
Extending Group Policy with AutoProf Policy Maker

Two management technologies work hand-in-hand to deliver on desktop management

White Paper

Abstract

By itself, Group Policy (predicated on Active Directory) can bring structure to an unstructured
environment. However, when paired with AutoProf® Policy Maker™, the management capabilities are
further extended to get total control of desktops and servers in an extensible way that is fully
sanctioned by Microsoft. AutoProf Policy Maker can make an excellent addition to fill in the gaps left by
Group Policy alone.

Contents

Introduction
Feature Comparison Overview
Naturally Extends Group Policy
Application Settings Management
Desktop Settings Management
Scope of Management Consistency
Filters
Conclusion
Author Profile


Introduction

The primary benefit in migrating to Active Directory is to get the power of Group Policy.
The power of Group Policy is quite compelling. Group Policy has an amazing set of
controls meant to help secure, strengthen, and configure client computers and servers.

The idea behind Group Policy is simple: set up desired configurations in Active Directory,
and corporate user accounts or computer accounts (or both) will follow the commands.
Because Active Directory is a hierarchy, it’s easy to set up and maintain a Group Policy
structure that fits most business needs.

Indeed, the “out of the box” functionality of Active Directory with the power of Group Policy
can make a good start of a managed environment. A Managed Environment is one in
which administration is performed logically and centrally, instead of having one or multiple
administrators manually install software, patches, configuration changes, or other items.

Note that because Group Policy is available only with Active Directory (Windows 2000 or
Windows 2003 domains - mixed or native) and manages only Windows 2000, Windows
XP, and Windows 2003 computers, companies that have a mixed environment including
earlier client operating systems (such as Windows NT, Windows 9X, Windows ME, or
earlier) should consider an alternate path to create a managed environment. AutoProf
provides Profile Maker®, a parallel product line for creating a managed environment on
such platforms. Profile Maker is fully compatible with Policy Maker (even supporting drag-
and-drop transfer of settings between the applications). AutoProf has a white paper that
can help you work toward a managed client computer plan for mixed environments. See
the AutoProf white paper Desktop Deployment with Profile Maker.

Since Microsoft’s implementation of Group Policy doesn’t address many configuration
requirements, administrators are still forced to either jump from computer to computer to
configure many popularly requested items from their user base, or turn to third-party tools
that might do the job but unfortunately warrant another, separate software management
infrastructure just to perform the task.

Microsoft’s implementation of Group Policy gets us a good start, but it doesn’t solve a
multitude of technical challenges that most corporations face. To that end, AutoProf Policy
Maker picks up where the basic functions of Group Policy leave off. Microsoft’s
implementation of Group Policy supports 9 major functions, or Client Side Extensions
(CSEs), on Windows 2000 and 11 on Windows XP and Windows 2003.

AutoProf Policy Maker adds an additional 11 major functions to the existing Group Policy
infrastructure, with upcoming plans for growth. This means the power of Group Policy is
roughly doubled in the number of possible configuration capabilities. And, since it just
snaps in to the existing Group Policy infrastructure already implemented inside Active
Directory, there is no separate management program or third-party infrastructure required.

This paper will help IT professionals learn how AutoProf Policy Maker extends Group
Policy to provide key functionality that is simply not available in any other way (short of
adding a third-party management infrastructure), thereby leveraging the existing Group
Policy system and enhancing it to be a more complete management system.



Feature Comparison Overview

This table shows which features Microsoft provides for Group Policy, and where AutoProf Policy Maker fits in. Depending on the operating system, Group Policy brings a certain number of baseline features. Policy Maker adds to that base feature set, doubling it.

Legend: ✓ = Feature is included in the product. ✓+ = Feature is improved in this version of the product.

| Group Policy Function | Windows 2000 | Windows XP & Windows 2003 | Policy Maker |
|---|---|---|---|
| Software Installation | ✓ | ✓ | |
| Disk Quotas | ✓ | ✓ | |
| EFS Recovery | ✓ | ✓ | |
| IP Security | ✓ | ✓ | |
| QoS Packet Scheduler | ✓ | ✓+ | |
| Security Policies | ✓ | ✓ | |
| Scripts | ✓ | ✓ | |
| Registry Policies (ADM Templates) | ✓ | ✓ | |
| 802.1X Wireless Policies | | ✓ | |
| Folder Redirection | ✓ | ✓ | |
| Internet Explorer Maintenance | ✓ | ✓ | |
| Internet Settings | | | ✓ |
| Registry Settings | | | ✓ |
| Ini/Inf File Settings | | | ✓ |
| Application Settings | | | ✓ |
| Outlook Profiles | | | ✓ |
| TCP/IP and Shared Printers | | | ✓ |
| Drive Mappings | | | ✓ |
| Shortcuts | | | ✓ |
| Environment Variables | | | ✓ |
| Files Transfer/Delete | | | ✓ |
| Folder Creation/Cleanup | | | ✓ |

Table 1. Summary of Group Policy features



Naturally Extends Group Policy

Any management product that promises additional functionality should be as cleanly integrated as possible. Policy Maker simply couldn’t be any more integrated into Group Policy; it is Group Policy. In the figure on the left, you can see the regular Group Policy Object Editor that administrators use daily to configure the over 800 possible settings included by default with Group Policy once Active Directory is deployed.

Once Policy Maker is made available to administrators, their day-to-day experience and interface with Group Policy doesn’t change a bit. Indeed, there is simply a wider range of controllable functions at their fingertips. Policy Maker is so integrated that administrators with moderate Group Policy experience might never even recognize that the product was actually installed!

The additional major functions are seamlessly integrated into Group Policy, and they are presented in the interface that administrators use every day. There are no services to install on client computers or servers, or any true server components. The new configurable items simply appear in the Group Policy Object Editor (as seen in the figure on the left).

In order for client computers to process these new major functions (CSEs), a very tiny piece of software needs to be installed. However, you needn’t run around to each computer in order to ensure that the application is applied. The delivery of the client component is performed the way hundreds of modern packages are distributed -- by Group Policy Software Installation, as seen in the figure below. Once the application is set up for delivery to computers in the domain (or an Organizational Unit), the client computers need to be rebooted only once. The CSEs will then be installed and integrated into each client computer’s existing Group Policy CSE list. Then all of the major functions that Policy Maker provides will be active -- immediately.
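
The CSE list mentioned above can be inspected on a client, which is worth doing because every registered extension is a DLL loaded during policy processing. The following PowerShell is an added example, not code from this white paper or from AutoProf; it assumes CSEs are registered as GUID-named subkeys of the Winlogon\GPExtensions registry key, each with a DllName value.

```powershell
# Added example: inventory the Group Policy client-side extensions (CSEs)
# registered on this computer and check the handler DLL behind each one.
# Assumption: one subkey per CSE GUID under Winlogon\GPExtensions, with the
# handler DLL named in the DllName value.
$root     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'
$system32 = Join-Path $env:SystemRoot 'System32'

$cses = foreach ($key in Get-ChildItem -Path $root) {
    $dll = $key.GetValue('DllName')      # GetValue expands REG_EXPAND_SZ values
    if (-not $dll) { continue }          # no handler DLL recorded: nothing to check

    # A bare file name is resolved against System32.
    if (-not [System.IO.Path]::IsPathRooted($dll)) {
        $dll = Join-Path $system32 $dll
    }

    $exists = Test-Path -LiteralPath $dll
    $status = 'FileMissing'
    $signer = ''
    if ($exists) {
        $sig    = Get-AuthenticodeSignature -FilePath $dll
        $status = [string]$sig.Status
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
    }

    [pscustomobject]@{
        Guid       = $key.PSChildName
        Name       = $key.GetValue('')   # default value holds the display name
        Dll        = $dll
        Exists     = $exists
        InSystem32 = ($dll -like "$system32\*")
        Signature  = $status
        Signer     = $signer
    }
}

# Full inventory.
$cses | Sort-Object Name | Format-Table Guid, Name, Signature, Signer -AutoSize

# Review list: handler missing, not validly signed, or loaded from outside System32.
$cses |
    Where-Object { -not $_.Exists -or $_.Signature -ne 'Valid' -or -not $_.InSystem32 } |
    Format-List Guid, Name, Dll, Signature, Signer
```

A third-party CSE installed under Program Files appears in the review list by design; the list is a prompt to confirm the publisher and path, not a verdict. On older PowerShell versions, files signed through a catalog rather than an embedded signature can report NotSigned.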



Application Settings Management

Group Policy has some capacity to configure existing applications, such as built-in support for Internet Explorer. Additionally, Group Policy can be extended somewhat by “ADM templates” for applications that support them (such as Office 2000 and higher). ADM templates provide only rudimentary registry updates, cannot make logical decisions about the environment, and are oriented around software restrictions. Most ADM templates do not allow the administrator to set a preference for users; rather, most force the administrator’s only allowable configuration.

Additionally, many applications cannot be configured by making registry updates alone. This is why Policy Maker builds upon the success of Profile Maker, which has the ability to go beyond registry settings and manage complex API-based configuration requirements. Intricate configurations such as Outlook profiles (seen in the figure on the left) can be conditionally applied based on user data, environment variables, VPN, IP address, Terminal Session, etc.

The interface used to configure applications such as Office, Outlook, Internet Explorer, and others is identical to that of the actual product (as seen in the figure below). This means that administrators can perform multifaceted configuration changes without having to worry about the detailed configuration being performed behind the scenes.



Desktop Settings Management

Group Policy alone has the ability to manipulate over 800 configurable points on the desktop and underlying operating system behavior. However, even with that power, most of the changes are security restrictions or restrictions in the “look and feel” of applications like Internet Explorer and Control Panel.

Policy Maker again picks up where the default collection of Group Policy settings leaves off in the desktop settings management area. Policy Maker can set up, configure, and manage what was heretofore impossible with just Group Policy. Specifically, Policy Maker can assign printer settings for users or computers (as seen in the figure on the left). That is, an administrator can guarantee that a specific user maintains a connection to a specific printer wherever he or she roams -- or that specific computers receive the proper TCP/IP printer connections. Before Policy Maker, this was a very difficult endeavor.

Historically, many configuration requirements fell outside the realm of the built-in Group Policy settings. These included mapping a new drive letter, copying of files, and copying of folders. While it’s true that many of these configuration options could be performed by using scripts, scripts have several disadvantages.

First, an administrator must be versed in a scripting language (for example, VBScript, Perl, or batch files). Second, the administrator must be conscious of the specific time that the script runs. Many users don’t ever log off their systems. However, since native Group Policy scripts run only during startup, shutdown, logon, and logoff, it could be quite some time before these scripts run and create the desired configuration changes. Additionally, logon/logoff scripts are limited to the end user’s security context. This severely limits the number of useful actions that can be performed in the user’s environment.

Script settings also don’t support Group Policy’s “No Override/Enforced” functionality, Group Policy planning or logging modes, event logging, or any reporting whatsoever. In other words, there are no guarantees that the client computer will get the information and configuration changes you want by using scripts alone, and if it doesn’t, you won’t know about it until something goes wrong.

To overcome these limitations that are inherent to scripts, Policy Maker sports a collection of configurable options that are available only because of Policy Maker’s ability to extend Group Policy as Microsoft intended. Doing so enables desktop changes (such as the creation of a drive map as seen in the figure on the left) to be fully managed, centrally performed, and logged accordingly.



Scope of Management Consistency

One of the many strengths of Group Policy is in the way changes to the “Scope of Management” are handled. For instance, imagine that a user account is moved from one OU to another OU (say, from “Sales OU” to “Marketing OU”). Doing so will not cause the user account to maintain old and outdated Group Policy settings from the Sales OU; rather, Group Policy automatically determines that the user account has been moved and appropriately handles the changes. The same principle applies to computer accounts. That is, if a computer account is moved from one OU to another (or a laptop computer physically moves from one site to another), the policy settings applied to the user and computer are adjusted in real time.

In the figure on the left, the desktop configuration changes will be applied only when users are meant to process GPOs based on the Scope of Management and will be automatically reconfigured when the user account is moved.

Because Policy Maker contains supported CSE extensions of Group Policy, it performs in precisely the same manner as the Microsoft CSEs. Therefore, in our example, Policy Maker can be used to ensure that all settings are maintained using Group Policy: both Microsoft and Policy Maker. For instance, consider a group of users in the Sales OU who are set to receive a uniform mail configuration profile, drive mappings, environment variables and application settings. When a user account is moved from the Sales OU to the Marketing OU, those settings are automatically reconfigured when the user moves. The settings dictated in the Marketing OU will then automatically take effect: both native Group Policy settings as well as the settings that Policy Maker provides.



Filters

When applying Group Policy to collections of users or computers, often exceptions must be made. For instance, imagine that everyone in the Sales OU were to be prohibited from using Control Panel. However, two users in the Sales OU need to make presentations on the road; hence, they might need access to Display in Control Panel to change screen resolution settings. To perform exceptions in Group Policy, you would create what is known as a “Group Policy filter.” Group Policy can be filtered to either specific user accounts or particular security groups to which the user belongs.

Additionally, Group Policy supports what is known as “WMI filters,” but only when a Group Policy object (GPO) is applied to Windows XP or Windows 2003 client computers. WMI filters allow administrators to target only specific machines based on particular WMI criteria, such as amount of memory, hard disk space, and other attributes of installed hardware and software. However, creating WMI filters requires specialized knowledge of the WMI “Win32” namespace. When a WMI filter is desired, it must be written expressly to locate the attribute desired, and is filtered on the entire GPO (which may contain many potential policy settings) in a very particular parlance, as seen in the figure above.

Policy Maker implements filtering on a per policy setting (vs. per entire GPO) basis, and the filters are much more immediately available and flexible. There are 24 different categories of filters, all managed graphically. The filterable possibilities are logically presented and can be ordered in a manner analogous to using parentheses. For instance, you can set up a Policy Maker filter that will deploy a particular Policy Maker setting “Only if the computer is a laptop computer that has 128 MB of RAM and a 1-GHz processor, or if the operating system is Windows 2003” (as seen in the figure on the left).

Policy Maker filters are available to the Windows 2000, Windows XP, and Windows 2003 operating systems, whereas the native WMI filters are available to only Windows XP and Windows 2003 client computers. Note, however, that Policy Maker filters apply only to Policy Maker functions inside the GPO -- not the entire GPO.

Using Policy Maker’s per-setting filtering allows more settings to be applied via a single GPO than might otherwise be possible. This factor reduces the number of GPOs required to manage computers and users, and can simplify overall management.
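
To make the “very particular parlance” of native WMI filters concrete, the following PowerShell is an added example (not from this white paper or from AutoProf) that runs WMI-filter style WQL queries against the local computer, using the laptop and Windows 2003 criteria quoted above. The function name, the thresholds, the use of Win32_Battery as a laptop test, and version 5.2 for Windows 2003 are assumptions of the example.

```powershell
# Added example: test WMI-filter style WQL queries on the local computer.
# A WMI filter passes only when every query in it returns at least one instance,
# and a single WQL query reads from one class, so the two alternatives in the
# quoted condition need two separate filters (and therefore two GPOs).
# Constructed criteria: 128 MB RAM, 1-GHz processor, laptop; or Windows 2003.
$laptopFilter = @(
    'SELECT * FROM Win32_ComputerSystem WHERE TotalPhysicalMemory >= 134217728',
    'SELECT * FROM Win32_Processor WHERE MaxClockSpeed >= 1000',
    'SELECT * FROM Win32_Battery'        # assumption: a battery marks a laptop
)
$server2003Filter = @(
    'SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%"'
)

function Test-WmiFilter {
    # Hypothetical helper: returns $true when all queries match this computer.
    param(
        [Parameter(Mandatory = $true)][string[]]$Query,
        [string]$Namespace = 'root\CIMv2'
    )
    foreach ($q in $Query) {
        try {
            $hits = @(Get-CimInstance -Namespace $Namespace -Query $q -ErrorAction Stop)
        }
        catch {
            # This script treats a query that cannot run as a non-match.
            Write-Warning "Query failed: $q ($($_.Exception.Message))"
            return $false
        }
        if ($hits.Count -eq 0) { return $false }
    }
    return $true
}

[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    LaptopFilter     = Test-WmiFilter -Query $laptopFilter
    Server2003Filter = Test-WmiFilter -Query $server2003Filter
}
```

Running the queries on a representative machine before attaching them to a GPO shows which computers fall in or out of scope, which matters because the filter gates every setting in that GPO.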



Conclusion

Windows 2000 ships with 9 CSEs, and Windows XP and Windows 2003 both ship with 11
CSEs. However, Profile Maker immediately doubles your CSE feature set to 22 (with more
to come), and without having to upgrade your computers to get the new CSEs.

Policy Maker picks up where the built-in functions of Group Policy leave off. The most
requested desktop management features are included in Policy Maker, including printer
mappings, drive mappings, and Outlook profiles. The included Policy Maker graphical
filters can reduce administrative overhead by ensuring that just the right policy settings are
applied to just the right users or computers.

With Policy Maker, you can increase your power without having to increase your
management overhead. This is because Policy Maker simply adds new major functions, or
CSEs, to the existing Group Policy function set, in a Microsoft-sanctioned fashion. As
Policy Maker grows, the major functions that you can deploy via your existing Active
Directory and Group Policy infrastructure will grow as well.



Author Profile

Jeremy Moskowitz, MCSE, MCSA is the Chief Propeller-Head for Moskowitz, Inc.
(www.moskowitz-inc.com), working as an independent consultant and trainer for Windows
technologies. He runs www.GPOanswers.com, a community forum for people to
get their toughest Group Policy questions answered.
He can be found speaking at IT conferences and inside corporations all over the
world. He has authored or co-authored six books, including Teach Yourself
Windows 2000 Server in 24 Hours (SAMS) (translated into a dozen languages),
the highly acclaimed Windows 2000: Group Policy, Profiles, and IntelliMirror
(Sybex), and Windows 2003: Active Directory Administration Essentials (Windows
& .Net Magazine).
His next book is Group Policy, Profiles, and IntelliMirror for Windows 2003,
Windows XP, and Windows 2000 (Sybex), due in February 2004.
Since becoming one of the world's first MCSEs on both Windows NT and
Windows 2000, he has performed Active Directory, Group Policy, Windows
infrastructure, and SMS planning and implementation for some of the nation's
largest organizations. Jeremy frequently contributes to both Windows and .Net
Magazine and Microsoft Certified Professional Magazine.
