Using group policy: GPOs good, scripts much better
Get on your training wheels
Sysadmin blog
We're nearing the end of GPOs part two, so I want to take the time to review the state of GPOs on Windows in general, and the lessons I have learned.
I have worked with policy-based systems management for more than a decade. I have worked with implementations from Novell, Likewise and Microsoft. Running a network with Windows clients and a Microsoft Active Directory (AD), the majority of my exposure to policy-based management has been working with Microsoft’s Group Policy Objects (GPOs).
To get right to it: GPOs are training wheels for sysadmins. GPOs are able to modify a limited subset of configurations on a limited number of operating systems and applications. As such, they are only really useful in maintaining a network “by the book” - Microsoft’s book. There are plenty of situations where it simply isn’t feasible to manage your network by white paper. Your constrained budgets are an example of this, as white papers tend to assume unlimited resources.
Due to their nature, GPOs are limited. They can form part of an effective systems management strategy and I would argue that they should. If you want to configure time synchronisation or timezone settings then GPOs are exactly the thing for you. They are quick and simple, with enough structure to make long term management and maintenance easy.
There are, however, systems administration tasks for which they aren't enough. Microsoft’s acquisition and integration of Group Policy Preferences (GPP), combined with tools such as WMI filters, go a long way towards making group policy useful in more situations. Unfortunately, it doesn’t go nearly far enough.
The first problem is that Microsoft’s various GPO elements need even more flexibility than GPP already has. The critical bit is extensibility; the ability to build true GPOs - not just scripting through GPP - for non-Microsoft products.
Microsoft also needs to incorporate proper versioning, change control, and the ability to revert an entire system to a “known good” set of configurations through something other than system restore. Single-button reversion of system-wide configuration, pushed from Active Directory, should not be optional. Are you listening, Microsoft? Puppet does all of this right.
Despite my current disillusion with Microsoft, I still believe that GPOs are a necessary part of any Windows administrator’s toolkit. But grown-ups use scripts. Look at the Unix world to see how things could be done: virtually everything can be configured through a human-readable text file.
Almost everything; there are some examples of applications which can be configured from a text file, but anyone who can read those files isn’t something I’d call human. Sendmail is a perfect example; attempt to read the config file and you’ll pull something. Generally it is insanity to configure sendmail without using M4 to generate the active configuration. Even so, I still won’t administer the thing without Webmin.
A completely opposite example is my good friend iptables. I simply adore iptables. I can write my entire firewall ruleset in a single text file. Better yet, it will work on pretty much any Unix system in existence - provided of course that I know where that particular flavour of Unix keeps its firewall config; but that's all in my previous article about why group policy is useful in the first place.
Thanks to GPP, I can finally write my Windows firewall rules out as a text file. It’s not nearly as easy as working with iptables, but I would consider it passably usable. I'd even say that the ability to manipulate both the Task Scheduler and Windows Firewall via GPPs is a revolutionary advance in Windows systems management.
Doing this is still a royal pain. But using PowerShell scripts, combined with the GPP's ability to manage Task Scheduler, I suddenly have the power of grown-up scripting available to me in Windows.
It’s too little, too late. I can now script anything I want, but managing these scripts - the whole point of using a tool like GPOs in the first place - is still needlessly complex. GPPs exist because DesktopStandard saw a huge gap in how Microsoft dealt with systems management. They tried to bring grown-up management tools to Windows, and largely did a good job. They were excellent extensions to Windows five years ago but, compared to the competition available today, they fall short.
So what are my recommendations for using group policy in your environment? First, don't abandon it; in fact, embrace it. GPOs provide easy fire-and-forget tools for administrators. Outside of the simple tasks, though, they simply aren’t worth your time.
Next, powerful as the advanced features like GPP are, there isn’t anything they can do that I can’t do with a script for the same amount of effort. Scripting offers me more flexibility for the difficult, detailed administrative tasks that regular GPOs don’t support.
Puppet Labs has been promising to bring administrators Puppet for Windows some time this year. Given the incredible feature set Puppet provides for scripting on Unix, I expect that when Puppet comes to Windows, it will take Microsoft to school. If Puppet for Windows is half as good as Puppet for Unix then it’s going to be worth the budget.
I can’t see a way to get away from scripting. I’m locked into Microsoft at both the desktop and the server level; I’m not getting away from using Microsoft’s AD. I am wedded to both Microsoft and Red Hat, and have determined that a combination of GPOs and Puppet is what I will be using to get me through the next few years.
Still, after weeks researching policy and script-based management, I find myself thinking only one thing: Damn it. I should have used ZENworks.