Group Policy is a configuration management technology that is part of Windows Server Active Directory (AD). This article explores Microsoft’s own Group Policy tools and some of the best third-party Group Policy management tools.
Group Policy Management Console
The Group Policy Management Console (GPMC) is Microsoft’s out-of-the-box Group Policy management software in Windows Server. While there are other Microsoft and third-party management tools, you can’t do without GPMC. It is also included in the Remote Server Administration Tools (RSAT) for Windows client operating systems, so it can be used without logging in to a domain controller, and it includes a PowerShell module that enables you to automate many aspects of Group Policy management.
GPMC lets you create and edit Group Policy objects (GPOs) and link them to AD sites, domains and organizational units (OUs). The Group Policy Object Editor is a separate tool that opens from GPMC; it enables you to edit and import GPO settings and back up and restore GPOs. More advanced features of GPMC allow you to apply Windows Management Instrumentation (WMI) filters to GPOs, block inheritance and enforce GPO links.
System administrators can use GPMC to view which settings have been configured in GPOs without opening the Group Policy Object Editor. In more complex situations where multiple GPOs are applied to AD objects, the Resultant Set of Policy (RSoP) shows which GPOs and settings will apply in practice to users, computers or both. RSoP can be run in Logging or Planning mode: GPMC’s Group Policy Modeling feature is RSoP in Planning mode; Group Policy Results is RSoP in Logging mode, and it generates reports that you can save in HTML format.
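The GPMC tasks described above (backing up GPOs, settings reports, RSoP in Logging mode) as an added example driven from the GroupPolicy PowerShell module that ships with GPMC/RSAT; this is not code from the article. The domain name, paths, computer name and user name are placeholders.

```powershell
# Added example (not from the article): automate the GPMC tasks described
# above with the GroupPolicy PowerShell module that ships with GPMC/RSAT.
# Assumes: run on a domain-joined admin workstation with RSAT installed, by an
# account that can read GPOs and query RSoP on the target computer. The domain,
# paths, computer and user names are placeholders.
Import-Module GroupPolicy

$Domain    = 'corp.example.com'
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmm'
$BackupDir = "C:\GPO-Backups\$Stamp"
$ReportDir = "C:\GPO-Reports\$Stamp"
New-Item -ItemType Directory -Path $BackupDir, $ReportDir -Force | Out-Null

# 1. Back up every GPO (GPMC's "Back Up All") so a bad change can be undone
#    with Restore-GPO -Path $BackupDir -Name <GPO display name>.
$Backups = Backup-GPO -All -Domain $Domain -Path $BackupDir -Comment "Scheduled backup $Stamp"

$Unlinked = @()
foreach ($Gpo in Get-GPO -All -Domain $Domain) {
    $Safe = $Gpo.DisplayName -replace '[\\/:*?"<>|]', '_'

    # 2. Settings report per GPO, the same view GPMC shows on its Settings tab,
    #    so settings can be reviewed without opening the Group Policy Object Editor.
    Get-GPOReport -Guid $Gpo.Id -Domain $Domain -ReportType Html -Path "$ReportDir\$Safe.html"

    # 3. The XML report lists where the GPO is linked (LinksTo). A GPO with no
    #    links applies nowhere but still carries delegated edit rights, so it
    #    is a cleanup candidate.
    $Xml = [xml](Get-GPOReport -Guid $Gpo.Id -Domain $Domain -ReportType Xml)
    if (-not $Xml.GPO.LinksTo) { $Unlinked += $Gpo.DisplayName }
}

# 4. RSoP in Logging mode (what Group Policy Results shows): which GPOs and
#    settings actually applied to this computer/user combination.
Get-GPResultantSetOfPolicy -Computer 'WS01' -User 'CORP\jdoe' `
    -ReportType Html -Path "$ReportDir\rsop-WS01-jdoe.html"

"{0} GPOs backed up to {1}" -f $Backups.Count, $BackupDir
"Unlinked GPOs: {0}" -f ($Unlinked -join ', ')
```

Run it from a scheduled task to keep a dated history of backups and reports that a later change can be compared against.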
Tools from SDM Software
SDM Software makes several tools for Group Policy management, including the following:
- GPO Migrator is ideal for organizations that need to clean up or consolidate GPOs. It allows you to pick which settings you want to migrate to other Group Policy objects and even migrate settings for use with PowerShell Desired State Configuration (DSC).
- GPO Policy Reporting Pak is an advanced reporting and analysis tool that lets you quickly search settings, analyze differences between GPOs, and find duplicate or conflicting settings. It can also export GPOs across different Active Directory domains and generate reports in Excel or PDF format. Reporting Pak has a PowerShell module, so you can automate everything from the command line.
- Group Policy Auditing and Attestation (GPAA) tracks changes in real time and can roll back unwanted changes. Alerts provide before and after values so you can understand what changes were made, including the who, what, when and where information. GPAA automatically backs up GPOs that are changed so that you can easily roll back to the previous state. Role-based management lets organizations delegate which users can manage Group Policy. You can assign owners to GPOs and require them to attest to their GPOs as part of a workflow.
- Group Policy Compliance Manager checks that the settings you configured in GPOs are successfully applied to the objects that fall into their scope of management. The product supports agent-based or agentless collection and can centralize reports in a SQL database for multiuser access. There is also a powerful search feature for searching GPOs and individual settings, and a PowerShell module for automation.
Netwrix Auditor for Active Directory
Netwrix Auditor for Active Directory is a comprehensive auditing product for Windows Server Active Directory. It provides security intelligence so you can better understand what is happening in AD and Group Policy. Netwrix Auditor provides change and configuration auditing for AD and Group Policy, including who, what, when, and where information and the before and after values for each change. The Enterprise Overview dashboard provides a graphical representation of events over a configurable time period and enables you to drill down to get more specific information and generate reports.
Comprehensive GPO state-in-time reports enable you to document and review current and past Group Policy object settings. Using a series of built-in reports, you can drill down to get detailed information about GPOs. For example, you could run a report to find all current GPO settings that affect password policy in the domain and compare the results with a past point in time to see if any changes were made. Another report shows whether there are duplicate settings in GPOs. Tracking down redundant settings can help improve logon efficiency and simplify operations. All reports offer filters that let you narrow down the results so you can find exactly the information you need.
Netwrix Auditor can help you prove that your organization is compliant with security regulations like GDPR, PCI DSS and HIPAA. It also integrates with other security systems and can send alerts on AD and GPO changes. The primary advantage Netwrix Auditor has over other policy management tools is that it doesn’t just help you manage Group Policy; it provides complete auditing for Active Directory. Group Policy relies on Active Directory for its security, so it is important to make sure that AD is secure and compliant; otherwise, Group Policy controls could be circumvented by a malicious actor.
Security Compliance Toolkit
Microsoft’s free Security Compliance Toolkit (SCT) contains baseline security templates for all supported versions of Windows and Windows Server that can be used to create Group Policy objects or configure local policy. SCT is updated regularly and includes comprehensive documentation of recommended Group Policy settings, along with spreadsheets that show you the differences between settings in the current and previous releases so that you can quickly understand what has changed.
SCT includes reports that help you navigate the settings in a more user-friendly way. GPOs are provided as backup objects you import using the Group Policy Management Console. You can choose which GPOs to apply according to the role of a device. For example, MSFT Windows Server 2019 – Domain Controller applies to domain controllers and MSFT Windows Server 2019 – Member Server applies to domain-joined servers.
SCT includes two useful tools. Policy Analyzer compares sets or versions of GPOs; it can compare GPOs against current local policy and registry settings and export the results to a spreadsheet. Local Group Policy Object (LGPO) is a command-line tool for automating the management of local policy on systems that aren’t joined to an Active Directory domain.
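Importing the SCT baseline backups into a domain and applying one to a standalone machine with LGPO, as an added example that is neither the article's nor the toolkit's own script. The extraction path, OU distinguished names, domain name, LGPO.exe location and the backup GUID folder are placeholders; the baseline GPO names are the two the article cites, and the exact name must match the one in the backup.

```powershell
# Added example (not from the article or the SCT itself): import the SCT
# baseline GPO backups into a domain, link them to role-based OUs, and apply
# a baseline to a standalone machine with LGPO.exe.
# Assumes: the baseline package is extracted to $Sct (placeholder path) and
# its GPO backups live in the "GPOs" folder; domain and OU paths are placeholders.
Import-Module GroupPolicy

$Domain = 'corp.example.com'
$Sct    = 'C:\SCT\Windows Server 2019'           # extracted baseline package
$GpoDir = Join-Path $Sct 'GPOs'                   # folder of {GUID} backups

# Map each baseline GPO (display name as stored in the backup) to the OU it
# should govern: the DC baseline to the default Domain Controllers OU, the
# member server baseline to the OU holding domain-joined servers.
$Plan = @(
    @{ Backup = 'MSFT Windows Server 2019 - Domain Controller'
       Target = 'SCT - Domain Controller'
       OU     = 'OU=Domain Controllers,DC=corp,DC=example,DC=com' },
    @{ Backup = 'MSFT Windows Server 2019 - Member Server'
       Target = 'SCT - Member Server'
       OU     = 'OU=Servers,DC=corp,DC=example,DC=com' }
)

foreach ($P in $Plan) {
    # -CreateIfNeeded creates the target GPO when missing, so rerunning after a
    # new SCT release simply refreshes the settings of the same GPO.
    $Gpo = Import-GPO -BackupGpoName $P.Backup -Path $GpoDir -Domain $Domain `
                      -TargetName $P.Target -CreateIfNeeded

    # Link disabled first: review the settings report in GPMC, then enable the
    # link. New-GPLink errors if the link already exists; treat that as done.
    try {
        New-GPLink -Name $Gpo.DisplayName -Target $P.OU -Domain $Domain `
                   -LinkEnabled No -ErrorAction Stop | Out-Null
    } catch { Write-Verbose "Link for $($Gpo.DisplayName) already exists: $_" }
    Get-GPOReport -Guid $Gpo.Id -Domain $Domain -ReportType Html -Path "$env:TEMP\$($P.Target).html"
}

# Standalone (non-domain) machine: snapshot local policy so it can be rolled
# back, then apply one baseline's backup folder with LGPO.exe.
$Lgpo = Join-Path $Sct 'Tools\LGPO.exe'           # placeholder: where LGPO.exe was unpacked
$Guid = '{BASELINE-BACKUP-GUID}'                  # placeholder: the chosen baseline's GUID folder
& $Lgpo /b 'C:\LocalPolicy-Backup'                # back up current local policy
& $Lgpo /g (Join-Path $GpoDir $Guid)              # import the GPO backup into local policy
```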
Advanced Group Policy Management
Advanced Group Policy Management (AGPM) is part of the Microsoft Desktop Optimization Pack (MDOP), which is available to Software Assurance customers only. It extends the features of the Group Policy Management Console with change control and better GPO management capabilities. AGPM 4.0 SP3 supports Windows 10 and is based on a client/server architecture. The AGPM Service manages an archive, which is a central store of controlled GPOs and their history. Users connect to the AGPM Service using a Microsoft Management Console (MMC) snap-in.
AGPM users can check controlled GPOs in and out, much like you might check documents in and out of a document management system. Administrators can control who has permissions to check GPOs in and out of the archive, providing a robust change control solution for Active Directory Group Policy. To prevent users from circumventing AGPM, organizations must follow security best practices to ensure that IT staff cannot use their privileges to modify Group Policy objects in the domain without using AGPM.