VMware Horizon Community
Dempseyy93
Enthusiast

Group Policy, DEM, or both for Physical Environment?

It's been made apparent that our workplace needs to consolidate technologies in order to restructure team responsibilities and eliminate potential conflicts with policy.

We currently use Group Policy and DEM to manage user profiles for the collection/distribution of various application data at logon (see: User Profile Service and VMware DEM Service).

What is the best method of handling this data? Should we stick to one technology, and if so, is DEM capable of solely handling these duties from a user profile perspective?

So far we've run a basic test of the DEM agent in our persistent environment, which successfully pulled down user profile data from the UEM directory without much of a hitch.

If we committed to DEM, will it be capable of handling the full load that Group Policy has previously managed in conjunction with DEM?

9 Replies
DEMdev
VMware Employee

Hi Dempseyy93,

Can you describe that "full load that Group Policy has previously managed" in a bit more detail?

Dempseyy93
Enthusiast

So after the recent meeting, here's some of the queries being thrown DEM's way from the GP guys:

1. Establish whether or not DEM has an all or nothing stance regarding User Policy GPOs

2. User Policy currently configures Security Settings - are these able to be persisted via DEM?

3. The ability to enforce settings currently set in User Policy: if a setting is configured in DEM, does it restrict users from modifying it?

4. Configuration of Admin Templates, is DEM 100% comprehensive in that respect?

5. Folder redirection, and drive mapping

This is a basic overview of queries so far.

Thanks

DEMdev
VMware Employee

Hi Dempseyy93,

  1. Not sure what's meant by "all or nothing" here. DEM's ADMX-based settings "co-exist" with user registry policy settings from GPOs in that DEM will not overwrite existing registry settings in policy keys (i.e. GPO "wins".)
  2. The ADMX-based settings feature only supports registry settings, so no.
  3. The ADMX-based settings feature only supports settings in "official" policy keys. In a default Windows installation, non-admin users have no modify permissions on those keys.
  4. Not sure what's meant here.
  5. DEM can be used to configure Microsoft's folder redirection feature. Note that DEM does not have the option to move existing folder content to the new, redirected location.
    DEM can be used to map drives.
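
The point in item 3 above can be checked on an endpoint. The PowerShell below is an added example, not code from this thread or from VMware: it lists ACL entries on the two standard per-user policy keys that grant write-type rights to any principal other than SYSTEM and Administrators. The function name and the trusted-SID list are assumptions for illustration.

```powershell
# Added example: run in the session of the (non-admin) user being checked.
# Standard Windows per-user policy key locations.
$PolicyKeys = 'HKCU:\Software\Policies',
              'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies'

# Assumption: only SYSTEM and BUILTIN\Administrators should be able to write.
$TrustedSids = 'S-1-5-18', 'S-1-5-32-544'

# Rights that allow changing values, subkeys, the ACL or the owner,
# plus GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000).
$WriteRights = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$WriteMask   = ([int]$WriteRights) -bor 0x40000000 -bor 0x10000000

function Get-PolicyKeyWriteGrant {
    param([string[]]$Path = $PolicyKeys)

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Check the root and every subkey: an ACL can be loosened lower down.
        $keys = @(Get-Item -LiteralPath $root) +
                @(Get-ChildItem -LiteralPath $root -Recurse -ErrorAction SilentlyContinue)

        foreach ($key in $keys) {
            $acl = Get-Acl -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
            if (-not $acl) { continue }

            # Ask for SIDs rather than names so the check is locale-independent.
            $rules = $acl.GetAccessRules($true, $true,
                [System.Security.Principal.SecurityIdentifier])

            foreach ($rule in $rules) {
                $isWrite = ([int]$rule.RegistryRights -band $WriteMask) -ne 0
                if ($rule.AccessControlType -eq 'Allow' -and $isWrite -and
                    $rule.IdentityReference.Value -notin $TrustedSids) {
                    [pscustomobject]@{
                        Key    = $key.Name
                        Sid    = $rule.IdentityReference.Value
                        Rights = $rule.RegistryRights
                    }
                }
            }
        }
    }
}

Get-PolicyKeyWriteGrant | Format-Table -AutoSize
```

An empty result means no principal outside the trusted list holds write access on those keys or their subkeys.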

Dempseyy93
Enthusiast

Thanks for the response, the current Group Policy admins are nitpicking DEM so to save further time answering an array of questions:

Where is the cut off between what DEM can do vs Group Policy? Is it possible to use one and not the other, or do they work best in tandem?

Our ultimate goal is to ensure settings aren't doubling up between the two to prevent a conflict of control, and to create a clear baseline of what tool controls what.

DEMdev
VMware Employee

Hi Dempseyy93,

Makes sense. There's a definite overlap between some of the DEM functionality and Group Policy, so it's good to have clearly defined who's responsible for what.

There are also quite some things that Group Policy can do (computer settings, security configuration, software installation, for instance) that DEM does not – some of that might change over time, but we're definitely not looking to get feature parity with Group Policy.

On the other hand, DEM allows you to do all kinds of things that Group Policy does not support.

Maybe some other forum users can shed some more light on this, by describing how they've implemented this in their environments.

sjesse
Leadership

> There are also quite some things that Group Policy can do (computer settings, security configuration, software installation, for instance) that DEM does not

^^^^^^^^^^^ Feature request :) ^^^^^^

sjesse
Leadership

For user-based settings, make sure the loopback policy is set correctly; it's the "ONLY" GPO I allow over our VDI objects. I set it to replace so anything above is being ignored, and let UEM work on the user settings all on its own. Everything else in virtual desktops is placed in the parent image. We do do a little Group Policy for the physical desktops, but we avoid it if possible; GPO processing is too slow.

DEMdev
VMware Employee

Hi sjesse,

Funny how you "forgot" to quote my "but we're definitely not looking to get feature parity with Group Policy" statement :)

sjesse
Leadership

:( I can keep wishing.... maybe next year. Group policy needs to go the way of the floppy.