Feeds

Why group policy management works

Easier than scripts for tiny tots

  • alert
  • submit to reddit

Boost IT visibility and business value

Blog They give me a certain flexibility in writing the desktop management blog. The next six articles are marked in my calendar as “something to do with Group Policy Objects (GPOs).”

The topics I write tend to line up with the research I am doing for my day job, and lo and behold, the next couple of weeks I will be deep into GPOs. I’ve spent a few days deciding exactly how to split the topic up, trying to find a non-controversial way to approach it.

The idea of role and policy based management is at the heart of Windows. Windows server and desktop operating systems are designed for it; it is simply the way you do things in a Windows world. Where the topic has the potential for conflict is that it (generally) isn’t the way you do things in the Unix world. I'm choosing the first article to be about why group policy matters, but that has the potential to ruffle a few feathers.

Having managed systems using scripts as well as using policies, I find that there is elegance to the policy approach to management. Policy management systems are usually, (but not always,) integrated into a directory system. The basic idea behind these directory services is to provide a form of Single Sign On (SSO). This isn’t new. Unix operating systems have had them for ages, they range from simple services like NIS to OpenLDAP and Samaba.

The example I am most familiar with is Microsoft’s Active Directory (AD), but I have worked with several others. The bit that makes AD, or Novell’s eDirectory and Zenworks combo, unique is an excellent integration of policy management.

What makes role and policy based management so different from scripts? Being most familiar with AD, I will use the example of Windows clients attached to a Windows domain.

GPOs are all about giving systems administrators a centralized way to modify configurations on groups of systems simply, and all at once. The systems you are managing are “joined to the domain.” This is a process in which these systems are configured to use the AD as a SSO authentication point as well as a repository of system configuration changes which they periodically poll. If they detect a change, the change is analysed to determine at what point it should be applied - now, at logoff, at logon, at system start - and queued up.

Sticking to the script

So far, so much like managing a computer using scripts. The difference lies not so much in how these changes are applied by the systems, but in how easy the process is to manage.

When a computer is joined to a domain, a computer object is created in the directory. This object contains information such as levels of privilege and which policies are applied in what order. Similarly, a user object contains all information about the user context of individuals who authenticate against the domain’s directory. Both these objects can be placed into organizational units or different types of groups.

To illustrate, let’s look at an example of managing the time settings on my network. I have five locations in three timezones, and both domain controllers and edge time servers at each location. I place all computers in a given location into their own group, and configure them to synchronize their clocks against the domain controller local to that site. By default they also share the site local timezone settings.

The domain controller, any virtual servers and all non-Windows devices are configured to synchronize against the edge time server. The edge time server synchronizes against pool.ntp.org, and so the clocks on all devices on the network are kept in sync.

I have a roaming user who has asked me to do him a favour: he visits sites around the country, but keeps himself on the timezone of his native province. He asked if there was a way to make sure that any computer he was logged into would reflect the timezone he chooses.

The essential guide to IT transformation

More from The Register

next story
The Return of BSOD: Does ANYONE trust Microsoft patches?
Sysadmins, you're either fighting fires or seen as incompetents now
Microsoft: Azure isn't ready for biz-critical apps … yet
Microsoft will move its own IT to the cloud to avoid $200m server bill
US regulators OK sale of IBM's x86 server biz to Lenovo
Now all that remains is for gov't offices to ban the boxes
Flash could be CHEAPER than SAS DISK? Come off it, NetApp
Stats analysis reckons we'll hit that point in just three years
Oracle reveals 32-core, 10 BEEELLION-transistor SPARC M7
New chip scales to 1024 cores, 8192 threads 64 TB RAM, at speeds over 3.6GHz
Object storage bods Exablox: RAID is dead, baby. RAID is dead
Bring your own disks to its object appliances
Nimble's latest mutants GORGE themselves on unlucky forerunners
Crossing Sandy Bridges without stopping for breath
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Build a business case: developing custom apps
Learn how to maximize the value of custom applications by accelerating and simplifying their development.
Rethinking backup and recovery in the modern data center
Combining intelligence, operational analytics, and automation to enable efficient, data-driven IT organizations using the HP ABR approach.
Next gen security for virtualised datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.