Technology Centers

Third-party Tools and Extensions for Group Policy

Published: July 15, 2005 | Updated: February 13, 2008

Group Policy allows administrators to efficiently implement security settings, enforce IT policies, and distribute software consistently across a given site, domain, or range of organizational units. The third-party tools and extensions listed in the table below extend Group Policy functionality and manageability even further. (Note that following the links will take you to Web sites outside of Microsoft.com.)

Note Microsoft neither endorses nor provides support for these third-party products. Please contact the specific software provider for support issues.

ProductDescriptionCompany

DirectControl Suite

The Centrify DirectControl suite seamlessly integrates your UNIX, Linux, and Macintosh systems with Microsoft Active Directory's Group Policy services. Through Group Policy, you can enforce consistent security and configuration policies across these heterogeneous systems using the same familiar tools and processes you use to manage your Windows systems. DirectControl provides a wide range of group policies designed specifically for individual platforms that enable you to apply consistent updates to the sudoers file and maintain consistent automount settings for groups of users or systems. With DirectControl's innovative Zone technology you can create management groups for granular control over related sets of systems. These Group Policy features are integrated into the core DirectControl product, which also extends Active Directory's authentication and access control services to these non-Microsoft platforms.

Centrify

PolicyMaker Share Manager

DesktopStandard's PolicyMaker Share Manager is a Group Policy extension that provides the ability to centrally manage network shares both on servers and workstations. It enables you to leverage Windows Server 2003's built-in Access-Based Enumeration (ABE) for shared folders, empowering you to restrict the visibility of shared resources to those who end-users who have read permission. You can also remove and prohibit all unauthorized shares on the network as a matter of policy.

DesktopStandard
A Microsoft Subsidary

GPOVault Enterprise

In 2007, GPOVault Enterprise from DesktopStandard will be transformed into Microsoft Advanced Group Policy Management (AGPM), part of the Microsoft Desktop Optimization Pack for Software Assurance. AGPM integrates enhanced Group Policy management features into the Microsoft Group Policy Management Console (GPMC), adding comprehensive change control, offline editing, role-based delegation, difference reporting, and GPO templates.

DesktopStandard
A Microsoft Subsidary

BeyondTrust Privilege Manager

BeyondTrust Privilege Manager, from BeyondTrust Corporation, is a Group Policy extension that provides a least-privilege security model for Windows. Organizations can now give restricted users elevated permissions for selected tasks and applications. At the same time they can reduce permissions of applications such as Internet Explorer and Microsoft Outlook when launched by administrators.

BeyondTrust

PolicyMaker Registry Extension
(Free Product)

DesktopStandard's PolicyMaker Registry Extension adds full registry management capabilities. The administrator can simply launch the Registry Wizard and select one or more existing settings of any type from the local computer or another computer on the network. Tattooing is eliminated by using the standard PolicyMaker option to automatically remove a setting if it is no longer being applied, and each setting may be independently targeted using the graphical filtering system.

DesktopStandard
A Microsoft Subsidiary

PolicyMaker Standard Edition

DesktopStandard's PolicyMaker Standard Edition is a suite of 21 Group Policy extensions for desktop standardization—security and compliance management—complimenting the native extensions provided with Microsoft Windows. Using PolicyMaker, organizations can eliminate scripts, reduce system imaging, standardize management, and better secure their networks.

DesktopStandard
A Microsoft Subsidiary

GPAnywhere

GPAnywhere, from Full Armor, makes Group Policy "portable" to reach beyond Microsoft Active Directory directory services to remote VPN, mobile, kiosk, point-of-sale, and other disconnected computers.

Full Armor

IntelliPolicy for Clients

Full Armor's IntelliPolicy for Clients provides an array of settings to enhance the management of the Windows desktop. It eliminates the use of scripts and manual configuration, and gives administrators the ability to centrally manage desktops. Using IntelliPolicy for Clients, administrators can:

Enhance internal security controls

Simplify desktop configuration

Centralize application configuration

Increase return on investment (ROI) by leveraging Active Directory and Group Policy

Consolidate Group Policy Objects (GPOs)

Provision new desktops and laptops

Full Armor

Group Policy Administrator

NetIQ's Group Policy Administrator assists in planning, managing, troubleshooting, and reporting on Group Policies. Group Policy Administrator offers:

Live and offline resultant set of policies (RSoP)

Replication and synchronization across domains and forests

Microsoft GPMC-compliant GPO back up, restore, and import

Check-out, check-in, and approval

Point-in-time analysis reports

Rollback

Offline mirror

GPO difference and comparison reports

Health and status checking of GPOs

Built-in GPO knowledge

Administration delegation

Search for GPO settings

Scripting

NetIQ

Group Policy Guardian

NetIQ's Group Policy Guardian helps reduce risks associated with Group Policy Object (GPO) change management and provides the visibility you need to help protect your Windows infrastructure from security exposures and service disruptions. Features include:

Real-time alerts for Group Policy changes, security filters, and links

Reports that show what was changed, by whom, and when

Alert notifications delivered through e-mail or pager

Rules-based monitoring with more than 100 pre-defined alert rules for each GPO

Integration with event and alert monitoring systems

Comprehensive reporting, including detailed reports linked to each alert

Queries from the auditing database that present all activities that meet user-defined criteria

Audit reports that show pre- and post-change values

Audit database that retains a complete and detailed historical record of Group Policy changes

NetIQ

GPOAdmin

GPOADmin provides extended GPO management capabilities from within GPMC. The product requires no script-writing or manual processes, saving time and reducing the risk of outages. The design provides easy access to the details and information required for the largest Active Directory deployments. GPOADmin extends the capabilities of GPMC and GPO Editor by simplifying the use and administration of such critical tasks as GPO version control, auditing and comparison. GPOADmin enables verification of changes made to a GPO over time or the consistency of GPO settings between different GPOs (such as test and production GPOs).

Automatic Version Control: Reduces the risk of GPO changes by ensuring versions are automatically created.

GPO Lock: Allows administrators to lock production GPOs to prevent unwanted changes.

GPO Cloak: Hides a GPO so that only specified users can see and edit before it is put into production.

Comparison: Examines changes between different versions of GPO settings.

GPO Auditing: Captures who is making changes to what settings. The monitoring agent will also capture and audit changes being made outside the GPOADmin integrated console to provide complete coverage.

GPO Reporting: Extends GPMC’s capabilities and provides advanced reporting features required in larger AD deployments including search for what GPO(s) has a particular setting, unlinked GPOs within the environment, cross-domain linked within the forest, ineffective GPOs Linked but Disabled or not linked

NetPro

PolicyPak Suite

PolicyPak is a collection of tools which enables you to control your existing desktop and server application settings directly with Group Policy. Deploy and manage all settings for supported applications as if they were natively Group-Policy enabled. Each PolicyPak looks and acts just like the application you want to manage. Adobe Reader, Adobe Acrobat 7.0, and Microsoft Exchange Server 2003 are examples of supported applications.

PolicyPak Software

Quest Group Policy Manager

Quest's Group Policy Manager uses GPMC as its foundation technology, to give you GPO editing, import and export, reporting, and resultant set of policy (RSoP) functionality. Group Policy Manager also provides version control, enhanced RSoP reporting, rapid rollback, and reporting.

Quest Software

GPExpert Backup Manager for Group Policy

GPExpert Backup Manager for Group Policy provides a complete solution for managing Group Policy backups, rollback, and recovery. It provides at-a-glance management of Group Policy backups from a central console; lets you back up and roll back changes to GPOs and GPO Links; lets you schedule automated backups, log backup, and recovery events to the event log; and provides a quick check feature to ensure that live GPOs always have a current backup. It also provides a “Backup-on-Edit” feature that triggers an automatic backup of a GPO when you go to edit it. A free, fully functional trial version is available for evaluation.

SDM Software

GPExpert Troubleshooting Pak

The GPExpert Troubleshooting Pak provides a set of tools for ensuring that Group Policy is functioning efficiently in your environment. In addition, if there are problems, the Troubleshooting Pak lets you explore problem areas and provides expert help for a speedier resolution. The Troubleshooting Pak includes:

Health Reporter, which provides quick "red" or "green" status of Group Policy processing.

Log Analyzer, which lets you explore problem systems, perform diagnostic tests, and analyze all supported Group Policy logs.

Group Policy Spy, which helps you track down any policy settings that are conflicting with your applications and systems.

Status Monitor, which is a desktop agent that constantly monitors Group Policy processing. It records event log messages that show whether processing succeeded or failed and how long it took to process.

SDM Software

GPExpert Scripting Toolkit for PowerShell

The GPExpert Scripting Toolkit for PowerShell allows you to automate the management of Group Policy settings. The Scripting Toolkit exposes the actual settings within Active Directory-based Group Policy objects (GPOs) and local GPOs via PowerShell, .NET, or VBScript, so you can fully automate the reading, writing, and deletion of the settings within a GPO.

SDM Software

Specops Command

Specops Command combines Group Policy and PowerShell, thus enabling system administrators to distribute and execute PowerShell and PowerShell scripts and cmdlets on remote machines using Group Policy.

Specops Command includes:

Simplified script management.

Scripts executed at every Group Policy interval.

Support for PowerShell and VBScript.

Automatic Windows PowerShell deployment.

Automatic management and deployment of PowerShell cmdlets.

Special Operation Software

Specops Deploy

Specops Deploy, from Special Operations Software, is a Group Policy client-side extension (CSE) that replaces the built-in Group Policy software installation (GPSI) functionality in Microsoft Windows. With Group Policy, Specops Deploy adds the following functionality:

Installation over slow network links including VPN links (using BITS technology)

Support for Windows installer packages or legacy setups such as setup.exe

Live feedback when a software update, patch, or security fix was installed correctly, and alerts about those that didn't install correctly

Reporting that makes it possible to follow the entire software deployment process

Support for installations in the background during runtime or as usual during boot/login

Advanced software targeting mechanism using optimal client-side evaluation

Extended end user interaction features

Scheduling of installations

Ability to prioritize installations when software must be deployed quickly

No reboots needed on target machine when deploying software

Microsoft Operations Manager (MOM) integration

Intuitive Setup Assistant that enables set up of Specops Deploy in under 30 minutes

Special Operations Software

Specops Gpupdate (Free Product)

Specops Gpupdate provides commonly needed operations such as refresh of Group Policy Objects (gpupdate), restarts, wake-on-lan and shutdowns of computers directly from within the native Active Directory Users and Computers user interface.

Perform the following operations remotely with Specops Gpupdate:

Refresh Group Policy

Start computers using Wake-On-Lan

Restart computers

Shut down computers

Real time graphical reporting

Special Operations Software

Specops Inventory

Inventory Asset management and Software License Compliance Management:

Inventory 13 computer categories and 6 user categories

Categories are inventoried AS the computer (system) or AS the user (Logged on user).

Dynamic HTML based reporting featuring drag and drop, grouping, sorting, filtering, graphs

License compliance console for administering Software License Compliance

As scalable as Active Directory and Group Policy, thus suitable for all sizes of organizations

Subscription functionality will notify you when your licenses or maintenance contracts are about to expire

Intuitive Setup Assistant that enables set up of Specops Inventory in under 30 minutes

Use GPMC as your administration console

Special Operations Software

Specops Password Policy 2.0

Specops Password Policy – Multiple password policies in a single Active Directory domain.

Specops Password Policy greatly enhances security in Active Directory domains by adding the possibility to have an unlimited number of different password policies in a single domain, removing the current obstacle of having to rely on a single password policy. This creates an environment that does not rely on a single rule that has to be weak enough to work for all users.

Relying on the Group Policy model it is possible to have a separate password policy for any OU, security group or even single user. Specops Password Policy also adds a large number of advanced new security settings for creating password policies, to strengthen the passwords in the domain even further.

The Specops Password Policy Sentinel is implemented as a password filter and need only to be installed on the domain controllers to work. In addition there is an optional client included that can be installed on member servers and desktops that informs the users about the password policy they are currently affected by when selecting new passwords.

Additional features:

Full support for Windows PowerShell which increases automation possibilities in Specops Password Policy 2.0.

Specops Password Policy 2.0 introduces a Group Policy delegated security model.

Special Operations Software

ADM Template Editor

SysPro's ADM Template Editor uses wizards to simplify the ADM template editing process. Features include:

Graphical interface to create, edit, and report ADM templates

Support for all components including Text, Textbox, Checkbox, Numeric, ListBox, Combo, and DropList

Tabular reports of registry keys used in the ADM template

Full support for Explain and Supported fields

Creates syntactically correct ADM files

Helps eliminate the common coding errors in ADM templates not detected by GPMC or GPEDIT

Detects when two policies control the same registry key

Detailed search facilities

SysPro

PolMan

PolMan, from SysPro, reports on, tracks changes to, and checks integrity of policies, and monitors implementation on workstations. Specific functionality includes:

Overview of all settings across all policies

Graphical display of all OU-to-GPO links and all Site-to-GPO links, together with the link properties

GUI-based editor for ADM templates

Synchronization check of both Sysvol and Microsoft Active Directory components of all GPOs on all domain controllers

Audit of all policies on all workstations to check which policy is being applied, and where policy processing is failing

User-friendly display of the UserEnv.Log

Resultant set of policies (RSoP) including comparisons

Ability to compare current policies with previous snapshots, and the ability to check two current GPOs for differences

Checks for orphan entries in ADM templates, such as settings no longer reflected in the ADM template

Easy launch of GPEDIT to edit a GPO

Extensive reporting of all components together with direct export to Microsoft Excel

Reports of Apply/Deny Security settings across all GPOs

Extensive help and wizards to assist new users of Group Policies

Search facilities to find specific registry keys or values

SysPro


Top of pageTop of page