"Group Policy has a lot of benefits, but when will Microsoft make it simpler to implement and manage?" This reader question sums up the main points raised in response to this month's survey.
Unlike the two technologies I previously surveyed readers about (SharePoint and Windows Rights Management Services—RMS), Group Policy is widely used and its business value is understood. Nearly 84 percent of respondents use Active Directory (AD); of those, 87 percent also use Group Policy. People report that the main benefits of using Group Policy include security and simplifying software distribution and desktop lockdown. Because users know the benefits, the predominant concerns that this month's survey raised about Group Policy revolve around ease of use, increased functionality (including a desire for more Group Policy-enabled applications—for details, see the Web-exclusive sidebar "Group Policy-Enabled Applications," http://www.windowsitpro.com, InstantDoc ID 44098), and ease of Group Policy Object (GPO) and .adm file management. For details of the survey findings and the questions users asked, see the complete survey results in the Interact! area associated with this article on the Windows IT Pro Web site.
I talked about the survey results with Microsoft's Jackson Shaw (product manager, directory services), Michael Dennis (lead program manager, Group Policy and Windows Update Services—WUS), and Mark Williams (program manager, Group Policy). They were enthusiastic about learning from the survey data and acting on it. They also encourage you to use the Windows Feedback site (http://www.windowsserverfeedback.com), which has been the source of product improvement requests that the Group Policy team has implemented. (For details about Windows Feedback, see the Web-exclusive sidebar "Give Microsoft Feedback—and Get a Response?" InstantDoc ID 44097.)
Ease of Use
"Why is Group Policy so hard?" asked one reader. Specifically, readers want to easily see what's going to happen if they apply a GPO and to be able to trace modifications to the default settings and determine which GPO is affecting a setting and how. Readers also asked for reporting tools, better management tools, and search functionality. (The survey also included several requests for more reference documentation for GPOs. Mark addresses this topic in the Web-exclusive sidebar "Group Policy Documentation," InstantDoc ID 44099.)
"A considerable number of the survey responses focus on tasks or scenarios that we addressed directly in GPMC as a result of customer feedback, such as backup and copying of GPOs (within and across domains and forests) and Group Policy reports," Mark explained. Jackson added, "It's clear and surprising to me that we probably need a better story around making sure people know about the GPMC."
Readers feel that the Group Policy Management Console (GPMC) is a good start but still needs improvement. One IT pro commented that "GPMC helps users better deal with the complexity of Group Policy but doesn't solve its inherent complexity."
Michael explained how GPMC addresses readers' ease-of-use concerns. "We developed GPMC in response to customer feedback. It's a single place to manage group policies and who policies affect and why. It has a great reporting mechanism for showing you what's inside a single GPO, but also to provide Resultant Set of Policies (RSoP) information based on AD or an individual machine."
For Windows Server 2003 and Windows XP Professional, GPMC includes a "friendly face on RSoP" called Group Policy Results and Modeling. Michael explained that the tool is "for determining what policy settings are applied in Active Directory, or you can query a particular machine for a particular user and policies to see the settings for that machine and user."
When troubleshooting a problem, many administrators wouldn't think to check whether a GPO might be responsible. If you're diagnosing a problem on a machine, how do you know to check policies? Michael replied that if you're using Group Policy, "you should get into the habit of checking the policy settings and asking whether they could be affecting the thing that you're trying to diagnose. Start there. Use the Group Policy Results and Modeling tool."
Another reader concern was automation of GPO management. "This is precisely what the GPMC Object Model (available on any machine running GPMC) is all about," Mark said. "It provides interfaces for copying, moving, and linking GPOs. One specific scenario that GPMC enables is managing GPOs across domain boundaries. The white paper 'Migrating GPOs Across Domains with GPMC' (http://www.microsoft.com/windowsserver2003/gpmc/migrgpo.mspx) covers this topic."
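The backup and reporting tasks Mark mentions can be scripted against the GPMC Object Model. The following is an added example, not code from the article or from Microsoft: it drives the object model's COM interface (ProgID GPMgmt.GPM) from PowerShell, and the domain name and folder paths are placeholders.

```powershell
# Added example: back up and report on every GPO in a domain through the
# GPMC Object Model. Assumes GPMC is installed and the account running the
# script may read and back up GPOs. Domain and paths are placeholders.
param(
    [string]$DomainName = 'corp.example.com',   # placeholder domain
    [string]$BackupDir  = 'C:\GPOBackups',      # placeholder path
    [string]$ReportDir  = 'C:\GPOReports'       # placeholder path
)

$ErrorActionPreference = 'Stop'
foreach ($dir in $BackupDir, $ReportDir) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

$gpm       = New-Object -ComObject GPMgmt.GPM
$constants = $gpm.GetConstants()
$domain    = $gpm.GetDomain($DomainName, '', $constants.UseAnyDC)

# Empty search criteria match every GPO in the domain.
$gpos = $domain.SearchGPOs($gpm.CreateSearchCriteria())

$inventory = foreach ($gpo in $gpos) {
    $status   = 'OK'
    $backupId = $null
    try {
        # Backup returns an IGPMResult; OverallStatus() throws on failure.
        $result = $gpo.Backup($BackupDir, "Backup $(Get-Date -Format s)")
        $result.OverallStatus()
        $backupId = $result.Result.ID

        # Write the GPO's settings as an HTML report for later review.
        $safeName   = $gpo.DisplayName -replace '[\\/:*?"<>|]', '_'
        $reportPath = Join-Path $ReportDir "$safeName.html"
        $gpo.GenerateReportToFile($constants.ReportHTML, $reportPath) | Out-Null
    } catch {
        # Keep going so one unreadable GPO does not hide the rest.
        $status = "FAILED: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Name     = $gpo.DisplayName
        GpoId    = $gpo.ID
        Modified = $gpo.ModificationTime
        BackupId = $backupId
        Status   = $status
    }
}

# Most recently changed GPOs first: a quick view of what moved since last run.
$inventory | Sort-Object Modified -Descending | Format-Table -AutoSize
```

Run on a schedule, the dated backups and HTML reports give you a record to compare against when you need to trace which GPO changed a setting.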
"Can you make settings intuitive and easier to find?" requested one reader. Another asked, "Will there be a search function so that you can search for a variable you want to change instead of having to know where it is?"
Although Microsoft's policy is not to comment on future product direction, Michael made it clear that his team is taking this request seriously. "That's a great idea and it's understood as a customer requirement." To provide some immediate workarounds, he added, "The Explain text for GPOs is in Help, and Help is searchable. Of course, you have to search in one place (i.e., in Help) and implement the functionality in another, but this is a good tip for searching right now."
Jackson added, "When I have my focus set on a particular security option or GPO setting, I just hit F1, and it takes me right to the Help file for that particular GPO setting."
Going beyond searches, Mark gave another tip about filtering the amount of information you get from Gpedit and limiting results to a specific area. "There are a lot of questions on the newsgroups about filtering. Suppose you want to limit the information you get from Gpedit and just target a particular XP machine. In Gpedit, you can go to the View, Options menu and filter to show only the policy settings you want. You can specify a particular OS or service pack, for example. Suddenly, the information that Gpedit returns becomes much smaller."
I asked why people aren't aware of this functionality, and Mark replied, "It's kind of hidden under the View/Options menu. Maybe that's something we should just make a little more evident."
I was impressed that this group went beyond the typical canned answers and tried to provide practical information. But most refreshing was the group members' honesty about areas for improvement and their commitment to improving their product for users.
.adm File Management
The survey raised several questions about the difficulty of Administrative Template (.adm) file management. In response, Mark admitted, "Frankly, we challenged IT pros with the management of .adm files when we released Group Policy in Windows 2000. The manner in which we released .adm files created problems.
"But, since Windows Server 2003, we've introduced new processes and extended our documentation in this area. First, any .adm file we release will now be a superset of any version shipped in earlier versions of the operating system. By way of example, the Windows XP SP2 .adm files include all the policy settings included in the Windows Server 2003 .adm files plus those new for XP SP2. We've published all versions of these .adm files (for Windows 2000 and later) at http://go.microsoft.com/fwlink/?linkid=31057. And we've created a spreadsheet that lists all Administrative Templates policy settings—see http://go.microsoft.com/fwlink/?linkid=15165. In terms of the manner in which .adm files are handled (by default and when managed through policy settings), see the Microsoft article 'Recommendations for Managing Group Policy Administrative Templates (.adm) Files,' http://support.microsoft.com/default.aspx?kbid=816662.
"For an important note about the impact of the XP SP2 versions of the .adm files, see the article '"The following entry in the [strings] section is too long and has been truncated" Error Message When You Try to Modify or to View GPOs in Windows Server 2003, Windows XP Professional, or Windows 2000' (http://support.microsoft.com/default.aspx?kbid=842933). Finally, we'll soon be releasing a white paper that describes the .adm file syntax in detail so that you can create your own .adm files."
Complex and Powerful, but Hard
Microsoft prides itself on being a data-driven company, and this column is meant to gauge what readers need so that we can give Microsoft product teams data that they can act on. In the case of Group Policy, what readers want Microsoft to know is that they're using this powerful but complex technology and want to use it more widely. But it's hard!
One reader said it all: "Please, make it more straightforward!" Another reader asked, "Why is it so complex? There are too many options and I am concerned about crippling all my clients with an incorrect setting."
The good news is that the Group Policy team is eager to hear what users want, even if some customer comments are less than positive. Michael and his team are not only open to feedback, incorporating it into their technology as soon as they can, but also actively solicit input.
They also want to help you while they work on implementing improvements. Michael and the team gave me more information than I can put into print, so I invite you to check out this column's online Interact! area and look at Mark's "Group Policy Tips and Tricks" PowerPoint presentation from Microsoft TechEd 2003. You'll also find an audio recording of our conversation, the complete survey results, and an Instant Poll about RSoP.
Please let me know what you think about this column, and don't forget to post your suggestions for Microsoft to the Windows Feedback site. Also, I invite you to test your AD and Group Policy skills in the IT Prolympics at http://www.windowsitpro.com/prolympics. And please tell me what other Microsoft technologies you'd like me to explore in upcoming columns.