Using group policy: GPOs good, scripts much better

Get on your training wheels


Sysadmin blog We're nearing the end of GPOs part two, so I want to take the time to review the state of GPOs on Windows in general, and the lessons I have learned.

I have worked with policy-based systems management for more than a decade. I have worked with implementations from Novell, Likewise and Microsoft. Running a network with Windows clients and a Microsoft Active Directory (AD), the majority of my exposure to policy-based management has been working with Microsoft’s Group Policy Objects (GPOs).

To get right to it: GPOs are training wheels for sysadmins. GPOs can modify a limited subset of configurations on a limited number of operating systems and applications. As such, they are only really useful for maintaining a network “by the book” - Microsoft’s book. There are plenty of situations where it simply isn’t feasible to manage your network by white paper. A constrained budget is one example: white papers tend to assume unlimited resources.

Due to their nature, GPOs are limited. They can form part of an effective systems management strategy and I would argue that they should. If you want to configure time synchronisation or timezone settings then GPOs are exactly the thing for you. They are quick and simple, with enough structure to make long term management and maintenance easy.

There are, however, systems administration tasks for which they aren't enough. Microsoft’s acquisition and integration of Group Policy Preferences (GPP), combined with tools such as WMI filters, go a long way towards making group policy useful in more situations. Unfortunately, it doesn’t go nearly far enough.

The first problem is that Microsoft’s various GPO elements need even more flexibility than GPP already has. The critical bit is extensibility; the ability to build true GPOs - not just scripting through GPP - for non-Microsoft products.

Microsoft also needs to incorporate proper versioning, change control, and the ability to revert an entire system to a “known good” set of configurations through something other than System Restore. Single-button reversion of system-wide configuration, pushed from Active Directory, should not be optional. Are you listening, Microsoft? Puppet does all of this right.
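What administrators do in the meantime is roll their own versioning. The script below is an added illustration, not something from the article or from Microsoft: it snapshots every GPO in the domain with the GroupPolicy module’s Backup-GPO (the binary form Restore-GPO can consume) and writes a per-GPO XML report alongside it, because the XML is what actually diffs cleanly in a version control system. The repository path, folder layout and use of git are my assumptions; the cmdlets themselves are the real RSAT ones.

```powershell
#Requires -Modules GroupPolicy
# Added example: versioned GPO snapshots with a "known good" restore path.
# Assumes the GroupPolicy RSAT module, domain credentials that can read
# every GPO, and a writable local git clone (path is an assumption).

$Repo     = 'C:\GPO-Repo'                          # assumption: local git clone
$Stamp    = Get-Date -Format 'yyyyMMdd-HHmmss'
$Snapshot = Join-Path $Repo "backups\$Stamp"
$Reports  = Join-Path $Repo 'reports'

function Save-GpoSnapshot {
    param(
        [Parameter(Mandatory)] [string]$BackupPath,
        [Parameter(Mandatory)] [string]$ReportPath,
        [string]$Comment = ''
    )
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null
    New-Item -ItemType Directory -Path $ReportPath -Force | Out-Null

    # Binary backup of every GPO; this is what Restore-GPO reads back.
    $backups = Backup-GPO -All -Path $BackupPath -Comment $Comment

    # One readable XML report per GPO, overwritten in place so that
    # `git diff` between commits shows exactly which settings changed.
    foreach ($b in $backups) {
        $safeName = $b.DisplayName -replace '[\\/:*?"<>|]', '_'
        Get-GPOReport -Guid $b.GpoId -ReportType Xml `
            -Path (Join-Path $ReportPath "$safeName.xml")
    }

    # Manifest ties GPO names to backup IDs so a specific snapshot can be
    # restored later even if the GPO has been renamed since.
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -NoTypeInformation -Path (Join-Path $BackupPath 'manifest.csv')

    return $backups
}

function Restore-GpoSnapshot {
    param(
        [Parameter(Mandatory)] [string]$BackupPath,
        [Parameter(Mandatory)] [string[]]$Name
    )
    # Restore-GPO -Name picks the most recent backup of that GPO under
    # $BackupPath; pass the snapshot folder you consider "known good".
    foreach ($n in $Name) {
        Restore-GPO -Name $n -Path $BackupPath
    }
}

$result = Save-GpoSnapshot -BackupPath $Snapshot -ReportPath $Reports `
    -Comment "Scheduled snapshot $Stamp"

# Commit the reports so history and blame live in git, not in memory.
git -C $Repo add -A
git -C $Repo commit -q -m "GPO snapshot $Stamp ($($result.Count) GPOs)"

# Reverting a bad change is then:
#   Restore-GpoSnapshot -BackupPath 'C:\GPO-Repo\backups\<stamp>' -Name 'Workstation Firewall'
```

Two practical caveats. Backup-GPO does not capture the links from GPOs to OUs or their WMI filters, so record those separately (Get-GPInheritance per OU) if you want a true whole-domain revert. And the repository holds every setting you push to every machine, so its ACLs and the account that runs the snapshot deserve the same scrutiny as Domain Admins membership.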

Despite my current disillusion with Microsoft, I still believe that GPOs are a necessary part of any Windows administrator’s toolkit. But grown-ups use scripts. Look at the Unix world to see how things could be done: virtually everything can be configured through a human-readable text file.

Almost everything; there are some examples of applications which can be configured from a text file, but anyone who can read those files isn’t something I’d call human. Sendmail is a perfect example; attempt to read the config file and you’ll pull something. Generally it is insanity to configure sendmail without using M4 to generate the active configuration. Even so, I still won’t administer the thing without Webmin.

A completely opposite example is my good friend iptables. I simply adore iptables. I can write my entire firewall ruleset in a single text file. Better yet, it will work on pretty much any Linux distribution in existence - provided of course that I know where that particular distribution keeps its firewall config; but that's all in my previous article about why group policy is useful in the first place.

Thanks to GPP, I can finally write my Windows firewall rules out as a text file. It’s not nearly as easy as working with iptables, but I would consider it passably usable. I'd even say that the ability to manipulate both the Task Scheduler and Windows Firewall via GPP is a revolutionary advance in Windows systems management.

Doing this is still a royal pain. But using PowerShell scripts, combined with GPP's ability to manage the Task Scheduler, I suddenly have the power of grown-up scripting available to me in Windows.
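Here is the shape that combination takes in practice, as an added example rather than anything from the article: a rule file in the spirit of a saved iptables ruleset, and a PowerShell script that makes the local Windows Firewall converge on it. A GPP Scheduled Task item runs the script as SYSTEM on each client. The rule file format, the group name used to tag managed rules, and the sample rules are all constructed for this illustration; the cmdlets are the NetSecurity module that ships with Windows 8 / Server 2012 and later.

```powershell
#Requires -RunAsAdministrator
# Added example: converge the Windows Firewall on a declarative rule file,
# the way iptables-restore consumes a saved ruleset. Rules this script owns
# are tagged with a -Group of our choosing so stale ones can be pruned
# without touching rules created by Windows or by other software.

$RuleGroup = 'Managed-By-Script'   # assumption: our tag for script-owned rules

# Constructed sample ruleset. In production this is read from a share such
# as \\domain\netlogon\firewall.csv (that path is an assumption too).
$RuleSource = @'
Name,Direction,Action,Protocol,LocalPort,RemoteAddress,Profile
Allow-RDP-From-Admin-Subnet,Inbound,Allow,TCP,3389,10.0.50.0/24,Domain
Allow-WinRM-From-Admin-Subnet,Inbound,Allow,TCP,5985,10.0.50.0/24,Domain
Block-SMB-Inbound-Public,Inbound,Block,TCP,445,Any,"Public,Private"
'@

function Get-DesiredRules {
    param([Parameter(Mandatory)] [string]$CsvText)
    $CsvText | ConvertFrom-Csv
}

function Sync-FirewallRules {
    param(
        [Parameter(Mandatory)] [object[]]$Desired,
        [Parameter(Mandatory)] [string]$Group
    )

    # Rules we created on a previous run, keyed by DisplayName.
    $existing = @{}
    Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue |
        ForEach-Object { $existing[$_.DisplayName] = $_ }

    foreach ($r in $Desired) {
        $ports    = $r.LocalPort.Split(',')
        $profiles = $r.Profile.Split(',')
        $remote   = if ($r.RemoteAddress -eq 'Any') { 'Any' } else { $r.RemoteAddress.Split(',') }

        if ($existing.ContainsKey($r.Name)) {
            # Re-assert every property, not just presence, so local drift
            # (someone widening RemoteAddress to Any) is undone each run.
            Set-NetFirewallRule -DisplayName $r.Name -Direction $r.Direction -Action $r.Action `
                -Protocol $r.Protocol -LocalPort $ports -RemoteAddress $remote `
                -Profile $profiles -Enabled True
            $existing.Remove($r.Name)
        } else {
            New-NetFirewallRule -DisplayName $r.Name -Group $Group -Direction $r.Direction `
                -Action $r.Action -Protocol $r.Protocol -LocalPort $ports -RemoteAddress $remote `
                -Profile $profiles -Enabled True | Out-Null
        }
    }

    # Anything still in $existing is ours but no longer in the file: remove it.
    # This is what makes the text file the single source of truth.
    foreach ($stale in @($existing.Keys)) {
        Remove-NetFirewallRule -DisplayName $stale
    }
}

Sync-FirewallRules -Desired (Get-DesiredRules -CsvText $RuleSource) -Group $RuleGroup
```

The GPP Scheduled Task item that runs this should execute as NT AUTHORITY\SYSTEM, not as a domain account whose password is stored in the preference item, and the share the script is read from needs write access restricted to the people allowed to change every firewall in the estate: a writable script path run as SYSTEM on every client is domain-wide code execution. On Windows 7 and Server 2008 R2 the NetSecurity cmdlets are absent and the same idea is expressed with netsh advfirewall firewall add rule and delete rule.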

It’s too little, too late. I can now script anything I want, but managing these scripts - the whole point of using a tool like GPOs in the first place - is still needlessly complex. GPPs exist because DesktopStandard saw a huge gap in how Microsoft dealt with systems management. They tried to bring grown-up management tools to Windows, and largely did a good job. They were excellent extensions to Windows five years ago but, compared to the competition available today, they fall short.

So what are my recommendations for using group policy in your environment? First, don't abandon it; in fact, embrace it. GPOs provide easy fire-and-forget tools for administrators. Outside of the simple tasks, though, they simply aren’t worth your time.

Next, powerful as the advanced features like GPP are, there isn’t anything they can do that I can’t do with a script for the same amount of effort. Scripting offers me more flexibility for the difficult, detailed administrative tasks that regular GPOs don’t support.

Puppet Labs has been promising to bring administrators Puppet for Windows some time this year. Given the incredible feature set Puppet provides for scripting on Unix, I expect that when Puppet comes to Windows, it will take Microsoft to school. If Puppet for Windows is half as good as Puppet for Unix then it’s going to be worth the budget.

I can’t see a way to get away from scripting. I’m locked into Microsoft at both the desktop and the server level; I’m not getting away from using Microsoft’s AD. I am wedded to both Microsoft and Red Hat, and have determined that a combination of GPOs and Puppet are what I will be using to get me through the next few years.

Still, after weeks researching policy and script-based management, I find myself thinking only one thing: Damn it. I should have used ZENworks.
