Group Policy vs Real Sysadmin Tools

Discussion in 'NZ Computing' started by Lawrence D'Oliveiro, Jul 7, 2010.

  1. Trevor Pott has been doing a series on the Windows Group Policy Objects
    system, and how it compares to the way things are done on other systems. The
    latest instalment is here
    <http://www.theregister.co.uk/2010/07/06/sysadmin_using_group_policy/>:

    To get right to it: GPOs are training wheels for sysadmins. GPOs are
    able to modify a limited subset of configurations on a limited number of
    operating systems and applications.

    ...

    The first problem is that Microsoft’s various GPO elements need even
    more flexibility than GPP already has. The critical bit is
    extensibility; the ability to build true GPOs - not just scripting
    through GPP - for non-Microsoft products.

    Microsoft also needs to incorporate proper versioning, change control,
    and the ability to revert an entire system to a “known good” set of
    configurations through something other than system restore. Single-
    button reversion of system-wide configuration, pushed from the active
    directory, should not be optional. Are you listening Microsoft? Puppet
    does all of this right.

    The “Puppet” he’s referring to is here
    <http://projects.puppetlabs.com/projects/puppet/wiki>. The problem with the
    whole Windows GPO architecture is that it only works for applications
    designed to work with it. Contrast that with Puppet, which is capable of
    managing configuration for an entire system running all your usual common-
    or-garden open-source software, without any special cooperation on the part
    of the latter.
     
    Lawrence D'Oliveiro, Jul 7, 2010
    #1

  2. Lawrence D'Oliveiro

    AD. Guest

    On Jul 7, 4:37 pm, Lawrence D'Oliveiro <l...@geek-
    central.gen.new_zealand> wrote:
    > Trevor Pott has been doing a series on the Windows Group Policy Objects
    > system, and how it compares to the way things are done on other systems. The
    > latest instalment is here
    > <http://www.theregister.co.uk/2010/07/06/sysadmin_using_group_policy/>:
    >
    >     To get right to it: GPOs are training wheels for sysadmins. GPOs are
    >     able to modify a limited subset of configurations on a limited number of
    >     operating systems and applications.
    >
    >     ...
    >
    >     The first problem is that Microsoft’s various GPO elements need even
    >     more flexibility than GPP already has. The critical bit is
    >     extensibility; the ability to build true GPOs - not just scripting
    >     through GPP - for non-Microsoft products.
    >
    >     Microsoft also needs to incorporate proper versioning, change control,
    >     and the ability to revert an entire system to a “known good” set of
    >     configurations through something other than system restore. Single-
    >     button reversion of system-wide configuration, pushed from the active
    >     directory, should not be optional. Are you listening Microsoft? Puppet
    >     does all of this right.
    >
    > The “Puppet” he’s referring to is here
    > <http://projects.puppetlabs.com/projects/puppet/wiki>. The problem with the
    > whole Windows GPO architecture is that it only works for applications
    > designed to work with it. Contrast that with Puppet, which is capable of
    > managing configuration for an entire system running all your usual common-
    > or-garden open-source software, without any special cooperation on the part
    > of the latter.


    Puppet is cool, but I'm not sure the author fully understands what
    Puppet is. He keeps referring to it as "scripting", whereas I reckon
    what Puppet does and how it works is closer to Group Policy than it is
    to scripting.

    ie with both Puppet and GP you are specifying the end result you want
    (the 'what') - not the steps to get there like you do with scripting
    (the 'how').

    I haven't used it but from what I've heard Chef might be more like
    what he describes - a bit more script like ie more Ruby oriented vs
    DSL settings files like Puppet has.

    The comparisons I've heard are that Puppet is best suited for
    sysadmins wanting to make a bunch of heterogeneous systems at
    arbitrary starting points fall into a standard config, while Chef is
    best suited for deploying a standard config to a bunch of fresh
    systems (eg rolling out new production servers).

    --
    Cheers
    Anton
     
    AD., Jul 7, 2010
    #2
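
The distinction drawn in the post above, between declaring the end result and scripting the steps, shown as an added example that is not part of the thread and is neither Puppet nor Group Policy code. It is a small desired-state engine in Python; the file names, contents and the `converge`, `observe`, `seed` and `demo` helpers are constructed for illustration.

```python
import os
import stat
import tempfile

# Desired end state (the "what"): relative path -> (content, permission bits).
# Paths and contents are constructed sample values.
DESIRED = {
    "etc/motd": ("Authorised use only\n", 0o644),
    "etc/ssh/sshd_config": ("PermitRootLogin no\n", 0o600),
}


def observe(root, rel):
    """Return (content, mode) of a managed file, or (None, None) if absent."""
    path = os.path.join(root, rel)
    if not os.path.isfile(path):
        return None, None
    with open(path) as fh:
        return fh.read(), stat.S_IMODE(os.stat(path).st_mode)


def converge(root, desired, dry_run=False):
    """Compare actual state with desired state and fix only what differs.

    Returns the list of (path, attribute) corrections made, or the ones
    that would be made when dry_run is True.
    """
    changes = []
    for rel, (content, mode) in sorted(desired.items()):
        path = os.path.join(root, rel)
        cur_content, cur_mode = observe(root, rel)
        if cur_content != content:
            changes.append((rel, "content"))
            if not dry_run:
                os.makedirs(os.path.dirname(path), exist_ok=True)
                # Create with 0600 so a new file is never briefly world-readable.
                fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
                with os.fdopen(fd, "w") as fh:
                    fh.write(content)
        if cur_mode != mode:
            changes.append((rel, "mode"))
            if not dry_run:
                os.chmod(path, mode)
    return changes


def seed(root, rel, content, mode):
    """Put a file in place to simulate a host's starting point."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)


def demo():
    """Two hosts at different starting points converge to the same state."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        # Host A is fresh; host B has a correct motd but a drifted sshd_config.
        seed(b, "etc/motd", "Authorised use only\n", 0o644)
        seed(b, "etc/ssh/sshd_config", "PermitRootLogin yes\n", 0o644)
        plan_b = converge(b, DESIRED, dry_run=True)   # report drift only
        first_a = converge(a, DESIRED)
        first_b = converge(b, DESIRED)
        second = converge(a, DESIRED) + converge(b, DESIRED)  # idempotent
        same = all(observe(a, r) == observe(b, r) == DESIRED[r] for r in DESIRED)
    return first_a, plan_b, first_b, second, same
```

The same `DESIRED` table is applied to both hosts; only the corrections differ, and a second run makes none.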

  3. Lawrence D'Oliveiro

    Simon Guest

    On Jul 7, 9:11 pm, "AD." <> wrote:

    > The comparisons I've heard are that Puppet is best suited for
    > sysadmins wanting to make a bunch of heterogeneous systems at
    > arbitrary starting points fall into a standard config, while Chef is
    > best suited for deploying a standard config to a bunch of fresh
    > systems (eg rolling out new production servers).


    My current pet peeve is Microsoft's move away from using GP for
    software distribution. As an example, the fiasco that was Office 2K7.
    Yes there's an MSI in the package, yes you can add it to the software
    distribution point in GP, but is it supported? Well, sort of.....

    I haven't had a chance to look into the situation with O2K10 yet, but
    we probably won't be moving to that platform anytime soon anyway.
     
    Simon, Jul 8, 2010
    #3
  4. Lawrence D'Oliveiro

    Simon Guest

    On Jul 8, 8:27 pm, EMB <> wrote:

    > > I haven't had a chance to look into the situation with O2K10 yet, but
    > > we probably won't be moving to that platform anytime soon anyway.

    >
    > They both push just fine with Config Manager.  As do the other 127
    > packages (apps and drivers) we distribute that way.


    Yup, that's the solution we settled on too, however my peeve is that
    you're expected to buy yet another piece of software. For the most
    part, our software deployment requirements are rudimentary, GP worked
    well for us until the recent changes.
     
    Simon, Jul 9, 2010
    #4
  5. Lawrence D'Oliveiro

    Simon Guest

    On Jul 9, 9:25 pm, EMB <> wrote:
    > On 9/07/2010 4:36 p.m., Simon wrote:
    >
    > > On Jul 8, 8:27 pm, EMB<>  wrote:

    >
    > >>> I haven't had a chance to look into the situation with O2K10 yet, but
    > >>> we probably won't be moving to that platform anytime soon anyway.

    >
    > >> They both push just fine with Config Manager.  As do the other 127
    > >> packages (apps and drivers) we distribute that way.

    >
    > > Yup, that's the solution we settled on too, however my peeve is that
    > > you're expected to buy yet another piece of software. For the most
    > > part, our software deployment requirements are rudimentary, GP worked
    > > well for us until the recent changes.

    >
    > Ours are rather more complex, especially from a licensing compliance
    > point of view.  ConfigMgr makes all that easy and uninstalls on demand
    > too when we wish to move apps between machines.


    We also looked into ZenWorks, but we managed to dump a lot of software
    that wasn't pre-packaged as MSI's, or which would be complicated to
    transform into an MSI.

    > Don't however get me started on Operations Manager - I never wish to see
    > the horrible piece of crap again.


    My condolences - we suffered that affliction ourselves for a while.
    Luckily it disappeared with some decent antiseptic cream.
     
    Simon, Jul 10, 2010
    #5
  6. Lawrence D'Oliveiro

    Sweetpea Guest

    On Sat, 10 Jul 2010 15:13:56 +1200, EMB wrote:

    >> We also looked into ZenWorks, but we managed to dump a lot of software
    >> that wasn't pre-packaged as MSI's, or which would be complicated to
    >> transform into an MSI.

    >
    > We haven't found anything yet that we can't package into an MSI. It
    > helps that we have a staff member who is bloody good at doing that.


    What if you have a heterogeneous environment and you want to have all
    applications available for all platforms?

    MSIs surely are limited to only working on the Microsoft platform?

    Whatever LDAP solution you use - Microsoft's "Active" Directory, or
    Novell's eDirectory, or anything else - surely the tool should be both
    platform agnostic from a user management perspective and also it should
    have the smarts to figure out what version of an application it needs to
    deploy onto the relevant OS.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Sweetpea, Jul 10, 2010
    #6
  7. Lawrence D'Oliveiro

    AD. Guest

    On Jul 11, 12:00 am, Sweetpea <> wrote:
    > What if you have a heterogeneous environment and you want to have all
    > applications available for all platforms?


    Wouldn't having all apps available for all platforms mostly negate the
    point of that heterogenous environment in the first place? Most of the
    time a heterogenous environment only exists because different apps
    require different platforms.

    --
    Cheers
    Anton
     
    AD., Jul 11, 2010
    #7
  8. Lawrence D'Oliveiro

    Sweetpea Guest

    On Sat, 10 Jul 2010 18:39:57 -0700, AD. wrote:

    > Wouldn't having all apps available for all platforms mostly negate the
    > point of that heterogenous environment in the first place? Most of the
    > time a heterogenous environment only exists because different apps
    > require different platforms.


    What about user choice?

    All good applications are available for multiple platforms.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Sweetpea, Jul 11, 2010
    #8
  9. Lawrence D'Oliveiro

    Enkidu Guest

    On 11/07/10 14:22, Sweetpea wrote:
    > On Sat, 10 Jul 2010 18:39:57 -0700, AD. wrote:
    >
    >> Wouldn't having all apps available for all platforms mostly negate the
    >> point of that heterogenous environment in the first place? Most of the
    >> time a heterogenous environment only exists because different apps
    >> require different platforms.

    >
    > What about user choice?
    >

    User choice? Hehehehehehe! In a corporate environment there is no 'user
    choice'.
    >
    > All good applications are available for multiple platforms.
    >

    Is Exchange available on Linux? There is nothing that can touch it so far.

    Cheers,

    Cliff

    --

    The ends justifies the means - Niccolò di Bernardo dei Machiavelli.

    The end excuses any evil - Sophocles
     
    Enkidu, Jul 11, 2010
    #9
  10. Lawrence D'Oliveiro

    Sweetpea Guest

    On Sun, 11 Jul 2010 16:52:26 +1200, Enkidu wrote:

    >> All good applications are available for multiple platforms.
    >>

    > Is Exchange available on Linux? There is nothing that can touch it so
    > far.


    QED!


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Sweetpea, Jul 11, 2010
    #10
  11. Lawrence D'Oliveiro

    AD. Guest

    On Jul 11, 2:22 pm, Sweetpea <> wrote:
    > What about user choice?
    >
    > All good applications are available for multiple platforms.


    Only if that is part of your circular definition of a good app in the
    first place.

    What if one of your users wants a platform that isn't supported by one/
    some/all your existing apps? What happens to user choice then? Or do
    those apps suddenly stop being good and you drop them?

    --
    Cheers
    Anton
     
    AD., Jul 11, 2010
    #11
  12. Lawrence D'Oliveiro

    Enkidu Guest

    On 11/07/10 19:27, Sweetpea wrote:
    > On Sun, 11 Jul 2010 16:52:26 +1200, Enkidu wrote:
    >
    >>> All good applications are available for multiple platforms.
    >>>

    >> Is Exchange available on Linux? There is nothing that can touch it so
    >> far.

    >
    > QED!
    >

    Exchange is the best example of its kind. While OSS aspires to approach
    it, nothing comes even close. Exchange is not available on Linux,
    therefore not all good applications are available for multiple
    platforms. Yet you claim QED. Moron.

    Cheers,

    Cliff

    --

    The ends justifies the means - Niccolò di Bernardo dei Machiavelli.

    The end excuses any evil - Sophocles
     
    Enkidu, Jul 11, 2010
    #12
  13. Lawrence D'Oliveiro

    Sweetpea Guest

    On Mon, 12 Jul 2010 09:28:36 +1200, Enkidu wrote:

    >>> Is Exchange available on Linux? There is nothing that can touch it so
    >>> far.

    >>
    >> QED!
    >>

    > Exchange is the best example of its kind.


    Indeed! A bloated, difficult to configure, resource hungry, platform
    specific, expensive, POM$S!


    > While OSS aspires to approach
    > it, nothing comes even close.


    There are several open source drop-in replacements for MS Exchange.


    > Exchange is not available on Linux,


    Indeed!


    > therefore not all good applications are available for multiple
    > platforms. Yet you claim QED.


    And rightly so!


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Sweetpea, Jul 12, 2010
    #13
  14. Lawrence D'Oliveiro

    Sweetpea Guest

    On Sun, 11 Jul 2010 02:10:54 -0700, AD. wrote:

    > On Jul 11, 2:22 pm, Sweetpea <> wrote:
    >> What about user choice?
    >>
    >> All good applications are available for multiple platforms.

    >
    > Only if that is part of your circular definition of a good app in the
    > first place.
    >
    > What if one of your users wants a platform that isn't supported by one/
    > some/all your existing apps? What happens to user choice then? Or do
    > those apps suddenly stop being good and you drop them?


    Did I say "all good applications are available on all platforms"?


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Sweetpea, Jul 12, 2010
    #14
  15. Lawrence D'Oliveiro

    AD. Guest

    On Jul 12, 7:22 pm, Sweetpea <> wrote:
    > On Sun, 11 Jul 2010 02:10:54 -0700, AD. wrote:
    > > On Jul 11, 2:22 pm, Sweetpea <> wrote:
    > >> What about user choice?

    >
    > >> All good applications are available for multiple platforms.

    >
    > > Only if that is part of your circular definition of a good app in the
    > > first place.

    >
    > > What if one of your users wants a platform that isn't supported by one/
    > > some/all your existing apps? What happens to user choice then? Or do
    > > those apps suddenly stop being good and you drop them?

    >
    > Did I say "all good applications are available on all platforms"?


    You said:

    "All good applications are available for multiple platforms."

    Which implies that an app only available for only one platform cannot
    possibly be good. That is completely laughable.

    You also said:

    "What if you have a heterogeneous environment and you want to have all
    applications available for all platforms?"

    and

    "What about user choice?"

    Which as the number of users increases, the likelihood of these
    statements conflicting with each other rises.

    Obviously this hypothetical Sweetpea Corp will need to either

    a) restrict which platforms or apps users can choose from
    or
    b) give up having all apps available for all platforms
    or
    c) both of the above

    to avoid the situation that arises when a user chooses something that
    won't run some of your existing apps.

    --
    Cheers
    Anton
     
    AD., Jul 12, 2010
    #15
  16. Lawrence D'Oliveiro

    Sweetpea Guest

    On Mon, 12 Jul 2010 01:57:14 -0700, AD. wrote:

    > On Jul 12, 7:22 pm, Sweetpea <> wrote:
    >> On Sun, 11 Jul 2010 02:10:54 -0700, AD. wrote:
    >> > On Jul 11, 2:22 pm, Sweetpea <> wrote:
    >> >> What about user choice?

    >>
    >> >> All good applications are available for multiple platforms.

    >>
    >> > Only if that is part of your circular definition of a good app in the
    >> > first place.

    >>
    >> > What if one of your users wants a platform that isn't supported by
    >> > one/ some/all your existing apps? What happens to user choice then?
    >> > Or do those apps suddenly stop being good and you drop them?

    >>
    >> Did I say "all good applications are available on all platforms"?

    >
    > You said:
    >
    > "All good applications are available for multiple platforms."
    >
    > Which implies that an app only available for only one platform cannot
    > possibly be good. That is completely laughable.


    Name 5 good applications (defined as efficient, lean, fast, well written,
    feature complete, and easy to use) available on only one platform.


    > You also said:
    >
    > "What if you have a heterogeneous environment and you want to have all
    > applications available for all platforms?"


    .... all platforms in that heterogeneous environment".


    > and
    >
    > "What about user choice?"
    >
    > Which as the number of users increases, the likelihood of these
    > statements conflicting with each other rises.


    I did not say "extensive user choice". I was referring to the choice of
    platform.


    > Obviously this hypothetical Sweetpea Corp will need to either
    >
    > a) restrict which platforms or apps users can choose from or
    > b) give up having all apps available for all platforms or
    > c) both of the above
    >
    > to avoid the situation that arises when a user chooses something that
    > won't run some of your existing apps.


    For example, all good browsers are available for multiple platforms.

    All good office productivity suites are available for multiple platforms.

    All good image and audio editors are available for multiple platforms.

    Ditto for pretty much anything I can think of just now.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Sweetpea, Jul 12, 2010
    #16
  17. Lawrence D'Oliveiro

    Sweetpea Guest

    On Mon, 12 Jul 2010 23:23:19 +1200, EMB wrote:

    > On 12/07/2010 7:20 p.m., Sweetpea wrote:
    >
    >> There are several open source drop-in replacements for MS Exchange.

    >
    > Name even one. You can't.


    http://www.zarafa.com/

    http://www.scalix.com/

    There - two.

    And there were other solutions that looked very good, but weren't
    specifically targeting working with MS Outlook.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Sweetpea, Jul 12, 2010
    #17
  18. Lawrence D'Oliveiro

    AD. Guest

    On Jul 12, 10:13 pm, Sweetpea <> wrote:
    > On Mon, 12 Jul 2010 01:57:14 -0700, AD. wrote:
    > > Which implies that an app only available for only one platform cannot
    > > possibly be good. That is completely laughable.

    >
    > Name 5 good applications (defined as efficient, lean, fast, well written,
    > feature complete, and easy to use) available on only one platform.


    Well despite your subjective and restrictive definition of 'good', I
    should only need one to disprove your blanket statement.

    TortoiseSVN
    iptables (ok, that was a joke)
    OpenBSD's smtpd and openbgpd (might've been ported by now)
    OmniGraffle (or even Visio for that matter)
    TextMate
    BBEdit
    Powershell
    SQL Server
    3ds Max
    Cinema 4D

    And that's from someone who mainly just uses cross platform apps - I'm
    sure a regular Mac or Windows user could come up with a far better /
    more accurate list.


    > For example, all good browsers are available for multiple platforms.


    Well IE 8 was relatively good, and IE 9 looks like it will be a good
    one.

    >
    > All good office productivity suites are available for multiple platforms.


    Haha, as much as I dislike it MS Office is the closest thing to a good
    office suite by your definition.

    >
    > All good image and audio editors are available for multiple platforms.


    Yeah right

    >
    > Ditto for pretty much anything I can think of just now.


    That just shows the limits of your imagination.

    --
    Cheers
    Anton
     
    AD., Jul 12, 2010
    #18
  19. Lawrence D'Oliveiro

    Sweetpea Guest

    On Tue, 13 Jul 2010 06:25:36 +1200, EMB wrote:

    > On 11/07/2010 12:00 a.m., Sweetpea wrote:
    >> On Sat, 10 Jul 2010 15:13:56 +1200, EMB wrote:
    >>
    >>>> We also looked into ZenWorks, but we managed to dump a lot of
    >>>> software that wasn't pre-packaged as MSI's, or which would be
    >>>> complicated to transform into an MSI.
    >>>
    >>> We haven't found anything yet that we can't package into an MSI. It
    >>> helps that we have a staff member who is bloody good at doing that.

    >>
    >> What if you have a heterogeneous environment and you want to have all
    >> applications available for all platforms?

    >
    > Why would we want to? What we have meets the needs of the business, is
    > a completely known quantity and has good commercial support available.


    I don't care whether or not you actually want to in your actual day job.
    It was a hypothetical situation.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Sweetpea, Jul 12, 2010
    #19
  20. Lawrence D'Oliveiro

    Sweetpea Guest

    On Tue, 13 Jul 2010 06:54:54 +1200, EMB wrote:

    > On 13/07/2010 12:23 a.m., Sweetpea wrote:
    >> On Mon, 12 Jul 2010 23:23:19 +1200, EMB wrote:
    >>
    >>> On 12/07/2010 7:20 p.m., Sweetpea wrote:
    >>>
    >>>> There are several open source drop-in replacements for MS Exchange.
    >>>
    >>> Name even one. You can't.

    >>
    >> http://www.zarafa.com/

    >
    > Oh look, the open source version doesn't fully support Outlook. So that
    > ain't a drop in open-source replacement for Exchange.
    >>
    >> http://www.scalix.com/

    >
    > Oh look, yet again the open-source version is crippleware missing many
    > Exchange features.


    I agree that they do not work 100% with MS Outlook without also having
    the extra bits that are only supplied when you stump up with the moolah.


    >> There - two.

    >
    > There are, as I correctly stated, *none*.


    Bullshit. They are all built on open source software, and released under
    open source licenses.


    > There's another slight issue with the "drop-in replacement" you claim.
    > Neither of them will run in a Windows environment. That's a moderately
    > important requirement in a lot of businesses running Windows servers -
    > that a product be supportable within their existing skill base.


    So replace the MS Windows server with something good. Why should you
    actually want to run MS windows as a server in any case - it is a toy OS.


    --
    "Filtering the Internet is like trying to boil the ocean"
     
    Sweetpea, Jul 12, 2010
    #20
