Network Computing is part of the Informa Tech Division of Informa PLC


Review: AD Policy Administration Suites

Group Policy should be a no-brainer for organizations running Microsoft Active Directory. It lets IT control changes and a variety of settings for all users and computers in AD from a central console. But some IT pros shy away from Group Policy. Although it's been part of every Windows OS since Win2K, Group Policy is plagued by limitations that can cause major administrative agita. In large domains with multiple administrators, for example, special care must be taken because Group Policy lets you easily adjust settings that affect every computer or user in a domain in real time, yet it lacks true change-management and version-control capabilities. Talk about a recipe for disaster.


The good news is, Microsoft publishes the APIs associated with Group Policy, so a number of third-party applications are available to help fill the gaps left in the native utility. We set out to determine whether those apps could solve a few main problems. First, the lack of a facility in Group Policy to determine who changed what settings, and when, is problematic, especially when there are several administrative spoons in the pot. This problem is compounded by the fact that GPOs (Group Policy Objects)--the building blocks of Group Policy containing individual settings to be deployed to the user or computer--are stored at the domain level in AD and can be modified only within the live AD environment. Bottom line, we've seen people make what they thought were trivial domain-level changes, only to have their helpdesk flooded with calls minutes later.

Smart IT groups work around this by granularizing their GPOs with as few policy settings as possible, so they can quickly undo tweaks that cause mass hysteria without affecting other workable GPOs. The end result of this workaround is dozens, if not hundreds, of GPOs in the AD domain. Problem is, more applied GPOs in a domain mean slower login and start-up times for users.

Desired Features-at-a-glance
