Policy Commander is extremely robust in how it filters and applies policies to computers in your Active Directory (AD) domain. Note that these polices aren't Group Policy settings—they are custom solutions that use an agent on each computer. If your SOX, SAS-70, or HIPAA auditors are hounding you for proof that your network is secure, then Policy Commander is worth a look.
GPOADmin with NetPro NetControl
I previously reviewed an earlier version of GPOADmin in "3 Tools to Manage Group Policy." Back then the product was just called GPOADmin (before Quest Software acquired NetPro Computing). NetPro's GPOADmin had one missing component compared with the competing products at the time (NetIQ's Group Policy Administrator and ScriptLogic's Active Administrator): The product lacked a Group Policy repository. When you made changes to Group Policy settings, you were actually changing the production objects. The new version of GPOADmin has an offline repository, as well as other useful features.
GPOADmin with NetPro NetControl
PROS: New workflow functionality makes it a true enterprise-class product; easily fit into my new GPO process
CONS: Complex installation
RATING: 4 out of 5
PRICE: $12/enabled user account
RECOMMENDATION: Use this product to create a Group Policy workflow approval process.
CONTACT: Quest Software • 800-306-9329 • www.quest.com
|
As in my previous review, I ran GPOADmin through a scenario that you might see in a typical large company trying to manage Group Policy changes. I created the following Group Policy change-management process, then used GPOADmin to implement Group Policy within the process:
- A request is made to create or alter Group Policy.
- The request is reviewed by peers and tested in a lab.
- Implementation is approved.
- The original GPO (if applicable) is backed up for rollback purposes.
- An offline GPO is created, edited, then verified by peers.
- The approved GPO is linked to the appropriate organizational unit (OU), and the old GPO is unlinked, if applicable.
- Verification that the new GPO is in production is made.
- Changes made to GPOs are audited periodically to ensure that the rules are being followed.
Installation. Like Privilege Manager and Policy Commander, GPOADmin requires the .NET Framework 2.0. In addition, GPOADmin requires Microsoft's free Group Policy Management Console (GPMC) and either Microsoft SQL Server or SQL Server Express. To install GPOADmin, you need to invoke four separate installation routines: NetPro Server, NetPro Console, GPOADmin Extensions, and the NetPro GPOADmin tool. The NetPro Server installation prompts you for a license file and for the name of the SQL Server machine that will store the Group Policy repository. I had some trouble with the license file that I was given for the review, as well as some questions about the many applications that had to be installed and configured. A call to Quest tech support quickly resolved my problems.
Configuration and use. After the product was installed, I opened NetPro NetControl and finished the configuration process, specifying the database, versioning, cloaking, offline editing, and logging (all features that were missing from the product when I reviewed it two years ago). The interface walked me through each process and even helped me create a connection to the SQL Server machine and create a new database.
GPOADmin is an extension of Microsoft's GPMC, so you invoke this familiar tool to create or edit a Group Policy setting. When you click the domain, a window on the right-hand pane shows four tabs titled Monitoring, Reports, Deleted Items, and Lineages. A fifth tab called Standard simply shows the GPMC window you'd see if GPOADmin weren't installed.
The Access and Monitoring tab lets you compare two or more Group Policy settings. This feature is useful in troubleshooting when one GPO is performing as you expect, while another isn't. The Reports and Deleted Items tabs are self explanatory, although their features are welcome additions to the standard GPMC. The Lineage tab helps you roll out new Group Policy settings in stages, as well as quickly roll back GPOs that don't work as expected. This new functionality fulfills steps 4 through 8 in the Group Policy change-management process that I outlined earlier. But what really makes GPOADmin an enterprise-level product is the workflow functionality included in the NetControl portion of the product.
Workflow in NetControl consists of four steps: Request, Review, Approve, and Commit. Permissions for these four steps are set in the NetControl application, which Figure 3 shows. You can give users or groups permission to request, review, or approve Group Policy settings. When it comes time to commit, you can set GPOADmin to immediately commit the policy after it's approved, or wait until a specified time (e.g., after work hours). Once the GPO is committed, an email message can be sent to a user or distribution group to let them know that the new policy was applied.
Other useful features in GPOADmin are Cloak and Lock. Cloak lets you hide a Group Policy setting that you aren't yet ready for anyone else to see. Lock prevents other administrators from changing your Group Policy setting. Even though these features are unique to the GPOADmin GUI, they both use security groups as the backbone of their functionality. If another administrator uses Windows Server's built-in GPO editing tools, these rules will still apply and the Group Policy settings will remain protected.
Different Problems, Different Solutions
Managing network computers is a full-time job. Privilege Manager, Policy Commander, and GPOADmin each fill gaps that exist in a standard Windows installation. If you need to remove users from the local administrators group, or if you need to lock down all your PCs and be able to prove it with online reports, or if you need to create a Group Policy workflow approval process, you should take a look at these three products. One of them just might be what you're looking for.