Convert Group Policy to use PowerShell DSC
I think it's time for an overhaul of Group Policy and GP Preferences. You can still keep the GUI to allow everyone to have something familiar, but I would love to see if Group Policy can be converted to start using PowerShell DSC under the hood. I think this would make things much simpler in terms of deployment and wouldn't require logon/logoff or restarts anymore (unless you wanted a script to run at those times). For everything else like IE/Edge settings, registry settings, mapped drives/printers, desktop backgrounds and such I think having everything exposed in PowerShell would both make it more secure (as we've recently seen with the SMB signing problems) and easier to troubleshoot. It might even make it easier to deploy a Linux version of Group Policy since DSC can work against Linux...
https://github.com/microsoft/baselinemanagement might be useful. It explicitly has “ConvertFrom-GPO”. It doesn’t support all GP resources yet, though.
Hey Anon, if you found it on github that's probably the best place to raise support questions. I'm not familiar with the tool and the owner of it probably isn't looking here, sorry.
I am running into an issue with scan tools. I am building DSC from GPO successfully (Thank you, GitHub) but the scan tools do not see the settings and flag as "opens." I am specifically using a widely used SCAP Compliance tool. Any insight?
Nick Fields commented
Thanks for moving this, I would say most of my frustration is in two areas: The inconsistency with which GP settings are managed (split between Policies and Preferences, which came out of acquisition over a decade ago) and the difficulty even to this day in GP processing/reporting/debugging on clients. For example, take a recent setting "Hardened UNC Paths". I would expect this to be in the Windows Settings\File System or maybe Admin Templates\Filesystem, but instead it's in a new section called Admin Templates\Network\Network Provider all by itself. Most of the "Help" text is in the "Options" section and obscures the actual options that need to be set. Other sections like Admin Templates\System\Removable Storage Access are in their own folder instead of in the Admin Templates\System\Filesystem folder. If there was a little more rhyme or reason to how settings were organized it might make GPOs easier to build and teach others to create/maintain. When it comes to troubleshooting Group Policy, there is the GP Operational Event Log, but many different types of errors are buried in the same event IDs (particularly in the Client Side extensions) and outside of some GUIDs there isn't much to go on in many cases, so your search engine of choice becomes the place to research an error. In PS DSC you do have some of the same situations with event IDs, but you at least have good quality error streams to look at and some modules to help you sift through the data on either a single local or remote system, or more easily pull in logs from a whole bunch of systems on demand to analyze them. I'm not arguing that PS DSC can do everything that Group Policy can do (yet), but I think it's worth exploring if adding some of the things that Sebastian mentions below (logon/logoff triggers, delegation, loopback processing) could have equivalents in PS 6.0 or beyond that would make it worth having PS DSC slide in underneath GP as the "Make it so" engine that I'm always hearing about.
It's okay if nothing ever happens with this idea, but if I could do one thing, could I manage the IE Site to Zone mappings with PowerShell DSC? Our list has I believe around 600 entries in it, and tends to crash the GPMC when we try to save it when we add another site. /rant
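The two settings Nick raises above (IE Site to Zone mappings and "Hardened UNC Paths") expressed as a DSC configuration, added here as an illustration; this is not code from the thread or from any tool named in it. It assumes the built-in Registry resource from PSDesiredStateConfiguration, and the site list is a constructed sample.

```powershell
Configuration IeZoneMapAndHardenedPaths {
    param (
        # Constructed sample list: site URL -> zone number
        # (1 = Local intranet, 2 = Trusted sites, 3 = Internet, 4 = Restricted sites)
        [hashtable] $SiteToZone = @{
            'https://intranet.example.com' = '1'
            'https://portal.example.com'   = '2'
        }
    )
    Import-DscResource -ModuleName PSDesiredStateConfiguration
    Node localhost {
        $inetPolicy = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
        # Flag the GP editor writes alongside the list so the policy-driven zone map is honoured
        Registry 'ZoneMapListSupport' {
            Key       = "$inetPolicy\ZoneMap"
            ValueName = 'ListBox_Support_ZoneMapKey'
            ValueType = 'Dword'
            ValueData = '1'
            Ensure    = 'Present'
        }
        # One Registry resource per site: the value name is the URL, the data is the zone number.
        # Resource names must be unique, so derive a safe identifier from the URL.
        foreach ($site in ($SiteToZone.Keys | Sort-Object)) {
            $id = $site -replace '[^A-Za-z0-9]', '_'
            Registry "ZoneMap_$id" {
                Key       = "$inetPolicy\ZoneMapKey"
                ValueName = $site
                ValueType = 'String'
                ValueData = $SiteToZone[$site]
                Ensure    = 'Present'
            }
        }
        # "Hardened UNC Paths": require mutual authentication and integrity for SYSVOL and NETLOGON,
        # the same registry values the Admin Templates\Network\Network Provider policy writes.
        foreach ($share in 'SYSVOL', 'NETLOGON') {
            Registry "HardenedPath_$share" {
                Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths'
                ValueName = "\\*\$share"
                ValueType = 'String'
                ValueData = 'RequireMutualAuthentication=1, RequireIntegrity=1'
                Ensure    = 'Present'
            }
        }
    }
}

# Compile to a MOF and apply; Test-DscConfiguration then reports drift without changing anything.
IeZoneMapAndHardenedPaths -OutputPath .\IeZoneMap
Start-DscConfiguration -Path .\IeZoneMap -Wait -Verbose
Test-DscConfiguration -Detailed
```

Because each site is its own resource, a 600-entry list just becomes a larger hashtable (or one read from a CSV) rather than a single GPMC dialog, and Test-DscConfiguration shows exactly which entries are missing on a given host.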
Sebastian N. commented
This is just not feasible. Yes, DSC and GPO overlap in some points yet they're entirely different approaches to system management:
GPO/GPPs in particular differ from DSC in that they not only cover system management but also user management which DSC will never be able to achieve. Logon/Logoff triggers, OU links, WMI Filtering, Loopback processing, delegation, AD central store replication are just some of the things that you don't get with DSC.
Hi Nick... if you go to github.com/gpoguy, you will find a script to convert ADMX to DSC resource. It actually goes to a GPO and grabs configured data from Registry.pol and creates DSC resources. Nice little tool and the beginning of what you are looking for. There could be more there to party on and add to. Not only other extensions but additional capabilities. DSC in v5 has some additional capabilities that could be exploited.