The sorry state of Group Policy Preferences
I have come to the conclusion that Group Policy Preferences, a feature of Windows introduced last year, is simultaneously incredibly useful and diabolically broken.
This will be an uncharacteristic rant for me, because unlike many of my fellow tech bloggers, I have few issues with Microsoft. Sadly, I wasted several hours today grappling with their failings, and for no good reason.
On the one hand, Group Policy Preferences provides an easy-to-use set of features for configuring workstations on a Windows Server network that could previously only be achieved using scripting, which is decidedly not easy-to-use. I started using this functionality very soon after it was released by Microsoft, and became an advocate for it on various technical forums.
Sadly, my experience has exposed a multitude of failings:
- It isn’t reliable. This is sadly typical of products that Microsoft buy in from another company and rebrand. Group Policy Preferences (GPP) started life as a product called PolicyMaker by DesktopStandard, a company which itself went by the name AutoProf until 2005. I’m told that the previous versions were quite reliable. Since the buyout and subsequent integration as a standard Windows feature, that is no longer true. Setting up a user’s ODBC connection, for example, would be an incredibly useful feature, if it ever worked. Even when GPP does work, it logs frequent and spurious error messages to the computer’s Event log.
- Some of the functionality works in completely unintuitive ways. I discovered early on that if you want to filter settings based on the Active Directory security group a computer or user belongs to, you can’t use a nested group. Only direct members of a group are enumerated. This is fundamentally opposed to the very concept of how security grouping works in every other facet of Windows Server. This renders the security group filtering functionality largely useless. It’s also excruciatingly irritating.
- Worst of all, Microsoft seems to be absolutely brain-dead about which of their products includes it. For Windows XP, Server 2003, and Vista, a patch is required to allow workstations to receive the GPP settings from the server. This patch installs automatically using Windows Update. However, when Windows XP Service Pack 3 was released, someone at Microsoft was convinced that the patch was included in the Service Pack, and so Windows Update did not offer the patch to machines running SP3. This was wrong, and meant we had to manually patch every computer we installed after SP3 was released. Microsoft eventually admitted their mistake and corrected it a few months later. That was irritating, but forgivable.
Unfortunately, when Service Pack 2 for Windows Vista was released this April, the exact same thing happened. Worse still, if you try to install the GPP patch on Vista SP2 manually via KB943729, you are told the update does not apply to your system, and can only install it using an unsupported hack. This problem was spotted before SP2 was released to the public. At least one Microsoft MVP knew about it, but apparently that person wasn’t listened to by the development team as they blundered their way into the same screw-up they made a year earlier with XP.
To make such a mistake once is amateur. To make it twice is shameful. This is the sort of idiocy I expect from Adobe and HP, not from Microsoft.
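One way to see the nested-group problem from the second point in concrete terms, as an added example that is not from the original post: the script below compares a user's or computer's direct group memberships (the only ones a direct-only filter sees) with its effective, transitive memberships, and lists the groups a direct-only check would miss. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain-joined session; the function name and its output fields are my own.

```powershell
# Added example (not from the post): compare direct vs. transitive AD group membership
# for a user or computer, to predict which security-group targeting rules will not match.
# Assumes the ActiveDirectory module (RSAT) and a session with read access to the domain.
Import-Module ActiveDirectory

function Get-GppGroupCoverage {
    param(
        # sAMAccountName of a user, or a computer name with its trailing '$'
        [Parameter(Mandatory)][string]$Identity
    )
    $principal = Get-ADObject -Filter "sAMAccountName -eq '$Identity'" -Properties memberOf
    if (-not $principal) { throw "No user or computer with sAMAccountName '$Identity'" }

    # Direct memberships: what a direct-only group filter enumerates.
    # Note: the primary group (e.g. Domain Computers) is never listed in memberOf.
    $direct = @($principal.memberOf | ForEach-Object { (Get-ADGroup $_).sAMAccountName })

    # Effective (transitive) memberships, resolved by the DC with the
    # LDAP_MATCHING_RULE_IN_CHAIN matching rule OID 1.2.840.113556.1.4.1941.
    $dn = $principal.DistinguishedName
    $effective = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
                   Select-Object -ExpandProperty sAMAccountName)

    # Groups reached only through nesting: a direct-only filter will not see these.
    $missed = @($effective | Where-Object { $direct -notcontains $_ })

    [pscustomobject]@{
        Identity             = $Identity
        DirectGroups         = $direct
        EffectiveGroups      = $effective
        MissedByDirectFilter = $missed
    }
}

# Usage (constructed name): Get-GppGroupCoverage -Identity 'WORKSTATION01$'
```

Any group that appears under MissedByDirectFilter is one where the computer or user is a member only via nesting, so a targeting rule on that group will silently not apply.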
The good news? Well, Windows 7 actually does include Group Policy Preferences out of the box, without needing any patch, and it seems more reliable than in previous versions. Hopefully Microsoft have finally stopped treating it like the illegitimate step-brother of regular Group Policy and we can all go back to revelling in how useful it is. For now, however, I’m stuck with a dirty hack in my build process and a bitter taste in the back of my throat.