Using group policy: GPOs good, scripts much better

Get on your training wheels


Sysadmin blog We're nearing the end of GPOs part two, so I want to take the time to review the state of GPOs on Windows in general, and the lessons I have learned.

I have worked with policy-based systems management for more than a decade. I have worked with implementations from Novell, Likewise and Microsoft. Running a network with Windows clients and a Microsoft Active Directory (AD), the majority of my exposure to policy-based management has been working with Microsoft’s Group Policy Objects (GPOs).

To get right to it: GPOs are training wheels for sysadmins. GPOs are able to modify a limited subset of configurations on a limited number of operating systems and applications. As such, they are only really useful in maintaining a network “by the book” - Microsoft’s book. There are plenty of situations where it simply isn’t feasible to manage your network by white paper. Your constrained budgets are an example of this, as white papers tend to assume unlimited resources.

Due to their nature, GPOs are limited. They can form part of an effective systems management strategy and I would argue that they should. If you want to configure time synchronisation or timezone settings then GPOs are exactly the thing for you. They are quick and simple, with enough structure to make long term management and maintenance easy.

There are, however, systems administration tasks for which they aren't enough. Microsoft’s acquisition and integration of Group Policy Preferences (GPP), combined with tools such as WMI filters, go a long way towards making group policy useful in more situations. Unfortunately, it doesn’t go nearly far enough.

The first problem is that Microsoft’s various GPO elements need even more flexibility than GPP already has. The critical bit is extensibility; the ability to build true GPOs - not just scripting through GPP - for non-Microsoft products.

Microsoft also needs to incorporate proper versioning, change control, and the ability to revert an entire system to a “known good” set of configurations through something other than System Restore. Single-button reversion of system-wide configuration, pushed from Active Directory, should not be optional. Are you listening, Microsoft? Puppet does all of this right.

Despite my current disillusion with Microsoft, I still believe that GPOs are a necessary part of any Windows administrator’s toolkit. But grown-ups use scripts. Look at the Unix world to see how things could be done: virtually everything can be configured through a human-readable text file.

Almost everything; there are some examples of applications which can be configured from a text file, but anyone who can read those files isn’t something I’d call human. Sendmail is a perfect example; attempt to read the config file and you’ll pull something. Generally it is insanity to configure sendmail without using M4 to generate the active configuration. Even so, I still won’t administer the thing without Webmin.

A completely opposite example is my good friend iptables. I simply adore iptables. I can write my entire firewall ruleset in a single text file. Better yet, it will work on pretty much any Unix system in existence - provided of course that I know where that particular flavour of Unix keeps its firewall config; but that's all in my previous article about why group policy is useful in the first place.

Thanks to GPP, I can finally write my Windows firewall rules out as a text file. It’s not nearly as easy as working with iptables, but I would consider it passably usable. I'd even say that the ability to manipulate both the Task Scheduler and Windows Firewall via GPPs is a revolutionary advance in Windows systems management.

Doing this is still a royal pain. But using PowerShell scripts, combined with the GPP's ability to manage Task Scheduler, I suddenly have the power of grown-up scripting available to me in Windows.
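To make the "firewall rules as a text file, applied by a script" idea concrete, here is an added example of the kind of PowerShell script a GPP-managed scheduled task could run. It is not code from the article or from any Microsoft tool: it reads a plain-text ruleset (format invented for this example), sets a default-deny inbound policy, removes every rule it created on a previous run, and re-creates the rules from the file, so deleting a line from the file also deletes the rule on the client. The file path, the `Managed-` prefix and the sample rules are assumptions; `netsh advfirewall` is the real built-in command on Vista/2008 and later, and the "Rule Name:" parsing assumes an English-language Windows.

```powershell
# Added example, not from the original article.
# Declarative Windows Firewall ruleset kept in a text file and applied idempotently.
# Assumptions: runs elevated (e.g. from a GPP-deployed scheduled task as SYSTEM),
# English-language 'netsh' output, and a hypothetical rule file at $RuleFile.

param(
    [string]$RuleFile = "C:\Policy\firewall-rules.txt"   # assumed location
)

# Constructed sample file content (one rule per line, '#' starts a comment):
#   name|dir|action|protocol|localport|remoteip
#   RDP-from-Mgmt|in|allow|TCP|3389|10.0.0.0/24
#   Block-SMB-from-Anywhere|in|block|TCP|445|any
#   ICMP-Ping|in|allow|ICMPv4|any|10.0.0.0/8

$prefix = "Managed-"   # every rule this script owns carries this prefix so it can be reconciled

# Default posture: block unsolicited inbound on all profiles, allow outbound.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null

# 1. Remove rules created by a previous run, so the file is the single source of truth.
$owned = netsh advfirewall firewall show rule name=all |
         Select-String "^Rule Name:\s+$prefix"
foreach ($match in $owned) {
    $name = ($match.Line -replace "^Rule Name:\s+", "").Trim()
    netsh advfirewall firewall delete rule name="$name" | Out-Null
}

# 2. Re-create every rule listed in the file, validating each field first.
$validDir    = @("in", "out")
$validAction = @("allow", "block")
$portProtos  = @("TCP", "UDP")   # netsh only accepts localport for TCP/UDP

Get-Content $RuleFile |
    Where-Object { $_.Trim() -and -not $_.Trim().StartsWith("#") } |
    ForEach-Object {
        $f = $_.Split("|")
        if ($f.Count -ne 6) { Write-Warning "Skipping malformed line: $_"; return }
        $name, $dir, $action, $proto, $port, $remote = $f | ForEach-Object { $_.Trim() }

        if ($validDir -notcontains $dir.ToLower() -or $validAction -notcontains $action.ToLower()) {
            Write-Warning "Skipping rule '$name': bad dir/action"; return
        }

        $args = @("advfirewall", "firewall", "add", "rule",
                  "name=$prefix$name", "dir=$dir", "action=$action",
                  "protocol=$proto", "remoteip=$remote", "enable=yes")
        if ($portProtos -contains $proto.ToUpper()) { $args += "localport=$port" }

        & netsh @args | Out-Null
        if ($LASTEXITCODE -ne 0) { Write-Warning "netsh failed for rule '$name'" }
    }
```

Because the script removes and re-adds only rules carrying its own prefix, rules added by hand or by a GPO are left alone, and a change in the file is fully reflected on the next scheduled run. The same approach gives you the auditable, diff-able text artefact the article praises iptables for: the ruleset lives in version control, and the client state is derived from it rather than the other way round.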

It’s too little, too late. I can now script anything I want, but managing these scripts - the whole point of using a tool like GPOs in the first place - is still needlessly complex. GPPs exist because DesktopStandard saw a huge gap in how Microsoft dealt with systems management. They tried to bring grown-up management tools to Windows, and largely did a good job. They were excellent extensions to Windows five years ago but, compared to the competition available today, they fall short.

So what are my recommendations for using group policy in your environment? First, don't abandon it; in fact, embrace it. GPOs provide easy fire-and-forget tools for administrators. Outside of the simple tasks, though, they simply aren’t worth your time.

Next, powerful as the advanced features like GPP are, there isn’t anything they can do that I can’t do with a script for the same amount of effort. Scripting offers me more flexibility for the difficult, detailed administrative tasks that regular GPOs don’t support.

Puppetlabs has been promising to bring administrators Puppet for Windows some time this year. Given the incredible feature set Puppet provides for scripting on Unix, I expect that when Puppet comes to Windows, it will take Microsoft to school. If Puppet for Windows is half as good as Puppet for Unix then it’s going to be worth the budget.

I can’t see a way to get away from scripting. I’m locked into Microsoft at both the desktop and the server level; I’m not getting away from using Microsoft’s AD. I am wedded to both Microsoft and Red Hat, and have determined that a combination of GPOs and Puppet are what I will be using to get me through the next few years.

Still, after weeks researching policy and script-based management, I find myself thinking only one thing: Damn it. I should have used Zenworks.
