Specops Software presents: WHY EXTENDING GROUP POLICY MAKES SENSE FOR YOUR WINDOWS ENTERPRISE By Derek Melber, MCSE, MVP
Why Extending Group Policy Makes Sense for Your Windows Enterprise... 3 Every Active Directory Installation Uses Group Policy...3 Everyone Understands Group Policy Already...3 Group Policy Extensions Use Existing Infrastructure and Technology... 4 Group Policy Extensions Use Existing Security Model... 4 Group Policy Extensions Increase Your Return on Investment... 4 Group Policy Extensions Decrease Administrative Costs... 4 About the author:... 5 Why Extending Group Policy Makes Sense for Your Windows Enterprise 2
Why Extending Group Policy Makes Sense for Your Windows Enterprise Microsoft designed Group Policy to be the centralized solution for securing and controlling all Windows desktops and servers in an Active Directory domain. Group Policy has proven to be stable, reliable, and capable of performing exactly as it was designed. Microsoft has placed a significant interest in Group Policy and continues to emphasize the value and use consistently. Every time Microsoft releases a new operating system or major service pack, Group Policy is enhanced and broadened. Microsoft has also asked all departments and products to contribute controls to increase the value and reach of Group Policy. Microsoft also designed Group Policy to be extensible. This is how Microsoft is able to enhance and broaden the capabilities of Group Policy so easily. Group Policy extensibility also allows you to include features, capabilities, and controls to your Active Directory enterprise by including extensions from third party Group Policy companies. Multiple passwords in the same Windows 2003 domain, end user password reset, desktop software and hardware inventory are just a few of the amazing features that you can include by extending Group Policy. Every Active Directory Installation Uses Group Policy Group Policy is installed, configured, and enabled during the installation of Active Directory. This means that if you have Active Directory installed, you already use Group Policy. Both the domain controllers and desktops have everything they need to take advantage of Group Policy. The core security for the domain controllers and basic user account passwords is controlled by the default installation of Group Policy. Extending Group Policy does not require any additional modifications to the existing Group Policy infrastructure. Extending Group Policy only requires that the new settings become available for administration and all clients are configured to receive them during the standard Group Policy application. Everyone Understands Group Policy Already Group Policy has been available since the release of Windows 2000 Active Directory. Active Directory administrators understand Group Policy and know how to configure the settings that are available within the default Group Policy. The standard interfaces for administering Group Policy are well known, as well as the configuration options such as linking, enforcing, and filtering. Administrators know what options are available within Group Policy, as well as which settings are missing. Group Policy extensions provide features and settings to the default Group Policy which are not provided by Microsoft. The settings from the extensions are administered in the same Group Policy tools as the default settings, making it easy and straightforward for administrators to configure the new settings. Why Extending Group Policy Makes Sense for Your Windows Enterprise 3
Group Policy Extensions Use Existing Infrastructure and Technology Since Microsoft designed Group Policy to support extensions and new features, additional settings and features provided by extensions do not require new technology, interfaces, or modifications to Active Directory. The Active Directory schema and other key structural components do not need to be modified, extended, or altered for Group Policy extensions to be installed and configured. Group Policy extensions use the Group Policy Management Console (GPMC) for the creation, configuration, and management of the new settings that are installed. For more control over tracking, offline editing, backup, and security, all extensions can also be managed using the Advanced Group Policy Management (AGPM) tool by Microsoft. Both the GPMC and AGPM are proven and stable tools that are both provided by Microsoft. Group Policy Extensions Use Existing Security Model Active Directory uses both user accounts and group accounts to manage security for resources within the domain. Group Policy relies on these users and groups to control administration, delegation, and deployment of the settings configured within Group Policy. Settings such as user rights, security group membership, and item-level targeting rely heavily on user and group configurations. Group Policy extensions that can leverage targeting and unique configurations based on user and group accounts leverage the existing users and groups that are configured and stored within Active Directory. This means that additional security databases, configuration interfaces, and synchronization of security objects are not required because Group Policy has been extended to include new settings and features. Group Policy Extensions Increase Your Return on Investment The bottom line to using Active Directory, Group Policy, and extending Group Policy is consistency of management tools, security configuration, and use of the core existing infrastructure. Since Group Policy extensions leverage what is already installed, the cost for configuration and management of the new settings introduced by the extensions is negligible. Active Directory environments that run mostly Windows computers should take advantage of Group Policy extensions to increase management efficiency and reduce overall cost for managing all computers in the domain. Solutions to add functionality and settings by using agents, extending Active Directory, customizing interfaces with scripts and coding, and creating custom interfaces is costly and very difficult to manage. For an environment that has a majority of the servers and desktops running Windows, these solutions are outdated. Group Policy Extensions Decrease Administrative Costs Microsoft provides default Group Policy administrative tools such as the GPMC and AGPM. These tools are installed and used by default for all Group Policy management. The GPMC is used to create, configure, manage, maintain, and troubleshoot Group Policy by default. Why Extending Group Policy Makes Sense for Your Windows Enterprise 4
Group Policy extensions also use the GPMC and AGPM, keeping the overall management and efficiency of Group Policy management consistent. Other custom solutions that use scripts, Active Directory extensions, or proprietary interfaces require that custom interfaces be used to manage the new settings. This additional interface causes increased education requirements, complexity, and administrative overhead. About the author: Derek Melber is President of BrainCore.Net, where he does authoring, speaking, and consulting for some of the largest companies in the world. Derek is author of the Microsoft Press Group Policy Resource Kit and one of only 8 Group Policy MVPs in the world. Derek evangelizes and educates on Microsoft Windows Active Directory, Group Policy, security, and desktop management. You can reach Derek at derekm@braincore.net. Why Extending Group Policy Makes Sense for Your Windows Enterprise 5