Windows Insider

A Treatise on IT Fiefdoms

If you want to get the most out of Windows administration tools like Group Policy preferences (GPPs), you need to break down those walls.

Unlike most departments, IT for much of its history has managed to exist as a meritocracy. If you're the smarter IT professional, or at least the one with the most intelligent "wins," you'll probably go farther than your peers.

While that meritocracy thrusts more responsibilities onto those most capable, it sometimes comes with a dark side: fiefdoms.

Spend time with any IT pros and you'll hear the stories: The server team ignores requests from the desktop team. The e-mail administrators aren't allowed to access the network team's monitoring tools. The database group won't talk to the folks managing the virtual environment.

Some of these communication breakdowns are appropriate because of separation of duties. I remember having access to both root and domain admin at a former employer. My bosses put their foot down after finding me trolling for "enable" to complete my personal triumvirate. If you didn't follow my stab at humor, that would give me root (Unix/Linux), enable (Cisco) and domain admin (Windows).

Other difficulties are direct results of the meritocracy itself. I once knew an e-mail administrator who did everything in her power to ensure she always clicked all the buttons. In her mind, she'd earned her post managing that complex (and archaic) system. Maintaining its arcane ways solo brought job assurance, until the Family and Medical Leave Act took her away for 12 weeks. Minor chaos ensued.

GPP Horror Stories
There's one story I hear over and over that leaves me speechless with frustration. It pertains to Group Policy and Group Policy preferences (GPPs) -- or, more specifically, doesn't deal with them. These two tools are baked into every Active Directory setup everywhere, and over their 10-plus-year lifespan have only gotten more powerful and more effective. Group Policy delivers a built-in infrastructure for controlling application and OS configurations. GPPs add custom control over virtually every aspect of the Windows OS, as well as the applications it runs.

That's the custom part of GPPs: With them, and a little elbow grease, a reasonably savvy IT pro can deliver just about any configuration for any application anywhere.

Even formerly challenging OS configurations are reduced to a couple of clicks with this technology. Devices? Restricted. Internet Explorer settings? Delivered. Local Users and Groups? Configured. Even printers, scheduled tasks and start menu items, for goodness sake, can be automatically provisioned to desktops anywhere, with full targeting support across any of 27 different constraints. With GPPs, I can set a user's default printer to the nearest color printer, but only when they're running Adobe Photoshop, on a laptop, connected to a specific domain, with more than 4GB of RAM, on Wednesdays -- scratch that -- Wednesday afternoons, and if they're a member of the marketing group.

But here's my complaint, the thesis of my treatise: This power has desktops written all over it. Indeed, it can be used for server configurations (most notably Remote Desktop Services servers), but in the story I keep hearing, the punch line goes like this: "We're not allowed access to GPPs because they're handled by the Active Directory team."


Take Back the Power
It's high time for a second look at the fiefdoms in our organizations. Some of them are absolutely necessary; others are inadvertently creating extra work for those outside the "in" crowd.

Most important (and I direct this to the members of the proverbial Active Directory team): The actions others are performing to get around these technologies they can't have ... well, those actions will scare you even more.
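One way to give a desktop team its own Group Policy preferences without handing out domain-wide rights is to delegate edit permission on a single GPO that is linked only to the desktop OU. The PowerShell below is an added example, not part of the original column; it uses the cmdlets of Microsoft's GroupPolicy module (`New-GPO`, `New-GPLink`, `Set-GPPermission`, `Get-GPPermission`, `Get-GPOReport`), and the domain, OU path, GPO name and group name are hypothetical placeholders.

```powershell
# Added example: delegate GPP editing to a desktop team on one scoped GPO.
# All names below are placeholders; adjust them for your own forest.
Import-Module GroupPolicy

$Domain      = 'corp.example'                        # placeholder domain
$DesktopOU   = 'OU=Desktops,DC=corp,DC=example'      # placeholder OU path
$GpoName     = 'Desktop Team - Preferences'          # placeholder GPO name
$DesktopTeam = 'Desktop-Engineering'                 # placeholder AD group

# 1. Create the GPO the desktop team will own. Linking it only to the
#    desktop OU is what keeps a bad edit from touching servers or AD itself.
$gpo = Get-GPO -Name $GpoName -Domain $Domain -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Domain $Domain `
        -Comment 'Owned by Desktop Engineering; linked to the Desktops OU only.'
}
if (-not (Get-GPInheritance -Target $DesktopOU -Domain $Domain).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }) {
    New-GPLink -Name $GpoName -Target $DesktopOU -Domain $Domain -LinkEnabled Yes | Out-Null
}

# 2. Grant edit rights (settings only, not security or deletion) to the
#    desktop team. GpoEdit lets them author GPP items; it does not let them
#    change who can edit, which stays with the AD team.
Set-GPPermission -Name $GpoName -Domain $Domain `
    -TargetName $DesktopTeam -TargetType Group `
    -PermissionLevel GpoEdit | Out-Null

# 3. Verify the resulting ACL. The AD team should review this output when
#    auditing delegations, and it is a quick way to catch over-broad rights.
Get-GPPermission -Name $GpoName -Domain $Domain -All |
    Select-Object Trustee, TrusteeType, Permission |
    Format-Table -AutoSize

# 4. Export a settings report so changes can be diffed over time, which is a
#    lightweight stand-in for the versioning the reader comments ask for.
$report = Join-Path $env:TEMP ("{0}-{1:yyyyMMdd}.xml" -f $GpoName, (Get-Date))
Get-GPOReport -Name $GpoName -Domain $Domain -ReportType Xml -Path $report
Write-Host "Settings snapshot written to $report"
```

Run this as a member of the AD team (it needs rights to create and link GPOs). The split it produces is the one the column argues for: the desktop team edits preferences freely inside their own GPO, while the link scope and the permission grant remain with Active Directory administrators.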

About the Author

Greg Shields is a senior partner and principal technologist with Concentrated Technology. He also serves as a contributing editor and columnist for TechNet Magazine and Redmond magazine, and is a highly sought-after and top-ranked speaker for live and recorded events. Greg can be found at numerous IT conferences such as TechEd, MMS and VMworld, among others, and has served as conference chair for 1105 Media’s TechMentor Conference since 2005. Greg has been a multiple recipient of both the Microsoft Most Valuable Professional and VMware vExpert award.


Reader Comments:

Wed, Sep 12, 2012

I'm on the AD team and the Desktop Engineering team, we separate stuff out, so the Citrix guys can put whatever GPOs they want on the Citrix OUs, servers can run wild with Server OUs and we can do what we need with the People and Hardware (desktop/laptop) OUs. If you break your stuff we'll help you, but everyone knows the danger of their stuff going down, so we have few issues. Still, a better way to have versioning and control like Advanced Group Policy Management would be great...

Tue, Sep 11, 2012 Large Enterprise Corp Headquarters in Michigan

I'm on the Active Directory team. Delegating edit rights to GPOs to dozens of local site techs is one of the cool secrets to creating an unstable network. If GPOs just had a delegation option for "GPP-Edit" or one for each, along the lines of "GPP-Printer-Edit" or "GPP-Drive Mapping-Edit", it would help on this. We're not control freaks, but when GPOs bring down a site, the AD guys are the ones to catch it.
