9 Replies Latest reply on Nov 26, 2019 12:14 PM by sjesse

    Group Policy, DEM, or both for Physical Environment?

    Dempseyy93 Novice

      Its been made apparent that our workplace needs to consolidate technologies in order to restructure team responsibilities and eliminate potential conflicts with policy.

       

      We currently use Group Policy, and DEM to manage user profiles for the collection/distribution of various application data at logon (see: User Profile Service, and VMware DEM Service)

       

      What is the best method of handling this data? Should we stick to one technology, and if so, is DEM capable of solely handling these duties from a user profile perspective?

       

      So far we've ran a basic test of the DEM agent in our persistent environment which successfully pulled down user profile data from the UEM directory without much of a hitch.

      If we committed to DEM, will it be capable of handling the full load that Group Policy has previously managed in conjunction with DEM?

        • 1. Re: Group Policy, DEM, or both for Physical Environment?
          DEMdev Master
          VMware Employees

          Hi Dempseyy93,

           

          Can you describe that "full load that Group Policy has previously managed" in a bit more detail?

          • 2. Re: Group Policy, DEM, or both for Physical Environment?
            Dempseyy93 Novice

            So after the recent meeting, here's some of the queries being thrown DEM's way from the GP guys:

             

            1. Establish whether or not DEM has an all or nothing stance regarding User Policy GPO's

            2. User Policy currently configures Security Settings - are these able to be persisted via DEM?

            3. The ability to enforce settings currently set in User Policy, if a settings is configured in DEM, does it restrict users from modifying

            4. Configuration of Admin Templates, is DEM 100% comprehensive in that respect?

            5. Folder redirection, and drive mapping

             

            This is a basic overview of queries so far.

             

            Thanks

            • 3. Re: Group Policy, DEM, or both for Physical Environment?
              DEMdev Master
              VMware Employees

              Hi Dempseyy93,

               

              1. Not sure what's meant by "all or nothing" here. DEM's ADMX-based settings "co-exist" with user registry policy settings from GPOs in that DEM will not overwrite existing registry settings in policy keys (i.e. GPO "wins".)
              2. The ADMX-based settings feature only supports registry settings, so no.
              3. The ADMX-based settings feature only supports settings in "official" policy keys. In a default Windows installation, non-admin users have no modify permissions on those keys.
              4. Not sure what's meant here.
              5. DEM can be used to configure Microsoft's folder redirection feature. Note that DEM does not have the option to move existing folder content to the new, redirected location.
                DEM can be used to map drives.
              1 person found this helpful
              • 4. Re: Group Policy, DEM, or both for Physical Environment?
                Dempseyy93 Novice

                Thanks for the response, the current Group Policy admins are nitpicking DEM so to save further time answering an array of questions:

                 

                Where is the cut off between what DEM can do vs Group Policy? It is possible to use one and not the other, or do they work best in tandem?

                 

                Our ultimate goal is to ensure settings aren't doubling up between the two to prevent a conflict of control, and to create a clear baseline of what tool controls what.

                • 5. Re: Group Policy, DEM, or both for Physical Environment?
                  DEMdev Master
                  VMware Employees

                  Hi Dempseyy93,

                   

                  Makes sense. There's a definite overlap between some of the DEM functionality and Group Policy, so it's good to have clearly defined who's responsible for what.

                   

                  There are also quite some things that Group Policy can do (computer settings, security configuration, software installation, for instance) that DEM does not – some of that might change over time, but we're definitely not looking to get feature parity with Group Policy.

                  On the other hand, DEM allows you to do all kinds of things that Group Policy does not support.

                   

                  Maybe some other forum users can shed some more light on this, by describing how they've implemented this in their environments.

                  • 6. Re: Group Policy, DEM, or both for Physical Environment?
                    sjesse Master
                    vExpert

                    There are also quite some things that Group Policy can do (computer settings, security configuration, software installation, for instance) that DEM does not

                    ^^^^^^^^^^^Feature request ^^^^^^

                    • 7. Re: Group Policy, DEM, or both for Physical Environment?
                      sjesse Master
                      vExpert

                      For user-based setting make sure the loopback policy is set correctly, its the  "ONLY" gpo I allow over our vdi objects. I set it to replace so anything above is being ignored, and let UEM work on the user settings all on its own. Everything else in virtual desktops is placed in the parent image. We do do a little group policy for the physical desktops, but we avoid it if possible, gpo processing is too slow.

                      • 8. Re: Group Policy, DEM, or both for Physical Environment?
                        DEMdev Master
                        VMware Employees

                        Hi sjesse,

                         

                        Funny how you "forgot" to quote my "but we're definitely not looking to get feature parity with Group Policy" statement

                        • 9. Re: Group Policy, DEM, or both for Physical Environment?
                          sjesse Master
                          vExpert

                          I can keep wishing.... maybe next year. Group policy needs to go the way of the floppy.