The first subfolder stores Active Templates, which are similar to the Delegation Wizard that first debuted in Windows 2000. The ADBackups folder stores exactly what it describes: AD backups. GPO History is a feature that displays the names of everyone who changed a Group Policy and the date the changes were made. Both Group Policy Administrator and GPOADmin have a similar structure, but I liked how Active Administrator made the information easy to find.

Like Group Policy Administrator, Active Administrator has a GPO repository, which Figure 3 shows. But the Active Administrator Group Policy Offline Repository is stored in a folder structure rather than in a database. This is the KISS (Keep It Simple, Stupid) principle at its best—no database requirement or additional administrative overhead.

Testing Active Administrator
I read the “Administrators Guide,” familiarized myself with the product, and then ran through the mock change-management process. When I took a backup of the default domain policy, I immediately noticed a difference with this tool: When you right-click the policy name in the GUI and choose Backup, you have a number of choices:

  1. Backup Security Group Filters
  2. Backup Group Policy Links
  3. Save a GPO Report
  4. Generate Log File
  5. Add additional Group Policies to backup
  6. Schedule the backup

A simple backup and restore mechanism is a necessity for products of this type, but these advanced features set Active Administrator apart from the others.

I then copied the GPO to an offline area by using the Add to Offline Repository menu item. Once the GPO is in the repository it can be checked out, edited, and checked back in. The process is almost identical to Group Policy Administrator except that Active Administrator doesn’t prompt you to add notes.

When it comes to auditing what has happened with Group Policy, Active Administrator has a clear lead on the competition. By using an Active Administrator agent on each DC, you can keep a close eye on who’s doing what with Group Policy. In addition to Group Policy changes, Active Administrator will let you know who has reset a password, deleted a user, and performed other administrative actions. You can capture, track, and report on more than 80 security events. If your company requires you to audit whether Group Policy follows your change-control process, then Active Administrator is the clear choice for your environment.

Active Administrator’s tabbed interface is extremely easy to master. Each area is clearly labeled, and I found Active Administrator the easiest tool to hit the ground running with. However, added features that are outside the scope of Group Policy management make Active Administrator an expensive option.

Reviewing the Pros and Cons
All three products do a good job of improving the Group Policy management process, but each does so in a different way. Group Policy Administrator and Active Administrator both use an offline repository to let you work on GPOs in an offline environment. Group Policy Administrator stores its repository in a SQL Server database. Active Administrator uses a file system as an offline repository. GPOADmin, in contrast, is an extension of GPMC and doesn’t use a repository at all. Instead, GPOADmin backs up a GPO automatically before you start editing and after you finish editing. This tool is geared toward customers who don’t want to modify existing GPOs by following the model in which you replicate an existing GPO, make changes to it, and, when you’re ready to deploy it, link it where the existing GPO is linked and then remove the links to the old GPO. GPOADmin’s approach is different because the product satisfies a different set of customer requirements.

All three products require a back-end database. Group Policy Administrator’s repository is in SQL Server. GPOADmin’s database stores backups and old versions of live, production GPOs. Active Administrator’s database stores security events such as editing, adding, or deleting GPOs, as well as other security-related events.

The look and feel of each product is unique. Group Policy Administrator looks like an extension of GPMC, whereas GPOADmin really is an extension of this Microsoft tool. Active Administrator doesn’t look like either Group Policy Administrator or GPOADmin but resembles the properties of a User object in AD with its tabbed layout.

The reporting capabilities of each product were similar. All three of these tools will help you find the similarities and differences between GPOs.

My Bottom Line
If you administer Group Policy in a medium to large company, then you’re probably familiar with the frustration of not having the tools you need to manage Group Policy in a change-control environment. All three of these products can help you get your GPOs organized in a structure that you can easily manage. NetIQ’s Group Policy Administrator and NetPro’s GPOADmin are both strong products. But because ScriptLogic’s Active Administrator had the best look and feel, was the most intuitive, and includes extra features to help manage Group Policy, I designate it my Editor’s Choice.


Reader Comments

Great article Eric!

There is not a wasted line of text… Meaning, you explain and lay things out so that an Admin at my level (knows enough to be dangerous) can easily follow along, as well as someone at, say, Mark Minasi’s level.

There is great info for everyone, regardless of their skill level. Keep them coming!

Tim Bolton

jsclmedave

Article Rating 5 out of 5