Friday, January 14, 2011

Like I said: Scripting vs Group Policy

After consuming a tasty beer and a steak delivered by the hand of God herself (yes, it was *that* awesome) I was thinking about how to frame this topic.  Then it dawned on me that the best way is the simple way.  You know: simple.

** Effecting outbound configuration management: Group Policy

** Collecting inbound configuration data: Scripting

Got it?  Ok, let me try it the complicated and confusing way…

If you want (or need, and let's be honest, it's hard to distinguish between want and need most of the time - isn't it?) to touch a bunch of computers or users to modify settings, lock down things, open up things, add things, take away things, in the registry, files and folders, shortcuts, drive mappings, printer mappings, environment variables, services, networking, screen savers, wallpaper, home pages and favorites, etc. --- then use Group Policy.

If you want or need to scrape data from machines or user sessions, collecting files and registry data, tallying counts of things, installing and patching things, uninstalling and cleaning up things, etc. --- then use Scripting.  And even then, check to be sure there isn't a GPO setting that can do it first.

Oh, and one more thing: DO NOT use Group Policy to install software.  Yes - it's technically feasible.  It's also technically feasible to fornicate with a moose, but you don't do it (at least I hope you don't).

And if you want to grill a steak, don't use scripting or Group Policy.  Use a grill.

3 comments:

Marc C. said...

Group Policy software installs work fine. I have never had a problem in the 7-8 years I have been doing so. Why the concern?

skatterbrainz said...

Yes. Technically they can work fine. Pushing small stuff to a reasonable number of computers. But you get no analytics like SCCM or Altiris, to know what's going on until you listen for the crash at the other end. Also, when techs get excited about the idea and decide to push Office, AutoCAD, Inventor and Adobe CS5 with it and wonder why the network doesn't work anymore. For FileZilla, 7-zip and the like it's ok. But pushing Office 2010 to 5,000 computers in a short time is not recommended via GPO.

Marc C. said...

You are completely correct. I guess I should also say that I am extra careful with GPO driven software deployment and I'm just really jealous I don't have a better (software deployment) tool!