What do Group Policy Change Management Tools “do”?
Tools like Microsoft AGPM, Quest GPOADmin, Quest Active Administrator, and/or NetIQ GPA are all similar tools with the same function and all fall into the category of “Group Policy Change Control” tools.
These Group Policy Change Control tools attempt to solve a few problems:
- Check In/ Check out of a GPO
- Offline Creation
- Workflow management around a GPO lifecycle
- Quick restore a GPO if it goes wrong or gets deleted
- History / Comparison of a GPO over time
These tools require a database (or something similar) to store GPOs and their backups, and the history of what has transpired.
What does PolicyPak do?
PolicyPak on the other hand has different goals with a tiny overlap. PolicyPak’s goals are:
- More management of each endpoint
- Removing local admin rights
- Better management of USB / removable devices
- Windows 10 / 11 management advances
- Reporting on if a GPO “Made it there” to your endpoints
- Using PolicyPak Cloud or and MDM service if you don’t want to use Group Policy at all
PolicyPak works alongside these Group Policy Change Management tools. When you make PolicyPak directives inside a GPO, PolicyPak writes the same data that Microsoft would. So PolicyPak nicely tucks into any existing Group Policy Change Management tool you already use.
You can see examples of PolicyPak working nicely alongside Group Policy Change Management tools here:
1. https://kb.policypak.com/kb/article/1028-policypak-and-agpm/
2. https://kb.policypak.com/kb/article/1029-policypak-and-quest-s-gpoadmin-tool/
3. https://kb.policypak.com/kb/article/1037-policypak-integrates-with-netiq-gpa/
4. https://kb.policypak.com/kb/article/1030-04-policypak-and-quest-scriptlogic-activeadministrator/
Where do Group Policy Change Management tools and PolicyPak overlap?
However, one area of PolicyPak and Group Policy Change Management tools overlap is in expressing the history of changes in a GPO.
When PolicyPak data is written to a GPO we nicely store:
- WHO changed something in a PolicyPak GPO and
- WHICH computer was used to change something in a PolicyPak GPO
- WHEN something changed in a PolicyPak GPO and
What PolicyPak doesn’t store is:
- WHAT changed in a PolicyPak GPO
- DIFFERENCES of what changed in a PolicyPak GPO over time
You can see two examples of PolicyPak items which some changes where you can see WHO, WHEN and WHAT COMPUTER these changes were made from.
and another example from another PolicyPak component...
You can see how PolicyPak stores WHO, WHICH and WHEN details in this video: https://kb.policypak.com/kb/article/1236-policypak-mmc-showing-history-of-items-you-create/
PolicyPak isn’t trying to compete with a Group Policy Change Management tool, like Microsoft AGPM or Quest GPO Manager because those tools are able to:
- Check In/ Check out a GPO.
- Offline Creation of the policy first.
- Quick restore a GPO if it goes wrong or gets deleted
- Demonstrate History / Comparison of those changes over time
Using Netwrix Auditor to determine Group Policy Changes Over Time
That being said if you wish to use a Netwrix product to show you changes to Group Policy over time you should use Netwrix Auditor which is able to capture changes to any GPO including Microsoft and PolicyPak changes. An example can be seen below from Netwrix Auditor: