
PuppetConf 2016: A Tale of Two Hierarchies: Group Policy & Puppet – Matt Stone, Getty Images


Here are the slides from Matt Stone's PuppetConf 2016 presentation, A Tale of Two Hierarchies: Group Policy & Puppet. Watch the videos at



  1. Group Policy & Puppet: A Tale of Two Hierarchies
  2. Matthew Stone: @matthewstone (Twitter), @souldo (Puppet community stuff), matthewrstone (GitHub)
  3. Let's Talk Group Policy!
     • Why are we using Group Policy?
     • Is it doing what we "need"?
     • Do we understand what it is doing?
     • Do we know it's doing what it's supposed to?
  4. In the beginning…
     Group Policy was the original abstraction layer for Windows configuration management. A single policy setting such as "Specify intranet Microsoft update service location" stands in for these registry values (key!value):
       HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU!UseWUServer
       HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!WUServer
       HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate!WUStatusServer
  5. What DevOps Brings to the Table
     • Offers new patterns and practices for managing infrastructure.
     • Encourages consistent, reliable behaviors.
     • Encourages us to express our infrastructure as code.
     • Encourages us to be transparent in our processes.
     • Encourages us to work together.
  6. Beginning Our IaC Transformation
     • Hybrid environment, half Windows, half Linux.
     • Technology silos are a thing!
     • GOAL: reduce complexity through automation.
     • GOAL: integrate existing products and services.
     • GOAL: build a pipeline from request to delivery.
  7. Our Definition of "Code"
     • All of our infrastructure code should be text based.
     • All of our infrastructure code should be documented.
     • All of our infrastructure code should be versioned.
     • All of our infrastructure code should be "datacenter redundant" and "domain independent".
  8. Our Pipeline
     • Packer: JSON manifest for versioned, up-to-date images.
     • PunchOut: in-house developed API client tool that consumes CSV and converts it to JSON.
     • Phoenix: in-house developed REST API and "box cannon" consuming JSON requests.
     • Puppet: one would assume you already know what this thing does.
  9. Group Policy vs. IaC
     • Group Policy is not text based or version controlled, and it does not align with our other efforts for Infrastructure as Code.
     • Group Policy is strictly tied to the domain, OU and filter from whence it came.
     • For these reasons, having GPO alongside configuration management in a multiple-domain environment can cause inconsistent builds or configuration drift across domains, OUs or WMI filters that aren't visible to other IT workers.
  10. Group Policy != Configuration Management
     • GPO can apply policy changes to configuration. That is true.
     • Lacks 'full stack' capabilities.
     • Lacks 'idempotent' nature.
  11. Puppet Enterprise 2016 Console
     With Puppet Enterprise Console managing all things, we can see a complete overview of everything as it pertains to our system:
     • OS base configuration.
     • Packages being installed.
     • Security settings applied.
     • Application configuration.
  12. Puppet Enterprise 2016 Console
     Gotta love those little green checkmarks.
  13. You might have a group policy problem…
     • As the Windows standard for decade(s), it may have been over-relied on.
     • Hard to track the owner or date of changes unless we can pin them to an external process (change control).
     • You don't have a 'console' experience verifying that things are really as they seem.
     • The owner of the changes may not understand the underlying changes that are being made on the system.
  14. STRATEGERY
     It's not a word.
  15. Actually…
     It…IS A WORD?!??!
  16. STRATEGERY
     It is a word.
  17. I didn't say this was easy…
     • Puppet has a very explicit view of your system.
     • Question the user experience. Don't forklift.
     • Group management is fairly easy.
     • Managing user security policy via Puppet is cumbersome. (secedit?)
     • Local users / groups *is* an option.

     # Slide example: remove the GUI management tools and the GUI shell
     # with the windowsfeature type, passing an array of feature names as the title.
     $features = ['server-gui-mgmt-infra', 'server-gui-shell']
     windowsfeature { $features:
       ensure => absent,
     }
  18. User Rights Assignment
     User rights: ntrights.exe, available in the Windows 2003 Resource Kit.
  19. Group Policy != Security
     • What is your security policy?
     • Think in terms of compliance (HIPAA, SOX, PCI, etc…).
     • Build your security policy around compliance, not registry keys.
     • Think in terms of hardening (CIS).
  20. Windows Updates
     puppetlabs/wsus_client
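As an added example, not part of the slides, here are the three WSUS registry values from slide 4 expressed as Puppet code, in two ways: first as explicit registry_value resources (type from the puppetlabs/registry module), then through the puppetlabs/wsus_client module named on this slide. The WSUS URL and the profile class names are placeholders, and the wsus_client parameter names are as I recall them from the module README (an assumption; check the version you install).

```puppet
# Added example, not from the talk. Option A needs the puppetlabs/registry module
# (registry_value type); option B needs puppetlabs/wsus_client. Declare only one
# of the two classes on a node, since both manage the same values.

# Option A: the raw policy values behind the GPO setting
# "Specify intranet Microsoft update service location", one resource each, so
# the key, value name and data are readable in the manifest and in the report.
class profile::wsus_raw (
  String $wsus_url = 'http://wsus.example.internal:8530',  # placeholder
) {
  registry_value { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer':
    ensure => present,
    type   => dword,
    data   => 1,
  }

  registry_value { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUServer':
    ensure => present,
    type   => string,
    data   => $wsus_url,
  }

  registry_value { 'HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\WUStatusServer':
    ensure => present,
    type   => string,
    data   => $wsus_url,
  }
}

# Option B: the same intent through the module this slide names. It hides the
# key paths, but the result is still text under version control that shows up
# as managed resources in the console.
class profile::wsus_module (
  String $wsus_url = 'http://wsus.example.internal:8530',  # placeholder
) {
  class { 'wsus_client':
    server_url           => $wsus_url,   # assumed parameter name
    enable_status_server => true,        # assumed parameter name
  }
}
```

Either class gives the "who changed this and when" trail that slide 13 asks for: the value, its author and the date are in the commit, and the console reports whether each registry value is in its desired state on every run.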
  21. Execs? Aaaargh!
     • Tools like secedit and auditpol can run as execs.
     • Or…learn to write modules / types and providers!
  22. "but throwing scripts at stuff works great!", said everyone.
     • We want desired state, not 'script ran'. We need to know if it really happened.
     • We want the same metadata that describes a system to configure that system.
     • We really want passwords removed from clear text files.
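An added example for slides 21 and 22 (my code, not the speaker's): the auditpol exec written two ways. The first runs on every agent run and can only report "script ran"; the second carries an unless query that reads the current audit setting, so Puppet reports no change when the state is already correct and a real correction when it is not. It assumes the puppetlabs/powershell module (exec provider powershell) and a Windows agent with auditpol.exe; the resource titles are placeholders.

```puppet
# Added example, not from the talk. Assumes the puppetlabs/powershell module
# (provider => powershell) on a Windows agent. Both resources manage the same
# audit subcategory; they are shown together only for contrast, keep the second.

# Pattern to avoid: no query, so the command runs every time and every report
# shows a change, whether or not anything needed changing.
exec { 'audit-logon-script-style':
  command  => 'auditpol /set /subcategory:"Logon" /success:enable /failure:enable',
  provider => powershell,
}

# Desired-state pattern: the unless query parses auditpol's CSV output and
# exits 0 when the subcategory already reads "Success and Failure". Puppet then
# skips the command, so a clean run reports no change and a drifted host shows
# exactly one corrective event in the console.
exec { 'audit-logon-desired-state':
  command  => 'auditpol /set /subcategory:"Logon" /success:enable /failure:enable',
  unless   => '$r = auditpol /get /subcategory:"Logon" /r | ConvertFrom-Csv; if ($r."Inclusion Setting" -eq "Success and Failure") { exit 0 } else { exit 1 }',
  provider => powershell,
}
```

The same shape (command plus a cheap read-only check) applies to secedit and ntrights.exe from slide 18; when the check gets awkward to express in a one-line query, that is the point at which the slide's other option, a custom type and provider, starts to pay for itself.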
  23. Group Policy != Package Management
     (Screenshot of an installed-programs list, with braces marking who installed each group: "Installed by Chocolatey / Puppet", "Installed by Group Policy", "Installed by a bored ops guy with an idea…", "Installed by puppet / powershell (provisioning tool)", "Installed by Chocolatey / Puppet", "Installed by chocolatey (base template)", and the note "splunk is expensive".)
  24. WHO INSTALLED THIS?!?
     • Was it automation, group policy or a human?
     • Why was it installed? What purpose does it serve?
     • Is there a track record? Perhaps a commit / PR / change request?
     • What's the source of the installation? Web? Network? USB disk?
     • Can we safely remove this mystery thing without impacting the system?
  25. Just use chocolatey already…
     • Chocolatey provides an easy-to-use way to make package management exist on Windows infrastructure.
     • Pro versions give you even more superpowers, like resolving dependencies.
     • We can reduce complexity, like tons of build docs and cross-departmental nitpickery.
     • We can integrate well with puppet, using the Package / File / Service methodology instead of Package / File / Service / Registry / Objects / Files / Rando Command Line Tools.
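As an added example of the Package / File / Service pattern this slide recommends (not code from the talk): a profile that installs an agent through the chocolatey package provider, lays down its config file, and keeps its service running. It assumes the chocolatey/chocolatey module for the provider; the package name, service name, config path and config content are all placeholders I constructed.

```puppet
# Added example, not from the talk. Assumes the chocolatey/chocolatey module
# (package provider 'chocolatey') and a hypothetical Chocolatey package
# 'example-agent' that installs the Windows service 'ExampleAgent' and reads
# C:\ProgramData\ExampleAgent\agent.conf. All of those names are placeholders.
class profile::example_agent (
  String $server = 'collector.example.internal',   # placeholder
) {
  # Package: the pinned version answers "what is installed and why" from
  # version control instead of a build doc or a mystery entry in Add/Remove.
  package { 'example-agent':
    ensure   => '1.2.3',
    provider => chocolatey,
  }

  # File: the same node metadata that selects the class feeds its config,
  # so the description of the system and its configuration stay one thing.
  file { 'C:/ProgramData/ExampleAgent/agent.conf':
    ensure  => file,
    content => "server = ${server}\nlog_level = info\n",
    require => Package['example-agent'],
  }

  # Service: restarted whenever the config changes, reported as drift if stopped.
  service { 'ExampleAgent':
    ensure    => running,
    enable    => true,
    subscribe => File['C:/ProgramData/ExampleAgent/agent.conf'],
  }
}
```

Each of slide 24's questions has an answer in this file: the commit that added the resource says who and why, the Chocolatey source configured on the node says where it came from, and removing it is a change of ensure on one resource rather than archaeology on a screenshot.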
  26. Group Policy != Package Management
     (The same installed-programs screenshot, now with braces marking "Installed by chocolatey / Puppet", "Installed by puppet / powershell (provisioning tool)", "Installed by Chocolatey / Puppet", "Installed by chocolatey (base template)", and the note "splunk somehow got more expensive between slides, but chocolatey/puppet nonetheless".)
  27. Windows as a First Class Citizen?
  28. Windows Modules - Forge vs. DSC
     (Chart comparing the Puppet Forge and the PSGallery.)
  29. Forge v. Gallery - Specialized Areas
     (Chart comparing the Puppet Forge and the PSGallery by specialized area.)
  30. In the future…
     • There is a new world of Windows coming.
     • Docker doesn't care about your group policies.
     • Nano doesn't care about your group policies.
     • Get to know your registry / objects.
     • If you are going to abstract, it should be easy to inspect.
     • Stop dual-managing your Windows infrastructure.
  31. Thank You