Tuesday, July 1, 2014

Why you need to manage your GPOs from a Windows 8.1 machine and not with an RDP session to a Server 2012 R2

Inspired by Jeremy Moskowitz and his blog “RSAT is not Evil” (http://www.gpanswers.com/rsat-is-not-evil/), I decided to give my 5 cents on this matter as well.

Most of my customers have adopted a style of administering their GPOs from a central server by establishing an RDP connection to it instead of using RSAT from a Windows 8.1 machine. This applies not just to 8.1 and Server 2012 R2, but I’ll use them as an example. There are positive sides to using a server, of course:

  1. A centralized location which always has the right ADMX files even if no Central Store has been created
  2. No need to install RSAT on workstations

But there are drawbacks as well, which is why I never do it and always use a management workstation instead:

  1. There are only 2 free RDP instances available on a server, while an unlimited number of RSAT installations can be used
  2. The most important: GPMC uses the underlying OS to gather the settings you can administer, even if you have a Central Store or the most up-to-date ADMX files!

Let’s dig into the second one a bit more with an example. Let’s say I have a scenario where my boss asks me to:

  1. Change the startup type of the WebClient service to Disabled to make connections to unknown UNC paths quicker
  2. Only allow the “Weather” Modern App on our Windows 8.1 machines

Here’s how the settings look from a Windows Server 2012 R2 server:

[Screenshots: the settings as shown on the Windows Server 2012 R2 server]

And here’s what it looks like from GPMC installed on a Windows 8.1 machine:

[Screenshots: the same settings as shown in GPMC on the Windows 8.1 machine]
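A pre-flight check for the point above, as an added PowerShell example that is not part of the original post: run it on the machine where GPMC is opened, and it reports whether the local OS has the WebClient service and a Weather app package, and whether a Central Store is reachable. The function name, the `*Weather*` wildcard and the idea that these local checks predict what the editor will offer are assumptions made for this example.

```powershell
# Added example (not from the original post).
# Run on the machine where GPMC is opened, before editing the GPO.
function Test-GpoEditingHost {
    param(
        [string]$ServiceName    = 'WebClient',   # service from the example scenario
        [string]$AppNamePattern = '*Weather*',   # assumed wildcard for the Weather app package
        [string]$Domain         = $env:USERDNSDOMAIN
    )

    $os = Get-CimInstance -ClassName Win32_OperatingSystem

    # Assumption: a service can only be picked in the editor if the local OS knows it.
    $service = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue

    # Assumption: an app rule needs a locally installed package to use as a reference.
    # Get-AppxPackage may be missing on older or stripped-down systems, so test for it.
    $app = $null
    if (Get-Command -Name Get-AppxPackage -ErrorAction SilentlyContinue) {
        $app = Get-AppxPackage -Name $AppNamePattern -ErrorAction SilentlyContinue
    }

    # Central Store location in SYSVOL (only checked when the machine is domain joined).
    $centralStore = $null
    if ($Domain) {
        $centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    }

    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        OperatingSystem   = $os.Caption
        ProductType       = switch ($os.ProductType) {
                                1 { 'Workstation' }
                                2 { 'Domain controller' }
                                3 { 'Server' }
                            }
        ServicePresent    = [bool]$service
        AppPackagePresent = [bool]$app
        CentralStoreFound = [bool]($centralStore -and (Test-Path -Path $centralStore))
    }
}

Test-GpoEditingHost | Format-List
```

A host that reports `CentralStoreFound : True` but `ServicePresent : False` or `AppPackagePresent : False` is the situation described above: the templates are current, yet the local OS still limits what can be administered.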

Cheers,

Sami
