Group Policy Made Great

Microsoft, please finish the job you've begun with the Group Policy Management Console

I’m a big fan of Group Policy. System policies, although a nice idea, were limited in scope, and I think Microsoft was wise to develop the completely different Group Policy engine for central control and administration.

If you haven’t yet worked with Group Policy, I strongly suggest that you start learning about it. The old approach of having to do a lot of repetitive clicking to administer domains is fast dying out at the hands of two forces. One of these forces is the exceptionally scriptable nature of Windows .NET Server (Win.NET Server) 2003, Windows XP, and Windows 2000. The other is Group Policy.

When you start to work with Group Policy, however, you see that it's a management tool that, ironically, lacks decent management tools. Microsoft is hastening to remedy that deficiency with the Group Policy Management Console (GPMC), a tool that will greatly improve Group Policy management but that, in my opinion, doesn't go far enough.

GPMC is in beta 2 now and will be available as a free download sometime this spring. GPMC lets you back up and restore Group Policy Objects (GPOs) and script new GPOs (but not their settings) and provides a greatly improved Resultant Set of Policies (RSoP) tool. RSoP tools are the Holy Grail of Group Policy management. Suppose you’re trying to figure out why Sheila no longer has access to Control Panel at her workstation. Numerous GPOs might apply to Sheila and her workstation, but which one applies the "hide Control Panel" policy? RSoP tools seek to boil down the effects of all the GPOs and tell you, in effect, that the system ultimately takes action X because of GPO Y. That information is certainly helpful, but GPMC could do more.

1. GPMC should provide a conflict log. One factor that makes GPOs confusing is that they can conflict. If your workstation receives one GPO that says, "Set the desktop’s wallpaper to Red Moon Desert" and another that says, "Set the desktop’s wallpaper to Bliss," one of those GPOs will win and the other will lose. But RSoP tools don't tell you which GPO takes precedence. Learning about and troubleshooting GPOs would be much easier if an RSoP tool made the GPO application process transparent. I'd like GPMC to provide a log that can tell you "GPO 2 said to set the desktop to Red Moon Desert, but GPO 8 said to use Bliss. Because GPO 8 came after GPO 2, GPO 8 won." Such a log would be a great teaching tool as well as a helpful troubleshooting tool.

2. GPMC should provide completely scriptable GPOs. GPMC lets you script policy creation, deletion, and copying, but it doesn’t complete the job. Suppose I wanted to create a GPO that would roll out Microsoft Word 2002 by assigning Word to a particular user. First, I’d have to create a GPO. Then, I’d have to create a new software-deployment policy within that GPO. So far, so good—GPMC lets me do those things. But when I want to adjust the policy, choosing to assign rather than publish the application, GPMC leaves me hanging. You have to click buttons and drop-down lists to tell a GPO exactly what you want it to do. And, to roll out an application to just one person, I’d probably use policy filtering to adjust the GPO's permissions to control who it applies to, but GPMC’s scripting tools apparently won’t let me do that, either. The "perfect" GPMC would let you script all those steps.

3. GPMC should tell you which GPOs aren't disabled. About half of my Active Directory (AD)–related consulting jobs have involved fixing someone else’s Group Policy–related mess. Open the Microsoft Management Console (MMC) Group Policy snap-in, and you see GPOs. Open a GPO on an XP box, and you can potentially modify about 500 different policy settings (on Win2K, you can modify about 300 settings). Most GPOs have three possible settings: On, Off, and Disabled. On a job, I need to look at hundreds of possible settings to figure out which ones the previous administrator set. The frustrating part is that I know that no one has touched most of those settings, so they're irrelevant to the analysis I’m trying to do. GPOs that contain just one policy setting aren't unusual. But Group Policy Editor (GPE) doesn’t provide clues about where that one setting is, so I might have to spend hours poking through GPOs. If GPE had a "Show me the settings that are either On or Off but not Disabled" mode, a task that once required hours would take only a few minutes.

4. GPMC should let you back up and restore local GPOs. AD is great, but I have many clients who are still on the fence about AD. Meanwhile, they love XP Professional Edition and Win2K and really want to use the power of Group Policy. And they can: You can run gpedit.msc to open GPE on a system that’s not a member of a domain. Gpedit.msc can create a set of local policies that can do just about anything that you could do if you had an AD domain. The problem is that you might need to spend 30 minutes clicking to get a system just the way you want it, and after that half hour you have only one correctly configured system. If only you could configure one system, then have gpedit.msc spit out some kind of configuration file that you could apply to other systems by running just one command. Security templates can accomplish some of this, but they can’t do everything.

These suggestions are based on my experience with Group Policy. You might have different suggestions—drop me a line to tell me about them. Microsoft, you’re doing a good job with GPMC. Now, please consider finishing the job!

TAGS: Windows 8
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.