
NetIQ best at moving Microsoft group policy along

By Mandy Andress, Network World
November 07, 2005 12:03 AM ET

For better or worse, Microsoft's Active Directory frequently serves as a central repository for security policy information for organizations that widely deploy Windows 2000 and 2003 as a core server operating system. Yet Microsoft's out-of-the-box policy administration tools are limited in scope and do not meet the rigorous security auditing requirements of today's compliance-driven corporate atmosphere.



In this Clear Choice test, we examine sets of tools that greatly expand Active Directory Group Policy administration, providing assistance with access control, reporting, change management and security auditing functionality.

Of the four vendor submissions to this test -- GPOVault from Desktop Standard; Group Policy Guardian (GPG) and Group Policy Administrator (GPA) from NetIQ; Group Policy Manager and Intrust for Active Directory from Quest Software; and Active Administrator from ScriptLogic Corp. -- NetIQ's package is our Clear Choice winner based on its breadth of features, with specific prowess in auditing and change management.

Quest was our runner-up because it was easier to use than the NetIQ products, but lacked some of the major components, such as what-if analysis for offline/test policies and snapshot-in-time reports.

Our testing homed in on how well these products assisted with policy administration and tracking security compliance via change management, reporting, auditing and administration functions. Our assessment of change management focused on how well the products maintained a controlled, trusted state for each policy with mechanisms such as version control, approval workflow, change notification and rollback.

We looked for format flexibility in reporting tools beyond what Microsoft offers with its Microsoft Management Console (MMC) snap-in. For example, we wanted the ability to create comparisons between Group Policy versions, view current policy settings and run Resultant Set of Policies (RSoP) reports, which provide analysis information showing the full implementation of a policy.

A successful audit for this test meant we could see a complete trail of changes. We also wanted the ability to see what policy was in effect at a specific point in time. Administration focused on core functionality to manage Group Policy, including detailed access control, offline or what-if analysis, policy backup/archive and overall ease of use.

Each product contains similar base reporting, change history and change control functionality, but each implements it differently. Some, such as Desktop Standard, add directly onto Microsoft administration tools, while others, such as NetIQ, provide a completely different administration console. NetIQ watches existing audit logs while Quest watches the Active Directory events directly. NetIQ uses its own internal access-control system, while ScriptLogic relies on native Active Directory permissions. Finally, ScriptLogic makes changes directly to Active Directory, while Desktop Standard implements a proxy. No approach is right or wrong, but each has a different effect on an environment.
