Why group policy management works

Easier than scripts for tiny tots

They give me a certain flexibility in writing the desktop management blog. The next six articles are marked in my calendar as “something to do with Group Policy Objects (GPOs).”

The topics I write tend to line up with the research I am doing for my day job, and lo and behold, the next couple of weeks I will be deep into GPOs. I’ve spent a few days deciding exactly how to split the topic up, trying to find a non-controversial way to approach it.

The idea of role and policy based management is at the heart of Windows. Windows server and desktop operating systems are designed for it; it is simply the way you do things in a Windows world. Where the topic has the potential for conflict is that it (generally) isn’t the way you do things in the Unix world. I'm choosing the first article to be about why group policy matters, but that has the potential to ruffle a few feathers.

Having managed systems using scripts as well as using policies, I find that there is an elegance to the policy approach to management. Policy management systems are usually (but not always) integrated into a directory system. The basic idea behind these directory services is to provide a form of Single Sign On (SSO). This isn’t new. Unix operating systems have had them for ages; they range from simple services like NIS to OpenLDAP and Samba.

The example I am most familiar with is Microsoft’s Active Directory (AD), but I have worked with several others. The bit that makes AD, or Novell’s eDirectory and Zenworks combo, unique is an excellent integration of policy management.

What makes role and policy based management so different from scripts? Being most familiar with AD, I will use the example of Windows clients attached to a Windows domain.

GPOs are all about giving systems administrators a centralized way to modify configurations on groups of systems simply, and all at once. The systems you are managing are “joined to the domain.” This is a process in which these systems are configured to use the AD as an SSO authentication point as well as a repository of system configuration changes which they periodically poll. If they detect a change, the change is analysed to determine at what point it should be applied - now, at logoff, at logon, at system start - and queued up.

Sticking to the script

So far, so much like managing a computer using scripts. The difference lies not so much in how these changes are applied by the systems, but in how easy the process is to manage.

When a computer is joined to a domain, a computer object is created in the directory. This object contains information such as levels of privilege and which policies are applied in what order. Similarly, a user object contains all information about the user context of individuals who authenticate against the domain’s directory. Both these objects can be placed into organizational units or different types of groups.

To illustrate, let’s look at an example of managing the time settings on my network. I have five locations in three timezones, and both domain controllers and edge time servers at each location. I place all computers in a given location into their own group, and configure them to synchronize their clocks against the domain controller local to that site. By default they also share the site local timezone settings.

The domain controller, any virtual servers and all non-Windows devices are configured to synchronize against the edge time server. The edge time server synchronizes against pool.ntp.org, and so the clocks on all devices on the network are kept in sync.
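The per-site time setup just described, and the computer-object/OU linkage from the previous section, expressed as an added PowerShell example. This is not code from the article or from Microsoft; it assumes the RSAT GroupPolicy and ActiveDirectory modules on a management workstation, a domain whose computers sit in one OU per site under an "OU=Sites" container, and a domain controller per site. The domain name, site names, OU paths and host names are constructed placeholders; the registry paths are the ones the "Configure Windows NTP Client" administrative template writes.

```powershell
# Added example, not from the original article.
# Assumptions (placeholders): domain corp.example, OUs OU=<Site>,OU=Sites,<domain>,
# one DC per site named dc-<site>.corp.example, a workstation WS-WPG-042.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName

# One entry per location: the OU holding that site's computers and the
# domain controller those computers should synchronise their clocks against.
$sites = @(
    @{ Name = 'Winnipeg';  Ou = "OU=Winnipeg,OU=Sites,$domainDn";  Dc = 'dc-winnipeg.corp.example' },
    @{ Name = 'Calgary';   Ou = "OU=Calgary,OU=Sites,$domainDn";   Dc = 'dc-calgary.corp.example' },
    @{ Name = 'Toronto';   Ou = "OU=Toronto,OU=Sites,$domainDn";   Dc = 'dc-toronto.corp.example' }
)

# Policy registry locations used by the W32Time administrative template.
$paramsKey = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
$clientKey = 'HKLM\SOFTWARE\Policies\Microsoft\W32Time\TimeProviders\NtpClient'

foreach ($site in $sites) {
    $gpoName = "Time - $($site.Name)"

    # Create the GPO once; re-running the script just refreshes its settings.
    $gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $gpoName -Comment "NTP source for the $($site.Name) site"
    }

    # Type=NTP means "use the listed server(s)", not the domain hierarchy;
    # the ",0x8" flag puts the client in client mode against that server.
    Set-GPRegistryValue -Name $gpoName -Key $paramsKey -ValueName 'Type' `
        -Type String -Value 'NTP' | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $paramsKey -ValueName 'NtpServer' `
        -Type String -Value "$($site.Dc),0x8" | Out-Null
    Set-GPRegistryValue -Name $gpoName -Key $clientKey -ValueName 'Enabled' `
        -Type DWord -Value 1 | Out-Null

    # Link the GPO to the site OU unless a link already exists.
    $links = (Get-GPInheritance -Target $site.Ou).GpoLinks
    if (-not ($links | Where-Object { $_.DisplayName -eq $gpoName })) {
        New-GPLink -Name $gpoName -Target $site.Ou -LinkEnabled Yes | Out-Null
    }
}

# The computer object decides what a machine receives: find the OU the
# object lives in and list the GPO links in the order they apply.
$computer = Get-ADComputer -Identity 'WS-WPG-042'
$computerOu = ($computer.DistinguishedName -split ',', 2)[1]
(Get-GPInheritance -Target $computerOu).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# On the workstation itself, after the next policy refresh (or "gpupdate /target:computer /force"):
#   w32tm /query /source          -> should name the site's DC
#   gpresult /r /scope:computer   -> should list "Time - <Site>" under Applied Group Policy Objects
```

The domain controllers live in their own Domain Controllers OU, so the site GPOs above never touch them; their own sync source (the edge time server in the article's layout) is configured separately. Keeping every clock in step is not only cosmetic: Active Directory's Kerberos rejects authentication when client and server clocks differ by more than five minutes by default, and consistent timestamps are what lets you correlate security logs across machines during an investigation.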

I have a roaming user who has asked me to do him a favour: he visits sites around the country, but keeps himself on the timezone of his native province. He asked if there was a way to make sure that any computer he was logged into would reflect the timezone he chooses.