Change and Configuration Management for AD

Go a step beyond basic AD auditing

EDITOR'S NOTE: The Buyer's Guide summarizes vendor-submitted information. To find out about future Buyer's Guide topics or to learn how to include your product in an upcoming Buyer's Guide, go to

Out of the box, Windows Server 2003 and Windows 2000 let you perform basic auditing of Active Directory (AD)—related machines. For example, you can determine who logged on to AD and who manipulated a file on a server. You can even determine when someone created a new Group Policy Object (GPO) or granted AD privileges to a new user.

AD's out-of-the-box auditing capabilities come up short, however. Some sensitive areas, such as the Default Domain Policy GPO and the Default Domain Controllers Policy GPO, need to be handled with kid gloves. If someone manipulates either of these GPOs, your entire domain could be at risk. Getting to the heart of who made the change, what the change was, and when the change was made are paramount to getting that domain back to its normal functioning state.

At times, the out-of-the-box functionality can't give you all the answers, and you'll require more advanced functionality. To take the GPO example a bit further, AD auditing tells you when a specific GPO has changed but not which part of the GPO changed. (For more information about AD auditing, see "Group Policy Logging," March 2002,, InstantDoc ID 23832.)

Being able to determine when AD changes occur and—more importantly—who made them can help you quickly and easily restore the system should you need to. That's where Change and Configuration Management (CCM) products come in.

AD CCM Products
CCM products for AD go a step beyond simply auditing the directory. These tools provide a way to locate errant changes and implement sanctioned changes to your environment. This Buyer's Guide lists products that perform CCM for AD.

Because AD comprises so many functions, each vendor—and thus each product—has a slightly different idea of what the goals of AD CCM should be and implements that vision in its own way. If your primary objective is to comprehensively manage your environment through Group Policy and prevent inadvertent changes from being applied to AD, consider a tool that performs check-in/check-out to stage proposed GPO configurations. The idea behind a tool such as this is simple: First, someone creates a proposed GPO to use in the domain or within an organizational unit (OU). That person then simply checks in the GPO to the library of potential GPOs. Then, after a corporate approval process (ideally through some centralized authority), the GPO is set to go live. In addition, some GPO management tools can help you determine who changed a GPO and the precise changes that person made—an especially valuable function if a user bypasses the approval process.

AD maintains user accounts and delegated security settings. Many corporations have corporate computing standards that stipulate user- and group-naming standards, OU naming standards and structure, and delegation of security rights. But AD's out-of-the-box toolset doesn't ensure that objects or attributes conform to your standard corporate configuration or naming standards. If you want to ensure that your AD deployment is consistent, look for a tool that can help flush out objects and security rights that don't match your corporation-developed naming and configuration standards. If you want to go the extra mile, consider a tool that can enforce corporate configuration and naming standards and adjust and reset those misconfigured objects to your company's standards.

When you evaluate CCM for AD tools, look for products that can help you determine AD's current state as well as identify changes that have been made to it. Throughout your deployment and ongoing AD maintenance, the best tool is one that works hand in hand with your ongoing processes. You'll want to wrap all the changes you make around a renewable process that makes sense for the way you work.

Corrections to this Article:

  • The toll-free number published for ManageSoft in the January 2004 Buyer's Guidewas incorrect. The correct toll-free number is 617-532-1600. We apologize for any inconvenience this might have caused.
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.