One Thing Group Policy Desperately Needs
Many companies depend on Group Policy (GP) for delivering things such as security settings, configurations, and software. When I think of “delivery,” I think of the mailman.
After pondering on this a bit, I started to realize GP is no different from the postal service.
To show the similarities I’ll use an analogy.
A mother writes to each of her children. In the letter, she provides instructions for completing an online survey for their upcoming family reunion.
She puts the letters in envelopes and then heads to the post office.
Since her children are such great kids, she assumes that they will follow through with her request and complete the survey as soon as they receive the letter.
“But how would she know when they received it?” you ask.
Well, she asked the clerk at the post office to include delivery confirmation when she paid for the letters to be mailed out.
From a GP perspective, an IT administrator (mother) creates a GPO (envelope) and specifies the configurations (instructions) that need to be delivered to Windows systems (children). The Group Policy infrastructure (post office) gets the GPO to the workstations.
So to recap, we have the following (and something is missing):
- IT administrator = mother
- GPO = envelope
- Configurations = instructions
- Windows systems = children
- Group Policy infrastructure = post office
- Delivery confirmation = ?
There is no delivery confirmation for GP! How do we know if or when GPOs are applied to our desktops, laptops, and servers? Clearly, this is a void that needs to be filled.
Now that this has been determined, let’s look at the postal service again for clues on what an ideal GP delivery confirmation feature would look like.
When the letter is delivered, status information is automatically sent back to the post office so that it’s available to the sender.
All mom has to do is open a browser and go to the postal service’s website periodically to know what’s going on.
Perhaps, if GP were to get such a feature, it should work in a similar fashion.
Here are some things mom DID NOT have to do:
- Contact her children for updates.
- Check whether the surveys have been completed.
- Call the post office for a status.
So similarly, because delivery information should automatically be sent back to a server, IT administrators should not have to do any of the following just to check whether GP was applied:
- Run tools such as gpresult.exe and rsop.msc.
- Check whether the settings GP delivered were actually applied. (Keep in mind that delivery confirmation does not tell mom whether her children followed her instructions and completed the survey. Rather, it only confirms that the letter got to its destination.)
- Analyze any kind of GP logging (e.g., event log, log files).
Certainly, doing these things is necessary at times, especially for advanced troubleshooting. But definitely not for something as trivial as determining “did my letter arrive?”
So there you have it. GP desperately needs delivery confirmation, which from here on I will refer to as reporting.
In another blog post, I continue the discussion by talking about the information this reporting should provide.