When Darren Mar-Elia talks to groups about GPExpert Desktop Policy Manager, he says, "The first thing I ask is 'Do you do things with Group Policy?' I get a rolling of the eyes or a nervous chuckle." IT people, says Mar-Elia, CTO of SDM Software, "look at Group Policy with over 6,000 settings and their heads spin."
Then, "I'd show them the Web interface and they got it."
GPExpert Desktop Policy Manager is a Web-based solution that lets admins select types of Group Policy configurations and target them at users or computers. SDM Software offers templates for the most commonly used Group Policy Objects (GPOs) based on talking to IT pros, standard Microsoft guides for security, industry best practices, and Mar-Elia's own experience as an IT guy, a Microsoft MVP for Group Policy technology, and a Windows IT Pro magazine contributing editor and writer.
User templates include those for commonly used for restricting applications, browser security, locking down the desktop, printer mapping, and device restrictions. Computer templates include those for security configuration, power management, and group membership control. "We anticipate that we'll get input—'hey, we'd like to see this setting in the UI'," Mar-Elia says, and the company would then oblige—"'Here's a new template.'" He adds, "If Microsoft makes additional template options, we pick them up automatically."
The policies are put into categories, with a subset of most frequently used policies, "the day-to-day stuff," Mar-Elia calls it. "If you need to get access to the 20 percent of policies that aren't exposed to the regular UI, you can use Windows PowerShell." However, you're not alone there either. "Scripting is the biggest barrier for folks," he says. "They want to know 'How do I do X?'--We provide the X's."
The company will provide a forum where it'll post snippets of code. "Let's say I want to create a Windows Firewall exception. I can select the Custom Settings template. It opens a dialog that lets you insert PowerShell commands into that window and it becomes part of that profile."
The reality of Group Policy is that "implementers aren't necessarily creators," he says. Using GPExpert Desktop Policy Manager, a separate group can approve and create, and a user can implement. Approval-based workflow ensures compliance with company and industry regulations, and the solution supports Service Modeling Language (SML) to describe configuration definitions.
The solution consists of a server piece and the Web portal piece for UI changes, and it leverages existing technology, which is important, he says. "When I was an IT guy, I would ask vendors, 'How locked in am I?' We're not a proprietary infrastructure. We simplify the native technology. If you stop using us, all that we've done is place some Group Policy Objects (GPOs) which you can still manage using Group Policy Editor (GPE)."
By summer he hopes to have a release incorporating Group Policy Preferences templates—Microsoft's new feature in Windows Server 2008. GPExpert Desktop Policy Manager is licensed per desktop--$625 for 25 desktops--and volume licensing is available.