
Have we forgotten how powerful Group Policy is?

In critical times for Microsoft, we may have underestimated this centralized management solution for Windows systems. IT pro Rick Vanover will try not to start a fight, but to highlight a long-time strength from Microsoft.

These days, it seems that Microsoft is taking a lot of criticism from a number of different avenues. One thing is rather undeniable: Group Policy is a great solution for centralized management. Each time I find some new configuration item, I’ll go out on Twitter and say something rash like, “Group Policy is the best product that Microsoft has ever made.”

While it may be a quick-passing comment, the fact remains that there are many configuration capabilities that Group Policy objects (GPOs) make possible. Further, because GPOs are scoped through Active Directory (linked to sites, domains and organizational units, and filtered by the security groups a user or computer account belongs to), individual policies, including those governing network access, can be switched on or off for exactly the accounts that should receive them. Group Policy as we have it now was first introduced in Windows 2000, some ten years ago. Sure, plenty of agent-based system management products have come into the field, but some things are still just best addressed with Group Policy.

Part of the critique of Microsoft is that they aren’t addressing the computing experience of modern times. While they haven’t “won” the mobile phone operating system war, I do applaud the recent extensions of System Center Configuration Manager (SCCM) 2012 to include Android, Symbian, iPhone/iPad platforms, and oh yeah, Windows Phone 7 systems. This is big news for traditional environments dealing with the influx of consumer devices while still needing to meet organizational requirements.

While SCCM is not Group Policy, the strategy is a welcome bridge to managing this inevitable mix of devices. At face value, some may dismiss this as irrelevant because users are able to do everything they need to do without the traditional internal IT service. Sure, the vocal minority of that class of user will be self-sufficient with their iPad and fancy phone, but they also may not be doing the kind of work that requires a full, managed computing experience.

The next argument is whether or not the PC is dead, making Group Policy and SCCM moot. Of course the PC isn’t dead. People simply use more devices; once Dell, HP and others stop selling PCs and laptops, I’ll believe that. Until then, Group Policy reigns supreme for PC and server centralized management. What is your take on Group Policy?

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

33 comments
jensongroves

Just like a professional employer organization that a human resources company has, people do use more devices, and a group policy should be included to work with all of the hardware. Why do we have to get licenses on each, or why does some hardware work with others? Everything should be compatible nowadays.

hrisan

It is absolutely true, the combination of those 3 is really good and I can't see how you are going to manage 30,000-40,000 computers without it. We had "very bright" chaps from India who were rolling out the SCCM clients on machines manually for months and I am not sure why they never heard about GP and scripting, but it took them months rolling out the client. After checking what they were doing and realizing their "ingenious" approach we wrote a script which installed the software on several thousand computers on the next reboot. Also, what to say about the templates for the MS Office application settings, the browser settings or security policies - they are just great. I think that is one of the main reasons it is really hard to kick Microsoft out of the Enterprise market easily; you need an alternative that can substitute for all that.

link470

To the person who down voted this once, when I made my comment up top, the TR website posted it twice. Once as a reply up above, and once down here. However, as far as I can see, TR does not allow users to delete their own comments. Could a moderator please delete this?

randyd@sji

The sweetest thing about GPOs is the ability to push software out and have it install across the network. Some drawbacks are the MSI and MST files necessary to do this with, but in the long run it saves time. Regulating what users can do in a domain is priceless; otherwise time would be spent on repairing mistakes users make. As is said, Google is my best friend. A good discussion on GPO with AD is a great idea. Just include real world usages? Oh, SCCM appears to be another good tool, but doesn't that cost $$$...GP is....free?

b4real

Look out! Selena's on me for ideas. "THANKS GUYS" :)

Ken487

I am just getting started with using AD and GP on a Small Business Server and agree that a series on AD and GP would be useful.

sallen

We are about to implement AD (currently in a Netware environment). A GP primer would be great for me. Anyone know where I can find one?

Justin James

... are people who haven't used it. Whenever I hear someone talking about throwing out Active Directory and going all Linux (or cloud) on the backend, I ask them how they plan to centrally manage all of their desktops (not to mention servers) without GP. They usually have little to say in response because they have no idea what GP is or how it works. Sorry, but using AD + GP = big savings that scales infinitely, and in fact, the bigger your organization is, the more you save PER NODE. It's that good. The folks who want to toss AD prove their ignorance when they don't take this into account. Even if I had a 100% non-Microsoft backend, I'd still want one Windows Server on the backend providing AD for the clients, just for things like GP and centralized authentication. J.Ja

capeterson67

As an IT contractor and network engineer/admin, I oversee 4 fairly large domains. Group Policy is THE foundation upon which my remote management strategy is built. I don't understand the premise that MS is thinking each PC is a single user device. All it takes is some minor scripting ability and Group Policy know-how. Any user on my domain can log into any PC on the network and see their desktop, their documents, and their email. They can print to all the same printers and perform virtually every task on a different PC that they can perform on their own. With an authorized VPN login, they can even log in from a PC in their home and have a very similar experience, internet conditions permitting. I am not a "Microsoft Guy". I am a "getting things done and performing actual work" guy. I want to like Linux. I would love to be able to design and build a network with the same powers of centralized administration on a Linux platform. You simply can't. Right now, Group Policy has no equal. The only real limitation I see with it is the experience level and skill of the administrator.

lhAdmin

I too would love for TechRepublic to do some series of technotes, articles, etc. on Group Policy best practices, perhaps with real world uses/examples (as opposed to text book/readme.txt), including some focus on specific areas (how to use it to prevent malware, how to allow users to do some tasks like updating Firefox, Adobe Reader, etc.).

Ajax4Hire

I agree, Group Policy is a good way to manage/conform multiple users to a common setup. It is a great work-around from forcing "regedit /s new-edition-to-profile.reg" on login. My problem is this highlights Microsoft's lack of multi-user design. Microsoft is still thinking single-dimension: a PC is a single user device.

jhamblet

I am IT assigned to a university library. We use Group Policy to "lock down" Windows 7 for use at public computer kiosks. And for that purpose, it works great!

randy_scadden

I've always wanted a site like TechRepublic to do a series on Group Policy best practices, with topics ranging from "here are the best Group Policies for reducing your vulnerability to malware and virus attacks" to just general Group Policy tips, tricks and tweaks.

CharlieSpencer

Replace the title with something like 'Duplicate Post' and replace the comment with a single period.

b4real

There are a lot of "better" ways to do that; but nonetheless -> That works.

capeterson67

There really are no drawbacks to silent install. With some fine tuning you can make an MSI package for literally anything...even applications that require multiple option selections during installation or ODBC connections. I have created MSI packages, pushed down upon a new computer joining a domain, that attach to multiple databases and require multiple setting changes, with a handy app called MSI Package Builder. You can find it here: http://emcosoftware.com/msi-package-builder There is a learning curve involved but it is well worth your time. With a little VB programming, I have a GP script that will automatically uninstall one set of printers and install another set just by changing the OU the PC resides in. That is the kind of functionality I want to see from Samba before I use it.
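As an added example of the printers-follow-the-OU idea in the comment above (this is not capeterson67's VB script, nor code from the original post): a PowerShell logon script that reads the computer's parent OU from Active Directory and reconciles the user's network printer connections against a table. The print server, OU names and printer names are made-up placeholders; the table is constructed for the example.

```powershell
# Added example: map printers by the OU the computer sits in. Run as a GP logon script.
# Uses ADSI and the WScript.Network COM object so no RSAT module is needed on the client.
$printServer  = "\\printsrv01"                        # hypothetical print server
$printersByOU = @{                                     # constructed table: OU RDN -> printer shares
    "OU=Floor1" = @("Floor1-MFP", "Floor1-Color")
    "OU=Floor2" = @("Floor2-MFP")
    "OU=Kiosks" = @()                                  # kiosks get no printers at all
}

function Get-ComputerOU {
    # Look up this machine's distinguishedName and strip the leading "CN=host," to get its container.
    $searcher = [ADSISearcher]"(&(objectCategory=computer)(cn=$env:COMPUTERNAME))"
    $result   = $searcher.FindOne()
    if (-not $result) { throw "Computer $env:COMPUTERNAME not found in AD" }
    $dn = [string]$result.Properties["distinguishedname"][0]
    return $dn.Substring($dn.IndexOf(",") + 1)
}

function Get-DesiredPrinters([string]$ouDN) {
    # Match on the immediate container only, so OU=Floor1 never matches OU=Floor10.
    # Returns $null when the OU is not in the table (caller leaves printers untouched),
    # and an (possibly empty) array otherwise; the leading comma keeps empty arrays intact.
    $firstRdn = $ouDN.Split(",")[0]
    if (-not $printersByOU.ContainsKey($firstRdn)) { return $null }
    $list = @($printersByOU[$firstRdn] | ForEach-Object { "$printServer\$_" })
    return ,$list
}

$desired = Get-DesiredPrinters (Get-ComputerOU)
if ($null -eq $desired) {
    Write-Host "No printer mapping for this OU; leaving connections untouched"
    return
}

$net = New-Object -ComObject WScript.Network

# EnumPrinterConnections returns port,name pairs; network connections carry their UNC as the name.
$conns   = $net.EnumPrinterConnections()
$current = @()
for ($i = 1; $i -lt $conns.Count; $i += 2) {
    if ($conns.Item($i) -like "\\*") { $current += [string]$conns.Item($i) }
}

# Remove connections this OU should not have, then add the ones it is missing.
foreach ($p in $current) {
    if ($desired -notcontains $p) { $net.RemovePrinterConnection($p, $true, $true) }
}
foreach ($p in $desired) {
    if ($current -notcontains $p) { $net.AddWindowsPrinterConnection($p) }
}
if ($desired.Count -gt 0) { $net.SetDefaultPrinter($desired[0]) }
```

Because the script runs in the user's context, the user needs print permission on each share; an OU not listed in the table is deliberately a no-op rather than "remove everything", so a PC parked in CN=Computers does not lose its printers.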

readret

the book "Group Policy Fundamentals, Security, and the Managed Desktop" by Jeremy Moskowitz. It takes you from a high-level overview to the nuts and bolts of GP. Also, his website: gpanswers.com is a great resource. He has a product called "PolicyPak" that will let you lock down via GP almost any applications - even non-MS ones.

link470

It's by far one of the best things about running a Windows network. The amount of fine tuned, granular settings that can be applied to systems, combined with Active Directory Users and Computers, is fantastic. It took me a while when I was in University to understand its true power, but now that I've been working in IT for a few years, I absolutely love it. The more you play with it, the more you realize just how powerful it is. Many authors of applications, even free applications, have developed .ADM files for use with Group Policy as well [Firefox ADM is a great example], and you can script your own .ADM administration template files for use with Group Policy too.

My only advice for now to beginners reading this who may be interested in getting started with Group Policy is to be careful and not get carried away by just enabling everything. Here's some quick tips:

- If you're using Windows Server 2003, I'd highly recommend going and downloading the GPMC, Group Policy Management Console. This makes working with Group Policies MUCH easier. Install it either on the computer you operate the network from in your domain and point it to your domain server, or install it on the domain server itself if you do most of your work right at the server. If you're running Windows Server 2008, you should already have this.

- Policies are applied within Active Directory to Organizational Units. I'd HIGHLY recommend organizing Active Directory Users and Computers in advance, BEFORE starting to apply group policies. If all of your users are just under the "Users" OU, and all of your computers are sitting in "Computers" after being added to the domain, things could get messy. Now, don't get me wrong, if you want one policy that applies to everything globally, you'll be fine and it will work. But that's usually not the case.

- Carefully read the description on each policy setting, as sometimes Microsoft's wording can be confusing or misleading if not read correctly. This is similar to a lot of Microsoft's documentation. Don't get me wrong, I love the company, but their documentation is definitely written in the "Microsoft" way. Most of their stuff is pretty straightforward, but sometimes has to be read a few times to understand what they mean.

- Policies applied can sometimes interfere with other policies being applied. Double check what policies are being applied where and that you aren't enabling something somewhere and disabling something somewhere else. For example, check that you haven't created a policy that restricts 17 control panel items and allows 4, and then restricted access to the control panel in another policy.

- Policies are either applied to computers or users. Remember to apply policies to the correct OU. If you designed a policy using a lot of settings that affect computer configuration, and you apply it to an OU that just has users in it, that policy isn't going to do much without loopback processing [see http://support.microsoft.com/kb/231287 ].

- This one's a no brainer, but TEST your policies! Have a separate OU, either within an OU you want to add another policy to, or completely separate in the domain root altogether, and apply the necessary policies to that. Add any test computers or test users you want to that OU, and then try the policies out and make sure they work before pushing them out to all users of a network. This is especially important when testing software restriction policies. The last thing you want to do is implement a broken software restriction policy and have everyone in your organization unable to launch the required applications they need for doing their job.
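Tying the tips in the comment above together (a pilot OU, one purpose per GPO, computer versus user settings and loopback, security filtering, and testing before rollout), here is an added PowerShell example that is not from the original post or any commenter. It uses the GroupPolicy and ActiveDirectory modules that ship with RSAT on Windows 7 / Server 2008 R2 and later. The OU, group and GPO names are placeholders, and the loopback and Control Panel registry values are the ones the corresponding administrative template settings write.

```powershell
# Added example: build a narrowly scoped pilot GPO and review it before widening its reach.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDN   = (Get-ADDomain).DistinguishedName      # e.g. DC=corp,DC=example,DC=com
$pilotOU    = "OU=GP-Pilot,$domainDN"               # hypothetical pilot OU
$pilotGroup = "GP-Pilot-Computers"                  # hypothetical group used for security filtering
$gpoName    = "Kiosk - Lockdown (pilot)"            # one purpose per GPO, and named for it

# 1. Pilot OU and filtering group, created only if absent (the Get-AD* cmdlets throw when not found).
try   { Get-ADOrganizationalUnit -Identity $pilotOU | Out-Null }
catch { New-ADOrganizationalUnit -Name "GP-Pilot" -Path $domainDN | Out-Null }

try   { Get-ADGroup -Identity $pilotGroup | Out-Null }
catch { New-ADGroup -Name $pilotGroup -GroupScope Global -GroupCategory Security -Path $pilotOU | Out-Null }

# 2. The GPO itself.
try   { $gpo = Get-GPO -Name $gpoName }
catch { $gpo = New-GPO -Name $gpoName -Comment "Pilot kiosk lockdown; linked to $pilotOU only" }

# Computer side: loopback processing (UserPolicyMode 2 = Replace, 1 = Merge), so the user
# settings in this same GPO apply to whoever logs on to a machine in the OU.
Set-GPRegistryValue -Name $gpoName `
    -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\System" `
    -ValueName "UserPolicyMode" -Type DWord -Value 2 | Out-Null

# User side: the value written by "Prohibit access to Control Panel".
Set-GPRegistryValue -Name $gpoName `
    -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer" `
    -ValueName "NoControlPanel" -Type DWord -Value 1 | Out-Null

# 3. Security filtering: only pilot group members apply the GPO. Authenticated Users keeps Read
#    (downgraded from the default Read+Apply) because computers must still be able to read it.
Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $pilotGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Link to the pilot OU only, never the domain root, unless already linked.
$linked = (Get-GPInheritance -Target $pilotOU).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $linked) { New-GPLink -Name $gpoName -Target $pilotOU -LinkEnabled Yes | Out-Null }

# 5. Dump every setting the GPO carries so it can be reviewed before the scope grows.
$report = Join-Path $env:TEMP "gpo-pilot-report.html"
Get-GPOReport -Name $gpoName -ReportType Html -Path $report
Write-Host "Settings report written to $report"

# On a pilot machine (moved into the OU and added to the group, then rebooted so its
# Kerberos ticket picks up the new group), verify with:
#   gpupdate /force
#   gpresult /scope:computer /r     (lists applied GPOs and those filtered out, with the reason)
```

The reboot matters: a computer's group memberships are evaluated at startup, so adding the machine to the filtering group without restarting leaves the GPO showing as "filtered out" in gpresult until it does.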

capeterson67

any of the Administrator's Companion series books from Microsoft. Simply look for the volume written for your server OS. They include information on installation, configuration, and best practice advice. It will get you started and possibly get you thinking about potential admin uses that hadn't occurred to you before. There is also lots of info on the web that is only a Google away.

capeterson67

You are quite right that Active Directory should always be mentioned with Group Policy. I also agree that there are too many admins out there who don't know what Group Policy is or, if they do, have no idea how to use it.

APSDave

@capeterson67 Up until recently, I would make the same argument as you about Linux. I'm a die hard open source nut, and look for every avenue to put Linux or open source solutions in our infrastructure. But, the bummer was that, while LDAP can manage access to folders and files, it cannot manage workstations and policies like AD. However, Samba is developing Samba4 that will handle all of this for us. It is still in alpha release, and no release date has been set, but it is in the works. You can read about it here http://wiki.samba.org/index.php/Samba4. I'm not advocating jumping off the AD wagon yet. Just bringing it up so you can keep your options Open :)

mysterchr

Please help me understand your statement here, because currently I'm in agreement with kbc2811. I don't see how Group Policy or Active Directory would highlight a lack of multi-user design. In fact GP and AD are put into place specifically for networks where PCs are used as multi-user devices. I can't think of another OS or platform that does this better. Now Linux/Unix does have what I call "Passive Alternatives", but none that I've had the pleasure of working with had the scalability of GP. So instead of ragging on MS maybe you could explain why you feel this way. Is there an option that provides management support for multi-user machines better than Group Policy?

ksec2960

This is only a problem if you have not designed your AD structure correctly or to fit your specific needs. AD combined with GP gives you a lot of choices and a lot of flexibility for applying different policies to different groups of users or individual users. This takes time and planning but can save you a lot of time and headache in the long run.

JenIT

Great IDEA!!! Will you follow through, TechRepublic?

pgit

I second the idea. It would start some good discussions, people would chime in with their ideas and the forums would remain a good place to ask questions related to a given subject. I'd start with 'tips, tricks and tweaks.' I'm sure a lot of that would cover security concerns.

capeterson67

but when you are adding 10 PCs at a time...or dealing with high employee turnover...or the constant game of musical offices...I haven't found a better way yet than automating the process as much as possible.

bearmr

"Group Policy is the best product that Microsoft has ever made." Not sure about 'best' but yeh - it's up there.

capeterson67

If you are looking to redirect "My Documents", do that and only that, within that policy object. Don't redirect "My Documents" and then set everyone's home page to Google. Make a separate policy object for that. Also give each policy object a meaningful name. I promise you that six months later, you will completely forget what each policy does otherwise.

capeterson67

their progress sporadically. I will need a version in my hands to play with before I consider it viable. It will need the same open ended scripting capabilities (which is the real beauty of Group Policy) that GP has. If I can perform the same automated tasks and configuration control functions as GP, I will definitely consider it. Being able to present a viable and dependable centralized domain network option to a client for a fraction of the cost of a Microsoft solution would be a great thing. :)

b4real

@JenIT -> I'm on it. Selena and I will come up with something!

Selena Frye

Our writers, including Rick, have covered a lot of Group Policy topics (I know, good luck trying to find them all with our site search!) over the years. I'll work on compiling those and then we can see which areas we've missed and go from there. Thanks for the feedback!

b4real

But, yes that comment is a "firestarter"

link470

Very true! The naming one is huge. Keep each policy well defined and specific to what it's supposed to do, for sure.