1

I am looking for a way to manage Group Policy across a number of domains, some in the same forest and others in separate forests. I haven't seen this done before and can't find anything around the DevOps space to say it could be done via DSC or some other tool.

Essentially, what I am trying to do is get consistency across multiple domains and have a uniform way to apply it to all. This is in preparation for applying a group of CIS-related tweaks to approximately 6 domains.

Would DSC be ideal for this?

Laywah

1 Answer

0

This is a great question. We maintain a set of baseline Group Policy Objects that contain settings shared between multiple domains and use our configuration management process to ensure they are updated together once changes are tested and approved. The GPO update in each domain isn't automated. Changes are tested first before exporting the settings and importing into each domain.

Depending on the expected impact, we may want to deploy the change systematically rather than all at once. And we may need to coordinate the change with down-level customers. Having this automated would be nice, but we wouldn't have as much control over the deployment. It is very rare to make such changes in a stable production environment, but when you do, it should be carefully controlled.

I am curious to hear how others manage it. DSC can do nearly anything, as long as you develop it.

twconnell
  • Thanks for the advice. Have you looked into using https://docs.microsoft.com/en-us/powershell/scripting/dsc/quickstarts/gpo-quickstart?view=powershell-6 ? Is this how you're using Configuration Management? – Laywah Dec 15 '19 at 22:52
  • No, we have not replaced Group Policy with DSC. Still doing things old school ;) – twconnell Dec 20 '19 at 16:07
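
The export-then-import workflow described in the answer can be scripted with the GroupPolicy module while keeping each domain's import a separate, confirmable step. This is an added example, not code from either poster; the GPO name, domain names and paths are placeholders, and it assumes the account running it can edit GPOs in every target domain (for separate forests, run it per forest or over a trust).

```powershell
#Requires -Modules GroupPolicy
# Added example: all default values below are placeholders (assumptions), not from the thread.
[CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
param(
    [string]   $GpoName       = 'Baseline - CIS Workstation',
    [string]   $SourceDomain  = 'lab.example.com',          # where the change was tested
    [string[]] $TargetDomains = @('corp.example.com', 'emea.example.com'),
    [string]   $BackupRoot    = 'C:\GpoBaseline',
    [string]   $MigrationTable   # optional .migtable mapping principals/UNC paths per domain
)

$ErrorActionPreference = 'Stop'
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$path  = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $path | Out-Null

# 1. Export the tested baseline GPO from the reference domain.
$backup = Backup-GPO -Name $GpoName -Domain $SourceDomain -Path $path -Comment "Baseline export $stamp"

foreach ($domain in $TargetDomains) {
    # 2. Before touching a domain, keep a rollback backup and a report of its current settings.
    $existing = Get-GPO -Name $GpoName -Domain $domain -ErrorAction SilentlyContinue
    if ($existing) {
        $rollback = Join-Path $BackupRoot "$stamp-rollback-$domain"
        New-Item -ItemType Directory -Path $rollback | Out-Null
        Backup-GPO -Guid $existing.Id -Domain $domain -Path $rollback | Out-Null
        Get-GPOReport -Guid $existing.Id -Domain $domain -ReportType Xml -Path (Join-Path $rollback 'before.xml')
    }

    # 3. Import one domain at a time; ConfirmImpact=High prompts per domain, -WhatIf previews.
    if ($PSCmdlet.ShouldProcess($domain, "Import '$GpoName' from backup $($backup.Id)")) {
        $importArgs = @{
            BackupId = $backup.Id; Path = $path; TargetName = $GpoName
            Domain   = $domain;    CreateIfNeeded = $true
        }
        if ($MigrationTable) { $importArgs.MigrationTable = $MigrationTable }
        $gpo = Import-GPO @importArgs

        # 4. Record the result so the change can be diffed against before.xml and audited.
        Get-GPOReport -Guid $gpo.Id -Domain $domain -ReportType Xml -Path (Join-Path $path "after-$domain.xml")
        Write-Output "Imported into $domain (GPO $($gpo.Id), modified $($gpo.ModificationTime))"
    }
}
```

Import-GPO replaces the target GPO's settings but does not create or change GPO links, so where the baseline applies in each domain stays under that domain's control.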