Solved Is not bringing PCs in Domain is a sin?
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
RSOP needed as a tool kind of shows just how hard it is. GPO is considered one of those beastly things to track with any size shop.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
RSOP needed as a tool kind of shows just how hard it is. GPO is considered one of those beastly things to track with any size shop.
Yeah, group policy can be set to target an object in many ways. The only way to know every GPO targeted to an object is checking on the client itself with gpresult, or rsop otherwise.
-
@Obsolesce said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
RSOP needed as a tool kind of shows just how hard it is. GPO is considered one of those beastly things to track with any size shop.
Yeah, group policy can be set to target an object in many ways. The only way to know every GPO targeted to an object is checking on the client itself with gpresult, or rsop otherwise.
Right, but if doing anything beyond extreme basics, GPO gets really hard to track and finding settings can be a bear.
Working as an MSP, GPOs are a nightmare because everyone uses them differently and settings are so easy to be buried so deeply. Text files with everything clear and exposed that you can just audit with easy searches seems leaps and bounds easier.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
Right, but if doing anything beyond extreme basics, GPO gets really hard to track and finding settings can be a bear.
Working as an MSP, GPOs are a nightmare because everyone uses them differently and settings are so easy to be buried so deeply. Text files with everything clear and exposed that you can just audit with easy searches seems leaps and bounds easier.
Keeping your GPOs simplified and concise makes them super easy to manage and navigate. We only do one task per GPO. We often have a hundred GPOs in AD.
Here's a sample list of GPOs:
And here is an entire GPO:
Super easy to manage. I'm not saying opening the XML is not also easy. But the GUI is stupid easy.
-
@JasGot said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
Right, but if doing anything beyond extreme basics, GPO gets really hard to track and finding settings can be a bear.
Working as an MSP, GPOs are a nightmare because everyone uses them differently and settings are so easy to be buried so deeply. Text files with everything clear and exposed that you can just audit with easy searches seems leaps and bounds easier.
Keeping your GPOs simplified and concise makes them super easy to manage and navigate. We only do one task per GPO. We often have a hundred GPOs in AD.
Here's a sample list of GPOs:
And here is an entire GPO:
Super easy to manage. I'm not saying opening the XML is not also easy. But the GUI is stupid easy.
Yes, but the point isn't that it can be done well, the point is that it's most often NOT done well, therefore causing a lot of work for people coming in after the fact.
There's always a correct/best and efficient way to do things. But with Microsoft tech, it's too easy to do it badly and incorrectly due to ignorance, so that's often the case.
-
@JasGot said in Is not bringing PCs in Domain is a sin?:
Keeping your GPOs simplified and concise makes them super easy to manage and navigate. We only do one task per GPO. We often have a hundred GPOs in AD.
That's the problem. MSPs (like NTG) normally deal with GPO in a "someone left us this mess" mode where the way GPO works makes it insanely hard to untangle. Getting pristine environments to set up ourselves is uncommon. AD is almost never deployed new, it's almost always already in place with this stuff already well messed up.
Not that that is GPO's fault, but the way that GPO relies on slow and complicated GUI interfaces makes it so much harder than necessary.
-
OK, the point of easy to read txt files is a huge bonus on the other side.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
OK, the point of easy to read txt files is a huge bonus on the other side.
And easy to parse. Searching on where a computer is mentioned or something else is so fast. Even when it isn't a human doing it.
But it's also super easy to put into GitLab, verify changes with another person, roll back changes, check changes over time, copy changes to another environment, review outside of the box (we often do GPO changes remotely so that the GUI becomes slower and less easy to read), etc.
You can make lots of ways with GPO to overcome the limitations, but the fixes are all extra work and only edge you towards the simple benefits of text files. Using DevOps methodologies with GPO is way harder than it needs to be, for example. Totally doable, but not so insanely straightforward.
-
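Added example, not from any poster in this thread: one way to get the text-file workflow discussed above (search, diff, review, roll back in Git) for an existing AD, by snapshotting every GPO as an XML report into a Git working tree. It assumes the RSAT GroupPolicy module, git on PATH, and an already initialised repository at the hypothetical path `C:\gpo-audit`.

```powershell
# Added example: export all GPOs as text so they can be searched and diffed.
# Assumptions: GroupPolicy (RSAT) module, git on PATH, $RepoPath is a git repo.
param(
    [string]$RepoPath = 'C:\gpo-audit',  # hypothetical location
    [string]$Search   = ''               # optional literal text to look for
)
$ErrorActionPreference = 'Stop'
Import-Module GroupPolicy

$reportDir = Join-Path $RepoPath 'reports'
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null

# Clear old reports first so a deleted GPO shows up as a deleted file in git.
Get-ChildItem -Path $reportDir -Filter '*.xml' | Remove-Item

$index = foreach ($gpo in Get-GPO -All | Sort-Object DisplayName) {
    # Name the file after the GUID: stable across renames, always a valid name.
    $file = Join-Path $reportDir ('{0}.xml' -f $gpo.Id)
    $xml  = Get-GPOReport -Guid $gpo.Id -ReportType Xml

    # The report carries the time it was generated; drop it so an unchanged
    # GPO produces an identical file and no diff noise.
    $xml = $xml -replace '<ReadTime>.*?</ReadTime>', ''

    # Saved as UTF-8 so git treats it as text (these copies are for search/diff).
    Set-Content -Path $file -Value $xml -Encoding UTF8

    [pscustomobject]@{
        Id       = $gpo.Id
        Name     = $gpo.DisplayName
        Status   = $gpo.GpoStatus
        Modified = $gpo.ModificationTime.ToString('s')
    }
}
# Human-readable map from GUID file names to GPO display names.
$index | Export-Csv -Path (Join-Path $RepoPath 'index.csv') -NoTypeInformation

# Commit only when something actually changed since the last snapshot.
git -C $RepoPath add --all
git -C $RepoPath diff --cached --quiet
if ($LASTEXITCODE -ne 0) {
    git -C $RepoPath commit -m ("GPO snapshot {0:yyyy-MM-dd HH:mm}" -f (Get-Date))
}

# Plain text search across every GPO, e.g. for a computer name or a setting.
if ($Search) {
    Select-String -Path (Join-Path $reportDir '*.xml') -Pattern $Search -SimpleMatch |
        Select-Object Filename, LineNumber, Line
}
```

Run on a schedule, `git log -p reports/` then shows who-changed-what-when at the setting level; what actually applies to a given machine still has to be checked on that client with gpresult, as noted earlier in the thread.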
-
Thanks a lot for nice insights.