Solved Is not bringing PCs in Domain is a sin?
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
huh? Does anything other then MS Products use registry settings? or is compatible with MS registry settings?
No, but it is MS workstations that we are talking about
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
huh? Does anything other then MS Products use registry settings? or is compatible with MS registry settings?
No, but it is MS workstations that we are talking about
Out of context it looks like I'm talking weird... I was pretty sure nothing else did/does... but Daniel's comment was weird and pulled my question.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
huh? Does anything other then MS Products use registry settings? or is compatible with MS registry settings?
No, but it is MS workstations that we are talking about
Out of context it looks like I'm talking weird... I was pretty sure nothing else did/does... but Daniel's comment was weird and pulled my question.
Why? He was talking about GPO, and GPO manages registry settings on Windows. What about his statement made you ask about other OSes?
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Salt stack will get there some day
Salt in general can probably do it - but requires a lot on the administrators side to know how to create (are they called playbooks?) and the specifics of registry entries to create those playbooks.one can say the same thing about GPO. GPO isn't trivial, you just already learned it. And it's ridiculously hard to manage. Salt isn't any harder, it's actually probably a bit easier.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Salt stack will get there some day
Salt in general can probably do it - but requires a lot on the administrators side to know how to create (are they called playbooks?) and the specifics of registry entries to create those playbooks.one can say the same thing about GPO. GPO isn't trivial, you just already learned it. And it's ridiculously hard to manage. Salt isn't any harder, it's actually probably a bit easier.
Really? Is there a GUI that walks you through all of the options with full explanations on those options? Perhaps there are - but what I saw was that you had to hand write everything for Salt, lookup everything - know the reg keys to reference, etc. not true?
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
huh? Does anything other then MS Products use registry settings? or is compatible with MS registry settings?
No, but it is MS workstations that we are talking about
Out of context it looks like I'm talking weird... I was pretty sure nothing else did/does... but Daniel's comment was weird and pulled my question.
It was certainly a weird comment and I apologize. I was well meaning to saying Windows Devices.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Is there a GUI that walks you through all of the options with full explanations on those options?
You ask this as if the GPO GUI makes this easy. It doesn't.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Perhaps there are - but what I saw was that you had to hand write everything for Salt, lookup everything - know the reg keys to reference, etc. not true?
Right. Which is REALLY easy. Easier than the GPO GUI for a lot of people. Certainly for me. GPO is easy for some tasks, and really hard for others. The GUI makes it unnecessarily hard. Sure you can do it without the GUI, but that's not easy like Salt.
You are associating GUI with easy and text with hard, which is simply not the case at all.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
Perhaps there are - but what I saw was that you had to hand write everything for Salt, lookup everything - know the reg keys to reference, etc. not true?
Right. Which is REALLY easy. Easier than the GPO GUI for a lot of people. Certainly for me. GPO is easy for some tasks, and really hard for others. The GUI makes it unnecessarily hard. Sure you can do it without the GUI, but that's not easy like Salt.
You are associating GUI with easy and text with hard, which is simply not the case at all.
I guess we are just on opposite sides of this. I do consider the GUI to make using GPOs easy... you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
I do consider the GUI to make using GPOs easy...
Except it doesn't make it easy. The GUI is necessary to make GPOs "not as hard". That's not the same.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
RSOP needed as a tool kind of shows just how hard it is. GPO is considered one of those beastly things to track with any size shop.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
RSOP needed as a tool kind of shows just how hard it is. GPO is considered one of those beastly things to track with any size shop.
Yeah, group policy can be set to target an object in many ways. The only way to know every GPO targeted to an object is checking on the client itself with gpresult, or rsop otherwise.
-
@Obsolesce said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
@Dashrender said in Is not bringing PCs in Domain is a sin?:
you can sift through them looking for options - you can also google through to find where to set options.. whatever suits your fancy.
RSOP needed as a tool kind of shows just how hard it is. GPO is considered one of those beastly things to track with any size shop.
Yeah, group policy can be set to target an object in many ways. The only way to know every GPO targeted to an object is checking on the client itself with gpresult, or rsop otherwise.
Right, but if doing anything beyond extreme basics, GPO gets really hard to track and finding settings can be a bear.
Working as an MSP, GPOs are a nightmare because everyone uses them differently and settings are so easy to be buried so deeply. Text files with everything clear and exposed that you can just audit with easy searches seems leaps and bounds easier.
-
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
Right, but if doing anything beyond extreme basics, GPO gets really hard to track and finding settings can be a bear.
Working as an MSP, GPOs are a nightmare because everyone uses them differently and settings are so easy to be buried so deeply. Text files with everything clear and exposed that you can just audit with easy searches seems leaps and bounds easier.Keeping your GPOs simplified and concise makes them super easy to manage and navigate. We only do one task per GPO. We often have a hundred GPOs in AD.
Here's a sample list of GPOs
And here is an entire GPO:
Super easy to manage. I'm not saying opening the XML is not also easy. But the GUI is stupid easy.
-
@JasGot said in Is not bringing PCs in Domain is a sin?:
@scottalanmiller said in Is not bringing PCs in Domain is a sin?:
Right, but if doing anything beyond extreme basics, GPO gets really hard to track and finding settings can be a bear.
Working as an MSP, GPOs are a nightmare because everyone uses them differently and settings are so easy to be buried so deeply. Text files with everything clear and exposed that you can just audit with easy searches seems leaps and bounds easier.Keeping your GPOs simplified and concise makes them super easy to manage and navigate. We only do one task per GPO. We often have a hundred GPOs in AD.
Here's a sample list of GPOs
And here is an entire GPO:
Super easy to manage. I'm not saying opening the XML is not also easy. But the GUI is stupid easy.
Yes, but the point isn't that it can be done well, the point is that it's most often NOT done well, therefore causing a lot of work for people coming in after the fact.
There's always a correct/best and efficient way to do things. But with Microsoft tech, it's too easy to do it bad and incorrectly due to ignorance, so that's often the case.
-
@JasGot said in Is not bringing PCs in Domain is a sin?:
Keeping your GPOs simplified and concise makes them super easy to manage and navigate. We only do one task per GPO. We often have a hundred GPOs in AD.
That's the problem. MSPs (like NTG) normally deal with GPO in a "someone left us this mess" mode where the way GPO works makes it insanely hard to untangle. Getting pristine environments to set up ourselves is uncommon. AD is almost never deployed new, it's almost always already in place with this stuff already well messed up.
Not that that is GPO's fault, but the way that GPO relies on slow and complicated GUI interfaces makes it so much harder than necessary.
-
OK, the point of easy to read txt files is a huge bonus on the other side.
-
@Dashrender said in Is not bringing PCs in Domain is a sin?:
OK, the point of easy to read txt files is a huge bonus on the other side.
And easy to parse. Searching on where a computer is mentioned or something else is so fast. Even when it isn't a human doing it.
But it's also super easy to put into GitLab, verify changes with another person, roll back changes, check changes over time, copy changes to another environment, review outside of the box (we often do GPO changes remotely so that the GUI becomes slower and less easy to read), etc.
You can make lots of ways with GPO to overcome the limitations, but the fixes are all extra work and only edge you towards the simple benefits of text files. Using DevOps methodologies with GPO is way harder than it needs to be, for example. Totally doable, but not so insanely straightforward.
-
-
Thanks a lot for nice insights.
