We're nearing the end of GPOs part two, so I want to take the time to review the state of GPOs on Windows in general, and the lessons I have learned. I have worked with policy-based systems management for more than a decade. I have worked with implementations from Novell, Likewise and Microsoft. Running a network with Windows …
1) Group policy preferences are what it said on the tin ie: *preferences* that can be overridden by the user - unless you blow a users profile away at each logon they are of no use use for compliance
2) I agree that for real power/flexibility scripts are the business (powershell, vbscript, jscript, batch - choose your poison but this is my order of preference) - but l in every case i've ever come across these can be fired off by a property of either the computer or the user that is easily evaluated by GPO. I may seem obtuse but I don't understand why adding another policy management tool adds value. It seems you are adding puppet to the mix 'cos you dig it on linux
Actually, I'm adding puppet because it offers good versioning support. I didn't start using puppet on Linux until a few months ago. While I find scripting generally more powerful than GPOs, it's honestly the versioning support that won me over to Puppet.
The power of ZEN
You can't beat the power of ZenWorks even in AD driven environments.
No eDirectory required now as well.
ZCM 11 is looking sweet.
Other tools available
Both AppSense and RES PowerFuse enhance the functionality provided by AD GPOs. Neither are cheap mind you.
New toys to investigate...
``[an iptables config text file] will work on pretty much any Unix system in existence - provided of course that I know where that particular flavour of Unix keeps it firewall config''
Er, no. Not unless you assume that all unix in existence is linux 2.6. Before 2.6 they used ipchains and before that... something else. By contrast, FreeBSD support ipfw(2), ipf, and pf. You can even mix them to a point, though your rulesets will become... interesting, but you can do it, and sometimes it's even useful to do so. I like ipfw2 and pf both for their routing table style lookup ability, meaning that you can do ip/range blacklists efficiently. The closest to ``universal'' packet filtering would probably be openbsd's pf.
Not contesting the sendmail dig, I'm not even trying to read, much less write, sendmail.cf myself. Plenty people _do_ roll their own and without m4, though that also means they're sendmail specialists and can make good money doing it. Personally, I'll pick a different MTA. The fact that I can means more power to me.
For an ``unreadable text'' format I'd point to XML first. Mostly because it's overly general, overly verbose, overly hyped, and often abused by people who shouldn't be let near designing formats at all. As a developer I can think of many formats that are simpler and faster to parse and develop parsers for. The belief that XML will make everything magically better, as too many developers, managers, and other silly people hold, makes it snake oil.
From what I heard about puppet is that it's an useful approach, but certainly the only one. cfengine is something of a low-level, experts-only, very unix-y remote automated scripting tool. You might take a look at arusha (ark.sourceforge.net) that builds on that and offers another take on what puppet does. Though it uses XML extensively. Oh well, can't have everything.
I'd still like to know how to poke windows boxes remotely from unix boxes running scripts. Through the remote registry, exec-over-rpc, or what-have-you. One of the things I'd want to have, eventually, is some cron job updating the latest in emergency micros~1 patches onto a unix server for review, then lets me push them out through perhaps another script onto the windows boxes. There are various tools to do parts of that around, but I haven't gotten around to hack them so they'll work sensibly as scripted components in a POSIX environment and glue it all together. I'm a bit surprised if nobody else managed that before; the protocols should support it though they're exceedingly obscure and rather painful to work with. But maybe I just haven't been looking enough.
Yes, it does assume all Unicies I encounter are 2.6 or newer. Shh. I was glossing over this. IPchains wasn't that much different than IPtables, and IPtables still accepts IPchains rules. I can write scripts that easily vomit out code for all of it from one central config location.
Or since I am so lazy, just use Webmin for the bulk of it, and hand-edit the finer details. The point was more that “firewall by text file = easy” while “firewall via impenetrable GUI = gigantic pain in the arse.” Being completely accurate while keeping the length of my articles down is a skill I am still learning.
Yes, I agree with the point you're trying to make and I'll grant you that `linux' pretty much counts as a `unix' like `minix' does, even though neither contains any actual original `unix' code. But assuming nothing else exists is a bit too close to a goatse done on artistic license for comfort. So now you do have to prepare for a mob of beardy purists with pitchforks claiming that `linux' is not at all a real `unix' because linus is a bald-faced foulmouth.
Aren't GPOs basically registry settings though? And the .adm language that Group Policy Editor uses is documented somewhere, so there's really nothing to stop you writing your own .adm files to control settings for non-Microsoft applications, is there? Provided they store their settings in the registry of course.
You can write GPPs for anything you wish. Regular GPOs are a bit more limited than this, though in principle you are correct. There are plenty of programs however that don't store their configs in the registry, and plenty more that read the config on lead, maintain an active modified copy in RAM, then flush to the registry on quit. (Nuking any GPOs you had there.) GPPs allow you to play with many more areas of the system, and alter many more settings than traditional GPOs.
I think you're comparing apples and oranges here. Of course scripts can be used to push registry settings (which ultimately is what GPOs do, as danj2k has pointed out), but they do much more than this. On the other hand how do you easily deploy a script to a well-known bunch of machines or users anyway? The easiest (and free) way to do so under Windows is... GPOs.
What I would really like to see is a less half-baked implementation. This machine/user schizophrenia is nonsense, and the 'loopback' trick to work around this is a ugly and very limited hack as one soon finds out when he/she wants to deploy user settings to limited sets of users working on machines found in a given OU. The whole concept of GPO is something I like in Windows (mind you, there aren't so many such things) but it's not really there yet.
Yes, GPOs are a nightmare to track, maintain and document. On the other hand scripts by themselves wihout strict coding policies and extra tools can be equally bad.
As for iptables, why would you need to know where a given distribution stores its configuration? make your rules a ...shell script, precisely. Have called from rc.local if no better place. At least this will be portable.
The point behind Puppet is that it removes that "nightmare to track, maintain and document." It's got beautiful versioning that makes life much easier.
Advanced Group Policy Management
I apologise if you have mentioned this already but there is a Microsoft tool out there for tracking GPO versioning and tracking changes: http://www.microsoft.com/windows/enterprise/products/mdop/agpm.aspx
Yes, my previous article mentioned it. Compared to Puppet, it's wholly inadequate. If AGPM were part of the OS instead of the MDOP and as good as Puppet’s versioning, then I would have a hard time recommending puppet over AGMP.
When I look at AGMP (and it’s associated costs) and then I look at Puppet…I’d rather spend the money on Puppet and get more bang for my buck.
- Analysis BlackBerry Messenger unleashed: Look out Twitter and Facebook
- Comment Mobile tech destroys the case for the HS2 £multi-beellion train set
- Nine-year-old Opportunity Mars rover sets NASA distance record
- IT bloke publishes comprehensive maps of CALL CENTRE menu HELL
- Things that cost the same as coffee with Tim Cook - and are WAY more fun