For many, it seemed that the more they looked at Group Policy, the more it frightened them. "Companies either locked it down and didn't do anything, or moved forward," he said. And it's just a matter of time before many of them hit a catastrophic event, Kim said.
Group Policy is at the center of Microsoft's change and configuration management system. It offers a lot of options, which is what's both good and bad about it. In an interview, Kim offered tips for getting the most out of this feature.
Exactly what is so hard about Group Policy?
Danny Kim: [With the latest version], they really threw the kitchen sink at it. Microsoft took everyone's feedback and tried to put it all into the product. With Windows Server 2003, there are 1,000 settings users can have. It's a daunting task to figure out where to start.
So one of the difficulties is it has everything. It's not logically organized, nor intuitive, so you have to fish around to find what you want. And the fact that there are so many things you can do means there are a lot of ways to hurt yourself.
With Windows NT, there were a lot of domains with only a few administrators each. [With Windows Server 2003 and Active Directory] there is one big domain and hundreds of administrators with no controls over Group Policy.
So, when a company moves from NT to Windows Server 2003, they find that instead of having a few administrators, they've got lots of administrators who are only experienced working in smaller domains.
Give an example of what you mean by needing to control Group Policy.
Kim: In a large bank, one Group Policy administrator had all the proxy settings for Internet access. The administrator, who was using a beta copy of Group Policy Management Console, decided after modifying a Group Policy Object that there was a bug, so he cleared out all the values.
Specifically, what happened was that the Group Policy administrator was using a setting called 'log on locally.' He didn't know what that setting was, really, but he didn't want all the administrators logging on locally. By shutting it off, all the applications that require log-on locally went down. No one could access the Internet for several hours.
So it's not Group Policy that is a problem, it's all the settings it exposes that create potential mistakes that can have a catastrophic effect.
At seminars, people always [approach] me. It's like a confessional. But they see the value [in Group Policy]. It's a huge ROI for Active Directory and Group Policy to centrally manage desktops. Still, companies are afraid of it.
What has Windows 2003 done to improve on Group Policy?
Kim: It added more settings, which compounds the issue, but also makes Group Policy more attractive. With Windows Server 2003, Microsoft released the Group Policy Management Console [which works with Windows 2000 as well]. That was a big improvement.
Has Microsoft's Trustworthy Computing security initiative had any impact on Group Policy?
Kim: Not directly. Except that Trustworthy Computing gives a corporation the mindset that you need to protect the desktop. [Companies] need to protect their end-point assets: Group Policy and the settings, managing the desktop, denying access to things you shouldn't access and configuring and controlling virus applications. A lot of control that administrators didn't have around their desktop and end points, Group Policy gives you today.
What are some of your favorite tips for Group Policy administrators?
Kim: Be careful when you set the registry and NTFS [Windows NT File System] ACLs. ACLs are access control lists, which control access to objects. It tattoos. They are permanent.
Also, be careful with any Group Policy Object with a domain-wide effect. Use tight controls around any domain setting, so only two or three people can access them.
What do you see for the future of Group Policy?
Kim: You have all the settings. What can make a Ferrari into a flying machine is its extensibility. Vendors are extending Group Policy to do more if you want it to, but you can't take advantage of this unless you have a good process around it.
One example of this is in software deployment. Group Policy provides this natively, but there are holes in Group Policy that other vendors can fill. It is a huge cost savings to companies when they can target users in a group built into the Active Directory. Of course, Microsoft has a dilemma because it has its own solution with [Systems Management Server], but there is some merging of the two.
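As an added example that is not part of the interview or of Microsoft's documentation: a PowerShell audit, using the GroupPolicy RSAT module, that lists every principal holding edit rights on each GPO linked at the domain root, so Kim's "only two or three people" rule can actually be checked. The approved-editor names are constructed placeholders to be replaced with the groups your organization has delegated.

```powershell
# Added example: report who can modify the GPOs linked at the domain root.
# Assumes the GroupPolicy RSAT module, a domain-joined machine and read access to the GPOs.
Import-Module GroupPolicy

# Assumption: audit the domain this machine is joined to.
$domainDn = ([ADSI]"LDAP://RootDSE").defaultNamingContext

# Rights that allow changing a GPO or its security, as opposed to merely reading or applying it.
$writeRights = 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom'

# Constructed allow-list: the principals expected to hold edit rights on domain-wide GPOs.
$approvedEditors = @('CONTOSO\GPO Owners', 'CONTOSO\Domain Admins')

$report = foreach ($link in (Get-GPInheritance -Target $domainDn).GpoLinks) {
    # All ACEs on this GPO, filtered down to the ones that grant write access.
    $editors = Get-GPPermission -Guid $link.GpoId -All |
        Where-Object { $writeRights -contains $_.Permission.ToString() }

    foreach ($perm in $editors) {
        $trustee = "$($perm.Trustee.Domain)\$($perm.Trustee.Name)"
        [pscustomobject]@{
            Gpo        = $link.DisplayName
            Enforced   = $link.Enforced
            Trustee    = $trustee
            Permission = $perm.Permission
            Approved   = $approvedEditors -contains $trustee
        }
    }
}

# Unapproved editors are listed first: a domain-linked GPO with many editors is the risk Kim describes.
$report | Sort-Object Approved, Gpo | Format-Table -AutoSize
$report | Where-Object { -not $_.Approved } |
    ForEach-Object { Write-Warning "Unapproved editor $($_.Trustee) on domain GPO '$($_.Gpo)'" }
```

Run it periodically and diff the output; a new trustee appearing with GpoEdit on a domain-wide GPO is exactly the change that should trigger a review before it is used.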