Editor's Choice: Active Directory Management and Migration
Winner: Full Armor Software FAZAM 2000 3
Honorable Mention: Aelita Controlled Migration
3 $9 per user, plus 18 percent annual support and maintenance
Full Armor Software; 617-457-8100; www.fullarmor.com
- By Bill Boswell
- December 01, 2002
One of the best parts of having Windows 2000 fully deployed is the ability
to exercise centralized control of desktops, servers and users via group
policies. From security to software deployment, scripts to granular configuration
settings, you can’t beat Group Policy for simple, fast and orderly control
of a large number of network entities.
The only problem with group policies is the sheer number of possible
settings and the ways those settings can be applied. You can link Group
Policy Objects (GPOs) to sites, domains and any number of Organizational
Units (OUs). The settings in each GPO in the hierarchy apply to users
and computers in the linked containers, unless an OU has been set to block
inheritance. Even then, a GPO can be set to override inheritance blocking.
Within a hierarchy of containers, a particular GPO can be targeted at
specific groups of users or computers. Also, a particular GPO can have
policy settings that affect computer configurations and user configurations,
with precedence rules that can be overridden with loopback settings.
All in all, things can get very confusing very quickly. That’s where
Full Armor Software’s FAZAM 2000 comes into play. It’s a suite of tools
that simplifies the deployment and analysis of group policies. Using FAZAM
2000, you can ask questions such as, “What kind of group policies will
user Margaret get if she logs onto desktop A22-2301 in the Phoenix site?
Will that change if Margaret is a member of the Sales group?” This analysis
yields a report called a Resultant Set of Policies (RSoP) that details
the result of Group Policy precedence and loopback calculations for the
given scenario. This can be compared to the actual group policies applied
when Margaret logs on to help diagnose problems.
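
The precedence rules described above (site, domain and OU links, inheritance blocking, the override of blocking, and group targeting) can be modelled in a few lines. This is an added example, not FAZAM's code or anything from Full Armor; it is a simplified model that leaves out local policy, loopback and the computer/user configuration split, and every GPO name, setting, and the domain and OU names are constructed for illustration.

```python
from dataclasses import dataclass, field

EVERYONE = frozenset({"Authenticated Users"})

@dataclass
class GPO:
    name: str
    settings: dict                  # setting name -> value
    apply_to: frozenset = EVERYONE  # security filtering: groups allowed to apply it
    no_override: bool = False       # link is marked No Override

@dataclass
class Container:                    # a site, domain or OU
    name: str
    gpos: list = field(default_factory=list)  # linked GPOs, lowest priority first
    block_inheritance: bool = False

def rsop(chain, groups):
    """chain: site, domain, then OUs from parent to child (processing order).
    Returns {setting: (value, name of the GPO that won)}."""
    groups = set(groups) | EVERYONE
    # GPOs linked above the deepest blocking container are dropped...
    start = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    applies = lambda g: bool(g.apply_to & groups)
    normal = [g for i, c in enumerate(chain) if i >= start
              for g in c.gpos if applies(g) and not g.no_override]
    # ...unless marked No Override; those go last, highest container winning.
    enforced = [g for c in reversed(chain)
                for g in c.gpos if applies(g) and g.no_override]
    result = {}
    for g in normal + enforced:     # later writes win
        for key, value in g.settings.items():
            result[key] = (value, g.name)
    return result

# Constructed scenario: GPO names, settings and the domain/OU names are made up.
ou = Container("Phoenix-Users", [
    GPO("OU-Desktop", {"wallpaper": "phx", "screensaver_lock": False}),
    GPO("OU-Sales", {"run_menu": "shown"}, apply_to=frozenset({"Sales"}))],
    block_inheritance=True)
CHAIN = [
    Container("Phoenix", [GPO("Site-Proxy", {"proxy": "phx-proxy"})]),
    Container("example.com", [
        GPO("Domain-Lock", {"screensaver_lock": True}, no_override=True),
        GPO("Domain-Desktop", {"wallpaper": "corp", "run_menu": "hidden"})]),
    ou]

if __name__ == "__main__":
    for groups in ([], ["Sales"]):
        print(groups, rsop(CHAIN, groups))
```

Recording the winning GPO beside each value is what makes the output useful for diagnosis: a setting that an OU administrator believes is blocked but that still arrives from a No Override link shows up with its source.
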
If that’s all FAZAM did, it would still be worth the license fee—but
it does a whole lot more. If you have a large number of administrators
who make changes to group policies, it’s important to track the changes.
This not only adds accountability to the process, it gives you important
information for performing diagnostics if something goes wrong. FAZAM
2000 Version 3 has extensive change-tracking functionality. An administrator
must check GPOs in and out for editing. The changes can be evaluated prior
to putting them into production. There’s even the ability to make backups
and restores of individual GPOs to avoid the need for a System State restore.
Wait, there’s more! Proper Group Policy functionality relies on an intricate
ballet between GPO elements in Active Directory and GPO elements stored
in Sysvol. Two separate services are responsible for AD and Sysvol replication,
and it’s possible for the GPO elements to get out of synch. FAZAM 2000
has features for checking Group Policy health throughout an enterprise
and making full reports of what it finds. It’ll even check local event
logs for Group Policy events and display them on a central console.
Controlled Migration Suite
$13 per managed user account
But Group Policy can only be truly effective if you’ve fully migrated
to Win2K and AD. If you’re still in the process of deploying Win2K, you
might want to look at domain migration tools. My favorite set of tools,
based on getting the best bang for the buck, is the Controlled Migration
Suite from Aelita. The suite includes Enterprise Directory Reporter for
gathering information about your domains, domain controllers, member servers
and member desktops; the Domain Migration Wizard for moving users, groups,
computers, and servers to a new domain; and the Exchange Migration Wizard
for migrating mailboxes to Exchange 2000. You’ll save hours and hours
of work with these tools.
Contributing Editor Bill Boswell, MCSE, is the principal of Bill Boswell Consulting, Inc. He's the author of Inside Windows Server 2003 and Learning Exchange Server 2003, both from Addison Wesley. Bill is also Redmond magazine's "Windows Insider" columnist and a speaker at MCP Magazine's TechMentor Conferences.