| Executive Summary:|
BeyondTrust Privilege Manager, New Boundary Technologies' Policy Commander, and Quest Software's GPOADmin each fill Group Policy–Management gaps that exist in a standard Windows installation. Take a look at these three products if you need to remove users from the local administrators group, or you need to lock down all your PCs and be able to prove it with online reports, or you need to create a Group Policy workflow approval process.
Ever since two PCs were first connected to one another in a business environment, systems administrators have been trying to find easier ways to manage networked computers. In Windows 2000 Microsoft introduced group policies that laid a foundation for PC management that's still in use today. In this article I review three Group Policy products that all play a different role in how you manage the computers on your network. Two of the products either use or integrate heavily with Group Policy, whereas the other product relies on a custom solution.
BeyondTrust Privilege Manager
BeyondTrust Privilege Manager's aim is simple: to remove the requirement that users must be local administrators on their PCs in order to run software. This goal seems simple at first—until you actually try to accomplish it. In addition to not being able to run software, regular users can't change the time zone or run the built-in disk defragmenter utility. Privilege Manager lets you easily grant permissions on an application-by-application basis.
BeyondTrust Privilege Manager
Installation. I followed the Privilege Manager Installation Guide PDF, which walked me through the simple installation procedure. You can install Privilege Manager on Windows Server 2003 SP1 or better, or on Win2K SP4. You need to install the program on the same machine that you use to edit Group Policy. Be sure to install the Microsoft .NET Framework 2.0, which you can download from Microsoft's website. Installation is fast, taking only a few minutes—and it doesn't require any user intervention. The installation is also clean; it doesn't add any desktop shortcuts or Start menu items. Instead, Privilege Manager adds itself into Group Policy Object Editor as a Group Policy extension, as Figure 1 shows. Privilege Manager comes in both a 32-bit and a 64-bit version. Of the three solutions that I tested, Privilege Manager was by far the easiest to install and configure.
In addition to the administration portion of Privilege Manager, you must install a client for each PC that you want to manage. Because the client is in MSI format, you can easily deploy it through Group Policy. The client also comes in both 32-bit and 64-bit versions.
Configuration and use. Configuring a new Privilege Manager policy to allow users to run software is just like creating a new Group Policy setting. The new policy can be applied to users and computers during computer startup or user logon, or at 90-minute intervals. I started with a new Group Policy setting and navigated to the Group Policy Object (GPO) extension called Computer Security, which is added when Privilege Manager is installed. Next, I right-clicked and created a new Privilege Manager policy. You can choose from nine types of rules, including Path Rule (allow an application based on its path); Hash Rule (allow an application based on its hash); and rules for folders, MSI files, and certificates. An "everything rule" (called a Shell Rule) lets users run any application they want, while keeping a strict audit on the activity. This rule is useful for "power users" (e.g., developers) whose application-running privileges can't be restricted, but who need to be reminded that they are responsible for what happens on their machine. You can even set a rule to prompt the user to enter a justification for running an application.
Privilege Manager's configuration and capabilities are flexible. For example, you can create a Self-Service Installation Point, which is a read-only network share with a Folder Rule applied to it and that includes software you want users to be able to install. If a user requests a specific application, you can simply drop the setup files into the network share, and the user can then install the application.
Although you can set up a rule for any application that you want users to be able to run, Privilege Manager also has some built-in rules for common tasks. For example, you can give users permission to change their time zone, run a disk defrag, set the power options, or configure accessibility options.
Sometimes the exact process and variables a program uses aren't obvious. For these situations, Privilege Manager includes a cool troubleshooting tool called Policy Monitor (PolMon.exe). Policy Monitor displays the specific commands used when a user tries to change the time or defragment the hard drive. If you have a custom application that you need to give a user elevated privileges to, this handy tool will give you the information you need.
Each Privilege Manager rule can be filtered by an unlimited number of rules that you can define. For example, you can filter by computer name, IP address range, OS, user or security group, and approximately 22 other filter objects. If these rules don't meet your needs, you can even write your own Windows Management Instrumentation (WMI) query.
Privilege Manager makes the daunting task of removing users from the local administrators group much easier. If your security policy requires this change, consider using Privilege Manager rather than trying to tackle the job yourself.
Policy Commander lets you secure the computers on your network, based on industry standards such as HIPAA. Email alerts and reports help you keep track of your computers' security status.
Installation. Policy Commander has four components (not including the client agent). These components can be installed on one central server or workstation, or separated onto multiple machines for extremely large organizations. For my tests, I installed everything onto the domain controller (DC).
First you must install the .NET Framework 2.0. Next, install the setup.exe file, which will prompt you for the license serial number and the options you want to install. Unless you're running Microsoft SQL Server 2000 SP3 or later, the setup routine will automatically install and configure SQL Express.
Installation took about 10 minutes but went off without a hitch (after a brief call to Boundary Technologies' technical support). After the installation completed, a Help window opened that explained how to use the product.
Configuration and use. My first configuration task was to set the polling interval. For this evaluation, I chose to poll continuously. In a production environment, however, you would poll much less often—maybe hourly or daily, depending on your security requirements.
Next, I added the computers I wanted to use Policy Commander to manage. You can add computers manually through the console or with a Group Policy logon script. The Group Policy method ensures that all new PCs added to the domain are automatically added to the Policy Commander console. Because the console method requires the client PC to reboot, you should let users know before pushing the client out to everyone.
Once the client was installed, I was ready to jump in and start locking down the PCs. Policies can be assigned to individual computers or to computer groups within Policy Commander. There are two kinds of groups: organizational groups and configuration groups. Organizational groups are static and let you organize the computer structure in any way that makes sense to you. Configuration groups are dynamic—computer objects are added and removed automatically, based on specific criteria. Some built-in configuration groups are Microsoft Office Version, OS Version, and Security Groups. You can also build your own configuration group based on values such as free disk space, registry value, etc. You can even build these groups based on a WMI value. For example, if you wanted to deploy a policy to all the computers in the accounting department, you could create an organizational group and manually move the PCs you wanted the policy to apply to. Alternatively, you could create a configuration group that dynamically created a group of PCs in the accounting department based on a specific rule.
After you define how you want to group your computers, you can assign policies to them. Policy Commander includes 12 predefined policies to get you started, or you can create your own policies. Figure 2 shows Policy Commander's graphing and reporting capabilities, which your manager or compliance auditors will likely be interested in. This figure shows a total of five policies, three of which are compliant and being enforced, one of which isn't in compliance, and one that isn't applicable. To determine which machines are out of compliance, you can select the Policy Commander console's Policy Compliance tab. In addition, you can receive email alerts about PCs that have fallen out of compliance, so that you can take swift action.
If Policy Commander's 12 predefined policies aren't sufficient for your needs, you can use the Policy Editor to create your own custom policies. You can also download industry-standard policies from New Boundary Technologies' Policy Knowledge Base. For example, if you manage PCs in a hospital or medical environment, you might want to implement the HIPAA policies. Or, if you work in a military or other highly secure network, you might want to download the NSA security policies. Downloading and installing these policies is simple and automatic.
Policy Commander is extremely robust in how it filters and applies policies to computers in your Active Directory (AD) domain. Note that these polices aren't Group Policy settings—they are custom solutions that use an agent on each computer. If your SOX, SAS-70, or HIPAA auditors are hounding you for proof that your network is secure, then Policy Commander is worth a look.
GPOADmin with NetPro NetControl
I previously reviewed an earlier version of GPOADmin in "3 Tools to Manage Group Policy." Back then the product was just called GPOADmin (before Quest Software acquired NetPro Computing). NetPro's GPOADmin had one missing component compared with the competing products at the time (NetIQ's Group Policy Administrator and ScriptLogic's Active Administrator): The product lacked a Group Policy repository. When you made changes to Group Policy settings, you were actually changing the production objects. The new version of GPOADmin has an offline repository, as well as other useful features.
GPOADmin with NetPro NetControl
As in my previous review, I ran GPOADmin through a scenario that you might see in a typical large company trying to manage Group Policy changes. I created the following Group Policy change-management process, then used GPOADmin to implement Group Policy within the process:
- A request is made to create or alter Group Policy.
- The request is reviewed by peers and tested in a lab.
- Implementation is approved.
- The original GPO (if applicable) is backed up for rollback purposes.
- An offline GPO is created, edited, then verified by peers.
- The approved GPO is linked to the appropriate organizational unit (OU), and the old GPO is unlinked, if applicable.
- Verification that the new GPO is in production is made.
- Changes made to GPOs are audited periodically to ensure that the rules are being followed.
Installation. Like Privilege Manager and Policy Commander, GPOADmin requires the .NET Framework 2.0. In addition, GPOADmin requires Microsoft's free Group Policy Management Console (GPMC) and either Microsoft SQL Server or SQL Server Express. To install GPOADmin, you need to invoke four separate installation routines: NetPro Server, NetPro Console, GPOADmin Extensions, and the NetPro GPOADmin tool. The NetPro Server installation prompts you for a license file and for the name of the SQL Server machine that will store the Group Policy repository. I had some trouble with the license file that I was given for the review, as well as some questions about the many applications that had to be installed and configured. A call to Quest tech support quickly resolved my problems.
Configuration and use. After the product was installed, I opened NetPro NetControl and finished the configuration process, specifying the database, versioning, cloaking, offline editing, and logging (all features that were missing from the product when I reviewed it two years ago). The interface walked me through each process and even helped me create a connection to the SQL Server machine and create a new database.
GPOADmin is an extension of Microsoft's GPMC, so you invoke this familiar tool to create or edit a Group Policy setting. When you click the domain, a window on the right-hand pane shows four tabs titled Monitoring, Reports, Deleted Items, and Lineages. A fifth tab called Standard simply shows the GPMC window you'd see if GPOADmin weren't installed.
The Access and Monitoring tab lets you compare two or more Group Policy settings. This feature is useful in troubleshooting when one GPO is performing as you expect, while another isn't. The Reports and Deleted Items tabs are self explanatory, although their features are welcome additions to the standard GPMC. The Lineage tab helps you roll out new Group Policy settings in stages, as well as quickly roll back GPOs that don't work as expected. This new functionality fulfills steps 4 through 8 in the Group Policy change-management process that I outlined earlier. But what really makes GPOADmin an enterprise-level product is the workflow functionality included in the NetControl portion of the product.
Workflow in NetControl consists of four steps: Request, Review, Approve, and Commit. Permissions for these four steps are set in the NetControl application, which Figure 3 shows. You can give users or groups permission to request, review, or approve Group Policy settings. When it comes time to commit, you can set GPOADmin to immediately commit the policy after it's approved, or wait until a specified time (e.g., after work hours). Once the GPO is committed, an email message can be sent to a user or distribution group to let them know that the new policy was applied.
Other useful features in GPOADmin are Cloak and Lock. Cloak lets you hide a Group Policy setting that you aren't yet ready for anyone else to see. Lock prevents other administrators from changing your Group Policy setting. Even though these features are unique to the GPOADmin GUI, they both use security groups as the backbone of their functionality. If another administrator uses Windows Server's built-in GPO editing tools, these rules will still apply and the Group Policy settings will remain protected.
Different Problems, Different Solutions
Managing network computers is a full-time job. Privilege Manager, Policy Commander, and GPOADmin each fill gaps that exist in a standard Windows installation. If you need to remove users from the local administrators group, or if you need to lock down all your PCs and be able to prove it with online reports, or if you need to create a Group Policy workflow approval process, you should take a look at these three products. One of them just might be what you're looking for.