March 29, 2005 04:29 PM

10 Ways to Manage Desktops with Group Policy

Get going with Group Policy today
Windows IT Pro
InstantDoc ID #45614
Group Policy, when properly planned and implemented, can be an indispensable tool for managing Windows desktop systems. But two obstacles prevent administrators from effectively using Group Policy. First is an incomplete understanding of what Group Policy is and how to apply it. Second is not being clear about what you want to accomplish with Group Policy. It's easy to be overwhelmed by Group Policy because of the large number of settings and the variety of ways you can apply those settings. Und...


Hardware
* Dial-Up Connection
* Portable Computer
* Battery Present
* PCMCIA Present
* CPU Speed
* Disk Space
* RAM Available
* MAC Address Range

Identity
* IP Address Range
* AD/LDAP Query
* Domain/Workgroup
* Organizational Unit
* Site Membership
* Computer/DNS Name
* Security Group
* User Match

Software
* Operating System
* Service Pack
* Terminal Session
* System/User Language
* File match
* Registry Match
* Environment Variable

Other
* Filter Group
* Message Box
* MSI Packages
* Recur Every
* Run Once
* Time Range
* WMI Query

Additionally, Group Policy provides a rich delegation and hierarchical management model so that organizations can make the system support the way they do business. All in all Group Policy has practically unlimited potential and tremendous ROI. It’s well integrated, extensible, hugely scalable and by far the most widely deployed desktop management system for Active Directory networks.

Eric

Anonymous User 4/27/2005 10:27:26 PM


Adam,

These are the extensions that are available when you install the PolicyMaker suite. Native (Microsoft) Group Policy extensions make up just 1/3 of these. The Administrative Templates extension includes hundreds of individual security and other operating system configuration parameters. Software Update provides Group Policy patch management using SUS/WUS data. Printers provides mapping of shared printers or connection of IP printers. The solutions possible with these extensions and the numerous policy types they include are innumerable.

* Environment Variables
* Local Users and Groups
* Application Security
* Device Restrictions
* Wireless
* Network Options
* Drive Maps
* Folder Redirection
* Administrative Templates
* Microsoft Disk Quota
* QoS Packet Scheduler
* Scripts
* Security
* Internet Explorer Branding
* EFS recovery
* Software Installation
* Software Update
* IP Security
* Folders
* Files
* Data Sources
* Ini Files
* Windows Services
* Folder Options
* Scheduled Tasks
* Registry
* Applications
* Printers
* Shortcuts
* Mail Profiles
* Internet Settings
* Start Menu Settings
* Regional Options
* Power Options

One of the strengths of Group Policy is its ability to target groups of settings in a GPO to users and/or computers by site, domain, and organizational unit. Additionally, GPOs can be filtered by security group and WMI filters. PolicyMaker extensions add to this flexibility by implementing per-setting targeting using a graphical drag and drop filter interface common to all extensions and settings. This allows administrators to create a much smaller number of GPOs and target contained settings more granularly. Filter classes include:

Anonymous User 4/27/2005 10:21:01 PM


Adam,

Thanks for your thoughtful response. Having worked with IT Pro (and predecessors) for many years, this is the type of in-depth discussion I would expect readers to appreciate the most. Group Policy is an expansive and valuable topic, and it’s hard to get enough depth even in a feature article. Generating discussion on the topic of what’s missing is a great approach to this problem.

Please forgive me if I got the wrong impression regarding sponsorship of the article, but it’s easy to come to this conclusion given the contents of the “Interact” section at the top of the article (in both print and online versions). I assumed that was a paid position associated with the article – which of course was the cover story for the April print edition. My mistake.

I don’t know a lot about the SL product, but from what I understand it’s dependent on KiXtart scripting, not Group Policy. There are many ways to accomplish management tasks in a distributed network – scripting, script generators, various utility products and tools, infrastructure investments such as ZENworks, SMS, Tivoli, Altiris, etc. Some of these claim to have association with Group Policy. However to actually provide new Group Policy features requires implementing Microsoft’s extensive specification for Group Policy Extension, including Group Policy Object Editor extensions, Resultant Set of Policy snap-in extensions, GPMC integration, and Client Side Extensions. This is how the Microsoft extensions work.

It’s hard for me to come up with an example of desktop management functionality that cannot be managed easily using a Group Policy extension. Of course there is not a Group Policy extension to cover every conceivable management task, yet this is true of all management products. Should holes in native functionality be filled by non-Group Policy utilities if there are capable extensions available? That’s an individual decision, but one that should be made with an understanding of the options.

In fairness, Brian did state that third party products (presumably extensions) are required to fill the holes in Group Policy – but that’s by design. Reusing my own analogy, one wouldn’t argue that IE was “too limited” because Microsoft didn’t provide all of the plug-ins. Just the opposite is true. Group Policy is practically *unlimited* because it’s extensible and the extensibility model is supported. This isn’t true of most other desktop management systems.

Brian missed an opportunity to point out a legitimate limitation of Group Policy – it doesn’t support Windows NT 4 or Windows 9x desktops. As I understand SL predates Group Policy and supports these platforms. I assume he has a good product and I’m sure it can fill some of the holes left by native Group Policy even on current platforms. However, people looking for Group Policy solutions should be aware that there are in fact true Group Policy extensions that more than handle the issues raised.

Therefore, I guess I should answer the other part of your question, “What are some specific examples of desktop management functionality that … can be done easily with a Group Policy extension?” That’s a mighty long list, and this is already getting too long – so I’ll follow up a little later.

Regards,

Eric


Anonymous User 4/14/2005 5:37:16 PM


Eric,

None of our editorial articles are sponsored. We do talk to both Microsoft and other vendors regularly though. Both ScriptLogic (Brian’s company) and DesktopStandard have made markets for themselves by providing functionality above and beyond what Group Policy can do out of the box. Since customers are paying for both of these products (as well as others), I think that’s clearly an indication that some users want more from Group Policy.

That being said, our editorial purpose in posting the argument from Brian Styles is to start a discussion about Group Policy’s limitations. Your point about Group Policy extensions vs. ScriptLogic’s approach is a good one. Clearly, DesktopStandard solves many additional desktop management problems by extending Microsoft’s existing architecture. Brian obviously feels that Microsoft’s architecture isn’t flexible enough for his customers’ needs though.

So, I pose this question to both Brian and Eric: What are some specific examples of desktop management functionality that either can’t be done using Group Policy extensions or can be done easily with a Group Policy extension?


Adam 4/14/2005 7:14:16 AM


Whoever you are... You have a right to your opinion. However, given that the article appears to be sponsored by Brian's company, and that his "comments" were fed in by the editors, it was more than appropriate to point out that the deficiencies in Group Policy that he raises are either non-existent or properly addressed by third party *Group Policy* plug-ins. Apparently Bob felt the same way.

Eric

Anonymous User 4/8/2005 9:04:15 PM


Dude you're lame - this is an article comment section, not your opportunity for a personal shameless plug.

Anonymous User 4/8/2005 11:50:01 AM


Bob,

Thanks for the plug. Clearly Group Policy is the most widely utilized desktop management technology system – and the best feature of Active Directory. As far as I know the only scoping limitations are that machines must be Windows 2000 or later, and for central management they must be joined to AD. Everyone with an Active Directory network is already using Group Policy. Unfortunately some people miss out on the rich possibilities by focusing entirely on the extensions that are provided with Windows. That’s like complaining that IE can’t view a PDF file.

Group Policy is an extensible architecture by design. The 11 extensions that ship with Windows XP include security settings, software deployment and more. However, when we introduced the first product based on this specification, a whole new world of true Group Policy was opened up. Our PolicyMaker suite includes a total of 23 extensions (e.g. printers, drive maps, patching, local users and groups management, power options, least privilege security, Outlook profiles, and much more), and each supports the full specification – including GPMC integration, backup and restore, planning and logging modes, delegation, and more. There are no servers or services to install, it all works inside the existing architecture.

We implement a number of common features in our extensions, including drag-and-drop XML import/export, 25 categories of graphical per-setting filters (no limit to granularity), per-setting documentation, environment variable integration, extension-level delegation, and much more. Our customers find that Group Policy provides the ideal combination of flexibility, power, control, and operating system integration – a combination that cannot be found in scripting, script generators, or utility products.

This article is a great introduction, and for more information on Group Policy, extensions, architecture, third party products, etc., check out the following wiki site:

http://www.grouppolicy.org

For more information on PolicyMaker, see:

http://www.desktopstandard.com/policymaker

Eric Voskuil, CTO
DesktopStandard Corporation
MVP (Windows Server – Management)


Anonymous User 4/7/2005 1:25:46 PM


I believe that GPOs (and DFS) are some of the most underutilized, most powerful options in AD.

I have recently begun using a product which has made GPOs significantly more powerful! PolicyMaker by DesktopStandard. I did look at some competing products which will go unnamed.

If you have not looked at this product you should, as it includes a BUNCH of functionality that by definition, should have been included in the GPOs. Outlook settings, Word settings, pushing out printers, mapping drives etc. It has absolutely blown me away. AND the per seat is not that much.

seriously check it out,
Bob

Robert 4/6/2005 9:36:15 AM


Brian Styles of ScriptLogic also has some thoughts about Group Policy. He hopes to hear your thoughts and share more of his with this article.

Brian's comments:

Policy-based controls over desktop settings are a great starting point to standardize and streamline the user's environment. They employ the ability to make changes on multiple machines with a single administrative change. However, Group Policies are simply not enough for comprehensive desktop administration for two reasons:

(1) limited scope of administrative ability and

(2) limited granularity of distribution.

The scope of administration Group Policies master is limited to OS- and (some) application-specific settings. Third party solutions are required to handle the multitude of other aspects that are required by the administrator to control the user's environment. Like the administrative scope, granularity of policy distribution is also extremely limited in that you have only users, groups, computers and OUs to use to differentiate policy deployment. OUs and object types are only a few of the long list of methods you can use to categorize and identify users.

It should come as no surprise to IT professionals that ScriptLogic would have an opinion on Group Policies given that ScriptLogic has made a business out of developing intuitive management solutions in the areas of desktop administration, Active Directory and Group Policy management. Now it's your turn to give us your feedback. Share with us your experiences of using Group Policies to manage Windows clients and feel free to post your questions. We'll be monitoring your feedback and posting replies.

- Brian Styles

Adam 3/29/2005 9:24:17 PM

