Saturday, August 13, 2005

Active Directory Group Policy

I’ve already opined that we technologists have had the wrong focus on AD for the past several years. Based on my extensive background in providing outsourcing services, my methodology for designing and implementing Active Directory has always been based on how AD will be managed. Anyone who has managed an enterprise with hundreds of servers probably has a similar focus. But when you’ve managed multiple customers with hundreds of servers each, constantly honing administrative efficiencies becomes a calling. So after the initial challenge of learning Active Directory design basics, I quickly moved on to focus on using AD as a tool to streamline administrative work. And that is where I believe we should all be focusing now.

The most obvious means of gaining administrative efficiency is by managing users and objects through the use of Group Policy Objects. Yet I find that within most organizations, defining and managing Group Policy is considered a tremendous chore. Many administrators strive to minimize the number of GPOs in the environment, instead relying heavily on manual or scripted methods of managing users. When Group Policy can provide such tremendous administrative efficiencies, why aren’t more of us using it extensively?

I believe administrators shy away from Group Policy because they view it in an incomplete context. Group Policy should be seen as only one expression in a larger mathematical statement that ultimately equates to Policy Based Administration. Group Policy is the technology component of the equation, and will never equate to Policy Based Administration (PBA) by itself. We also require a clearly articulated model and corresponding policy definitions to make the equation add up. To prevent Group Policy Objects from becoming an additional administrative burden, we must first define the model we’ll use to achieve PBA and then define the policies that enable us to achieve the model. Group Policy is simply the technology, or tool, that enables us to deliver the model.