hypercube

What common things won't Group Policies do on workstation setups?

If I have a DC and AD then what things should I expect to NOT be able to handle with Group Policies that are common and likely a pain for Network Admins?
I'm happy to read about it but I'm more interested in experience with this question.

Cliff Galiher

That's kind of a tough question to answer. It won't make you coffee. It won't pick lotto numbers. It's basically asking to prove a negative. It's better to list business problems you want to solve, then see if group policy can help solve those problems.
hypercube

ASKER

If you can't think of one then that's OK.  Here's an example:
I want to turn off SMB 1 on all the computers.
Can be done via group policy.
Hi Fred,

This is what I have done over the years for clients.

1) Determine the required workstation setup for a 'new build' - this is a discussion between me and my client, with most of my 'requirements' (that my client doesn't even know or think of) being around locking down settings / security.  It will include all the software required.

2) I implement everything I know I can do with Group Policy.

3) I manually set up everything else, and put all of these on my 'research list' to go away and find out whether I could have done it with group policy (for example).  I hit this list in downtime, rather than slowing up a client setup unless there are a lot of machines, in which case I will research earlier, but for most of my clients, it is one or two new machines at a time.

4) I update my records for the client and create / edit their GPOs so that the next new machine will have anything else 'automated' by default that I can, and update my 'setup notes' to remove that item (or items) from the manual section.


I have found that, over time, Windows settings can be automated, and most software installs can be too (or scripted) if you want, but for 'obscure' software, I usually leave it manual so that I can see what is happening, and the time factor is not significant.


Hope that helps,

Alan.
Just to be clear - I didn't ask to prove a negative.  
I asked folks to *identify known* negatives.

I rather expected the answers but one never knows if they don't ask - particularly with my limited experience.
So, it appears, at least so far, there are no common tasks that can't be done that come quickly to mind.  Is that right?
OK.  Thanks folks. I had rather expected that if, with your experience, you had a list of favorite "peeves" that they would come out.  But, they haven't.  

I suppose I could modify the question just a bit:
Alan alludes to tasks that don't get done with a GPO.  So, there are situations where they aren't used.
How might you describe typical situations of this sort?

Also, I'm working in small network environments with fewer than 50 workstations.....  I suppose numbers matter.  1,000 workstations would beg for broad coverage.  But 20 workstations don't always.
Fred,
So three EE all stated that there is almost nothing that we can think of that cannot be set via GP. This is not validation that pretty much any setting you are looking to push cannot be set centrally.

If you repost you will get similar answers and statements by other EE’s here.
Hi Fred,

For me it is all about giving my client the best possible service and lowest cost (without skimping or missing things).

Using Group Policy to deploy workstations means that the time I put in is reduced (sometimes to very little if there are no 'exceptions' such as obscure software to be installed), I cannot 'miss' something (the way that it is possible if you use a checklist), and there is a very high degree of consistency across all the workstations in a location.

Compare that to doing it without Group Policy - for example, using Workgroups / Home Licenses rather than Pro / Business machines joined to a domain - the cost to the client would frequently be much higher, and the quality would suffer due to inevitable human error no matter how carefully I tried to ensure all setups were identical.

Nothing is perfect, but as I said above, I suggest you just start, and if you find yourself doing something manually, search the net and / or post a question here - it is reasonably likely someone will be able to suggest a setting to achieve whatever it is you want to configure.

Hope that helps,

Alan.
Again, it is a very broad subject. But it is also in the name. Would I want to manage every OS update with GP alone? No. That's a manual scripting that is massively painful. But will I utilize GP to roll out WSUS easily? Absolutely. But that solution isn't "just" GP. And it isn't a pet peeve at all. So it doesn't meet any of your criteria, but meets the definition of things that can't be done with GP alone.

One of many many many examples.
Where Microsoft is not able to get things working up to par for customer satisfaction, or where there is room for development, they have developed products for that.
Ex.: SCOM for monitoring
SCCM for OS deployment and for better patch management than WSUS
TMG for URL filtering
Instead of finding answers to what cannot be done, we should try to find out what can be done with GPO.
For me it's like a question with no output.
Better you list your wish list / tasks to be achieved, and I hope all experts here will be more than happy to answer if it's possible through GPO or not.
What great comments!  Thank you all!  There are some real nuggets here!
Please close this question and award points how you see fit.

Thanks
Mike
yo_bee: Why such a hurry?
No hurry. Take as long as you want.  It was just that you stated "What great comments!  Thank you all!  There are some real nuggets here!".  This seemed like you had what you needed and it was just a reminder to close the question.  Many people tend to ignore the closure after they got the answer they were looking for.

If you are looking for more feedback that is fine.
Ah!  Yes, I'm waiting a suitable time for more feedback.
Take your time and hope you find what you need.
Thank you all.  There was some clever thinking here.  
I already knew that it would be powerful.  My concern was overselling it.  So I wanted to know what it *wouldn't* do.
I guess a reasonable answer to that in context might be:
It won't allow a casual IT manager to make settings very easily.  And, some things will take some experience, study or planning.
- you can't get at the BIOS/UEFI might be viewed as "outside the box" but it does address the original question.
- you can't change a setting as a user that's set by a GPO.  I ran into this once and was really confused by it!!  Somewhere there was a server hiding.  Anyway, it's a flip-side kind of answer and appreciated!
- I might guess that one can't cause a workstation to go through a user log in.  Is that right?
Can one make settings in:
control userpasswords2
??
In view of the clever answers, I guess that the admonitions that "there just aren't any", must be pretty true.
Thanks!
Glad I was able to contribute to your question.