In case you hadn’t seen it, an article came out last week on Betanews reporting that Microsoft will be removing GPMC (Group Policy Management Console) from Vista when SP1 ships. The story was blogged heavily, but I have yet to see a single blog that talked about the gross inaccuracies in the article by its author, Scott Fulton. Scott has his facts about GP and GPMC so wrong that I have to wonder why he was reporting on GPMC in the first place. He even quoted my friend and fellow Group Policy MVP Derek Melber, who didn’t know he was being quoted for this article! I find that just the slightest bit lame, though I suppose it’s common practice these days.
In any case, rather than focusing on the errors in the article right now (I’ll get to those in a bit), I think it’s worth talking about the decision itself. It’s funny, because this probably falls into one of those "damned if you do, damned if you don’t" categories for Microsoft. Back when GPMC first shipped, out-of-band from the OS, I’m sure Microsoft heard complaints that it should be in the OS, since it had become such a crucial part of managing GP for many shops. So they did the most logical thing and put it in the box in Vista. But doing that meant GPMC became part of the behemoth that is the operating system release cycle at Microsoft, which has obvious limitations if you know how glacially things move when it comes to OS revs. Once inside the OS, the team could no longer rev GPMC and ship enhancements on its own schedule. Everything had to be tied to OS releases, which aren’t exactly snappy, if you hadn’t noticed.
In addition, I’m sure more than a few large customers pointed out that having GPMC on every Vista install presented some…er…uncomfortable risks. Namely, in order for a user or computer to process a GPO, that security principal has to be granted Read (and Apply Group Policy) permission on it, and by default a new GPO grants both to Authenticated Users. No biggie; it’s not like they can edit them. But with GPMC installed on every desktop, any user with ordinary, non-administrative rights in the domain can open GPMC and browse the settings of every GPO they have read access to! Further, they can back up all of those GPOs to, say, a USB key and hand the backups to their friendly neighborhood hacker, who now has a pretty good picture of the security configuration of the AD environment (in the worst-case scenario, that is).
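To make that exposure concrete, here is an added audit script (mine, not from the original post or from Microsoft) that lists, for every GPO in the domain, which trustees can read it and flags the ones readable by broad groups. It assumes the GroupPolicy PowerShell module (the one that ships with GPMC/RSAT) is installed on the management workstation you run it from, that the caller can read the GPOs, and that the list of "broad" group names below matches your domain; the function name `Get-GpoReadExposure` is my own.

```powershell
Import-Module GroupPolicy

# Trustees whose Read right effectively means "every account in the domain".
# Assumed list; add any catch-all groups your own domain uses.
$broadTrustees = @('Authenticated Users', 'Everyone', 'Domain Users')

function Get-GpoReadExposure {
    param([string]$Domain = $env:USERDNSDOMAIN)

    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        # -All returns one entry per trustee with its highest permission level
        # (GpoRead, GpoApply, GpoEdit, GpoEditDeleteModifySecurity). Explicit
        # denies are dropped so only principals who can actually read remain.
        $perms   = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
                   Where-Object { -not $_.Denied }
        $readers = $perms | ForEach-Object { $_.Trustee.Name }
        $broad   = $readers | Where-Object { $broadTrustees -contains $_ }

        [pscustomobject]@{
            DisplayName     = $gpo.DisplayName
            Id              = $gpo.Id
            # The file half of the GPO lives here and needs no GPMC to read.
            SysvolPath      = "\\$Domain\SYSVOL\$Domain\Policies\{$($gpo.Id)}"
            Readers         = ($readers -join '; ')
            ReadableByBroad = [bool]$broad
        }
    }
}

# Show the GPOs any domain account can read first. Expect most of them to be
# flagged: Read+Apply for Authenticated Users is the default and is what makes
# policy processing work at all.
Get-GpoReadExposure | Sort-Object ReadableByBroad -Descending |
    Format-Table DisplayName, ReadableByBroad, Readers -AutoSize
```

Two caveats when you read the output. First, the report will flag nearly every GPO, because a GPO that is not readable by the users it targets cannot be applied to them; the useful question is whether anything sensitive (scripts, paths, account names in a logon script, and so on) sits in a GPO that every account can read. Second, not installing GPMC on desktops only removes the convenient browse-and-backup UI: the SYSVOL folder shown in the `SysvolPath` column is readable by Authenticated Users by default, so a determined user can still copy the raw policy files with nothing more than `robocopy`. Treat the GPMC decision as removing an easy path, not as access control.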
So, bottom line, I think it’s a good idea, for the reasons I’ve mentioned and probably a few others, that GPMC will not ship in the OS and will require some kind of separate administrative install.
Now, to the Betanews article and the inaccuracies that would lead one to believe that removing GPMC from the OS is tantamount to going back to NT 4. Let’s see, where to begin…ok, how about this one:
Scott writes, "In fact, Microsoft’s explanation appears to kick the whole notion of GPO ubiquitousness out the window, replacing it with its 1990s viewpoint that system security is best achieved when the tools everyday users are given are too difficult for them to bother with.
That conclusion can be drawn through the resumed reliance upon GPEDIT.MSC as the sole GPO mechanism in Vista."
Darren scratches his head incredulously and asks, "HUH?" Removing GPMC from Vista does absolutely nothing to reduce the manageability of GP. It just means that administrators have to explicitly download it. It will run on Vista and on Server 2008. The second part of his sentence is just bizarre. GPEdit.msc is just an MMC console hosting the Group Policy Object Editor snap-in, and by default it is focused on the local GPO. It has absolutely nothing to do with the presence or absence of GPMC. In fact, with no GPMC installed on a system today, you can still launch GP Editor focused on an AD GPO fairly easily (gpedit.msc accepts a /gpobject: switch that takes the GPO’s LDAP path; see the FAQ item in the General section of my site: http://www.gpoguy.com/FAQs.htm#General), if you know what you’re doing. They are two different tools, as anyone who has used them knows.
Here’s another classic, "In other words, it will be considered more appropriate to edit and manage GPOs through Windows Server. That means a big network with an AD domain or forest. It also means, please don’t expect to effectively manage a small network using Vista alone."
Darren continues to shake his head in wonder and notes that, again, GPMC will still be available for Vista; it will just be a separate install. So, no, no one is telling you that you have to run GPMC on Windows Server. The part about small networks is simply inaccurate, too. GPMC does and always has required AD to work; you simply can’t use it on non-AD networks, with or without Vista. If you don’t have AD, you have to touch the local GPO on each machine by hand to make configuration changes, and that was true long before GPMC existed.
There are so many other basically wrong statements about general GPO function earlier in the article that it’s a wonder to me this thing even got published. In any case, the news is out, so what do you think? Does it matter to you that GPMC will no longer be on every Vista system you roll out?