Windows 2000’s Group Policy Objects (GPOs) place administrators in a difficult situation: GPOs simplify management of large and intricate networks, but the number and complex organization of GPOs make them a challenge to manage. Enter FullArmor’s Zero Administration for Windows 2000 (FAZAM 2000) 1.1, a Microsoft-certified product for use on Win2K Server that fills many of the gaps in Win2K’s GPO administration and makes Win2K Server easier to adopt.
I tested FAZAM 2000 on a 500MHz Pentium III processor with 256MB of RAM, and had no performance problems. Installation was easy and problem-free. FAZAM 2000’s main program is a Microsoft Management Console (MMC) snap-in; the interface will be familiar to Win2K administrators and convenient for administrators who want to combine and customize their snap-ins. I appreciated FAZAM 2000’s Launch GPO Tool option, which makes Win2K’s Group Policy Editor (GPE) easily accessible from the FAZAM 2000 snap-in. Rather than launching GPE through standard Win2K tools, I simply right-clicked a GPO’s Settings node and selected Launch GPO Tool.
FullArmor brags about FAZAM 2000’s Resultant Set of Policies (RSoP) feature, and with good reason. This feature let me preview the impact that applicable GPOs would have on users and computers if I assigned the GPOs to groups and organizational units (OUs). The analysis that this feature performs can be invaluable to managers of complex networks because different policies frequently have overlapping goals, and administrators can’t always determine which policy will end up in effect. However, the RSoP feature can’t work with site-level GPOs. Although administrators use site-level GPOs less frequently than domain-level GPOs, the exclusion of this capability is a shortcoming. In addition, you can’t generate RSoP analysis on GPOs that use loopback-processing mode, a mode that keeps policies consistent for a particular PC regardless of who logs on. (Usually a user’s GPO determines which policies apply.)
I used FADiag, another FAZAM 2000 diagnostic tool, to determine which policies will be in effect on a particular computer with a particular user logged on. The software requires that you run the FADiag program locally on the machine you want to analyze, which I found a tad inconvenient. However, according to FullArmor, an upcoming release of FAZAM 2000 will let you perform remote diagnoses (until then, you can use Group Policy to automate the diagnostic process). FADiag creates a policy display file, which I could access from the main FAZAM 2000 snap-in.
The standard way to back up your GPOs is to use Win2K Backup to store the system state. FAZAM 2000 lets you specify GPOs and back them up to a network directory or the location of your choice, as Figure 1 shows. For backup purposes, this feature is only slightly convenient. FAZAM 2000 also lets you use the backup feature to import or restore the backed-up policy to another domain, making the feature especially handy. However, you need to be careful about how you import; thoroughly consider which GPOs you import because the policies could have adverse effects in the network context you import them into. Importing GPOs, rather than rebuilding them, can save you a great deal of error-prone drudgery, especially if you maintain multiple domains or test domains. FAZAM 2000 includes a COM DLL that lets you script backups. This functionality lets you customize backups and schedule them to run as frequently as you want.
FAZAM 2000 also simplifies network support. The product lets you delegate policy administration to nonadministrators. This useful feature lets you give Help desk personnel support roles without giving them full administrator control in the network. In addition, you can restrict delegated authorities’ administrative capabilities to specific users and groups or give them read-only access. I especially like the fact that FAZAM 2000 uses Win2K’s standard .adm template files, which define the format of specific policies’ administrative interfaces.
Neither Win2K’s MMC Group Policy snap-in nor FAZAM 2000’s snap-in provides comprehensive views of a system’s GPOs, but FAZAM 2000 offers reporting features for this function. Therefore, the reports are simple reports of all GPOs. You can save the files as static HTML pages or in a more interesting format, as Microsoft Access 97 files, which gives you the opportunity for filtering and more complex analysis. FAZAM 2000 also adds the capability to search both Group Policy names and the associated settings. For example, you can search for the Group Policy name "Run these programs at user logon" and also the program name set in the policy. In Win2K, by default, it’s only possible to search policies and settings by first exporting them to a separate file.
FAZAM 2000 provides high-quality, comprehensive hard-copy documentation, which is rare in these times. The documentation explains the product’s features thoroughly and succinctly but assumes that you’re familiar with Active Directory (AD), OUs, and GPOs. FAZAM 2000 is an easy program to learn if you already understand these concepts; otherwise, the software’s functionality will be impenetrable to you.
By the time you read this, FAZAM 2000 1.2 should be available. FullArmor claims that version 1.2 will support site-level GPOs, enhanced reporting, and the ability to remotely connect to workstations to perform GPO diagnostics. Whereas the existing backup feature lets you import GPOs, FAZAM 2000 1.2 will let you migrate GPO settings, OU links, and GPO security filters to different domains in a forest. This feature will be useful for migrating GPOs from a test domain to a production domain.
Although FAZAM 2000 1.2 will improve functionality, FAZAM 2000 1.1 already provides Win2K network administrators with useful analysis and management features. Pricing depends on the number of systems in the network. At $15 per system for a 1000-PC network, FAZAM 2000 isn’t cheap. However, the amount of planning and troubleshooting time FAZAM 2000 will save those who manage and support extensive group policies justifies the cost.
|FAZAM 2000 1.1|
Contact: FullArmor * 617-457-8100 or 800-653-1783
Price: $15 per client for a 1000-PC network
Pros: Manages Group Policy Objects more easily than with standard tools; tests the impact of GPOs on specific users and computers before implementation; backs up GPOs and restores them to any domain; improves searching and reporting on GPOs; controls delegation of policy administration to nonadministrators.
Cons: Doesn’t support site-level GPOs or GPOs that use loopback-processing mode