3 Tools to Manage Group Policy

These products vary in approach, but all function well when change management is integral to the environment

Eric B. Rux

October 29, 2007

16 Min Read
ITPro Today logo in a gray background | ITPro Today


Microsoft is good at giving systems administrators cool product features that make our lives easier. Take Group Policy, for example. What started as simple (yet problematic) Windows NT 4.0 System Policies has turned into an enterprise solution for managing desktop settings and deploying software. You can use Group Policy to do things like remove the Run command from the Start menu (to help prevent users from gaining a command prompt), display a logon message that users must acknowledge before logging on, and run scripts for logon, logoff, and even start-up and shut-down. If a policy isn’t available to do something you want, you can very often create your own by using an Administrative (.adm) template. If you’re not using Group Policy in your infrastructure, you’re missing out on one of Active Directory’s (AD’s) most important features.

But unfortunately, for large environments, Microsoft doesn’t always provide the best tools to manage Group Policy. Group Policy Management Console (GPMC) was released in 2003 and was a great improvement over the original tools that came with the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. But GPMC lacks robust features for a complex AD environment, such as change-management capability, an offline repository, and version control. Here’s where the products in this review enter the picture. NetIQ Group Policy Administrator, NetPro GPOADmin, and Script- Logic Active Administrator all seek to fill voids in the Microsoft tools. The products take varying approaches to Group Policy management, but they all give administrators tools to keep track of Group Policy in an environment that requires change management.

Two products that fit the criteria for this comparative review are missing from it. Quest Software, which recently purchased ScriptLogic, requested that we include Script- Logic Active Administrator here, rather than Quest’s Group Policy Manager. And Microsoft’s recent acquisition of DesktopStandard has resulted in the former DesktopStandard product GPOVault being unavailable for review at this time.

The Testing Environment
To test the products, I used VMware Server 1.0.3 to set up a simple AD domain. Each domain controller (DC) was a Windows 2003 Server machine running SP1 with up-to-date security patches. I used each product to edit existing policies as well as to create new ones.

In addition, I ran each product through a typical change-management scenario that might be found in a structured IT department. Specifically, I altered the password requirements in a default domain policy. Unlike a small shop, where one or two administrators can freely make changes at will, a large, structured, enterprise IT department will demand a formal process whenever network settings are changed. I’ve worked in both situations, and I learned that, at first, change management can seem stifling and unnecessary. However, you quickly come to understand that the processes are in place not only to protect the network but also to protect you. Imagine the consequences of changing password policy without proper approval in an enterprise environment.

So, based on my experience, I created the following typical Group Policy changemanagement process, then I used each of the products I reviewed to implement Group Policy within the process:

  1. A request is made to create or alter Group Policy.

  2. The request is reviewed by peers and tested in a lab.

  3. Implementation is approved.

  4. The original Group Policy Object (GPO) (if applicable) is backed up for rollback purposes.

  5. An offline GPO is created, edited, then verified by peers.

  6. The approved GPO is linked to the appropriate organizational unit (OU), and the old GPO is unlinked, if applicable.

  7. Verification that the new GPO is in production is made.

  8. Changes made to GPOs are audited periodically to ensure that the rules are being followed.

In addition to observing how each product fit into a change-management process, I looked at how easy it was to work with the product. Did the installation make sense? Was the interface intuitive and easy to navigate? And, were there any compelling features that set oneproduct apart from the others?

NetIQ Group Policy Administrator
I had a lot of trouble installing NetIQ’s Group Policy Administrator, but not because there was a problem with the NetIQ product. Rather, the instructions for installing the application were incorrect. The “Trial Guide” clearly states that you can use Microsoft Data Engine (MSDE) to store the Group Policy Repository (Group Policy Administrator’s offline version of your GPOs), which Figure 1 shows. I read and reread the Trial Guide (i.e., Group Policy Administrator Trial Guide.pdf) but couldn’t get the product to install. I eventually called NetIQ technical support and learned that the Trial Guide was a rewrite (dated February 10, 2006) of the earlier 4.0 product version, that some important information has been left out, and that this is a known issue at NetIQ. I expressed to the technician my opinion that a Trial Guide with known misinformation from 2006 should have been updated by now. I was told that it would be updated when the next version of the software comes out. The technician was friendly and extremely knowledgeable about the product. I just wish the Trial Guide had been correct so that I hadn’t had to call him in the first place. If you decide to give Group Policy Administrator a try, be sure to review the hardware, software, and network requirements for NetIQ Group Policy Administrator 5.0 at www.netiq.com/support. Look for Knowledge Base article 70246. In the end, I had to install Microsoft SQL Server 2000 SP3 to evaluate Group Policy Administrator.

Testing Group Policy Administrator
The Group Policy Administrator Roles and Delegation wizard lets you specify who can create, edit, and link GPOs (as well as many other permissions) from within the GP Repository. You can designate a Group or User, what kind of permissions they will have, and which repository or specific Group Policy within the repository the permissions apply to. Keeping a tight leash on the repository will help prevent it from becoming a mess of half-used and obsolete GPOs.

To change the password policy within the change-management process I described earlier, I first located the default domain policy and backed it up by right-clicking the GPO under the GP Explorer node in the administrative interface and choosing Backup. Group Policy Administrator stores backups as regular folders, so you need to save them on a file server that’s backed up regularly. If you need to restore a GPO from a backup, a Group Policy Administrator wizard walks you through the procedure.

The next step was to edit an offline version of the default domain Group Policy. Editing the “live” version of a GPO can be risky because any changes you make can be immediately seen by the objects (i.e., User, Computer) that are affected by that Group Policy. To protect the production AD, you shouldn’t directly edit GPOs from within the NetIQ tool. Instead, edit them from within the GP Repository. The repository is empty by default. When you create a new GPO in Group Policy Administrator, it will originate in the repository and then be imported into the production AD. You must import existing GPOs (those you created before you installed Group Policy Administrator) into the repository if you want to edit them.

Once a GPO has been copied to the repository, you can check it out of the repository, edit it, then check it back in to the repository (multiple GPOs have to be mass imported via a script that Group Policy Administrator provides). I like the fact that Group Policy Administrator prompts the administrator to enter a comment when checking GPOs in and out of the repository. This kind of feature can be extremely valuable whenever a change management process is audited. After you edit a GPO from within the repository, you can run a report that compares the GPO in the repository to the one currently online in AD. Another useful report differentiates the two GPOs, pointing you to exactly where the differences are. Although the comparison report and the differential report sound as if they give the same information, they do not. The Group Policy Comparison report compares all the settings in the repository GPO to the online GPO’s settings. The Differential report shows only the settings that differ between the two GPOs. These are powerful reports that can help you identify problems immediately. The reports also help meet the next-to-last requirement in the change-management process I outlined earlier: verifying that the new GPO is in production.

The only feature Group Policy Administrator lacks is built-in audit functionality. The tool tracks the changes you make to the GPOs in the repository but doesn’t track the GPOs that are in production. NetIQ has a product available for separate purchase called Group Policy Guardian that integrates with Group Policy Administrator and keeps track of production GPOs.

NetPro GPOADmin
NetPro’s GPOADmin takes a different approach from the other two products in this review. Rather than creating a brandnew interface, GPOADmin extends GPMC. If you’re already using GPMC, then you’ll feel comfortable with GPOADmin, which Figure 2 shows. Like Group Policy Administrator, in order to use GPOADmin you must have SQL Server 2000 installed, and you’ll also need the .NET Framework 2.0.

There are two setup applications on the GPOADmin CD-ROM: GPOADminExtensions. msi and GPOADminSetup.msi. GPOADmin-Setup.msi is the complete setup package to get your enterprise up and running. I chose to run it on my DC, but an enterprise would probably want to run it on a dedicated server in a production environment. Once GPOADmin is set up and running, you can use GPOADminExtensions. msi to extend the GPMC installations on your administration PCs.

Installing GPOADmin went smoothly and presented no problems. After the installation is complete, you are prompted to install a license file, which is a simple .txt file that you receive from NetPro. The import process for the license file took only a few seconds and went off without a hitch.

When you run GPOADmin the first time, you’re prompted to install the following three components via a wizard: GPOADmin Database, GPOADmin Service, and the optional Monitoring Agent. I had no problems creating the database on SQL Server or creating the service that keeps track of the Group Policy activity. In the wizard, I chose to enable Comments are required with GPO Version because I wanted to see this functionality in action.

Testing GPOADmin
To begin my testing, I found the default domain policy and backed it up. The process in GPOADmin is nearly identical to Group Policy Administrator’s process.

The next step presented my first problem: I couldn’t find a way to edit the GPO offline. A quick review of the “Admin Guide” showed me what I was doing wrong: I was looking for a repository, or the word “offline” in the tool. But GPOADmin uses a “Lineage,” which is a version history of each Group Policy. This way of rolling out new GPOs took a bit of getting used to because I didn’t find it very intuitive.

The reporting in GPOADmin consists of numerous default reports that give such useful information as a listing of “Ineffective GPOs” (i.e., GPOs that aren’t linked to an OU), Group Policy with “Cross-domain linked GPOs,” and GPOs with duplicate links. You can also compare and contrast different GPOs to identify the differences between them. According to NetPro, GPOADmin “is the only solution with the ability to compare between two backups made with Microsoft GPMC so that organizations can leverage their investment with existing GPO backups.” This is a useful feature for organizations that are already using GPMC.

One of the most intriguing features that I found while evaluating these products is GPOADmin’s “GPO Cloaking.” It allows you to stage new GPOs in production yet keep them hidden from administrators who don’t have permission to see them. This feature prevents junior administrators from linking to and using a new GPO before it has been approved.

Extending GPMC is a slick idea and one that has paid off for NetPro. The only feature that I found to be frustrating was the implementation of Lineages. Given a choice, I would much prefer to have a separate repository to work from. Repositories give you a clear understanding of which GPOs are in production and which are not. Other than that, GPOADmin is a solid, clean product.

ScriptLogic Active Administrator
ScriptLogic’s Active Administrator is the most expensive solution I evaluated, but it’s also the most robust. It has most of the features the other products have, plus some additional ones. This product’s tabbed interface was my favorite to work with.

Product setup, including standard installation questions, went off without a hitch. Active Administrator can use an MSDE back end to store its Security Event Database. However, MSDE has a maximum limit of five simultaneous connections. ScriptLogic recommends that you use SQL Server if “the combination of domain controllers and the number of users accessing the information will be greater than five.” So, if you had two DCs and only three administrators simultaneously accessing data via Active Administrator, the MSDE database would work just fine.

Active Administrator stores non-security– related Group Policy data in an easily accessible folder structure. You are prompted to create this structure during the setup routine. I chose to install it on the root of the C drive: C:aadata. This folder is automatically shared as ActiveAdministrator with a security setting of EVERYONE - FULL CONTROL. ScriptLogic recommends that you “modify the permissions of the share to only allow access by the service accounts used by the Active Administrator services, and by the users who will run the Active Administrator console.” Doing so protects the data in these folders from being accessed by unauthorized users. I recommend that you create a security group called Role Active Administrators and assign this group Modify permission on the ActiveAdministrator folder. (To learn more about how to use role-based security, see “Let’s Get Organized: File Server Basics,” May 2007, InstantDoc ID 95354.) Don’t forget to double-check your corporate backup settings to ensure that these folders are backed up regularly.

The folder structure of the ActiveAdministrator share looks like the following:

C:aadata

ActiveTemplates
ADBackups
GPOHistory
GPORespository

The first subfolder stores Active Templates, which are similar to the Delegation Wizard that first debuted in Windows 2000. The ADBackups folder stores exactly what it describes: AD backups. GPO History is a feature that displays the names of everyone who changed a Group Policy and the date the changes were made. Both Group Policy Administrator and GPOADmin have a similar structure, but I liked how Active Administrator made the information easy to find.

Like Group Policy Administrator, Active Administrator has a GPO repository, which Figure 3 shows. But the Active Administrator Group Policy Offline Repository is stored in a folder structure, rather than on a database. This is the KISS (Keep It Simple Stupid) principle at its best—no database requirement or additional administrative overhead.

Testing Active Administrator
I read the “Administrators Guide,” familiarized myself with the product, and then ran through the mock change-management process. When I took a backup of the default domain policy, I immediately noticed a difference with this tool: When you right-click the policy name in the GUI and choose Backup, you have a number of choices:

  1. Backup Security Group Filters

  2. Backup Group Policy Links

  3. Save a GPO Report

  4. Generate Log File

  5. Add additional Group Policies to backup

  6. Schedule the backup

A simple backup and restore mechanism is a necessity for products of this type, but these advanced features set Active Administrator apart from the others.

I then copied the GPO to an offline area by using the Add to Offline Repository menu item. Once the GPO is in the repository it can be checked out, edited, and checked back in. The process is almost identical to Group Policy Administrator except that Active Administrator doesn’t prompt you to add notes.

When it comes to auditing what has happened with Group Policy, Active Administrator has a clear lead on the competition. By using an Active Administrator agent on each DC, you can keep a close eye on who’s doing what with Group Policy. In addition to Group Policy changes, Active Administrator will let you know who has reset a password, deleted a user, and performed other administrative actions. You can capture, track, and report on more than 80 security events. If your company requires you to audit whether Group Policy follows your change-control process, then Active Administrator is the clear choice for your environment.

Active Administrator’s tabbed interface is extremely easy to master. Each area is clearly labeled, and I found Active Administrator the easiest tool to hit the ground running with. However, added features that are outside the scope of Group Policy management make Active Administrator an expensive option.

Reviewing the Pros and Cons
All three products do a good job of improving the Group Policy management process, but each does so in a different way. Group Policy Administrator and Active Administrator both use an offline repository to let you work on GPOs in an offline environment. Group Policy Administrator stores its repository in a SQL Server database. Active Administrator uses a file system as an offline repository. GPOADmin, in contrast, is an extension of GPMC and doesn’t use a repository at all. Instead, GPOADmin backs up a GPO automatically before you start editing and after you finish editing. This tool is geared toward customers who don’t want to modify existing GPOs by following the model that says you replicate an existing GPO, make changes to it, and when you’re ready to deploy it, link it where the existing GPO is and then remove the links to the old GPO. GPOADmin’s approach is different because the product satisfies a different set of customer requirements.

All three products require a back-end database. Group Policy Administrator’s repository is in SQL Server. GPOADmin’s database stores backups and old versions of live, production GPOs in its database. Active Administrator’s database stores security events such as editing, adding, or deleting GPOs, as well as other security-related events.

The look and feel of each product is unique. Group Policy Administrator looks like an extension of GPMC, whereas GPOADmin really is an extension of this Microsoft tool. Active Administrator doesn’t look like either Group Policy Administrator or GPOADmin but resembles the properties of a User object in AD with its tabbed layout.

The reporting capabilities of each product were similar. All three of these tools will help you find the similarities and differences between GPOs.

My Bottom Line
If you administer Group Policy in a medium to large company, then you’re probably familiar with the frustration of not having the tools you need to manage Group Policy in a change-control environment. All three of these products can help you get your GPOs organized in a structure that you can easily manage. NetIQ’s Group Policy Administrator and NetPro’s GPOADmin are both strong products. But because ScriptLogic’s Active Administrator had the best look and feel, was the most intuitive, and includes extra features to help manage Group Policy, I designate it my Editor’s Choice.

Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.

You May Also Like