Capability: Identity and Access Management

Identity and Access Management is a Core Infrastructure Optimization capability and the foundation for implementing many capabilities in the Infrastructure Optimization Model.

The following table lists the high-level challenges, applicable solutions, and benefits of moving to the Rationalized level in Identity and Access Management.




Challenges

  Business Challenges
  • Difficult to enforce IT policies required by the organization or regulations
  • No way to establish a known, stable, and secure state for client PCs

  IT Challenges
  • No centralized policy control for identity and access management; implementing a broad policy change requires modifying each identity
  • Identities are centrally administered, but user settings, resource settings, and configurations are difficult to manage

Solutions

  • Identify and define the configuration standards that require enforcement
  • Implement a centralized, directory-based policy solution for administration of desktops, servers, configuration, and security

Benefits

  Business Benefits
  • Enforced, known state of the environment
  • Consistent user experience across PCs based on business role
  • Easier to modify systems and add functionality
  • Reduced operations and desktop support costs
  • Reduced user downtime and disruption

  IT Benefits
  • Reduced workload through the introduction of role-based administration and Group Policy
  • Improved security through policy-based patch management and security lockdown
  • Profile management allows recovery of user systems and data

Ongoing Identity and Access Management focuses on the following capabilities as outlined in the Microsoft Identity and Access Management Series:

Note that the capabilities outlined above are all key parts of the Identity and Access Management service in any organization. For more information, please see the Microsoft Identity and Access Management Series.

The Rationalized level of Identity and Access Management in the Infrastructure Optimization Model addresses the need for centralized control of configurations and security.

Requirement: Centralized Directory-based Configuration and Security


You should read this section if you do not have a directory-based tool to centrally administer configurations and security on 80 percent or more of your desktops.


Administrators face increasingly complex challenges in managing their IT infrastructures. You must deliver and maintain customized desktop configurations for many types of workers, including mobile users, information workers, or others assigned to strictly defined tasks, such as data entry. Changes to standard operating system images might be required on an ongoing basis. Security settings and updates must be delivered efficiently to all the computers and devices in the organization. New users need to be productive quickly without costly training. In the event of a computer failure or disaster, service must be restored with a minimum of data loss and interruption.

Phase 1: Assess

The primary goal of the Assess phase is to examine which tools and procedures you currently have in place to maintain standard security and user configurations. Your current policies may be managed manually or be automated through patch management, required software installation, or inclusion of required configurations in standard disk images. Through these and other activities in the Standardized level, your organization is maintaining a standard foundation; implementation of configuration control will help you move to the Rationalized level of infrastructure optimization.

Phase 2: Identify

During the Identify phase you examine current configuration standards as executed by configuration management policies, patching, and disk imaging procedures, and then you look beyond current practices to identify the total number of security and configuration controls requiring enforcement. These configurations can be:

  • Components required on PCs, such as patches, service packs, or applications.

  • Services or applications required to run on PCs, such as desktop firewall or antivirus applications.

  • Data access and transfer rules, such as not allowing file transfers in instant messaging applications.

Defining the configurations and settings that are candidates for policy control is the first step of configuration management. Configuration management was also covered briefly in the Core Infrastructure Optimization Implementer Resource Guide: Basic to Standardized. Read more about Configuration Management as part of the Microsoft Operations Framework.

Phase 3: Evaluate and Plan

Your goal during the Evaluate and Plan phase is to determine the level of control for identified configuration and security settings. The level of control will vary from having the ability to simply monitor out-of-compliance configuration to actively automating compliance enforcement.

Configuration monitoring tools are available to provide reports for out-of-compliance configuration. In many cases, your organization may want to report on out-of-compliance and then determine the correct course of action to bring the PC back into compliance. For example, if you want to enforce that an application is installed on all PCs, but that application requires drivers that do not exist for certain hardware types in your desktop environment, the best option may be to monitor these out-of-compliance instances and determine the best way to resolve them on an individual basis. The Rationalized level in Core Infrastructure Optimization requires implementation of a directory-based configuration management infrastructure using Group Policy and recommends—but does not require—stand-alone configuration monitoring tools.

Configuration Monitoring Tools

Microsoft offers two types of tools to monitor configuration compliance. The first type, called Best Practice Analyzers or BPA, contains Microsoft pre-defined best practice settings and reports. There are BPA tools available as free downloads for Microsoft server products: Microsoft Exchange Server, Microsoft Internet Security and Acceleration Server, and Microsoft SQL Server. The second type of configuration monitoring tool enables your organization to define desired configuration settings or rules specific to your organization and monitor compliance. This tool, Systems Management Server 2003 Desired Configuration Monitoring, is also a free download and enables you to define customized configuration standards for desktops and servers. You use Systems Management Server 2003 Desired Configuration Monitoring to perform compliance audits, and included reports notify you of specific out-of-compliance cases. In addition to these tools, there are a number of software applications available from Microsoft partners to define and manage standard configuration.
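The following script is an added example, not part of this guide or of any Microsoft tool, that performs the kind of report-only desired-configuration audit described in this section. It compares a baseline of registry-based settings and required services against the local computer and writes the out-of-compliance items to a CSV file; it deliberately changes nothing, so each finding can be reviewed before deciding whether to enforce it through Group Policy or resolve it individually. The baseline entries (firewall, SMB signing, Automatic Updates, firewall service) are assumed for illustration and should be replaced with the controls identified in your own Identify phase.

```powershell
# Added example (not from the original guide): report-only configuration audit.
# The baseline below is an assumed, illustrative one.
$Baseline = @(
    # Domain-profile Windows Firewall must be on (registry-based policy path).
    @{ Control = 'Firewall enabled (domain profile)'
       Type    = 'Registry'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile'
       Name    = 'EnableFirewall'
       Expect  = 1 }
    # SMB server must require signing.
    @{ Control = 'SMB signing required (server)'
       Type    = 'Registry'
       Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name    = 'RequireSecuritySignature'
       Expect  = 1 }
    # Automatic Updates must not be disabled by policy.
    @{ Control = 'Automatic Updates not disabled'
       Type    = 'Registry'
       Path    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
       Name    = 'NoAutoUpdate'
       Expect  = 0 }
    # A required service (here the Windows Firewall service) must be running.
    @{ Control = 'Windows Firewall service running'
       Type    = 'Service'
       Name    = 'MpsSvc'
       Expect  = 'Running' }
)

function Get-ActualValue {
    param([hashtable]$Check)
    switch ($Check.Type) {
        'Registry' {
            # An absent key or value is itself a finding ("not configured"),
            # not a script error, so errors are suppressed and $null is returned.
            $item = Get-ItemProperty -Path $Check.Path -Name $Check.Name -ErrorAction SilentlyContinue
            if ($null -eq $item) { return $null }
            return $item.($Check.Name)
        }
        'Service' {
            $svc = Get-Service -Name $Check.Name -ErrorAction SilentlyContinue
            if ($null -eq $svc) { return $null }
            return $svc.Status.ToString()
        }
    }
}

function Test-Baseline {
    param([array]$Checks)
    foreach ($c in $Checks) {
        $actual = Get-ActualValue -Check $c
        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Control   = $c.Control
            Expected  = $c.Expect
            Actual    = if ($null -eq $actual) { '<not configured>' } else { $actual }
            Compliant = ($null -ne $actual) -and ("$actual" -eq "$($c.Expect)")
        }
    }
}

$results = Test-Baseline -Checks $Baseline
$results | Format-Table -AutoSize

# Report only; remediation is decided separately in the Evaluate and Plan phase.
$results | Where-Object { -not $_.Compliant } |
    Export-Csv -Path "$env:TEMP\config-audit-$($env:COMPUTERNAME).csv" -NoTypeInformation
```

Run it in an elevated PowerShell session on a sample of desktops, or through your existing software distribution mechanism, and collect the CSV files centrally. A control that is "not configured" is reported separately from one that is configured to the wrong value, because the two usually call for different remediation.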

Group Policy in Windows Server

The next stage of control is automated configuration enforcement. A large portion of the required configuration and security settings can be defined as standard policies, and Group Policy automates the step of bringing many out-of-compliance instances back into compliance.

Group Policy is an infrastructure used to deliver and apply one or more desired configurations or policy settings to a set of targeted users and computers within an Active Directory environment. This infrastructure consists of a Group Policy engine and multiple client-side extensions responsible for writing specific policy settings on target client computers.

Group Policy and Active Directory

Administrators use Group Policy to define specific configurations for groups of users and computers by creating Group Policy settings. These settings are specified through the Group Policy Object Editor tool and contained in a Group Policy object (GPO), which is in turn linked to Active Directory containers. Group Policy settings are applied to the users and computers in those Active Directory containers. Administrators can configure the user’s work environment once and rely on the system to enforce the policies as defined.

Active Directory organizes objects by sites, domains, and organizational units (OUs). Domains and OUs are organized hierarchically, making the containers and the objects within them easy to manage. The settings defined in a GPO can only be applied when the GPO is linked to one or more of these containers.

By linking GPOs to sites, domains, and OUs, you can implement Group Policy settings for as broad or as narrow a portion of the organization as you want. GPO links affect users and computers in the following ways:

  • A GPO linked to a site applies to all users and computers in the site.

  • A GPO linked to a domain applies directly to all users and computers in the domain and by inheritance to all users and computers in child OUs. Note that policy is not inherited across domains.

  • A GPO linked to an OU applies directly to all users and computers in the OU and by inheritance to all users and computers in child OUs.

The figure below shows how GPOs are applied to sites, domains, and the OUs beneath them.

Figure 3. Applying GPOs

Group Policy Capabilities

Through Group Policy, administrators define the policies that determine how applications and operating systems are configured and keep users and systems secure. The following sections describe the key features of Group Policy.

Registry-based Policy

The most common and the easiest way to provide policy for an application or operating system component is to implement registry-based policy. With Group Policy you can define registry-based policy settings for applications, the operating system, and its components.
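The following script is an added example, not part of this guide, that carries out the linking and inheritance model described above together with the registry-based policy described in this section, using the GroupPolicy PowerShell module (the same work the Group Policy Management Console and Object Editor do interactively; the module ships with Windows Server 2008 R2 and later and with RSAT). The domain name, OU names, GPO name and the two registry settings are assumed for illustration.

```powershell
# Added example (not from the original guide): create a registry-based GPO,
# link it to an OU, and inspect link order and inheritance.
# Domain, OU and GPO names below are assumed.
Import-Module GroupPolicy

$Domain   = 'corp.example.com'                             # assumed
$TargetOU = 'OU=Workstations,DC=corp,DC=example,DC=com'    # assumed
$GpoName  = 'Desktop Security Baseline'                    # assumed

# 1. Create the GPO, or reuse it if it already exists.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName -Domain $Domain }

# 2. Registry-based policy settings. They are written under the Policies
#    hive paths by the client-side extension at every policy refresh, so a
#    value changed locally is put back into compliance at the next refresh.
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile' `
    -ValueName 'EnableFirewall' -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Domain $Domain `
    -Key 'HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
    -ValueName 'NoAutoUpdate' -Type DWord -Value 0 | Out-Null

# 3. Link the GPO to the OU. Users and computers in the OU and its child OUs
#    inherit it; nothing outside the OU (or in another domain) is affected.
$alreadyLinked = (Get-GPInheritance -Target $TargetOU -Domain $Domain).GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $alreadyLinked) {
    New-GPLink -Name $GpoName -Domain $Domain -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 4. Show what a container actually receives: its own links, then the
#    inherited list (own links plus parent OUs and the domain) in order of
#    precedence, and whether inheritance has been blocked on the container.
function Show-EffectiveLinks {
    param([string]$Ou)
    $inh = Get-GPInheritance -Target $Ou -Domain $Domain
    [pscustomobject]@{
        Container          = $inh.Path
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        DirectLinks        = ($inh.GpoLinks | ForEach-Object { $_.DisplayName }) -join '; '
        InheritedOrder     = ($inh.InheritedGpoLinks | ForEach-Object { $_.DisplayName }) -join ' > '
    }
}
Show-EffectiveLinks -Ou $TargetOU
Show-EffectiveLinks -Ou "OU=Finance,$TargetOU"   # assumed child OU

# 5. Keep a settings report with the change record before rollout.
Get-GPOReport -Name $GpoName -Domain $Domain -ReportType Html -Path "$env:TEMP\$GpoName.html"
```

Two caveats a practitioner should keep in mind: the inheritance view shows GPOs linked to the domain and OUs, not to sites, and it does not account for security filtering on the GPO. To see the resultant set a particular computer really applies, run gpresult /r on that computer (or use Get-GPResultantSetOfPolicy) after the next policy refresh.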

Security Settings

Group Policy provides options for administrators to set security options for computers and users within the scope of a GPO. Local computer, domain, and network security settings can be specified. For more information on Group Policy security and settings, see the Windows Server 2003 Security Guide, Windows XP Security Guide, Windows Vista Security Guide, and Threats and Countermeasures Guide.

Software Restrictions

To defend against viruses, unwanted applications, and attacks on computers running Windows XP, Windows Vista, and Windows Server 2003, Group Policy includes software restriction policies.

Software Distribution and Installation

Group Policy can manage application installation, updates, and removal centrally.

Computer and User Scripts

Administrators can use scripts to automate tasks at computer startup and shutdown and user logon and logoff.

Roaming User Profiles and Redirected Folders

Roaming user profiles store user profiles centrally on a server and load them when a user logs on, so users experience a consistent environment no matter which computer they use. Folder redirection complements this by redirecting selected profile folders, such as a user's documents, to a network location, where they are centrally backed up and available from any computer.

Offline Folders

When a network is unavailable, the Offline Folders feature provides access to network files and folders from a local disk.

Internet Explorer Maintenance

Administrators can manage and customize the configuration of Microsoft Internet Explorer® on computers that support Group Policy.

Phase 4: Deployment

The Deployment phase focuses primarily on defining Group Policy objects with the Group Policy Object Editor. The GPOs should reflect the configurations identified during the Assess and Identify phases. An Operations stage has been added to this capability; it covers the Group Policy Management Console and ongoing operation of Group Policy.

Before implementing Group Policy in your organization, we recommend that you become familiar with the key concepts for Group Policy, how to use the Group Policy Object Editor, and how to configure Group Policy settings. See the Group Policy Overview for detailed information on the following Group Policy activities:


Operations of Group Policy are characterized by all tasks executed through the Group Policy Management Console (GPMC) user interface. The following list contains links to information on using the Group Policy Management Console:

Further Information

For more information on Group Policy, visit Microsoft TechNet and search for “Group Policy.”

To see how Microsoft manages Group Policy, go to

Checkpoint: Centralized Directory-based Configuration and Security



  • Identified which configurations should be monitored or enforced.

  • Selected tools for monitoring and enforcing configuration compliance.

  • Defined Group Policy objects for settings managed through Group Policy.

  • Implemented the Group Policy Management Console to manage Group Policy objects.

  • Applied Group Policy to at least 80 percent of your desktops.

If you have completed the steps listed above, your organization has met the minimum requirement of the Rationalized level for Centralized Directory-based Configuration and Security capabilities of the Infrastructure Optimization Model. We recommend that you follow the guidance of additional best practice resources for configuration and security management.
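The following script is an added example, not part of this guide, that measures the last checkpoint item from the directory itself: for every enabled desktop computer account, it looks up the inheritance view of the computer's container and checks whether the baseline GPO reaches it, then reports the percentage and lists the containers holding unmanaged desktops. It requires the ActiveDirectory and GroupPolicy modules; the domain and GPO names are assumed for illustration, and the classification of a "desktop" as any non-server operating system is an assumption you may need to adjust.

```powershell
# Added example (not from the original guide): measure the share of desktops
# within scope of a baseline GPO. Domain and GPO names are assumed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$Domain   = 'corp.example.com'             # assumed
$GpoName  = 'Desktop Security Baseline'    # assumed
$DomainDN = (Get-ADDomain -Identity $Domain).DistinguishedName

function Get-ParentContainer {
    param([string]$DistinguishedName)
    # Strip the leading "CN=<name>," component; the rest is the container.
    # Assumes computer names contain no escaped commas.
    return ($DistinguishedName -replace '^CN=[^,]+,', '')
}

$inheritanceCache = @{}
function Test-GpoReaches {
    param([string]$Container)
    if (-not $inheritanceCache.ContainsKey($Container)) {
        try {
            $inh = Get-GPInheritance -Target $Container -Domain $Domain -ErrorAction Stop
        } catch {
            # Not an OU (for example the default Computers container): such
            # computers receive only what is linked at the domain level.
            $inh = Get-GPInheritance -Target $DomainDN -Domain $Domain
        }
        # InheritedGpoLinks lists the container's own links plus those inherited
        # from parent OUs and the domain; a disabled link does not count.
        $inheritanceCache[$Container] = [bool]($inh.InheritedGpoLinks |
            Where-Object { $_.DisplayName -eq $GpoName -and $_.Enabled })
    }
    return $inheritanceCache[$Container]
}

# Desktops: enabled computer accounts whose OS string is not a server edition.
$desktops = Get-ADComputer -Filter { Enabled -eq $true } -Properties OperatingSystem |
    Where-Object { $_.OperatingSystem -and $_.OperatingSystem -notlike '*Server*' }

$report = foreach ($pc in $desktops) {
    $container = Get-ParentContainer -DistinguishedName $pc.DistinguishedName
    [pscustomobject]@{
        Computer  = $pc.Name
        Container = $container
        Covered   = Test-GpoReaches -Container $container
    }
}

$total   = @($report).Count
$covered = @($report | Where-Object { $_.Covered }).Count
$percent = if ($total) { [math]::Round(100 * $covered / $total, 1) } else { 0 }

"{0} of {1} desktops ({2}%) are within scope of '{3}'" -f $covered, $total, $percent, $GpoName
if ($percent -lt 80) {
    'Checkpoint not met. Unmanaged desktops by container:'
    $report | Where-Object { -not $_.Covered } | Group-Object Container |
        Sort-Object Count -Descending | Select-Object Count, Name
}
```

Being within scope of a GPO link is a necessary condition, not proof that the settings were applied: security filtering, WMI filters, stale computer accounts and machines that have not refreshed policy all lower the real figure. Confirm the number on a sample of computers with gpresult /r before treating the checkpoint as met.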

Go to the next Self-Assessment question.