Windows Insider

A Treatise on IT Fiefdoms

If you want to get the most out of Windows administration tools like Group Policy preferences (GPPs), you need to break down those walls.

• By Greg Shields
• 08/01/2012

Unlike most departments, IT for much of its history has managed to exist as a meritocracy. If you're the smarter IT professional, or at least the one with the most intelligent "wins," you'll probably go farther than your peers.

While that meritocracy thrusts more responsibilities onto those most capable, it sometimes comes with a dark side: fiefdoms.

Spend time with any IT pros and you'll hear the stories: The server team ignores requests from the desktop team. The e-mail administrators aren't allowed to access the network team's monitoring tools. The database group won't talk to the folks managing the virtual environment.

Some of these communication breakdowns are appropriate because of separation of duties. I remember having access to both root and domain admin at a former employer. My bosses put their foot down after finding me trolling for "enable" to complete my personal triumvirate. If you didn't follow my stab at humor, that would give me root (Unix/Linux), enable (Cisco) and domain admin (Windows).

Others difficulties are direct results of the meritocracy itself. I once knew an e-mail administrator who did everything in her power to ensure she always clicked all the buttons. In her mind, she'd earned her post managing that complex (and archaic) system. Maintaining its arcane ways solo brought job assurance, until the Family and Medical Leave Act took her away for 12 weeks. Minor chaos ensued.

GPP Horror Stories
There's one story I hear over and over that leaves me speechless with frustration. It pertains to Group Policy and Group Policy preferences (GPPs) -- or, more specifically, doesn't deal with them. These two tools are baked into every Active Directory setup everywhere, and over their 10-plus-year lifespan have only gotten more powerful and more effective. Group Policy delivers a built-in infrastructure for controlling application and OS configurations. GPPs add custom control over virtually every aspect of the Windows OS, as well as the applications it runs.

That's the custom part of GPPs: With them, and a little elbow grease, a reasonably savvy IT pro can deliver just about any configuration for any application anywhere.

Even formerly challenging OS configurations are reduced to a couple of clicks with this technology. Devices? Restricted. Internet Explorer settings? Delivered. Local Users and Groups? Configured. Even printers, scheduled tasks and start menu items, for goodness sake, can be automatically provisioned to desktops anywhere, with full targeting support across any of 27 different constraints. With GPPs, I can set a user's default printer to the nearest color printer, but only when they're running Adobe Photoshop, on a laptop, connected to a specific domain, with more than 4GB of RAM, on Wednesdays -- scratch that -- Wednesday afternoons, and if they're a member of the marketing group.

But here's my complaint, the thesis of my treatise: This power has desktops written all over it. Indeed, it can be used for server configurations (most notably Remote Desktop Services servers), but in the story I keep hearing, the punch line goes like this: "We're not allowed access to GPPs because they're handled by the Active Directory team."

Ouch.

Take Back the Power
It's high time for a second look at the fiefdoms in our organizations. Some of them are absolutely necessary; others are inadvertently creating extra work for those outside the "in" crowd.

Most important (and I direct this to the members of the proverbial Active Directory team): The actions others are performing to get around these technologies they can't have ... well, those actions will scare you even more.