After consuming a tasty beer and a steak delivered by the hand of God herself (yes, it was *that* awesome) I was thinking about how to frame this topic. Then it dawned on me that the best way is the simple way. You know: simple.
** Effecting outbound configuration management: Group Policy
** Collecting inbound configuration data: Scripting
Got it? Ok, let me try it the complicated and confusing way…
If you want (or need, and let's be honest, it's hard to distinguish between want and need most of the time - isn't it?) to touch a bunch of computers or users to modify settings, lock down things, open up things, add things, take away things, in the registry, files and folders, shortcuts, drive mappings, printer mappings, environment variables, services, networking, screen savers, wallpaper, home pages and favorites, etc. --- then use Group Policy.
If you want or need to scrape data from machines or user sessions, collecting files and registry data, tallying counts of things, installing and patching things, uninstalling and cleaning up things, etc. --- then use Scripting. And even then, check to be sure there isn't a GPO setting that can do it first.
Oh, and one more thing: DO NOT use Group Policy to install software. Yes - it's technically feasible. It's also technically feasible to fornicate with a moose, but you don't do it (at least I hope you don't).
And if you want to grill a steak, don't use scripting or Group Policy. Use a grill.