IT managers can expect more Group Policy functions and shortcuts now that Microsoft has acquired DesktopStandard Corp.'s enterprise desktop management tools.
Microsoft said after the acquisition this week that DesktopStandard's tools will help IT managers perform Group Policy Object lifecycle management in "a manner" integrated with Microsoft's Group Policy Management Console. The company did not specify whether DesktopStandard's tools would be built into the Windows operating system, integrated with its existing Group Policy technology or offered as standalone tools.
For now, the tools will be sold under the DesktopStandard brand until Microsoft starts shipping replacements. A timetable has not been set for this ship date, said Praerit Garg, senior director for the Windows Enterprise Management division at Microsoft.
As it stands, Microsoft has about 18 Group Policy tools for IT administrators out of the box, while DesktopStandard's tools add another 21 Group Policy functions, said Jeremy Moskowitz, an independent consultant and trainer who runs community forum GPanswers.com.
"There are a lot more shortcuts that can be zapped down into the desktop [using DesktopStandard's products]," Moskowitz said. "You can create an IE shortcut for the sales guy that you can't do today or set it so Sally's Outlook setting goes wherever she goes."
Moskowitz said such policy settings proved to be a challenge with the out-of-the-box Microsoft offering.
And while IT managers gain what Moskowitz calls more "wish categories" for policies through the acquisition, they are also granted more processes around Group Policy management.
Group Policy management is a popular add-on, and now Microsoft has it, said Moskowitz, adding that the acquisition is also Microsoft's recognition that Group Policy needs to live up to its promise of making life easier for IT administrators in charge of managing Windows machines.
DesktopStandard's PolicyMaker Standard Edition is aimed at reducing the need for manual processes and logon scripting. It has management capabilities for 10,000 Active Directory objects and gives IT managers access to 21 policy extensions for desktop standardization, security and compliance. Windows ships with only 11 extensions, DesktopStandard said.
"PolicyMaker provides a set of extensions to GPMC that we have not had by default in Windows, so it increases the surface area that is now manageable through Group Policy," said Garg.
DesktopStandard's standardization extensions run the gamut, from management of Microsoft Outlook and associated mail profiles and automated TCP/IP printer deployment, to Registry and ini file settings, drive maps, file transfers, shortcuts, start menu settings and scheduled tasks.
As for security, IT managers can disable hardware devices, such as USB drivers and floppy drives, manage Windows services and configure VPN connections.
Burton Group analyst Diana Kelly said that DesktopStandard's tools add more Group Policy Object granularity and will close the loop for Microsoft when it comes to compliance management changes made to devices.
For GPO granularity, for example, the PolicyMaker Standard Edition includes 25 categories of graphical per-setting filters to target individual settings within a GPO.
A hot button issue for IT managers that is not being addressed by existing technologies, however, is Group Policy management of wireless devices, Kelly said. "I don't know what DesktopStandard or Microsoft has in that area, but from what I've heard, there are some issues with GPO granularity concerning wireless," she said.
Monitoring access for least privilege users
Another question is end user security policy management. Microsoft acquired all of DesktopStandard's PolicyMaker line, except its PolicyMaker Application Security tool, which enforces least privilege user access.
Microsoft chose not to buy Application Security because it said the company is already developing such technology for Vista. The upcoming OS, for example, will include User Account Control capability to drive least privilege, said Garg.
DesktopStandard's Application Security tool was renamed Privilege Manager and was spun off as a separate, privately owned company called BeyondTrust Corp. The company remains in Portsmouth, N.H., headed by former DesktopStandard CEO John Moyer.
Moyer said he decided not to sell Application Security to Microsoft because it was DesktopStandard's fastest growing product line.
The number of companies now using Application Security is nearing 1,000, Moyer said, and added that such customers are not mom-and-pop shops but companies with at least 500 seats.
"Most of the products out there focus on external threats such as anti-spyware or anti-virus," Moyer said. "Meanwhile, all their users are sitting on the network and are, to a large degree, running as administrators on their machine," he said. "Anytime you have that, a hole opens up -- whether it's intentional or unintentional -- for malicious users."
BeyondTrust's Privilege Manager is a Group Policy extension that gives IT administrators the ability to assign the least privileges required for end users to do their jobs. Permission is granted by the tool on a per-application or per-task basis when a user tries to do something outside of what was originally set by the administrator.
Although Microsoft did acquire DesktopStandard's PolicyMaker Software Update tool, Microsoft has opted to no longer sell it and suggests using Windows Server Update Services as an alternative. Patches will be provided for the Software Update tool for the next six months, according to a Microsoft acquisition FAQ sheet.
The other tools acquired include GPOVault, PolicyMaker Standard Edition and Share Manager, all of which will be available both through Microsoft and DesktopStandard partners. ProfileMaker, however, will only be available through existing DesktopStandard resale partners and will no longer be sold by Microsoft.
Enterprise IT managers have for some time been asking Microsoft for technology that helps them better control changes to Group Policy Objects, which is now addressed by GPOVault, Garg said.