Microsoft's group policy objects (GPO) let administrators centrally manage, customise and lock down desktop and server settings based on a set of policies maintained in the directory.

GPO's promise is less expensive, faster and easier management; the ability to prevent end users and administrators from twisting operating system knobs they shouldn't; and a chance at the Holy Grail: a standardised desktop and server configuration.

GPOs can contain any number of customer settings. The GPO is crafted in Microsoft's Group Policy Editor, then linked to various levels of the network topology - organisational unit, domain or site. The GPOs are assigned to individual end users and servers or groups of end users and servers. Agents on those machines "pull down" GPOs when they sign onto the network and at various intervals while they are running.

Group policy is one of the rewards given to IT execs for their hard work in cracking the complex deployment of Active Directory - and that includes the bulk of Windows users, according to IDC.

But Microsoft officials say only 50 percent to 60 percent of users take advantage of group policy technology, which means there's a cost-slashing tool available that's not being fully utilised.

Imagine how much time and money IT could save by rolling out a tool that makes it easier to configure the 1,300 settings in Windows XP SP2 and the 1,800 in Windows Server 2003 SP1, not to mention the hundreds more slated to ship with Vista next year.

Microsoft also has added the Group Policy Management Console (GPMC), which now allows users to manage group policy from a single console. In Longhorn, which is slated to ship in 2007, GPMC will be integrated into the server.

Third-party tools are an option
A collection of third-party tools ratchet up the number of extensions and settings, add features, such as preventing the use of USB drives, and fill in the gaps in native Windows administrative tools around tasks such as access control, reporting, change management and security auditing.

"I couldn't do what I am doing without group policy," says Rick Neubauer, CTO of Itility, a Chicago-based service provider that remotely manages desktops for clients. Neubauer's favourites are settings that ensure that off-line folders, folder redirection and roaming profiles are activated on desktops. Those settings help synchronise the data stored on servers and desktops, with the result that PCs infected with a virus can be fixed by reloading a new copy of the operating system.

"Now I don't have to go to 20 machines and make changes. I make it once with group policy and it is applied," says Neubauer, who is now testing software from FullArmor that will allow him to set up a group-policy portal where his customers can manage some of their own settings.

FullArmor is one of a handful of companies that develop extensions to group policy. Others include NetIQ, Desktop Standard, ScriptLogic and Quest Software. Vendors with group policy tools include Centrify, NetPro, Special Operations Software and SysPro.