If you’re like most companies of any substantial size, you probably have an extensive GPO environment. Maybe you have it mostly under control; maybe you need some help getting it under control. Either way, I challenge you to think about the potential gaps and challenges you have in your GPO environment.
Ask Yourself: Do I need help?
I talk to customers all the time who believe that controlling, managing, tracking, and auditing GPOs aren’t real needs/challenges in their environment. I hear statements like, “we only have a couple people who do anything with GPOs” or “ we don’t change or create GPOs that often.” But, that’s not the thoughts they should be having or the questions they should be asking. The questions are “How many people have access to manage GPOs?” and “Do those people understand GPOs well enough to create or manage them”?
Think about it, there are few things that can nearly immediately destroy your end user environment, applications, servers, desktops, and even AD faster than an inappropriately configured and applied GPO.
The Real World
For a large part of my 19 year IT career, I’ve supported, implemented, engineered, and architected large, global AD environments, including the GPO design and implementation. Because of the potentially devastating nature of GPOs, I did my best to keep an eye on my GPO environment.
Of course, tribal knowledge existed that dictated the rule “only I was supposed to manage them”. However, as with most IT shops, there were people who had enough access that they COULD manage them if they chose too. And, of course, there were times that “bad things” happened from GPO modifications.
Beyond the potential hazards, there were other challenges I faced. Auditing season was never fun because other than submitted/approved change requests in our ticketing system, I had no proof that changes to GPOs followed process. And, as any of us that are part of audit season know, auditors are all about the proof.
Finally, I faced the enormous challenge of managing a giant environment that heavily relied on GPOs to configure the majority of the employee population with GPOs. Our GPOs changed often and we were also constantly “ramping” projects, which required new GPOs. The entire process was extremely time consuming and a bit of bottleneck to production, because I was the only one that managed them to avoid all that potential risk.
The Answer to the Challenge
So, this of course, leads me to what I feel is an exceptional answer to the challenge: Quest Software’s GPOAdmin. At this end of this article, there will be some quick links to the product’s web page so you can review it and even trial it. But, I’m going to give you the quick highlights.
The underlying basis of GPOAdmin that makes it possible to truly control, manage, track, and auditing (prove) your environment is the offline versioning feature. GPOAdmin sorta works like software development systems. What I mean by that is, it literally makes a copy of your GPO environment and stores it offline. The power this gives you is incredible.
- It allows you to version your GPOs. With version control comes:
- Check GPOs in and out for safe, offline, change.
- Create new GPOs that aren’t in the live environment until testing, validation, and approval are obtained.
- Comparison reporting that allows you to see the differences between versions of GPOs as well as live GPOs.
- The ability to easily roll back even the minutest GPO change (essentially rolling back a version).
- Safe offline testing and validation of GPO settings.
- A varied and effective set of reporting and modeling reports.
- Workflow controls for GPO changes and creation to ensure proper peer review.
- In addition, you can report on changes: who changed it, when, was it reviewed, tested, and approved… ALL THINGS AUDITORS LOVE!
Along with the offline versioning, GPOAdmin sports a myriad of features that we’ve added to the product.
- Complete delegation that does not change the native permissions in AD.
- You can even control what they can and can’t change in the GPO settings and values.
- A watcher service that allows for changes made outside of GPOAdmin. You can configure it to either:
- Immediately roll back the change made outside of GPOAdmin
- Just report on “out of compliance” GPOs, which are GPOS that were changed outside of GPOAdmin.
- With this configuration, you then have options on how to deal with the “out of compliance” GPOs to bring the offline and live versions in sync.
- The ability to schedule an approved GPO for automatic implementation during “off peak” change hours.
These are just the highlights.
Let’s wrap it up
Potential risk is mitigated with the offline versioning feature of GPO admins as well as by the granular delegation capabilities of this product. Beyond the potential risk reduction, safely allowing others to manage GPOs and parts of GPOS increases productivity by reducing the burden on 1 or just a few people and eliminating the bottleneck.
GPOAdmin tracks the changes being made, even GPOs that are modified outside of the product (remember, you can allow GPOAdmin to automatically and immediately reverse changes outside of the tool). Because of this, you have proof to show auditors and also information that gives you a complete picture of your GPO environment.
Finally, the reporting and modeling wizards allow you to intelligently understand what’s in your GPOs and the impact of new GPOs and changes to existing to GPOs. When I managed these environments (in the real world), I wasn’t lucky enough to have this product. But, looking back, I wish I knew about it and could have implemented it.
GPO control, management, tracking, and auditing isn’t a “nice to have.” It’s a real challenge for any company, and GPOAdmin is the answer to that challenge.
