Desktops are important and need managing with the same care as servers. If you are using Windows many of the tools you need are built into Active Directory, which lets you define individual users and computers along with their roles and the groups they fall into. This division makes managing Windows PCs relatively easy. The key …
Speaking as a rank amateur
I find GP useful though I've only used it in a few instances. It allowed me to set the default file formats in later versions of Office to doc and xls instead of docx and xlsx, thereby avoiding compatibility issues within the workplace.
AD? A toy for MCSEs to royally piss users off remotely.
AD and the client systems that connect to it are a perfect playground for MCSE Plonkers to implement group policy changes with absolutely no thought for the people who have to suffer their mostly plain crazy/silly/headbanging changes.
All the developers in our company have local admin rights on their laptops. This is so that they can install the myriad of software products they need to do dev work, for example WebSphere Application Server or SAP clients or Oracle clients.
Last month the AD ******ers took that access away. No consultation, no warning, no nothing. It was done overnight.
When people started to arrive for work and log in, about half the laptops BSOD'd. OK, you reboot and try to log in. Your account is now disabled coz they took our access away.
The more savvy of us booted into the Linux install we had on the laptop and carried on working. Many didn't have that luxury.
Two days later, we got our access back. Guess how much that cost the company? Lots. Did any *****ers lose their job? Did they heck. IS Management tried to blame us devs for a Group Policy change. PHBs all round that lot.
Oh, and don't get me started on the registry changes they make on the fly. Several have caused BSODs in the middle of preparing a priority 1 patch to our production systems. Now we take the systems we use for that job off the network at times like that.
Thankfully, we are all moving to Macs or Linux laptops soon. Then their days of wreaking havoc will be long gone. They are lucky that they work in a different part of the country.
Grenade. For all AD admins everywhere. May you all die a horrible and slow death in the Microsoft never-never land.
AC @ 10:39
That sounds more like a failure of Change Control to me.
Tar everyone with the same brush?
If your admins make changes without consultation your company just has bad policies and procedures; all changes to GPOs and AD should go through testing and change control. Change controls should show the implementation plan, roll-back plan and testing plans. Servers should have as few policies applied as possible.
As devs you should not have admin rights when working outside of your dev environment (email etc.). Any development environment should be sandboxed; if they had planned it right with you it wouldn't have been an issue, but like I said, it's the company's working practices that are at fault, allowing them to act like this.
@ AC 10:39
For an apparent software 'engineer' you don't seem to have much logic!!
As someone else said, ever heard of change control? Don't blame everyone else for your, and your company's failings.
GP is a tool, yeah, people should use it cautiously, and with testing and change control.
If you show that attitude to your AD admins, are you sure they didn't do it on purpose?!
And for trolling, grenade thrown right back at ya. Have fun in the enterprise Mac world! PMSL!
Re AD Change control
The rules we have to follow don't apply to the AD Admins.
We tried and they laughed in our face. Next day all of our passwords had expired.
We complained again.
Who, us? they said. Not us. Must be those pesky developers. As if we had access to the AD controller?
Anyways, I will be out of there at the end of next month. They've just announced that we have all been offshored (to China) all right in the middle of a big project release cycle. The Business people are up in arms. I'll take the 17yrs redundancy and go contracting for the few years I have left before I retire. Shrugs.
AD is still the worst bit of software I've ever encountered. It takes a lot to beat RACF (I spent 3 years as a 3083 admin in the late '70s, early '80s).
Does not always work.
Sometimes all the tests will not work.
Some devs use old software that demands to be installed using the local admin and not an admin from the domain.
Some printer installs demand that you be an admin when installing a network printer. Yeah, tried the GIVE RUN ADVERTISED PROGRAMS ADMIN RIGHTS and that bombs now that we are on a new domain.
SCCM is a failed product which is still being beta tested on customers.
Not an AD problem, it's a communication problem
What you're describing is a lack of communication, not a problem with AD. I ran a Win2k3/XP network and AD/best practices were the only way I could keep my users from constantly breaking or infecting their machines. What I did do, apparently unlike your admins, was consult with my developers and users to see what they needed and make sure that it worked--including adjusting Program Files folder permissions for the programs that supposedly "won't work unless you're an admin." I also made sure that if anybody needed a new program or tool I got it installed on their system as quickly as possible; my top priority was to make sure they had the tools they needed. The only people who had any problems were the ones who blew me off and forced me to make a best guess as to what was going to work. By the time we had everything set up, nobody needed admin rights to do their jobs, machines quit crashing, I no longer had to disinfect/reload machines, and the only people still whining were the ones who resented not being able to play Super Text Twist or Zuma on their machines.
Communication is a two-way street--are your admins really loose cannons or are you refusing to accept any changes to "the way it's always been?" Whether it's the admins or the users or both that aren't talking to each other, don't blame the tool for a lack of communication in your enterprise.
@ AC 12:02
It's still a fail on the company's end. Proper change control appears not to have been used.
Then again it also sounds like a political war at your company. This is not something you can blame on AD.
Forgot to mention MMC...
Nice article; and quite accurate. The only thing I'm missing is mention of MMC, the Microsoft Management Console. This is the ideal way to look into the group policies and administer your Windows environment as a whole. I read many people complaining about how awkward it is having to manually edit the registry and how the options are so arcane, while in fact much (most?) of the settings can be tweaked using msc files ("Management Console Script") within MMC, which also provides you with clear comments on what an option does.
So, to get a look into your group policies simply use 'Run' (Win-R or click the option) and enter "gpedit.msc". After that MMC will be started, load the gpedit.msc file and you're left with the group policy editor.
If you're running Win7 using a normal account (which is what I do) then you're better off starting the command prompt as administrator (right click -> Run as...) and then entering "mmc gpedit.msc".
Also don't forget to check out c:\windows\system32 which contains many other msc files which you might find interesting as well. Personally I think MS is doing a pretty decent job with MMC, to be honest; one environment which can be used to control various aspects of your own or remote computers or servers. And what's more: you can also fully tweak the console and create msc files of your own (for example to administer specific aspects of a server).
Gpedit.msc only local
Gpedit.msc only shows the local policy on the machine; it doesn't show you the currently applied policies. (Sure you know that, but "So, to get a look into your group policies" sounds like it's displaying the currently applied GPOs.)
Run RSOP.msc to view the current settings from all policies applied to your machine in the Group Policy MMC. If you're not an administrator you cannot view the computer policies tho.
You can also run a command prompt and type "gpresult" to show you the applied policies that are in effect on the local machine, not to mention a very useful listing of the security groups that the user belongs to.
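The `gpresult` report above is plain text, so the usual way to act on it is to parse it and compare against what a machine is supposed to have. The following is an added example, not code from the thread: a PowerShell function that reads the `gpresult /R` layout (the English-locale section headings; other locales need the regexes adjusted) into per-scope lists of applied GPOs, filtered-out GPOs and security group memberships, plus a small baseline check. The sample report embedded at the end is constructed for illustration; the hostnames, GPO names and domain are assumptions.

```powershell
# Added example (not from the original thread). Parses `gpresult /R` text into a
# hashtable keyed by scope ('COMPUTER' / 'USER'), each holding Applied, Filtered
# and Groups lists, so the result can be diffed against an expected baseline.
function ConvertFrom-GpresultText {
    param([Parameter(Mandatory)][string[]]$Lines)

    $report  = @{}      # scope -> ordered dictionary of section -> string[]
    $scope   = $null
    $section = $null
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^(COMPUTER|USER) SETTINGS$') {
            $scope = $Matches[1]
            $report[$scope] = [ordered]@{ Applied = @(); Filtered = @(); Groups = @() }
            $section = $null
            continue
        }
        if (-not $scope) { continue }                                   # report header
        if ($line -match '^Applied Group Policy Objects$')              { $section = 'Applied';  continue }
        if ($line -match '^The following GPOs were not applied')        { $section = 'Filtered'; continue }
        if ($line -match 'is a part of the following security groups$') { $section = 'Groups';   continue }
        if ($line -match '^-+$') { continue }                           # underline beneath a heading
        if ($line -eq '')        { $section = $null; continue }         # blank line closes a section
        if (-not $section)       { continue }                           # e.g. "Last time Group Policy was applied"
        if ($section -eq 'Filtered' -and $line -match '^Filtering:') { continue }   # reason line under a filtered GPO
        $report[$scope][$section] += $line
    }
    $report
}

# Compares a parsed report with what the machine should look like. Findings are
# returned as strings so the caller can log them or fail a compliance check.
function Test-GpoBaseline {
    param(
        [Parameter(Mandatory)][hashtable]$Report,
        [string[]]$ExpectedComputerGpos = @(),
        [string[]]$ForbiddenUserGroups  = @('BUILTIN\Administrators')   # assumption: local admin is unexpected for users
    )
    $findings = @()
    foreach ($gpo in $ExpectedComputerGpos) {
        if ($Report['COMPUTER'].Applied -notcontains $gpo) { $findings += "Expected computer GPO not applied: $gpo" }
    }
    foreach ($group in $ForbiddenUserGroups) {
        if ($Report['USER'].Groups -contains $group) { $findings += "User holds unexpected membership: $group" }
    }
    $findings
}

# Constructed sample in the layout gpresult /R prints. On a real machine use:
#   $lines = gpresult /R        (run elevated to get the COMPUTER SETTINGS scope)
$sample = @'
RSOP data for EXAMPLE\jdoe on WS01 : Logging Mode
-------------------------------------------------

COMPUTER SETTINGS
------------------
    CN=WS01,OU=Workstations,DC=example,DC=local
    Last time Group Policy was applied: 01/01/2010 at 09:00:00

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy
        Workstation Baseline

    The computer is a part of the following security groups
    -------------------------------------------------------
        BUILTIN\Administrators
        Everyone
        Domain Computers

USER SETTINGS
--------------
    CN=jdoe,OU=Users,DC=example,DC=local

    Applied Group Policy Objects
    -----------------------------
        Default Domain Policy

    The following GPOs were not applied because they were filtered out
    -------------------------------------------------------------------
        Local Group Policy
            Filtering:  Not Applied (Empty)

    The user is a part of the following security groups
    ---------------------------------------------------
        Domain Users
        Everyone
        BUILTIN\Administrators
'@ -split "`r?`n"

$report = ConvertFrom-GpresultText -Lines $sample
Test-GpoBaseline -Report $report -ExpectedComputerGpos 'Workstation Baseline', 'Developer Sandbox'
```

Against the sample this reports two findings: the assumed 'Developer Sandbox' GPO is not in the computer scope, and the user's token includes BUILTIN\Administrators. Because `gpresult /R` only includes the computer scope when run elevated, a missing 'COMPUTER' key in the report is itself worth flagging rather than treating as "no GPOs expected".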
An invaluable tool
Once you are managing more than a couple of thousand Windows desktops, Group Policy is one of the key tools to keep them, well, manageable. Beyond about ten thousand, it's indispensable even if you end up needing third-party tools to administer it effectively.
All as long as AD replication is in a good state, of course.
Yes, it can be unpopular with users but that is largely due to combinations of ill-conceived policies and poorly advertised/managed changes. GPOs just make it easy to implement these and (mostly) just as easy to roll back.
Policing for no good benefit
Why does the IT community insist on being policemen, treating users like kids and the desktop as though they own it? They don't; it belongs to the people who use it. Treat your users like adults and GPOs aren't needed. This obsession with controlling and locking down the desktop "for the good of the users" must stop. Instead allow them to do what they want and if it goes wrong push down a new image and invest your time and effort in providing good perimeter security so they can play safely.
One of the most irritating things an IT Admin can do is force a screen saver, back screen or home page on to a user. If you don't know how much that drives the individual user mad, you need to spend longer with your users, then consider what to implement.
I've worked in a number of organisations now where by default people have the ability to more or less do what they want, but without admin rights. Fault reporting drops, user happiness goes up and productivity increases (for the users).
Come on, get over yourselves and stop playing the policeman.
Community? Or business?
Have you used group policy before? I assume you know you can push out printers, mapped drives, software, proxy settings, favorites (IT Helpdesk perhaps?), icons, logon scripts? Is any of that a hindrance?
So you think we should just give users a computer and say 'there you go' and let them get on with it? Just a bare OS. That would be productive. Users would be happy with that? No internet, software, help, mapped drives?
When my CTO asks how a user managed to get illegal software on the domain (and the company is liable), should I say, 'we let them, because we're treating them like adults'?
Do you think Terminal servers should also have no group policy? What about updates?
Do you think there should be no rules or laws in the world? That people don't push boundaries when they can?
Do they really own the 'desktops' they use? Who paid for it?
Is the driver of a fire engine allowed to paint the truck any colour they want and spray petrol out of the hose?
Do you see your argument is falling apart?
"Why does the IT community insist on being policemen, treating users like kids and the desktop as though they own it."
Maybe the users need to be policed!
At the company I work for, IT owns the PCs. Yes, you use the PC, but we own it and we charge your group accordingly for you to use it. So it's our responsibility to maintain them for you and that also makes it our responsibility to police them. If IT didn't police those desktops then no one would get what they want and there would be many more malware infections in the workplace, and productivity would plummet.
GPO/SCCM/SMS.... Things I love to hate.
As much as it has made my job easy it has also made my job hell.
SCCM breaks. Unable to communicate with server.
XP PCs have IE 8 but the server still shows them with IE 7... WMI fix does not work, and renaming the repository and using other scripts to fix SCCM is foolish.
They need to make SMS/SCCM an add/remove program and not this non-standard install crap.
If ANYTHING installs on the PC then it MUST show in ADD/REMOVE programs.
The people who created SMS/SCCM are just software hackers and I will not regard them as legit Microsoft programmers until I see SCCM in the add/remove directory.
They are now antiquated and REFUSE to install like a normal program. Why? Why must SCCM be so different? It's stupid! Going into safe mode and deleting registry entries and folders. Just a waste of time.
Totally agree, I get worried whenever my boss mentions anything 'System Center' now!
I think the article was more about GPO though, written by the enterprise server team of course. SCCM 2007 R2 has worked a bit better for us. Maybe the next version will be better.. I don't do the software roll out side of it, but the guys that do have said it's much better now.
I can't fault GPO though. Most people commenting on here it would appear, haven't seemed to notice that it's how GPO is implemented that can be the problem, not the technology itself.
SCCM and GPO
I commented about SCCM because with SCCM you can do GPO stuff with it as well.
Oh but the big boys up in IT, when they mess up SCCM, they never fix it themselves.
Oh, just get the IT rep helpdesk to fix it. IF YOU BROKE IT, FIX IT YOURSELF!
SCCM and deployment of GPOs across the enterprise is just a scapegoat for the tier 3 admins so they have no guilt whatsoever if something messes up; they always hand over their errors to someone else. GPOs... I would think Windows 7 would make this technology go away as well. I still think thin clients would work best; this way, no more virus infections even for the worst employees.
I for one love Group Policy, It's saved me hours of work.
Orwell would be proud!
What's wrong with ssh?
These Windows guys know nothing apart from how to sink a company in IT budget!
The clue is in the "Group" part of Group Policy; sure, I can remotely configure a Windows box or Linux box via command line. The advantage with GPO is that a group can be set up to receive the same config 'just like that', no scripting up and rolling out of changes, which you would have to do with a command-line based system. No missing machines that were off, because they're caught when they're next on.
Group Policies are a solution for a problem that existed in Windows: the need to run with administrative rights. Now they are (mis)used for anything just because they are there.
if you have to use Windows...
...and you have a crapton of desktops to manage, GPOs are the way to go. Linux doesn't need GPOs because it has security that actually fecking works. You can also manage a herd of Linux desktops with very simple tools, pushing out text-based configuration files. How do you manage Macs centrally? You don't. You let the fanbois have their shiny pretty computers and hope to Buddha they don't break anything.
You mean, "here's /bin/sshd and here's /usr/bin/(python|perl|php), go for it!" ?
Hi, GP/AD admin at my job here...
Been there, done a good chunk of it.
I can certainly respect needing a good, solid change control process for making GP changes; made a few global goofs myself, and the impact of it was... inspiring, to say the least. A good understanding of *what* you are doing with making those settings, and testing them, is also essential. AC's hatred is justifiable; they've got some cowboy admins at work there.
I will admit that some of the shinier policy enhancements for Windows 7 make admins' lives a bit easier. Deploy printers based on where the computer is? Easy peasy. Make an AD group, chuck the computer account into it, delegate the printer deployment GPO to that group, and wait 90 minutes or as machines reboot; poof, instant printer mappings. The only downside is that not even someone accorded domain admin rights can remove the printers; you have to remove the policy application to remove the queues.
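The group-scoped deployment described in the comment above can be scripted with the RSAT ActiveDirectory and GroupPolicy modules. The following is an added example, not the commenter's own script: it creates the computer group, creates and links the GPO, and sets the security filtering so that only members of the group apply it. The OU, group, GPO and computer names are assumptions; the printer connections themselves are still added to the GPO through Print Management's "Deploy with Group Policy", since there is no GPMC cmdlet for that step.

```powershell
# Added example (not from the original thread). Scopes a per-computer printer
# deployment GPO to an AD group, as the comment above describes. Requires RSAT and
# an account delegated rights on the OU and on GPO creation/linking.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$ou        = 'OU=Workstations,DC=example,DC=local'   # assumption: OU holding the workstations
$groupName = 'GPO-Printers-Floor2'                   # assumption: one group per printer set
$gpoName   = 'Printers - Floor 2'                    # assumption
$computers = 'WS01', 'WS02'                          # assumption: machines that should get the queues

# 1. The security group whose membership decides which computers receive the policy.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ou `
        -Description 'Computers that receive the Floor 2 printer connections'
}
# Computer accounts are added as ADComputer objects (their sAMAccountName ends in '$').
Add-ADGroupMember -Identity $groupName -Members ($computers | ForEach-Object { Get-ADComputer $_ })

# 2. The GPO, linked to the OU. Get-GPO -All avoids an error when the GPO does not exist yet.
$gpo = Get-GPO -All | Where-Object DisplayName -eq $gpoName
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Deploys Floor 2 printer connections (per-computer)'
}
$alreadyLinked = (Get-GPInheritance -Target $ou).GpoLinks | Where-Object DisplayName -eq $gpoName
if (-not $alreadyLinked) {
    New-GPLink -Name $gpoName -Target $ou -LinkEnabled Yes | Out-Null
}

# 3. Security filtering. Authenticated Users drops from Apply to Read (clients must still be
#    able to read the GPO to evaluate it); the group gets Apply, which includes Read.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Show the resulting trustees so the scoping can be checked before the next refresh.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

After the printer connections are added to the GPO in Print Management, a member computer picks them up at its next background refresh (90 minutes by default, plus a random offset) or at reboot; `gpupdate /force` on the client brings that forward. Because the queues are pushed by the policy, they come back until the computer leaves the group or the link is removed, which is the behaviour the comment notes.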
Linux on the desktop? not happening...
The problem with Linux on the corporate desktop as some stated is indeed not so much an inability for administration, but IMO backwards compatibility.
Setting up and using a Linux environment is indeed rather easy (if you know what you're doing, of course). However, the big issue with Linux is the enforced upgrades which you can hardly bypass. That is, if you have a problem with running a version which no longer gets any security updates.
The best options at your disposal here are Ubuntu's LTS (3 year continuous updates) or CentOS. However; even CentOS' 5 support will be discontinued in 2014, see this link:
When you compare that to Windows then it becomes very clear IMO why Windows has the upper hand on the corporate desktop:
Windows XP will stop in 2014 (that is a lifecycle of approx. 13 years for Win XP Professional 32-bit); Windows 7 will stop in 2020, which would mean a life cycle of 11 years (although one may assume that 2020 won't be the final date).
This is something simply unheard of with Linux environments. And the longer you can continue to use a product the lower the costs you'll need to make in order to test and rollout the new version.
Nothing fanboish here, merely stating facts. Heck; even Linux knows this strategy by heart: "If it isn't broke, don't fix it!".
As for SSH... I think MS' PowerShell really takes interesting steps in the right direction, even though it still feels quite a bit flaky here and there. I know it's not comparable to SSH; it's not even an encrypted connection per se. But it does give you quite some interesting command-line based features which don't stop at a local machine. Even for remote administration.