Feeds

Why group policy management works

Easier than scripts for tiny tots

  • alert
  • submit to reddit

Remote control for virtualized desktops

Blog They give me a certain flexibility in writing the desktop management blog. The next six articles are marked in my calendar as “something to do with Group Policy Objects (GPOs).”

The topics I write tend to line up with the research I am doing for my day job, and lo and behold, the next couple of weeks I will be deep into GPOs. I’ve spent a few days deciding exactly how to split the topic up, trying to find a non-controversial way to approach it.

The idea of role and policy based management is at the heart of Windows. Windows server and desktop operating systems are designed for it; it is simply the way you do things in a Windows world. Where the topic has the potential for conflict is that it (generally) isn’t the way you do things in the Unix world. I'm choosing the first article to be about why group policy matters, but that has the potential to ruffle a few feathers.

Having managed systems using scripts as well as using policies, I find that there is elegance to the policy approach to management. Policy management systems are usually, (but not always,) integrated into a directory system. The basic idea behind these directory services is to provide a form of Single Sign On (SSO). This isn’t new. Unix operating systems have had them for ages, they range from simple services like NIS to OpenLDAP and Samaba.

The example I am most familiar with is Microsoft’s Active Directory (AD), but I have worked with several others. The bit that makes AD, or Novell’s eDirectory and Zenworks combo, unique is an excellent integration of policy management.

What makes role and policy based management so different from scripts? Being most familiar with AD, I will use the example of Windows clients attached to a Windows domain.

GPOs are all about giving systems administrators a centralized way to modify configurations on groups of systems simply, and all at once. The systems you are managing are “joined to the domain.” This is a process in which these systems are configured to use the AD as a SSO authentication point as well as a repository of system configuration changes which they periodically poll. If they detect a change, the change is analysed to determine at what point it should be applied - now, at logoff, at logon, at system start - and queued up.

Sticking to the script

So far, so much like managing a computer using scripts. The difference lies not so much in how these changes are applied by the systems, but in how easy the process is to manage.

When a computer is joined to a domain, a computer object is created in the directory. This object contains information such as levels of privilege and which policies are applied in what order. Similarly, a user object contains all information about the user context of individuals who authenticate against the domain’s directory. Both these objects can be placed into organizational units or different types of groups.

To illustrate, let’s look at an example of managing the time settings on my network. I have five locations in three timezones, and both domain controllers and edge time servers at each location. I place all computers in a given location into their own group, and configure them to synchronize their clocks against the domain controller local to that site. By default they also share the site local timezone settings.

The domain controller, any virtual servers and all non-Windows devices are configured to synchronize against the edge time server. The edge time server synchronizes against pool.ntp.org, and so the clocks on all devices on the network are kept in sync.

I have a roaming user who has asked me to do him a favour: he visits sites around the country, but keeps himself on the timezone of his native province. He asked if there was a way to make sure that any computer he was logged into would reflect the timezone he chooses.

Choosing a cloud hosting partner with confidence

More from The Register

next story
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
NASA launches new climate model at SC14
75 days of supercomputing later ...
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
Cloud unicorns are extinct so DiData cloud mess was YOUR fault
Applications need to be built to handle TITSUP incidents
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Stop the IoT revolution! We need to figure out packet sizes first
Researchers test 802.15.4 and find we know nuh-think! about large scale sensor network ops
DEATH by COMMENTS: WordPress XSS vuln is BIGGEST for YEARS
Trio of XSS turns attackers into admins
prev story

Whitepapers

Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Designing and building an open ITOA architecture
Learn about a new IT data taxonomy defined by the four data sources of IT visibility: wire, machine, agent, and synthetic data sets.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?