Feeds

Why group policy management works

Easier than scripts for tiny tots

  • alert
  • submit to reddit

Boost IT visibility and business value

Blog They give me a certain flexibility in writing the desktop management blog. The next six articles are marked in my calendar as “something to do with Group Policy Objects (GPOs).”

The topics I write tend to line up with the research I am doing for my day job, and lo and behold, the next couple of weeks I will be deep into GPOs. I’ve spent a few days deciding exactly how to split the topic up, trying to find a non-controversial way to approach it.

The idea of role and policy based management is at the heart of Windows. Windows server and desktop operating systems are designed for it; it is simply the way you do things in a Windows world. Where the topic has the potential for conflict is that it (generally) isn’t the way you do things in the Unix world. I'm choosing the first article to be about why group policy matters, but that has the potential to ruffle a few feathers.

Having managed systems using scripts as well as using policies, I find that there is elegance to the policy approach to management. Policy management systems are usually, (but not always,) integrated into a directory system. The basic idea behind these directory services is to provide a form of Single Sign On (SSO). This isn’t new. Unix operating systems have had them for ages, they range from simple services like NIS to OpenLDAP and Samaba.

The example I am most familiar with is Microsoft’s Active Directory (AD), but I have worked with several others. The bit that makes AD, or Novell’s eDirectory and Zenworks combo, unique is an excellent integration of policy management.

What makes role and policy based management so different from scripts? Being most familiar with AD, I will use the example of Windows clients attached to a Windows domain.

GPOs are all about giving systems administrators a centralized way to modify configurations on groups of systems simply, and all at once. The systems you are managing are “joined to the domain.” This is a process in which these systems are configured to use the AD as a SSO authentication point as well as a repository of system configuration changes which they periodically poll. If they detect a change, the change is analysed to determine at what point it should be applied - now, at logoff, at logon, at system start - and queued up.

Sticking to the script

So far, so much like managing a computer using scripts. The difference lies not so much in how these changes are applied by the systems, but in how easy the process is to manage.

When a computer is joined to a domain, a computer object is created in the directory. This object contains information such as levels of privilege and which policies are applied in what order. Similarly, a user object contains all information about the user context of individuals who authenticate against the domain’s directory. Both these objects can be placed into organizational units or different types of groups.

To illustrate, let’s look at an example of managing the time settings on my network. I have five locations in three timezones, and both domain controllers and edge time servers at each location. I place all computers in a given location into their own group, and configure them to synchronize their clocks against the domain controller local to that site. By default they also share the site local timezone settings.

The domain controller, any virtual servers and all non-Windows devices are configured to synchronize against the edge time server. The edge time server synchronizes against pool.ntp.org, and so the clocks on all devices on the network are kept in sync.

I have a roaming user who has asked me to do him a favour: he visits sites around the country, but keeps himself on the timezone of his native province. He asked if there was a way to make sure that any computer he was logged into would reflect the timezone he chooses.

Boost IT visibility and business value

More from The Register

next story
Pay to play: The hidden cost of software defined everything
Enter credit card details if you want that system you bought to actually be useful
HP busts out new ProLiant Gen9 servers
Think those are cool? Wait till you get a load of our racks
Shoot-em-up: Sony Online Entertainment hit by 'large scale DDoS attack'
Games disrupted as firm struggles to control network
Community chest: Storage firms need to pay open-source debts
Samba implementation? Time to get some devs on the job
Like condoms, data now comes in big and HUGE sizes
Linux Foundation lights a fire under storage devs with new conference
Silicon Valley jolted by magnitude 6.1 quake – its biggest in 25 years
Did the earth move for you at VMworld – oh, OK. It just did. A lot
prev story

Whitepapers

Gartner critical capabilities for enterprise endpoint backup
Learn why inSync received the highest overall rating from Druva and is the top choice for the mobile workforce.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.