July 31, 2018 at 8:03 pm

We've managed to migrate to DSC for 99% of our configuration settings. Unfortunately, we still have to rely on GPOs for user-based settings applied to groups of computers using loopback. It would be really nice to get rid of that last 1%.

Ultimately, GPOs with loopback are changing registry settings for any user that logs into the computer. But I can't find any hint that DSC can do such a thing. Am I missing something? Are there any plans to provide such functionality?

If the answer to both is "no", does anyone have creative solutions? For instance, perhaps my DSC config could create a scheduled task with an "at log on" trigger which would execute as the user who just logged on? Could I make my own DSC module that would somehow modify NTUSER.DAT in C:\Users\Default, and also test/set the same settings in the registry for each existing user profile?


July 31, 2018 at 8:07 pm

DSC wasn't really engineered as a replacement for GP, especially for client computers. So it's not directly capable of user settings – and whatever it does do “tattoos” the registry in a way GP doesn't. I don't know how creative you could get without getting really fragile; a scheduled task would still need to run in the user's context, which is hard to pull off – and wouldn't work the same as DSC. It'd become a real maintenance nightmare.

Can I ask what's bad about GP that you need to replace it? Like, it's absolutely designed to do user settings without being hacky.

July 31, 2018 at 8:39 pm

It's not that GP is bad. We use DSC on many RDS servers and Windows client systems, to which we also have a number of loopback settings applied. So looked at one way, when you consider the list of settings being applied to a list of computers, some settings are applied by GPO and some by DSC. I don't like the inconsistency. For example, when someone asks me, "Do these computers all auto-lock after x minutes of inactivity?" I look in GP, but when someone asks concerning the same computers, "Do they all have Windows Error Reporting enabled?" I look at DSC.

But I suppose that if you look at it another way, we have all user settings in GPO and all machine settings in DSC. But when you use loopback, the waters get muddy.