DSC vs. GPO vs. SCCM, the case for each.

This is the showdown, guys. In the world of Windows tooling, which tool do we use?

In this post, we’ll cover the general benefits and pros and cons of SCCM vs DSC, and also consider GPO and MDT as well.

Plenty of people have offered their take on this, including my sempai, Declarative Configuration trailblazer and King Chef of the Realm Steven Murawski. I completely respect his opinion on the matter and encourage you to read it: Murawski – DSC Which Direction Should we Go?

My view differs slightly from my peers in that my background is in Enterprise Client Management, and I’ve been deploying SCCM since 2011 for customers into the tens of thousands of desktops and servers.

However, I also love to code, so maybe my perspective will help the concepts gel for you.

In my mind, this debate is not really about which tool is the one true king to use in all cases, but rather about highlighting the strengths of each and noting when each should be used.  I’ll also describe how you deploy operating systems using each product.

It’s all about the evolution of tooling

First the Earth cooled, then we got GPO

For all practical purposes, the first true large-scale management tool we had for Windows systems in the modern era was Group Policy, or GPO as it is commonly truncated.  This stemmed from Local Security Policy, which is a fancy GUI to control system settings via special registry keys that are locked down from general user editing. Local Security Policy could be shared among systems in a Workgroup, which was a big improvement over setting the same configuration on each system by hand.


Skirting around ‘Deny Remote Desktop Access’ GPO Settings

From time to time, I’ll encounter this issue.  You’re troubleshooting a problem and need to remotely log on to a workstation.  You’ve effectively got the keys to the kingdom, and yet a desktop workstation GPO prevents you from logging on remotely.  Such a bummer!

Fortunately, if we know how GPO works (mostly by applying registry settings under the HKEY_Current_User\Software\Policies and HKLM:\Software\Policies trees, among other places), we can work around this, assuming the appropriate level of permissions.

First, connect to the remote workstation using Computer Management.  Browse to Services and enable the Remote Registry and Remote Desktop Services services.

Next, open Regedit and connect to the remote registry of the target workstation.  Browse to HKLM:\System\CurrentControlSet\Control\Terminal Server and change the REG_DWORD value of fDenyTSConnections to 0 (or 0x00000000 if you love hex).

You should now be able to remote desktop into the workstation.  Depending on how the policies are applied in your domain, however, this will only last until the next policy application period.  Normally you’ll get at least one logon out of it.
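What the workaround above creates is configuration drift: until the next refresh, the value Group Policy pushes and the value live on the workstation no longer agree. The PowerShell below is an added example, not code from the original post, that reads both locations and flags the mismatch, so you can find workstations where fDenyTSConnections was changed out from under policy (whether by you during troubleshooting or by someone you did not expect). It assumes the Deny setting is delivered through the standard Terminal Services policy key shown, that remote hosts accept WinRM for Invoke-Command, and the host names in the usage line are constructed.

```powershell
# Added example (not from the original post): report whether the live
# fDenyTSConnections value has drifted from what Group Policy enforces.
# Assumes the policy value lives under the standard Terminal Services
# policy key and that remote hosts accept WinRM.

function Get-RdpDenyState {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $audit = {
        $livePath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
        $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
        $name       = 'fDenyTSConnections'

        # Either value may be absent; -ErrorAction keeps the read quiet and yields $null.
        $live   = (Get-ItemProperty -Path $livePath   -Name $name -ErrorAction SilentlyContinue).$name
        $policy = (Get-ItemProperty -Path $policyPath -Name $name -ErrorAction SilentlyContinue).$name

        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME   # evaluated on the target when run remotely
            LiveValue    = $live
            PolicyValue  = $policy
            # A policy is in force and the live key disagrees with it: someone
            # edited the key directly, and GPO will put it back on the next refresh.
            Drifted      = ($null -ne $policy) -and ($live -ne $policy)
        }
    }

    if ($ComputerName -eq $env:COMPUTERNAME) {
        & $audit
    } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit
    }
}

# Usage against a constructed list of workstation names; only drifted hosts are shown.
'WS-001', 'WS-002' |
    ForEach-Object { Get-RdpDenyState -ComputerName $_ } |
    Where-Object Drifted |
    Format-Table ComputerName, LiveValue, PolicyValue
```

A host with PolicyValue of $null is simply not under that GPO, so it is never reported as drifted; a host with PolicyValue 1 and LiveValue 0 is exactly the state the post leaves the workstation in, and it is the state worth logging before the next policy refresh quietly erases the evidence.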