What’s Wrong with Group Policy

Over the years I have worked with Group Policy in many different ways. My experience ranges from helping an enterprise client establish a brand new set of policies for physical PCs and VDI machines to authoring ADM/ADMX/ADML files. Last year I presented and wrote a very detailed analysis of the impact of Group Policy on user logon performance (blog posts). Along the way I learned a lot about the strengths but also about the weaknesses of Group Policy. This article is an account of the latter.

Arcane UI

When you work with Group Policy you do that with Group Policy Management Console (GPMC) and Group Policy Object Editor (GPOE). GPMC was introduced with Windows Server 2003. It has not been updated in any significant way since then – that was 13 years ago.

What can I say? These tools work and they are even kind of functional. But they could be so much better.

Development / Roadmap

That brings me to the topic of ongoing development – which does not happen. Sure enough, every new version of Windows adds new Group Policy settings, and the number of client-side extensions increased from 9 in Windows 2000 to 47 in Windows 8.1 (source), but I am talking about the Group Policy engine here.

It would have been cool if Microsoft had gradually evolved Group Policy by adding management capabilities for devices not joined to a domain and potentially even for mobile devices. But that did not happen. The last significant improvement to Group Policy was the integration of Group Policy Preferences (GPP), a technology Microsoft acquired from DesktopStandard in 2006. This update came as part of Windows Vista.

Management / Documentation

Improvements would also have been nice in the area of managment, where Group Policy is lacking (even considering AGMP, the Advanced Group Policy Management extension which is part of MDOP which in turn requires Software Assurance).

The one big issue not even AGMP fixes is documentation. Change management has been a big thing for at least the past 10 years, yet even today there is no way to force administrators to document a Group Policy change in the one place where it makes sense: right in Group Policy Editor. Please note that I am talking about forcing admins to document a change (only if configured by the enterprise, of course). I am well aware of the fact that some Group Policy settings have a field for comments, but that is optional, and it is only available for registry-based policy settings (the classic Group Policy settings based on administrative templates).

Summing this up, if you want to document the reason why exactly each individual Group Policy setting is configured the way it is, you have to resort to Excel or similar. That sucks. Bigtime.

Group Policy Templates (ADMX/ADML)

Windows Vista brought a new templating engine for Group Policy. It is based on XML files, separated into content (ADMX) and presentation (ADML). So far, so good. Now comes the ugly part.

There is no authoring tool available, at least none that works (Microsoft’s ADMX Migrator is just plain horrible). If you are “lucky” and work for a software vendor who want to make their application configurable through Group Policy you will have to edit the ADMX/ADML files in a text editor.

Now, when you read the next sentences keep in mind this is coming from a guy who edits HTML (including this blog post) in a text editor. Okay, here we go:

Editing ADMX/ADML files is an experience you do not want to make. If you did, you do not want to repeat it.

’nuff said.

UI Capabilities

I already mentioned the arcane UI earlier. The following is geared towards people authoring ADMX files who have to squeeze their application’s rich configuration features into the confines of the capabilites of the Group Policy UI.

  • No validation of user input possible
  • Maximum value of the number field is 9,999. If you need bigger numbers you have to use a text input (resulting in REG_SZ).
  • No UI layout options whatsoever
  • No dependencies between fields (e.g. if this is enabled that needs to be enabled, too)
  • List input is horrible
  • Not many options for providing help to the user

Summary

Summing this up, Microsoft has not invested a single cent in Group Policy since Windows Vista. The UI ranges from arcane (for users) to horrible (for template authors). While the extensibility of Group Policy is a very big plus, you definitely do not want to be the person authoring the ADMX/ADMX files.

Management is severely impacted by the lack of documentation and change management features. As to the roadmap – what roadmap?

Should you use Group Policy?

Everybody does. It is well understood, scalable, extensible. Basically a good tool. If only there was evolution.

If you are looking for alternatives you might want to read Jeremy Moskowitz’ “Why Group Policy is Not Dead” manifesto.

,

One Response to What’s Wrong with Group Policy

  1. Martin Binder September 13, 2016 at 11:33 #

    This is a working ADMX editor: http://www.sysprosoft.com/adm_summary.shtml
    I use it for about 6 years now, and it fully supports all ADMX schmema elements as well as multi language ADML files. Multiple values set with enabling one setting? No problem. Referenced ADMX parent files? No problem
    Give it a try :-))

    regards, Martin

    PS: It is the _only_ working ADMX editor I’m aware of. MSFTs ADMX migrator AFAIK was bought from FullArmor, and the ADM editors integrated in NetIQ or Quest “GPOAdmin” products do not support ADMX.

Leave a Reply