What common things won't Group Policies do on workstation setups?

If I have a DC and AD then what things should I expect to NOT be able to handle with Group Policies that are common and likely a pain for Network Admins?
I'm happy to read about it but I'm more interested in experience with this question.
LVL 27
Fred MarshallPrincipalAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
That's kindof a tough question to answer. It won't make you coffee. It won't pick lotto numbers.  It's basically asking to prove a negative.  It's better to lisy business problems you want to solve then see if group policy can help solve those problems.
Fred MarshallPrincipalAuthor Commented:
If you can't think of one then that's OK.  Here's an example:
I want to turn off SMB 1 on all the computers.
Cliff GaliherCommented:
Can be done via group policy.
SolarWinds® IP Control Bundle (IPCB)

Combines SolarWinds IP Address Manager and User Device Tracker to help detect IP conflicts, quickly identify affected systems, and help your team take near instantaneous action. Help improve visibility and enhance reliability with SolarWinds IP Control Bundle.

AlanConsultantCommented:
Hi Fred,

This is what I have done over the years for clients.

1) Determine the required workstation setup for a 'new build' - this is a discussion between me and my client, with most of my 'requirements' (that my client doesn't even know or think of) being around locking down settings / security.  It will include all the software required.

2) I implement everything I know I can do with Group Policy.

3) I manually setup everything else, and put all of these on my 'research list' to go away and find out whether I could have done it with group policy (for example).  I hit this list in downtime, rather than slowing up a client setup unless there a lot of machines, in which case I will research earlier, but most of my clients, it is one or two new machines at a time.

4) I update my records for the client and create / edit their GPOs so that the next new machine will have anything else 'automated' by default that I can, and update my 'setup notes' to remove that item (or items) from the manual section.


I have found that, over time, windows settings can be automated, and most software installs can be too (or scripted) if you want, but for 'obscure' software, I usually leave it manual so that I can see what is happening, and the time factor is not significant.


Hope that helps,

Alan.
yo_beeDirector of Information TechnologyCommented:
If the setting does not exist,  but you know a registry setting that controls something you want you can use either GPO or GPP to push out custom registry settings.

Most of the setting that GPO controls are registry settings.

My recommendation is to just enter a search in your favorite browser search engine of a setting you are looking to apply. Most every setting is well documented.

Here is a search I just did in Google for disabling Smbv1 via Group policy.
https://www.google.com/search?q=how+to+turn+off+smbv1+via+group+policy&ie=UTF-8&oe=UTF-8&hl=en-us&client=safari

Here is a nice explanation of GPO.
https://msdn.microsoft.com/en-us/library/bb742376.aspx

Here is a reference guide from MS:
https://www.microsoft.com/en-us/download/details.aspx?id=25250

I would say almost any setting you can think of you can accomplish with GP.

Here is a complete count.

Blank = Pre Windows 10
All others are Windows 10
GPOList.PNG
Fred MarshallPrincipalAuthor Commented:
Just to be clear - I didn't ask to prove a negative.  
I asked folks to *identify known* negatives.

I rather expected the answers but one never knows if they don't ask - particularly with my limited experience.
So, it appears, at least so far, there are no common tasks that can't be done that come quickly to mind.  Is that right?
yo_beeDirector of Information TechnologyCommented:
With over 3000 default setting (not including any thing from Citrix, Google or Microsoft Office) I would say there is not much you cannot accomplish with GPO or GPP.
Like I said earlier GPO setting are registry settings so if there is a setting that is not in GP and it is a registry setting you are looking to push company wide you can accomplish this with registry pushes in GP.  

I have been working with GP for 18 years and I am still finding things that I was not aware I was able to do.

As the Cliff said you would be better off asking what you are looking to accomplish and the EE group can post their knowledge and personal experience.  I think it would be almost impossible to higlhlight anything that gp will not accomplish without you highlighting what you would like to setting centrally.
AlanConsultantCommented:
Hi Fred,

I'd say the short answer to your question, at least as far as Windows settings are concerned, is that almost anything can be done with Group Policy.

Alan.
Fred MarshallPrincipalAuthor Commented:
OK.  Thanks folks. I had rather expected that if, with your experience, you had a list of favorite "peeves" that they would come out.  But, they haven't.  

I suppose I could modify the quesiton just a bit:
Alan alludes to tasks that don't get done with a GPO.  So, there are situations where they aren't used.
How might you describe typical situations of this sort?

Also, I'm working in small network environments with fewer than 50 workstations.....  I suppose numbers matter.  1,000 workstations would beg for broad coverage.  But 20 workstations don't always.
yo_beeDirector of Information TechnologyCommented:
Fred the size does not matter. It's about central management of your environment. GP gives you and your IT team the ability to make a company wide setting and it is locked down by GP.  

So if you are looking for a negative here is one.  When you set a GP setting it is locked down and you are not able to change it from the client end. For example you set the screensaver setting and locking of the computer this will not be able to be turned off or adjusted from the client end.
yo_beeDirector of Information TechnologyCommented:
Fred,
So three EE all stated that there is almost nothing that we can think of that cannot be set via GP. This is not validation that pretty much any setting you are looking to push cannot be set centrally.

If you repost you will get similar answers and statements by other EE’s here.
AlanConsultantCommented:
Hi Fred,

For me it is all about giving my client the best possible service and lowest cost (without skimping or missing things).

Using Group Policy to deploy workstations means that the time I put in is reduced (sometimes to very little if there are no 'exceptions' such as obscure software to be installed), I cannot 'miss' something (the way that it is possible if you use a checklist), and there is a very high degree of consistency across all the workstations in a location.

Compare that to doing it without Group Policy - for example, using Workgroups / Home Licenses rather than Pro / Business machines joined to a domain - the cost to the client would frequently be much higher, and the quality would suffer due to inevitable human error no matter how carefully I tried to ensure all setups were identical.

Nothing is perfect, but as I said above, I suggest you just start, and if you find yourself doing something manually, search the net and / or post a question here - it is reasonably likely someone will be able to suggest a setting to achieve whatever it is you want to configure.

Hope that helps,

Alan.
Mal OsborneAlpha GeekCommented:
Change the boot order, set flags to disable hypertheading or anything else set in a machine's BIOS.
Cliff GaliherCommented:
Again, it is a very broad subject. But it is also in the name. Would I want to manage every OS update with GP alone? No. That's a manual scripting that is massively painful. But will I utilize GP to roll out WSUS easily? Absolutely. But that solution isn't "just" GP. And it isn't a pet peeve at all. So it doesn't meet any of your criteria, but meets the definition of things that can't be done with GP alone.

One of many many many examples.
MaheshArchitectCommented:
Where Microsoft is not able to get things working as par to customer satisfaction or where there is room for development, they have developed products for that
Ex,: scom for monitoring
Sccm for os deployment and for better patch management than wsus
TMG for URL filtering
Instead of finding answers what cannot be done, we should try to find out what can be done with GPO
For me it's like question with no output
Better you list your wish list / tasks to be achieved and I hope all experts here will be more than happy to answer if it's possible through gpo or not
Fred MarshallPrincipalAuthor Commented:
What great comments!  Thank you all!  There are some real nuggets here!
yo_beeDirector of Information TechnologyCommented:
Please close this question and award points how you see fit.

Thanks
Mike
Fred MarshallPrincipalAuthor Commented:
yo_bee: Why such a hurry?
MaheshArchitectCommented:
If taken your question "word to word", Few pointers came in mind wrt GPO application, in fact GPOs can't control that

The base of GPOs applied on workstation is WMI and RPC ports, port rules to allow / block certain ports or even batch scripts to refresh wmi repository can be pushed through GPO, however if machine has WMI corruption problem, GPO would fail
If network firewall exists between clients and DC servers and RPC is blocked on network firewall, port rule GPO again would fail

If there is failure of sysvol replication / name resolution GPO application would fail
enforcing policies on laptops would be pain as laptop users hardly turn off laptops unless you push some schedule task / sccm task to reboot machine at periodic interval

GPOs cannot restrict / control admins from elevating privileges most of the time with exception of very few settings, since GPO is nothing but toggle workstation / OS controls by toggling registry values from 0 to 1 and vice versa

finally troubleshooting of complications arrived due to multiple GPOs application / conflicts, no GPO is available to auto identify and resolve GPO conflicts and take workstation to normal stage, this has to be done manually by verifying each and every GPO by trial and errors

in short GPOs, cannot control other environmental variables because of which GPOs are getting applied and utilized, Infact GPO have dependency on those variables

Mahesh.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
yo_beeDirector of Information TechnologyCommented:
No hurry. Take as long as you want.  It was just that you stated  
What great comments!  Thank you all!  There are some real nuggets here!
.  This seemed like you had what you needed and it was just a reminder to close the question.  Many people tend to ignore the closure after they got the answer they were looking for,  

If you are looking for more feedback that is fine.
Fred MarshallPrincipalAuthor Commented:
Ah!  Yes, I'm waiting a suitable time for more feedback.
yo_beeDirector of Information TechnologyCommented:
Take your time and hope you find what you need.
Fred MarshallPrincipalAuthor Commented:
Thank you all.  There was some clever thinking here.  
I already knew that it would be powerful.  My concern was overselling it.  So I wanted to know what it *wouldn't* do.
I guess a reasonable answer to that in context might be:
It won't allow a casual IT manager to make settings very easily.  And, some things will take some experience, study or planning.
- you can't get at the BIOS/UEFI might be viewed as "outside the box" but it does address the original question.
- you can't change a setting as a user that's set by a GPO.  I ran into this once and was really confused by it!!  Somewhere there was a server hiding.  Anyway, it's a flip-side kind of answer and appreciated!
- I might guess that one can't cause a workstation to go through a user log in.  Is that right?
Can one make settings in:
control userpasswords2
??
In view of the clever answers, I guess that the admonitions that "there just aren't any", must be pretty true.
Fred MarshallPrincipalAuthor Commented:
Thanks!
yo_beeDirector of Information TechnologyCommented:
Glad I was able to contribute to your question.
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Networking

From novice to tech pro — start learning today.