ACT I: Introduction
In my mind, one of the things that put Windows over the top in the (cough) post Windows NT4 era was the ability to manage it with this new phenomenon called "Group Policy". If anyone remembers the days of using logon scripts (some still do), AT commands (anyone remember Kixstart?), SMS, and other various methods to manage systems. At Windows 2000, Group Policy was introduced.
So, Group Policy is a great management tool, but nothing's free. With the managability of Group Policy comes the overhead of applying it. So, here's a couple of good practices that really can make this process of cleaning AD a bit easier and make sense of it. I'm not going to go into Group Policy, how it works or even how to troubleshoot it in this blog. I do intend to challenge your thinking on how to implement it.
ACT II: The Disclaimer
Before I get started, some may (as one customer called it) get "butt-hurt" by this blog. Simply put, there is no perfect implementation of Group Policy as there truly is no gold standard how to implement it. If you're reading this blog to challenge your thinking, search out some new ideas, or just outright stalking my digital footprint, this blog is for you. If you're going to stonewall or be critical of this blog, it's just going to upset you, so you may as well click on something else.
I've seen several customer environments and have heard about everything such as "but we're different", "this is just how we do things", "you just don't get it". The simple truth is that the code doesn't function any differently for you than others and the rules of Group Policy are universal, meaning they won't implement differently for you than others, even though your results may vary. Then the classic "Management wants it this way, our hands are tied." That may be true and is the most difficult scenario, but you are also paid for your expertise. See if you can build them a proof of concept and put it in action.
ACT III: The Why and How Appear
But why look into all these settings and thin them down when they work fine as it is? Simply put, I've run into many scenarios where customers were unhappy with the performance of Windows 7 and 8, revolving around Group Policy. They then decide to implement Windows 10 like a 5 year old, and yes, some may be "butt-hurt" here. But a 5 year old will get all muddy playing outside, take a shower, and put their old dirty and smelly clothes back on. So, compare this to the standard "Corporate image", where a brand new Windows 10 install is used and topped with the same old dirty and smelly GPOs that were causing grief in the first place. This is the insanity and madness I hope this blog helps you avoid.
Some general practices
First and foremost, you have to eat your own dogfood. If you are pushing policies onto systems and users that you won't use yourself, then make it right for them and use it yourself. As an IT person, you are a service oriented individual. Don't serve a dish you're not willing to eat yourself.
Use WMI Filters: WMI filters are a great tool to really make the experience flexible. For example: Joe the IT guy needs to keep environments consistent. He logs into a Windows 7 system as his test machine to repro a user issue but uses Windows 10 as his regular desktop. He should have separate policies to do this, so that he applies Windows 7 policies to a Windows 7 system, and Windows 10 policies to a Windows 10 system. He can then experience consistently what the user he is trying to help experiences.
Use the description fields: Let's be honest here, IT people in general aren't big on documentation, and never have been (yes, there are some of you who love it). But, using these description fields effectively will provide critical information who/why/when something was added to a policy. Also, want an easy documentation tool? Simply go to the policy in GPMC, right click the GPO and "Save Report". This will produce a report (that debatably needs a little cleaning) ready for documentation.
Use AGPM: AGPM or "Advanced Group Policy Management" is a tool that assists in versioning and securing changes to Group Policy. It is part of MDOP, the Microsoft Desktop Optimization Pack. This will allow admins to modify GPO, send it to someone else for approval, and deployment. Or even have the same guy do all 3. It's worth it to keep all these versions of GPOs for easy rollback and comparison.
ACT IV: The Case for the User
So why change settings at all? Simply put, the world of Corporate IT has changed a lot since the PC has become widespread. It used to be "If we allow a user to do this, they're going to screw something up and we'll have to go bail them out and fix them". In the older days, computers weren't as common in the home like they are today, and today, it is almost surprising if a user doesn't have some type of computer at home. I challenge that a huge shift has taken place since that old way of thinking in that most users are much more savvy than before, they know how to do more and know how to work on a computer. In some cases, Windows 10 really changed the game in that most users went to it far before businesses adopted it and became used to it. So, I would turn the table here and say that by not allowing a function/setting or a user to do something that they can do on their home PC may generate more calls. Don't be surprised if some of the end users these days can take helpdesk people to school with their knowledge.
Users like the "personal" in personal computer, and many users are smart enough to fix their own issues. Do note I didn't say "let users install anything they want in Windows", that has always been a recipe for increased calls. Does it matter a user has a different color scheme or that their background is made of personal pictures to Hawaii? Does it matter their screen saver is set to Mystify and not Slideshow, or likewise? Let users enjoy these devices and configure them how they want, they do interact with these systems probably more than anyone or anything else at work.
ACT V: The Actual Settings
This will be the painful part, but not as hard as it sounds, some of you may wind up completely tearing down and rebuilding your policies. What you want to do here is simply create a report that contains all of your settings (remember the Save Report trick above). From here, you need to group all of your GPO settings into one of 3 categories. Of course, these are relative to your model, and your business, but be honest with yourself about which setting belongs in which category.
Category 1: Business Critical settings are the most important of all. They can be mandated by the business on a sparing basis and will cause the business damage and a risk to security if not implemented. Some examples of this are logon banners (more from Legal or HR), forcing company policy on drive encryption, or screen savers.
Category 2: Personal Preference and Pet Peave is a tough one. We all love things set up a certain way, and honestly we're all guilty of it (set GPO to suit our likes and needs). Yes, I am talking to you, administrator that is in denial at the moment. 🙂 But seriously, there are some awful settings to me that I'd never use, for example the combination of File Explorer's file preview and single click to open. I would GPO people out of it to keep myself from seeing it, but why? If it makes them happy and productive, let them use it. It's like this, if someone likes liver, sardine, and prune sandwiches, it's not like you have to eat it (and hopefully won't have to smell it).
Category 3: It was like that when I got here is the hardest of them all. The argument is that they don't know what may break if they take it off, and I can counter with them not knowing what it may fix. It could be nothing, honestly. One thing is for sure, less to process means less overhead. This is what testing is for. You may not know who did it or when, but if you sense it is as critical, document it in Description. If you can't justify it, test taking it out.
Along the way, don't forget to document in the description fields.
ACT VI: The Fix and Conclusion
As you go through those categories of settings, if it doesn't fit in Category 1, it's worth the chop (Category 3 takes a little more TLC). But, this is your chance to clean things up, make new policies and really take that Windows Deployment to the next level, and by the way, you server guys - this applies to you too.
Having 10,000 settings at your disposal doesn't mean you have to set them all. Some of this may feel like the IT equivalent of the TLC spinoff "Hoarders: Group Policy". Folks, let go of the past and clean policy for the future. I hope you found this blog to be useful and informative, it was a long one.
— Easy link to my blog: http://aka.ms/leesteve —
If you like my blogs, please share it on social media and/or leave a comment.