In the past year, we've seen Active Directory (AD) finally come off most company's drawing boards and onto their networks. That's good news, but now that we're all using AD, have you noticed what AD doesn't do? And no, I don't mean the obvious forests-are-inflexible complaint; I'd say that it lacks consistency in its administrative tools and, worse, lacks boldness in its attempted scope. Here's what I mean.
First, take Group Policy. It's a neat tool for centrally controlling desktops, if what you want to control happens to have an associated Group Policy Object (GPO). But most things don't. For example, I turn off XP's "network crawler" feature on my systems because it creates unnecessary network chatter through pointless broadcasts. To do so, I open My Computer, navigate to Tools, Folder Options, View, and clear the check box for the first option "Automatically search for network folders and printer."
Simple enough to do? Of course. But I don't want to walk around to individual desktops and manually turn off the feature on each machine. I'd like to create a custom GPO based on the registry setting that corresponds to the "Automatically search for network folders and printer" setting. But I can't do that because it's not a registry entry on its own--it's just part of a registry entry. Wouldn't it be great if this item--and all the other items on the View tab, for example--had corresponding Group Policy settings? Well, it'd be more than great; it would fulfill the promise of Group Policy. Group Policy is supposed to let me control workstations and servers centrally, but it doesn't. Instead, Group Policy lets me centrally exercise some of the control that I have over workstations and servers. For the other tasks, it's worn-out shoe leather and elbow grease.
And Group Policy isn't the only technology that needs to offer more power. Sometimes the command line offers a better way to manage systems, so let me next suggest that anything you can accomplish through a GUI should be possible with Group Policy, as well as through the command line. One of the things that I've always found attractive about Linux is that it lets me turn the GUI on or off, as desired. When I finish performing my administrative tasks on a server, I'd like to be able to turn off the GUI to recapture CPU and RAM and unload the video drivers, a potential source of blue screens. One security best practice is to turn off unnecessary services to reduce the attack surface; what a boon to be able to remove the GUI's potential as an attack surface.
Some of my command-line wishes might soon come true. Longhorn is slated to include Microsoft Scripting Host (MSH), a broad-reaching overhaul of the command line. One part of the MSH team's vision includes a window on the desktop that reveals the command-line equivalent of every GUI button that you click. If this new technology lives up to it's hype, it will be a great tool for learning to use the command line.
AD also gave us a tool for centrally distributing applications such as Microsoft Office and the handful of programs designed to use the Windows Installer (.msi) file format. Unfortunately, few programs appear as .msi files. There are packaging tools available that make existing files into .msi files, but they're either expensive or cumbersome and pointed mainly at deploying applications. And what about drivers? Ask any administrator for a list of the 10 problems he or she would most like to see Microsoft solve, and most will include "Update drivers centrally." Providing that service shouldn't be difficult; it could just be an enhancement to Microsoft Software Update Services (SUS). Let me suggest that Microsoft consider including the following enhancements in Longhorn or, better, in service packs for Windows 2003, Windows 2000, and Windows XP. - 1. Extend Group Policy to support most everything that the GUI exposes. - 2. Extend the command line so that you can use it to accomplish anything you can accomplish through the GUI. - 3. Develop a version of Windows Server with a detachable GUI that would release resources. - 4. Extend software distribution to simplify driver distribution and updates, particularly printer drivers.
Nearly every day, someone asks me for a few killer reasons to upgrade from some version of Windows to another. The truth is that although I like Windows 2003 and XP, they mainly offer a large array of cool, convenient, or desirable features. Wouldn't it be great to have a few Longhorn features that were stone-cold "gotta-have-em" enhancements?
Register
We are planning on rolling out 2003 AD to our office LAN this coming summer. A big improvement over our NT 4.0 network but I totally agree with you in this article. The attractiveness of Linux is the ability to turn off the GUI if not needed. Image how many die hard Linux users would convert to Windows if Microsoft could give us the option to turn off the GUI especially on the server end. Anyways, I always look forward to your articles and to tell you the truth, I am using your "Mastering Windows 2003" to roll it out Windows 2003. A great book!!!
Fabio Vasco June 16, 2004