2

We seem to be having a lot of problems related to "forgetting some mundane detail" while managing our Group Policy settings in Active Directory, so I am curious as to whether there are any well-regarded tools available for applying source control style practices to Active Directory configurations.

It seems like there should be a way to quickly and easily run a diff against a known-good configuration to figure out what setting changed (or did not replicate to a remote server) and is thus causing problems.

HopelessN00b
Tim Lara

3 Answers

4

Take a look at Microsoft Advanced Group Policy Management which offers GPO change management. It's a pretty good tool that they bought from Policymaker a few years ago.

Steve Evans
  • +1 This is becoming the officially supported solution for this situation. It does cost extra though I think. – Ryan Bolger May 04 '09 at 19:22
  • Thanks! This looks like exactly what we need to be using. I only wish the licensing / purchase options weren't so darn confusing. – Tim Lara May 05 '09 at 04:22
  • AGPM is very nice. It takes dedication because you cannot enforce its usage (thus domain admins have to play the game), but it's a very nice addition if you want to have serious change control in place. It's often overlooked and seen as a concept useful only to developers, but it's really worth it for group policies. If I'm not mistaken, it's part of the MDOP suite that is 'free' if you have a software assurance – dSebastien Jun 13 '12 at 14:39
0

NetIQ Change Guardian for Active Directory

I know nothing about it. Years ago we evaluated it (probably its predecessor) but never actually used it.

Igal Serban
0

Out of the box there is no undo (although ntdsutil allows some recovering of deleted objects with an authoritative restore), or version control on AD. There are quite a few third party tools that will allow "undelete".
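
For the "diff against a known-good configuration" the question asks about, the following is an added example (not part of any answer above, and not a replacement for AGPM's approval workflow) that snapshots every GPO as an XML report and reports what differs from a saved baseline. The baseline folder path and the parameter names are assumptions; the cmdlets come from the GroupPolicy module.

```powershell
# Added example. Requires the GroupPolicy module (installed with GPMC / RSAT).
param(
    [string]$BaselineDir = 'C:\GPOBaseline',  # assumed path; ideally a git working copy
    [string]$Server,                          # optional: read from one specific DC
    [switch]$UpdateBaseline                   # overwrite baseline with the current state
)
Import-Module GroupPolicy
New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null

$target = @{}
if ($Server) { $target.Server = $Server }

$seen = @()
foreach ($gpo in Get-GPO -All @target) {
    $seen += $gpo.Id.ToString()
    $file = Join-Path $BaselineDir "$($gpo.Id).xml"
    $xml  = Get-GPOReport -Guid $gpo.Id -ReportType Xml @target
    # ReadTime is when the report was generated, so it differs on every run.
    $current = ($xml -replace '<ReadTime>.*?</ReadTime>', '') -split "`r?`n" |
        Where-Object { $_.Trim() }

    if (-not (Test-Path $file)) {
        [pscustomobject]@{ GPO = $gpo.DisplayName; Status = 'NoBaseline'; Lines = @() }
    } else {
        # '<=' lines exist only in the baseline, '=>' lines only in the live GPO.
        $diff = Compare-Object (Get-Content $file) $current |
            ForEach-Object { "$($_.SideIndicator) $($_.InputObject.Trim())" }
        if ($diff) {
            [pscustomobject]@{ GPO = $gpo.DisplayName; Status = 'Changed'; Lines = $diff }
        }
    }
    if ($UpdateBaseline) { Set-Content -Path $file -Value $current -Encoding UTF8 }
}

# Baseline files with no matching live GPO: deleted, or not visible on this DC.
Get-ChildItem $BaselineDir -Filter *.xml |
    Where-Object { $seen -notcontains $_.BaseName } |
    ForEach-Object { [pscustomobject]@{ GPO = $_.BaseName; Status = 'Missing'; Lines = @() } }
```

Run it once with `-UpdateBaseline` while the configuration is known good, then without it to list drift; passing `-Server` with a remote domain controller's name compares that DC's copy against the same baseline, which surfaces settings that have not replicated.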