We released a new product last month called Group Policy Auditing & Attestation (GPAA), which provides Group Policy change auditing, rollback, and a cool feature called “GPO Attestation”. If you work for a company that is regulated by one of the various government standards, such as SOX, HIPAA or GLB, you are probably familiar with this term. Attestation, in this context,is the process by which resource owners can attest that a resource they’re responsible for is still valid and still configured correctly in the environment. It makes perfect sense for resources like Active Directory security groups, which potentially grant access to critical and sensitive resources. You want those security group owners to periodically attest to the fact that those critical groups still have the appropriate access to the resource and that their membership list is still appropriate (i.e. the right people have the right access). The same hold true for Group Policy Objects (GPOs) that might configure critical security lockdown on servers or desktops, or which grant user rights to critical systems. As a result, we’ve developed an attestation feature in our GPAA product that let’s you assign owners to critical GPOs, as shown in the figure below:
Once an owner is assigned to one or more GPOs in GPAA, the product will periodically send the owners an email to attest to their GPOs. The interval these get sent varies as to your requirements, and could be anywhere from days to years. The email that owners get sent includes a GPO settings report, so that they can be reminded of what settings are contained in the GPO. They click a link in the email that takes them to a GPAA web page that lets them accept or reject the attestation, and if they reject it, they can provide a reason behind the rejection.
So how does this process help with GPO bloat? Well, how many times, as an IT person, have you had someone ask you to deploy a GPO for a specific use case, only to have that GPO hang around, well, forever? I know that when I managed Group Policy as part of my job, it happened all the time. The result, over years of that kind of thing, was lots of GPOs that may or may not have a purpose in the environment. Being able to assign owners to each new GPO you create, and have a built-in reminder to those owners to attest that they still need a given GPO, is a powerful way of combatting the dreaded GPO bloat! So, whether regulatory rules compel you to attest to GPOs, or you just want to keep your GPO environment from growing to enormous and troubling proportions over time, GPO attestation is a great feature.
I encourage everyone to visit our website and check out an evaluation of GPAA today, or email us at firstname.lastname@example.org to set up a web demo of this cool feature.