to apply a separate set of security permissions to templates. For any GPO, we could apply one or more templates. When a template is applied, if there is a settings conflict between the template and the GPO, the template will overwrite the existing GPO setting. We looked for a mechanism to do an impact analysis before overwriting and found a report we could run to compare the template's settings with the GPO's settings. This let our Fudgeco domain administrators reapply templates to GPOs to enforce new settings or reverse policy settings another OU administrator enabled, for example.

Quest's Group Policy Extensions product worked a little differently from the other two we tested. Rather than offering up a bunch of settings inside the Group Policy Object Editor (GPOE), Quest's extensions are deployed using templates. We first had to set up a reference workstation and configure the settings, printer mappings and shortcuts we wished to deploy. We then used the Template Capture Wizard to collect those settings into a template, and finally, we imported the template into the GPO editor. The whole process isn't as bad as it sounds, and the template editor let us go back and include, exclude or recapture specific settings. The big drawback to the product is that deploying policy settings for a particular extension is an all-or-nothing proposition. We couldn't just deploy one setting to turn off file sharing, for example, without deploying all the Explorer folder options.

DesktopStandard GPOVault Enterprise 2.2, PolicyMaker 2.5 + Application Security Bundle

The raison d'etre of Group Policy management products is to fill the gaps left by Microsoft tools, such as the GPMC. But rather than reinvent the wheel, as other products have done, DesktopStandard's approach is to add plug-ins into the GPMC to give it the functionality it's lacking. The result? GPOVault Enterprise is tightly integrated with the GPMC, and if your administrators are well-versed in the tool, they will warm up to GPOVault nicely. Although this is a nifty idea and results in one less UI to contend with, the product is also somewhat limited by the kludginess of the GPMC.

GPOVault has a structured workflow system with pre-defined notification for given tasks, such as create, deploy or delete, notifying only the reviewer role. As a result, it's not possible to receive a notification when a user checks out a GPO. Furthermore, all notifications are sent to the same group of users. The version-control system does have some intelligence built in; for example, if you create a repository GPO as an administrator, there's no need to approve the changes. And GPOVault has a recycling bin, a feature no other product had. This adds an extra layer of redundancy to the delete operation, and is useful when there are many hands in the pot.

Of the three Group Policy extensions products we tested, DesktopStandard's PolicyMaker Standard + Application Security Bundle is by far the most expensive, but also the most robust and feature-rich, giving it a high bang-to-buck ratio.

During our tests, we were pleased to find each of the policy-settings extensions typically found in the Windows control panel--including printers, folder options, power options, scheduled tasks, Internet options and mail profiles, to name a few--were displayed as they would appear in their corresponding Windows control-panel applets. This made configuring settings, such as power management, folder options and Start menu options, over the computers in Fudgeco's research and development OU a breeze. The problem with using a direct-manipulation interface for this task, however, is that there were settings we wanted to configure in the dialog, and others where we'd like Group Policy to defer to the default settings on the workstation. PolicyMaker solves this issue elegantly with its property-underlining feature. If the property is underlined in green in the dialog, it's considered enabled and will be enforced in the GPO; if the property is underlined in red, it's disabled and hence ignored. Each underlined property in the dialog may be individually toggled, or the set may be enabled/disabled as a whole.

The (pricey at $21 per seat) Application Security product let us use Group Policy to permit certain applications to run with elevated or reduced privileges. Although NetIQ's IntelliPolicy could accomplish this as well, DesktopStandard does it without the need to use a secondary account or the Windows RunAs service; instead, the application's security token is modified when the program is launched. Note that some security products look for this type of behavior and block it--a potential problem. The machines we used in testing had McAfee EPO 8.0i and Windows Defender beta on them, and we didn't run into difficulties. On the plus side, this methodology allows for increased flexibility in the security model, letting any number of security groups be added or removed from the security token. We had fun putting this to the test by letting non-administrators access regedit.exe as if they were a local administrator and blocking everyone on a workstation, including local administrators, from running Solitaire.

We targeted more than just files with the application security product; we also configured the same security settings on entire folders, SHA1 hashes of programs, MSI installs, even ActiveX installs. To help with those pesky ActiveX installs, a template included with the product contains a policy setting which, when enabled, displays a dialog containing the proper ActiveX install settings when a user visits a Web page requiring the control, which they do not have permissions to install. This information can then be easily e-mailed to the administrator for inclusion into a GPO, which will elevate the user's rights to install the control.

NetIQ Group Policy Administrator 4.6, FullArmor IntelliPolicy 1.5.1

Group Policy Administrator has the heaviest requirements of the products we tested, calling for at least IIS 5.0 and Microsoft SQL Server/MSDE to be installed on our test server. When we set up the console on a few administrative workstations, we had to install MSDE as well, even though we were connecting to a central database.

Group Policy Administrator is designed to be a complete replacement for the GPMC, and the product's administrative console re-creates and, in several cases, improves on the features found in Microsoft's native tools. The GP Explorer tool is for administering live GPOs and copies much of its functionality from the GPMC. The GP Repository is the tool for offline GPO version control and management.

When compared with the other products we tested, Group Policy Administrator has a few unique qualities but is missing some key features. On the plus side, its e-mail notification system is just as good as Quest's, letting us set up notifications to any user for any object and any operation, and we managed all notifications from the same screen, which was convenient. NetIQ's product is the only one capable of editing the repository GPO from within the same console window, without the need to open Microsoft's Group Policy object editor, a handy time-saver that helped keep the GPO we were editing in context with its place in the repository. One of the neatest features we tested was the GPO health check, which, as the name suggests, confirms that everything is copasetic. The GPO health check verifies that the GPO in AD, the Sysvol folder and the corresponding security settings are consistent with what's in the repository. Because the repository contains a copy of what's in AD, if any inconsistencies are found, you could always redeploy the repository version or an earlier version of the GPO. We only wish the product was able to help repair possible corruption errors.

GP Administrator is missing some key features that are available in the competition, such as the ability to sort and filter GPO history, create templates and add labels to repository GPOs. Even though repository users add comments as they perform operations on GPOs, we had to view those comments individually in the GPO history. Further, the GPO history can't be sorted by user or date, and comments cannot be added to a GPO without checking the GPO out first. And the biggest of cons, the product has no template features, so you can't help other administrators by packaging policy settings for Windows firewalls, software deployments or Windows Server Update Services, for example.

Similar to PolicyMaker, the IntelliPolicy product allows for configuration of its extensions from inside the Group Policy object editor, and includes scope-filtering capabilities as well. Although IntelliPolicy doesn't have as many policy settings as its competitors--notably missing the Start menu and folder configuration options--it does one-up Quest with its ability to run applications under elevated and restricted privileges.

Client-side extensions enabled within the GPO can increase the overall processing time of a policy refresh by a considerable margin. This is the primary reason each Group Policy extension product we tested includes some form of filtering capability. We really liked IntellliPolicy's ability to place policy extensions into categories and then let us apply the filter to the category. This made it easy for us to run a test where we deployed a file, added a Start-menu shortcut to that file for all computers in the Project Management Group OU, then used filtering to target only XP workstations. Features like this help keep the number of deployed GPOs down, which improves GPO refresh time.

Michael Fudge Jr. is a systems administrator at Syracuse University's School of Information Studies. Write to him at [email protected].

WISH LIST

We asked for products that would help our fictional Fudge Co. candy maker create, test, manage, troubleshoot and deploy policies and settings to computers and users in Active Directory. Specific wants:

» Enhanced change control, management and testing of policies » Ability to build and test policies offline, without Active Directory » Policy template management and the inclusion of default policy templates for compliance » Support for deployment of policies to clients not supported by AD, such as Mac OS or Windows ME. » Extended policy capabilities to describe and organize policies » Tools to assist in the debugging and troubleshooting of policy deployments » Extensions to Microsoft Group Policy functionality to enhance desktop security, application, and printer deployments

How We Tested

We tested three Active Directory administrative suites at our Syracuse University Real-World Labs®. Each product was evaluated in its own AD network environment, isolated from the other products. The network and AD layouts were designed to accommodate the administrative structure of our fictitious candy-making company, Fudge Co.

The Fudge Co. network consists of two AD single-forest/single-domain structures for production and test, named fudgeco.com and fudgeco.test, respectively. The fudgeco.com domain computers consist of a Windows 2003 SP1 domain controller running at Windows 2003 functional level, one Windows 2003 SP1 member server for each OU (Organizational Unit), and three Windows XP Professional SP2 workstations.

The fudgeco.com domain layout consists of two OUs for Fudge Co.'s Product Management Group (PMG) and Research & Development (RAD) business units (see diagram at right). Because fudgeco.com uses a single domain model, we delegated administration at the OU level, having separate admins for both PMG and RAD. Inside each OU were sub-OUs for admin, user, computer and server objects. This OU structure let us test each product's ability to delegate roles from the security model, such as permitting an OU admin to modify repository GPOs, and test them but not deploy them live to fudgeco.com. It also let us granularly determine where each GPO was applied, so that a GPO with just server settings would be applied only to the servers OU, for example.

Fudge Co.'s test domain was a subset of the production domain containing an identical AD OU and object structure, but only one Windows 2003 member server and one Windows XP workstation. We used this fudgeco.test domain to test GPO changes prior to deploying them live on fudgeco.com.

We installed each Group Policy management product onto the domain controller and each member server in the domain. To practice what we preach, we used Group Policy's software installation policy setting to deploy any admin console utilities and client-side extensions to the appropriate workstations.

To test the workflow and change control functionality of each product, we ran a set of test cases that followed the lifecycle of each GPO. Each test case evaluated the desired feature set of the product, including checkout, edit, check-in and import/ export to our fudgeco.test domain, as well as the security model and reporting aspects of the product. Each GPO was modified several times by different users so we could effectively evaluate the notification process, history and logging detail, undo/rollback features, and the products' ability to compare different GPO versions. If a product supported GPO templates, we tested those features as well by creating a template and deriving several GPOs from it.

We then put each product's security model to the test by repeating our test cases, but limiting the RAD and PMG OU administrator's access to the modification of repository GPOs only. Where possible, we organized it so each OU admin could edit only their own GPOs and were careful to check that users could do what they expected to do and no more.

Besides the typical Resultant Set of Policy reports, we evaluated the products' reporting and monitoring capabilities by running difference reports among repository GPO versions as well as between a repository and the live GPO version. Because all three products maintain a separate GPO repository outside of AD, it was important to evaluate how they responded to live changes to production GPOs.

Client extensions to Group Policy were tested by deploying policy settings to our XP workstations, verifying those settings were actually present, disabling the GPO, then verifying they were removed. Because you can purchase Group Policy client extensions separate from the Group Policy change-management tools, we tested each vendor's GPO management tool with all three extensions ... just for kicks, of course.

All Network Computing product reviews are conducted by current or former IT professionals in our Real-World Labs® or partner labs, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. Network Computing schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.

Executive Summary

Active Directory is gaining popularity, yet its dearth of native change-management and version-control capabilities, limited software deployment functionality and Windows focus are problematic. Luckily, the Group Policy framework is extensible, so products are available to increase functionality. We brought DesktopStandard's GPOVault Enterprise and PolicyMaker + Application Security Bundle, NetIQ's Group Policy Administrator and IntelliPolicy, and Quest Software's Group Policy Manager and Group Policy Extensions to our Syracuse University Real-World Labs®.

Although individual pieces performed acceptably, we weren't pleased with the big picture. We couldn't get management offerings to play nice with extension products and we couldn't do basic things; for example, searching GPOs by setting ain't rocket science--it's just an XML file. And we couldn't customize workflows, a pet peeve. In the end, we decided not to award an Editor's Choice. It's not that we wouldn't recommend these packages, just that no one product has it all.

R E V I E W

Ad Policy Administration Suites Interactive Report Card

Sorry,your browseris not Javaenabled

Welcome to NETWORK COMPUTING's Interactive Report Card, v2. To launch it, click on the Interactive Report Card ® icon above. The program components take a few moments to load.

you

Click here for more information about our Interactive Report Card ®.