(Note: Names are omitted to protect the clueless.)
A medium-sized organization is facing a dilemma. In the ten years since they implemented Active Directory, they’ve amassed a pile of weapons-grade issues. Among these are a garage-full of Group Policy headaches. Not just GPO’s, but settings. And among the settings are carloads of WMI filtering statements. As it turns out, a long-since departed engineer was adamant about (a) having complete control over policy architecture and implementation, and (b) using WMI filtering like it was at a going-out-of-business sale and he had a pocket full of coupons.
There’s nothing inherently wrong with WMI filtering in policies. But like fire and water, they offer both benefits and drawbacks, depending upon how and where they’re used.
But this is only the beginning. In addition to piles of GPO’s and settings and WMI filtering, there are essentially no documented aspects to rely upon. That’s right: None. The staff can find some, when push comes to shove. But there is no document, or central repository of information to explain why most of the GPO’s even exist, much less why they have certain settings, or why they’re linked to specific things, or why filters are used.
I won’t go into the other problem with computer and user accounts being in the wrong OU’s and members of conflicting security groups (as it pertains to WMI filtering statements... errr, more on that later).
Planning on a little DR drill ahead of the coming hurricane season? Ha ha ha! Good luck.
Try to imagine that you’ve been handed the keys to an old house and told that it’s now yours to own. You unlock the door, turn on the light, and in the middle of the living room is a pile of human bodies, a boat engine, a stack of newspapers and a cat singing some Barry White tune into a microphone. You might pause and wonder how, and why this came to be. Now, imagine some cops knock at the door and ask you to explain it all.
Those cops are a metaphor for IT management, who handed the mess to you and now they want an explanation of how you’re going to “fix” it all. “Fix?” What’s broken? Who knows. A few minutes on the job and you’re the “go-to” person. And you don’t even know what’s supposedly broken yet.
Let’s review some facts:
A midget runs into the room, wearing a SWAT team outfit, and hands you a paper with the following, and then runs out. It says:
Single AD forest and domain. Roughly 5,000 computer objects, and roughly 6,000 user accounts. 22,000 security groups. 18 AD sites and about 100 subnets. Five domain controllers.
Nothing to write home about. Then you open GPMC and see 150 Group Policy Objects. They are mostly built to deliver either computer or user settings, but rarely both. There appears to be somewhat of a naming convention, but it also appears to have been managed by a one-legged cat, having a seizure, with its paw on the keyboard.
The GPO’s range from having 10 to well over 100 configuration items (for fellow statistics nerds: a median of approximately 55 with a mean around 65). One of the objects has 75 WMI filters (note: I use the term “WMI filtering” instead of “Item-Level Targeting” because I’m a crusty old cranky fart and it takes less typing).
The only relatively “clean” policies appear to be Default Domain and Default Domain Controllers. Like old faithful dogs, sitting by the door with the leash in their mouth, waiting for you to go on a walk.
Looking over the mess, you sip your coffee. Then someone bangs on the door, you spill some down your new white shirt and mumble something inappropriate. It’s okay, it’s Monday after all. They come in and start laying out the “problems” you were warned about:
- Horribly slow log-ins, especially at some of the peripheral sites on slow links
- Dozens of tattooed settings whose origins no one can locate anymore
- Settings being applied to users and computers they shouldn’t be applied to
- Errors in the Group Policy logs
- Errors in GPMC indicating domain controller replication failures
- Settings built for versions of Windows no longer in use
- Settings built for Office, IE and third-party products no longer in use either
- Scores of GPO’s that are applying the same settings on top of each other
- One GPO oddly-named for something that nobody can identify
The list goes on. You glaze over. Your phone buzzes and it’s almost lunch time, but this whiny staff person keeps listing the problems, until finally handing you a bound stack of printed material with details. It’s almost a phone book. You almost feel a sense of anger rising up, but then you remember: You’re a consultant. You get paid to do this. Awesome!
While eating lunch, answering e-mails and catching up on your social media circus, you think about alternative ways out of this quagmire:
- Build a new AD forest and domain and start over from scratch.
- Build several sub-domains and start moving accounts
- Build a new root-level OU tree to isolate GPO links and start moving accounts
- Sift through all the GPO’s and begin diagramming and documenting what each is currently doing.
- Practice taking Xanax with strong liquor for breakfast
- Take that offer your cousin made to go work in his pottery factory
Option 1 is ruled out due to costs, time-delay, and issues with certificates, resource sharing and establishing new trusts with the current environment. Just mentioning this option results in stares of disbelief, as if you’d just walked into an AA meeting asking who wants a drink.
Option 2 isn’t bad, but there are still some possible headaches to contend with on some internal resources and certificates.
Option 3 looks to be most promising, given that the two root-level GPO’s (default domain, and default domain controllers) are fairly clean.
Option 4 is for masochistic suicide bomber types, looking for a reason to sign up for yet another support group and take up another drug addiction hobby.
Option 5 just means you really need option 6.
Option 6 is best if you’re just really not that into IT work in the first place.
Option 3 it is. For now. You refill your drink and head back to the office. Stay tuned…
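Before anyone moves an account into a new OU tree, the first thing Option 3 needs is the documentation the staff never had: which GPO’s exist, where they’re linked, which carry WMI filters, and which are empty, disabled or unlinked. The PowerShell below is an added example, not the author’s script or anything from the organization described; it assumes the RSAT GroupPolicy and ActiveDirectory modules in a domain-joined, suitably privileged session, and the OU name `Managed` is a placeholder for whatever the new root-level tree is called.

```powershell
# Added example (not from the original post). Requires the RSAT GroupPolicy
# and ActiveDirectory modules. "Managed" below is a placeholder OU name.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoInventory {
    # One row per GPO: status, WMI filter, link targets, and whether the
    # Computer and User halves actually carry any settings. Exported to CSV,
    # this becomes the central record of why each GPO exists (or doesn't).
    foreach ($gpo in Get-GPO -All) {
        $xml   = [xml](Get-GPOReport -Guid $gpo.Id -ReportType Xml)
        $links = @($xml.GPO.LinksTo | ForEach-Object { $_.SOMPath })
        [pscustomobject]@{
            Name                = $gpo.DisplayName
            Id                  = $gpo.Id
            Status              = $gpo.GpoStatus
            WmiFilter           = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { $null }
            LinkCount           = $links.Count
            LinkedTo            = ($links -join '; ')
            HasComputerSettings = [bool]$xml.GPO.Computer.ExtensionData
            HasUserSettings     = [bool]$xml.GPO.User.ExtensionData
            Modified            = $gpo.ModificationTime
        }
    }
}

function Get-GpoRetirementCandidates {
    param([Parameter(Mandatory)] $Inventory)
    # Unlinked, fully disabled, or empty on both sides: nothing is lost by
    # retiring these, so they are the cheapest wins in the cleanup.
    $Inventory | Where-Object {
        $_.LinkCount -eq 0 -or
        $_.Status -eq 'AllSettingsDisabled' -or
        (-not $_.HasComputerSettings -and -not $_.HasUserSettings)
    }
}

function Test-IsolatedRootOu {
    param([string]$Name = 'Managed')   # placeholder name for the new root-level OU
    $domainDn = (Get-ADDomain).DistinguishedName
    $ouDn     = "OU=$Name,$domainDn"
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ouDn'")) {
        New-ADOrganizationalUnit -Name $Name -Path $domainDn -ProtectedFromAccidentalDeletion $true
    }
    # A root-level OU inherits only what is linked at the domain itself. If
    # this lists anything beyond Default Domain Policy, Option 3's premise
    # ("the two root-level GPO's are clean") needs a second look before any
    # accounts move.
    (Get-GPInheritance -Target $ouDn).InheritedGpoLinks |
        Select-Object DisplayName, Enabled, Enforced, Order, Target
}

$inventory = Get-GpoInventory
$inventory | Export-Csv -Path .\gpo-inventory.csv -NoTypeInformation

Get-GpoRetirementCandidates -Inventory $inventory |
    Format-Table Name, Status, LinkCount, HasComputerSettings, HasUserSettings

# Every GPO that filters by WMI, so each filter can be justified or removed.
$inventory | Where-Object WmiFilter | Format-Table Name, WmiFilter, LinkedTo

Test-IsolatedRootOu -Name 'Managed'
```

The inventory runs read-only against the domain; the only write is creating the (empty) root OU, which is harmless until accounts are moved into it. Running `Test-IsolatedRootOu` before the first pilot move is the check that matters: the new tree only isolates the old GPO links if those links sit on the old OU’s and not on the domain root.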