Microsoft Corp.s Group Policy provides enterprises using Windows with base-line functionality for running managed, locked-down client machines—as long as the target systems live within an Active Directory environment. GPAnywhere 2.0 is an ingenious product from FullArmor Corp. that bridges the Group Policy coverage gap.
Click here to read the full review of GPAnywhere 2.0.
2
Microsoft Corp.s Group Policy provides enterprises using Windows with base-line functionality for running managed, locked-down client machines—as long as the target systems live within an Active Directory environment. GPAnywhere 2.0 is an ingenious product from FullArmor Corp. that bridges the Group Policy coverage gap.
GPAnywhere 2.0, released in the spring, enables administrators to apply Group Policy configurations to machines that fall outside AD. The product is delivered in two modules: a console that plugs into Microsofts Group Policy Management Console and a client that must be installed on the machines targeted for management.
/zimages/3/28571.gifClick hereto read more about locking down Windows systems.
In eWEEK Labs tests, we were able to create policies using Microsofts standard Group Policy tools and to pack these policies up into an executable file using the GPAnywhere console. The console exists as an MMC (Microsoft Management Console) snap-in that shows up as a new tab in the Group Policy Management Console.
/zimages/3/120696.jpg
GPAnywhere was straightforward to use, and we recommend that organizations using Group Policy to manage their systems investigate GPAnywhere as a solution for extending these same controls to systems that live outside the reach of AD—such as kiosks, stand-alone servers and roving client machines.
GPAnywhere 2.0 is priced starting at $6 per managed machine and $1,250 for the GPAnywhere management console. Considering the time savings and additional management granularity that GPAnywhere can bring to Windows systems, we consider the product attractively priced.
Upgrading will not be easy, however. We noted from the product documentation that GPAnywhere 2.0 is not backward-compatible with earlier versions of the product—previous versions must be uninstalled from client machines before loading 2.0, and earlier-version templates must be rebuilt as well.
On the client side, GPAnywhere supports Windows 2000 Service Pack 3 and higher, Windows Server 2003 and higher, Windows XP SP1 and higher, and Windows XP Embedded for Point of Service.
We tested GPAnywhere with Windows XP SP2 on the client side and Windows Server 2003 on the console side. We could have used the console on a Windows XP box as well, as long as it was a member of an AD domain.
To address the slew of new Group Policy objects that came with Windows XP SP2, we had to first join an XP SP2 box to our test domain to add these objects to AD.
In addition, because SP2—rather helpfully—expanded the descriptive text that accompanies Windows Group Policy objects, we had to apply to our Windows Server 2003-based system the patch referenced at support.microsoft.com/kb/842933/#XSLTH3152120124120121120120 to accommodate the longer descriptive strings.
Next Page: Familiar surroundings.
3
Familiar surroundings
One of GPAnywheres prime strengths is the way it integrates with Microsofts existing Group Policy framework. The test policy we built for our GPAnywhere-enabled Windows XP SP2 client—and the process we used to build it—was no different than it would have been for a typical client living within AD.
Unlike Microsofts vanilla policy implementation, however, in which the local policy that governs a machine thats disconnected from AD applies to all users on that machine, GPAnywhere enables a more granular approach.
We could configure the policies we created to apply to particular local groups. For example, we were able to mandate a locked-down configuration for limited users but allow for more slack in the leashes of users in the administrator group. This flexibility is particularly important for the sorts of systems that are likely to live outside AD.
However, we found that GPAnywhere conforms a bit more closely to the standard Group Policy than wed like. We say this because there wasnt a way for us to configure GPAnyware-specific settings—those beyond the standard Group Policy options, such as which template to use by default—from the GPAnywhere console. Rather, we had to configure these settings separately, using the GPAnywhere client application. However, the settings we configured using the client were saved in an XML file, which we could then pack up with the GPAnywhere installer package for deployment to multiple machines.
In addition to the policy templates we could create ourselves, GPAnywhere ships with default medium- and high-security templates, which represent best-practice lockdown settings for managed systems. We could review these templates from our test system running the GPAnywhere client, but the templates did not show up in our management console alongside the default Windows Group Policy objects or the new policy objects wed created.
FullArmor officials told us that they plan to address this issue in a future release and that, for now, customers can request backup files of the default templates that they can integrate into AD and edit using the Group Policy Management Console.
GPAnywhere 2.0 is built to work along with a separate, although as-yet-unreleased, FullArmor product—the GPAnywhere Policy Portal, which will allow for centralized administration of these settings.
Next page: Evaluation Shortlist: Related Products.
Page 4
Evaluation Shortlist
DesktopStandard Corp.s ProfileMaker Professional Edition Offers companies a means to apply configuration profiles to machines outside of AD (www.desktopstandard.com)
Senior Analyst Jason Brooks can be reached at jason_brooks@ziffdavis.com.
Check out eWEEK.coms for Microsoft and Windows news, views and analysis.