1 – Group Policy is Just a Bunch of Registry Settings

It might seem that way, but in reality a GPO typically lands on its target (user or computer) as a registry footprint and only starts working from there.  Many settings kick off further processing on the client: the client-side extensions enable or disable services, rewrite options held outside the registry (files, the local security database, etc.) and so on.

You can verify this by flipping a GPO setting back to “Not configured”, deleting the corresponding policy registry value, running a GPUPDATE and checking whether the residual goodies are gone.  In many cases they carry on, laughing at you: the Group Policy client only cleans up values under the Policies keys it owns, and whatever a setting changed anywhere else stays put.  This is why it’s often necessary to explicitly revert a setting (e.g. changing from “Disabled” to “Enabled”, or vice versa), rather than setting it to “Not configured”.
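The check described above, as an added example (this is not code from the original post).  It tells a value under one of the four registry roots the Group Policy client owns, which are cleaned up when a setting goes back to “Not configured”, from one that will tattoo, then snapshots the value across a forced gpupdate.  The key and value name are placeholders; substitute the ones the setting you just flipped actually writes (the ADMX file or the setting’s Help text names them), and use /target:user for an HKCU value.

```powershell
# Added example, not code from the original post: tell a "true policy"
# registry value from a tattooing one, and watch a value across gpupdate.

# The four registry roots the Group Policy client owns. Values written here by
# Administrative Template settings are removed when the setting goes back to
# "Not configured"; anything written elsewhere is left behind (tattoos).
$PolicyRoots = @(
    'HKLM:\SOFTWARE\Policies',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies',
    'HKCU:\SOFTWARE\Policies',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies'
)

function Test-PolicyRoot {
    param([Parameter(Mandatory)][string]$Path)
    $p = $Path.TrimEnd('\')
    foreach ($root in $PolicyRoots) {
        # -eq and -like are case-insensitive, which matches registry semantics
        if ($p -eq $root -or $p -like "$root\*") { return $true }
    }
    return $false
}

function Get-ValueSnapshot {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$Name)
    if (-not (Test-Path -LiteralPath $Path)) { return '<key absent>' }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return '<value absent>' }
    return $item.$Name
}

# Assumed target (placeholders): the key and value the setting you just flipped
# to "Not configured" writes on the client.
$Path   = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Example'   # assumption
$Name   = 'ExampleValue'                                         # assumption
$Target = 'computer'   # computer-side value; use 'user' for an HKCU value

Write-Host ("Under a policy root : {0}" -f (Test-PolicyRoot -Path $Path))
$before = Get-ValueSnapshot -Path $Path -Name $Name
Write-Host "Before gpupdate     : $before"

# /force reapplies every GPO, not only the ones that changed since last refresh.
& gpupdate.exe /target:$Target /force | Out-Null

$after = Get-ValueSnapshot -Path $Path -Name $Name
Write-Host "After gpupdate      : $after"

if ($after -eq '<value absent>' -or $after -eq '<key absent>') {
    Write-Host 'Cleaned up: the client removed it, so this really was just a policy setting.'
} else {
    Write-Host 'Still there: this setting tattoos; put the value you want in the GPO explicitly.'
}
```

Run it in an elevated session when the value is under HKLM.  A value that survives the refresh is exactly the “residual goodie” the paragraph above talks about, and the only clean way back is an explicit Enabled/Disabled (or a Preference item that deletes it).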

2 – Group Policy Administration is Easy to Master

Anyone who claims to be an “expert” on Group Policy, and can only provide documented proof of less than five years of working *exclusively* with it, in multiple types and scales of environments, is on drugs.  They might be “familiar” or “comfortable” with it.  They might even be “well-versed” with it by then.  But “expert”?  Hell no.

I’d have to see how they dealt with things like users that roam from desktops to mobile devices and into RDS or Citrix and back to whatever and then back out to cloud interfaces (like Office 365, Azure) and back again.  I’d also have to see how they deal with environments that toss in multiple versions of Windows, Office, Internet Explorer and maybe AD forest trusts (with or without ADFS).

After all that, and a cup of fresh coffee and a foot rub: I might consider them intermediate at best.  Once they’ve passed that test, I couldn’t afford them anyway.  By the way, I only claim to be an expert about Group Policy around people that don’t speak English and can’t understand what I’m saying anyway.

3 – It’s Easy to Undo Group Policy Settings

Ha ha ha!  (cough-cough, hack.. gasp / I just snorted coffee backwards through my nose)  Rather than trying to provide a feeble explanation, just search for “GPO Tattoo” with Google or Bing.  Enjoy!  I’m not saying it’s impossible.  I’m just saying it’s not as fun as getting a tooth pulled.

It’s also different (in terms of pain and difficulty) for user and computer settings, and depends on *which* specific settings are involved.  Not all settings will “tattoo” a client device: Administrative Template settings that write under the Policies keys are cleaned up when set back to “Not configured”, while Security Settings, most Preferences and anything that writes outside those keys stay behind.  But the answer is most often: it depends.

101 Tip: To remove a user-based GPO setting tattoo effect from a given computer, delete the user profile (that only helps for settings living in the user’s own hive, HKCU; a computer-side tattoo in HKLM survives it).  And if that doesn’t work, reinstall Windows and take the computer out into a field and set fire to it.  That usually works.

4 – GPO Settings are Always “All-or-None”

It may seem that way, but actually many “Policy” settings still allow users to make changes on the client while enforcing some constraints.  Then there are the “Preferences” settings (Group Policy Preferences), which offer a far wider range of application behaviours: Create, Replace, Update and Delete actions, “Apply once and do not reapply”, removal of the item when it no longer applies, item-level targeting and so on.

Some preference settings let you set a baseline that users can still modify.  Some let you set things that users can then undo.  Some keep putting things back the way you configured them at every refresh, and others apply once and never touch them again.   See how fun it can be?
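The same registry value delivered both ways, as an added example (not code from the original post).  It needs the GroupPolicy module (RSAT or a domain controller) and a GPO that already exists; “Desktop Baseline” and the Contoso key are placeholders.

```powershell
# Added example, not code from the original post: one value deployed as a
# Policy and as a Preference, to show where each lands and how it behaves.
Import-Module GroupPolicy

$GpoName = 'Desktop Baseline'   # assumption: hypothetical GPO name

# 1. As a POLICY. The value sits under a Policies root, so the user cannot
#    change it, and the client removes it when the setting goes back to
#    Not configured (Remove-GPRegistryValue). The HKCU/HKLM prefix in the
#    key path decides whether it is a user or computer setting.
Set-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Policies\Contoso\Example' `
    -ValueName 'ExampleValue' -Type DWord -Value 1 | Out-Null

# 2. As a PREFERENCE with the Update action. Same value, in an ordinary key:
#    it is a baseline the user may change, and it is put back at every refresh
#    unless "Apply once and do not reapply" is ticked in the editor (the cmdlet
#    exposes no switch for that option, nor for item-level targeting).
Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Update `
    -Key 'HKCU\Software\Contoso\Example' `
    -ValueName 'ExampleValue' -Type DWord -Value 1 | Out-Null

# Read both back from the GPO: the visible difference is only where they write.
Get-GPRegistryValue     -Name $GpoName -Key 'HKCU\Software\Policies\Contoso\Example'
Get-GPPrefRegistryValue -Name $GpoName -Context User -Key 'HKCU\Software\Contoso\Example'
```

The point to take away is that item 1 is “all-or-none” only because of where it writes; item 2 carries the exact same data and the user can overwrite it between refreshes, which is the behaviour the paragraph above describes.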

5 – It’s All Double Double Negatives

As if voting in political elections wasn’t insane enough, you can rest assured that you will often see settings that look something like “Disable the prevent denial of disabling the enabler service on disabled denials”.  You’ll stare at those for at least a full minute, just trying to verify whether “enable” or “disable” is what you really want to use.

Why are these settings worded this way?  Because the people that wrote them are either on drugs or have a very bizarre sense of humor.  It’s easy to make knee-jerk jokes about this aspect of Group Policy management, but it’s really not that bad.

Actually, in the grand scheme of things (i.e. “ALL” Group Policy settings), these types of settings account for a minority of the overall options.  Most settings are pretty straightforward and easy to understand (assuming you know what they relate to, that is).  Even if the phrase itself isn’t immediately recognizable, the Help text shown on the setting (the old “Explain” tab) usually provides enough detail to make sense of it.  If all else fails, drinking and medication will help you forget all about it.

6 (Bonus) – AGPM Fixes Everything

The short answer is: NO.  AGPM does not fix everything about managing GPOs.  In my humble opinion, it does very little for most environments if they don’t already have a well-defined process (and authority) framework in place for who/what/when/where changes are made to GPOs.  If you don’t have clear role assignments and permissions in place, it’s not going to prevent people from screwing things up.  It can be very helpful, IF the other parts are in place.

As one former colleague of mine used to say “If you automate a broken process, you end up with an automated broken process”.

7 (Double Bonus) – GPO Management Leads to Drug Addiction

This is actually not a myth.  I can’t say it’s a fact, but it’s likely to be true from what I can tell.

Thoughts: Enable. Disable. Not Configured.  Why not “Revert”?

If I had the microphone at this wedding party, I’d tap the glass and then kindly ask that a new option be added to this list, named “Revert”.  What this would do is reset the client (registry included) to the state it was in before the setting was applied, which is what people expect “Not configured” to do, while still allowing subsequent GPO cycles to override that.

This would allow other GPO settings, processed earlier in the sequence, to apply a value that was undone by the later policy which was Enabled or Disabled but is now “Not configured”.  As it stands, that’s not a simple task for most administrators to tackle.
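The closest thing to a “Revert” you can build today, as an added example (not code from the original post): set the setting to “Not configured”, then use a Preference item with the Delete action to scrub what that leaves behind.  The GPO name and the Contoso key are placeholders, and the GroupPolicy module is required.

```powershell
# Added example, not code from the original post: a manual "Revert".
Import-Module GroupPolicy
$GpoName = 'Desktop Baseline'   # assumption: hypothetical GPO name

# Step 1: "Not configured". This only cleans up values under the Policies
# roots; a value written anywhere else stays on every client that ever
# processed the setting.
Remove-GPRegistryValue -Name $GpoName `
    -Key 'HKCU\Software\Contoso\Example' -ValueName 'ExampleValue' `
    -ErrorAction SilentlyContinue | Out-Null

# Step 2: scrub the leftover with a Preference item whose action is Delete.
# Naming the value (not just the key) leaves anything else in that key alone.
Set-GPPrefRegistryValue -Name $GpoName -Context User -Action Delete `
    -Key 'HKCU\Software\Contoso\Example' -ValueName 'ExampleValue' | Out-Null

# Step 3: once every client has refreshed, drop the Delete item again so it
# does not keep removing a value that some other GPO is supposed to set.
# Remove-GPPrefRegistryValue -Name $GpoName -Context User `
#     -Key 'HKCU\Software\Contoso\Example' -ValueName 'ExampleValue'
```

Step 3 is the part a real “Revert” option would make unnecessary: the Delete item is a standing instruction, not a one-off, so it has to be retired by hand (or ticked as “Apply once and do not reapply” in the editor) before another GPO can own that value again.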
