Network Computing is part of the Informa Tech Division of Informa PLC


New Tools Ensure Active Directory Policy Compliance: Page 2 of 3

WAIT ... DON'T I HAVE THAT ALREADY?

As even the larger vendors acknowledge, Microsoft's Active Directory already ships with built-in, centralized management of endpoints. So why can't Group Policy, AD's native answer to policy and configuration management, get the job done on its own?

Group Policy is a powerful tool for deploying policy settings--Microsoft has exposed thousands of configuration options in a relatively easy-to-use GUI, and hundreds of additional settings arrive with each new OS version. The underlying technology is fairly robust; defined controls can be applied to users or devices and refreshed at regular intervals.

But any number of issues can block proper Group Policy application, ranging from inadvertent corruption of local security policy files to deliberate tampering by someone trying to circumvent controls. Those failures are recorded only in the local event log of the affected desktop or server (on Vista and later, the Microsoft-Windows-GroupPolicy/Operational log), so unless you're forwarding logs and analyzing them centrally for errors--not likely on workstations, given the bandwidth and overhead required--IT is none the wiser. And event logs only tell you whether policy processing succeeded; they won't confirm that a control is actually in effect on the machine or report deviations from the intended setting.

Complexity is also a concern. As policy counts increase, it's easy to make configuration mistakes, either in the policies themselves or in the precedence ordering (local, site, domain, then OU), inheritance, blocking and enforcement that come into play as multiple layers of policies are applied to the same object.
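The two gaps just described, failures that stay in a local event log and settings that nobody validates against the intended value, can be closed with a small script. The following is an added example written for this page, not code from the article or from any vendor it mentions. It reads errors and warnings from the Group Policy Operational log and compares a few policy-delivered registry values with a baseline; the registry paths are real policy-backed settings, but the expected values and the 24-hour window are assumptions for illustration, and remote hosts are assumed to have WinRM enabled.

```powershell
# Added example, not code from the article: check Group Policy health on one
# or more computers by (1) pulling errors/warnings from the Group Policy
# Operational event log and (2) comparing policy-delivered registry values
# with an expected baseline. Needs Windows Vista/Server 2008 or later;
# remote hosts need WinRM (Enable-PSRemoting), which is assumed here.

function Test-GpoCompliance {
    param(
        [string[]]$ComputerName = @($env:COMPUTERNAME),
        [int]$Hours = 24
    )

    # Constructed baseline. The paths and value names are real policy-backed
    # settings; the expected values are assumptions for this example and
    # should be replaced with what your own GPOs enforce.
    $baseline = @(
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'EnableLUA';             Expected = 1 },
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                        Name = 'LimitBlankPasswordUse'; Expected = 1 },
        @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU';        Name = 'NoAutoUpdate';          Expected = 0 }
    )

    $check = {
        param($Baseline, $Hours)
        $since = (Get-Date).AddHours(-$Hours)

        # Level 2 = Error, 3 = Warning. Policy-processing failures land here,
        # on the local machine only, unless you forward the log.
        $events = @(Get-WinEvent -FilterHashtable @{
            LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
            Level     = 2, 3
            StartTime = $since
        } -ErrorAction SilentlyContinue)

        $failures = $events | Group-Object -Property Id | ForEach-Object {
            New-Object PSObject -Property @{
                EventId = [int]$_.Name
                Count   = $_.Count
                Message = ($_.Group[0].Message -split "`r?`n")[0]
            }
        }

        # A missing value ($null) is reported as a deviation too; "not set" is
        # not the same as "set to the expected value".
        $deviations = foreach ($item in $Baseline) {
            $actual = $null
            if (Test-Path -Path $item.Path) {
                $props = Get-ItemProperty -Path $item.Path -ErrorAction SilentlyContinue
                if ($props -and $props.PSObject.Properties[$item.Name]) {
                    $actual = $props.($item.Name)
                }
            }
            if ($actual -ne $item.Expected) {
                New-Object PSObject -Property @{
                    Path = $item.Path; Name = $item.Name
                    Expected = $item.Expected; Actual = $actual
                }
            }
        }

        New-Object PSObject -Property @{
            Computer   = $env:COMPUTERNAME
            Failures   = @($failures)
            Deviations = @($deviations)
            Compliant  = (@($failures).Count -eq 0 -and @($deviations).Count -eq 0)
        }
    }

    foreach ($c in $ComputerName) {
        if ($c -eq $env:COMPUTERNAME -or $c -eq 'localhost') {
            & $check $baseline $Hours
        } else {
            Invoke-Command -ComputerName $c -ScriptBlock $check -ArgumentList $baseline, $Hours
        }
    }
}

# Usage: run as an administrator. Pipe the objects to Export-Csv to get the
# fleet-wide view that per-machine gpresult output does not give you.
Test-GpoCompliance -ComputerName $env:COMPUTERNAME | ForEach-Object {
    "{0}: {1} policy error/warning type(s), {2} baseline deviation(s)" -f $_.Computer, $_.Failures.Count, $_.Deviations.Count
    $_.Deviations | Format-Table Path, Name, Expected, Actual -AutoSize
}
```

The point of comparing registry values rather than reading the GPO itself is that the GPO says what was intended, while the registry says what the client actually applied after precedence, inheritance and any local tampering were resolved; only the second answers the "is the light on?" question.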

"Remember that room in your house when you were growing up where there were two light switches that controlled the same light? One of the switches was always down and the other one was up, and it always felt weird to push the one that was up back down to turn the light on," says John Abraham, CEO of security auditor Redspin. "Group Policy settings in Active Directory are just like that, only there are hundreds, sometimes even thousands, of possible switches. How do you know if the light is on?"

Add another dose of complexity to the mix if you want your policies to cover settings for many non-Microsoft applications. Most organizations are still running the Windows 2003 version of Group Policy, which can't set arbitrary registry values without someone writing custom administrative (.adm) templates.

Help for the most glaring omissions arrived with the release of Windows 2008. One key addition is Group Policy Preferences (GPP), which expands the available configuration options and plugs many of the gaps in older versions, such as the inability to manage registry settings without creating custom administrative templates. GPP is the latest iteration of the PolicyMaker technology acquired from DesktopStandard, a leader in Group Policy extensions until Microsoft snapped it up in late 2006. Thankfully, the powerful features of PolicyMaker survived the transition intact: Niceties include an expanded set of predefined configuration items that target pain points, such as local account passwords, power options, printers, drive mappings, and environment variables. The best part? It's practically free, and you don't have to upgrade your AD domain to Windows 2008 to begin taking advantage; all that's required is a single Windows 2008 server or Vista workstation with the Remote Server Administration Tools (RSAT) to edit the preferences, and the GPP client-side extensions deployed to your existing XP and 2003 machines so they can process them. One caution on the local account password item: GPP stores that password in the preference XML in SYSVOL, encrypted with a fixed AES key that Microsoft published, and SYSVOL is readable by every authenticated domain user. Microsoft later removed the ability to set passwords this way (MS14-025), but items created before that stay in SYSVOL until you delete them.
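Because those stored passwords stay readable to every domain user, the one GPP check worth scripting is a sweep of SYSVOL for preference items that still carry a cpassword attribute. The script below is an added example for this page, not code from the article or from Microsoft; it assumes a domain-joined machine and takes the domain name from the environment. The file names are the ones the GPP client-side extensions use; the list of account-name attributes reflects the different item types and is an assumption you can extend.

```powershell
# Added example, not from the article: audit SYSVOL for Group Policy
# Preference items that still carry a 'cpassword' attribute. SYSVOL is
# readable by every authenticated domain user and the AES key protecting
# cpassword is public, so each hit is an exposed credential. Assumes a
# domain-joined machine (domain name taken from the environment).

function Find-GppPassword {
    param(
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $policies = "\\$Domain\SYSVOL\$Domain\Policies"

    # GPP item types whose XML can embed credentials. File names are fixed by
    # the preference client-side extensions; the attribute naming the account
    # differs per item type, so several are tried.
    $files        = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml', 'DataSources.xml', 'Drives.xml', 'Printers.xml'
    $accountAttrs = 'userName', 'accountName', 'runAs', 'username'

    Get-ChildItem -Path $policies -Recurse -Include $files -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        try { [xml]$doc = Get-Content -Path $file.FullName -ErrorAction Stop } catch { return }

        # Any element carrying cpassword, regardless of item type.
        foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
            if (-not $node.GetAttribute('cpassword')) { continue }   # attribute present but empty

            $account = $null
            foreach ($a in $accountAttrs) {
                if ($node.HasAttribute($a)) { $account = $node.GetAttribute($a); break }
            }

            # The GPO GUID is the folder directly under \Policies\.
            $guid = $null
            if ($file.FullName -match '\\Policies\\(\{[0-9A-Fa-f-]+\})\\') { $guid = $Matches[1] }

            New-Object PSObject -Property @{
                GpoGuid  = $guid
                File     = $file.FullName
                ItemType = $node.LocalName
                Account  = $account
                Changed  = $node.GetAttribute('changed')
            }
        }
    }
}

# Usage: run from any domain member as an ordinary user, which is exactly the
# point. With the GroupPolicy module (RSAT) installed, Get-GPO -Guid maps the
# GUID to a display name. Remove the item or clear the password, then set the
# local account password by some other means.
Find-GppPassword | Format-Table GpoGuid, ItemType, Account, Changed, File -AutoSize
```

Running this as a low-privilege account rather than as a domain admin is deliberate: if the sweep finds anything, it proves that an unprivileged user could have found it too.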

Advanced Group Policy Management (AGPM) ups the ante with change management, rollback, and improved reporting. AGPM was ported from GPOVault, another DesktopStandard product. Unfortunately, Microsoft has enlisted the tool in its effort to drive adoption of Windows Vista--currently, the only way to get this compelling addition is through the Microsoft Desktop Optimization Pack with Software Assurance. If you can satisfy the licensing requirements, we highly recommend taking advantage of AGPM.

Key areas where even the new Group Policy tools don't measure up: auditing, endpoint validation, and support for computers that aren't joined to AD. Sporadically connected workstations, such as those used by roaming sales staff or home-based VPN users, also present a challenge, since the background refresh only runs when the machine can reach a domain controller, so settings aren't always applied in a timely manner. Reporting (gpresult and the Group Policy Results wizard in the GPMC) covers one computer at a time and must be generated separately for each device.

The upshot: Group Policy can be a powerful weapon in your compliance efforts, but it won't satisfy all requirements.