Will PowerShell DSC kill GPOs?

I think the writing on the wall is clear: DSC will kill GPOs for servers.

If you really think about what a GPO is, it is essentially a big registry hack: a set of registry values (for Administrative Template settings, under the Policies keys in HKLM and HKCU) applied to servers joined to a domain. If you have workgroup servers, as you often do in the cloud or in a DMZ, you know there are a lot of registry keys that need to be changed via PowerShell, or manually with regedit in the worst case.

When you change a GPO, can you really be sure when the server took the registry change? Not really. By default, member servers refresh Group Policy in the background every 90 minutes plus a random offset of up to 30 minutes (domain controllers every 5 minutes), some settings only apply at startup, and in the worst case the change only lands when a reboot is performed. You can run gpupdate /force, but you still have to go and check that it worked.

Now, one of the biggest issues I personally have with GPOs is that you cannot really version control them; sometimes you do not even know who made a change or when. I know there is AGPM (Advanced Group Policy Management), but it is not good enough to keep control and it is a little bit clunky.

The other big issue is when regulators ask you for proof that the policies they require are implemented. Now you have to run gpresult on the servers and collect the results; not only that, but for HIPAA, SOX and PCI compliance you also need documentation of the process.

If you have the policy written as DSC code, that code is your documentation and it is always up to date. You can version control it in a repository such as Git, and you can know for certain whether the policies are applied or not, because the Local Configuration Manager on each node tests the desired state and reports the result.

When using DSC you can make sure the resources are idempotent (applying a configuration a second time leaves the node in the same state, and a node already in the desired state is not touched), and they are pretty easy to write. Look at the following example:



Configuration MODGPO {
    param([string]$NodeVM = 'localhost')
    Node $NodeVM {
        # Title of the logon legal-notice dialog (Interactive logon: Message title)
        Registry LegalNoticeCaption {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'LegalNoticeCaption'
            ValueData = 'This system is protected by State and Federal law'
            ValueType = 'String'
        }
    }
}

Configuration NoLockScreenGPO {
    param([string]$NodeVM = 'localhost')
    Node $NodeVM {
        # "Do not display the lock screen" policy
        Registry NoLockScreen {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
            ValueName = 'NoLockScreen'
            ValueData = '1'
            ValueType = 'Dword'
        }
    }
}


As you can see there are two Registry resources: one to manage the logon banner (the message of the day, or MOD; LegalNoticeCaption is only the dialog title, so in practice you set LegalNoticeText, the banner text itself, alongside it) and the other to stop the lock screen on the node. The only requirement on the servers is PowerShell 4.0 or higher, since DSC and the built-in Registry resource ship with Windows Management Framework 4.0.
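The following is an added example and not code from the original post. It folds the two settings above into a single configuration document, because the Local Configuration Manager keeps one "current" configuration per node: pushing a second MOF replaces the first rather than adding to it, so two separate configurations would leave only the last one under drift detection. It then compiles the MOF, pushes it, and produces the kind of timestamped compliance evidence the post says GPOs make hard to get. The configuration name ServerBaseline, the parameter $NodeVM and the folder $OutDir are my own; it assumes PowerShell 4.0 or higher running elevated on the target server.

```powershell
#Requires -Version 4.0
#Requires -RunAsAdministrator

# Added example (not from the original post): one configuration holding both
# registry policies, plus the banner text that makes LegalNoticeCaption useful.
Configuration ServerBaseline {
    param([string[]]$NodeVM = 'localhost')   # hypothetical parameter name
    Import-DscResource -ModuleName PSDesiredStateConfiguration

    Node $NodeVM {
        # Interactive logon: Message title for users attempting to log on
        Registry LegalNoticeCaption {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'LegalNoticeCaption'
            ValueType = 'String'
            ValueData = 'Authorized use only'
        }
        # Interactive logon: Message text; the caption alone is just a dialog title
        Registry LegalNoticeText {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
            ValueName = 'LegalNoticeText'
            ValueType = 'String'
            ValueData = 'This system is protected by State and Federal law. Activity is monitored.'
        }
        # Do not display the lock screen
        Registry NoLockScreen {
            Ensure    = 'Present'
            Key       = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Personalization'
            ValueName = 'NoLockScreen'
            ValueType = 'Dword'
            ValueData = '1'
        }
    }
}

$OutDir = Join-Path $env:TEMP 'ServerBaseline'   # hypothetical output folder

# 1. Compile the configuration into $OutDir\localhost.mof.
#    Commit the .ps1 to source control, not the generated MOF.
ServerBaseline -NodeVM 'localhost' -OutputPath $OutDir | Out-Null

# 2. Push the MOF to the local LCM and wait for it to finish.
#    -Verbose shows, per resource, whether Test() passed or Set() had to run,
#    which is the idempotency check made visible.
Start-DscConfiguration -Path $OutDir -Wait -Verbose -Force

# 3. Prove the state right now: $true only if every resource's Test() passes.
$compliant = Test-DscConfiguration
Write-Host "Node in desired state: $compliant"

# 4. Timestamped evidence of the last LCM run (WMF 5.0 or later).
Get-DscConfigurationStatus |
    Select-Object StartDate, Type, Status, NumberOfResources, RebootRequested |
    Format-List
```

Running Start-DscConfiguration a second time reports every resource as already in the desired state and changes nothing, which is what idempotent means here. Test-DscConfiguration is available from PowerShell 4.0; Get-DscConfigurationStatus needs WMF 5.0 or later, and on 4.0 the equivalent record is in the Microsoft-Windows-DSC/Operational event log. Re-running step 3 on a schedule, or letting the LCM do it in ApplyAndMonitor or ApplyAndAutoCorrect mode, is what turns the code into the always-current proof the post is after.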

If you want more information about PowerShell DSC you can find some of it here


