So after the recent meeting, here are some of the queries being thrown DEM's way from the GP guys:
1. Establish whether or not DEM has an all or nothing stance regarding User Policy GPOs
2. User Policy currently configures Security Settings - are these able to be persisted via DEM?
3. The ability to enforce settings currently set in User Policy: if a setting is configured in DEM, does it restrict users from modifying it?
4. Configuration of Admin Templates, is DEM 100% comprehensive in that respect?
5. Folder redirection, and drive mapping
This is a basic overview of queries so far.
- Not sure what's meant by "all or nothing" here. DEM's ADMX-based settings "co-exist" with user registry policy settings from GPOs in that DEM will not overwrite existing registry settings in policy keys (i.e. GPO "wins".)
- The ADMX-based settings feature only supports registry settings, so no.
- The ADMX-based settings feature only supports settings in "official" policy keys. In a default Windows installation, non-admin users have no modify permissions on those keys.
- Not sure what's meant here.
- DEM can be used to configure Microsoft's folder redirection feature. Note that DEM does not have the option to move existing folder content to the new, redirected location.
DEM can be used to map drives.
Thanks for the response, the current Group Policy admins are nitpicking DEM so to save further time answering an array of questions:
Where is the cut-off between what DEM can do vs Group Policy? Is it possible to use one and not the other, or do they work best in tandem?
Our ultimate goal is to ensure settings aren't doubling up between the two to prevent a conflict of control, and to create a clear baseline of what tool controls what.
Makes sense. There's a definite overlap between some of the DEM functionality and Group Policy, so it's good to have clearly defined who's responsible for what.
There are also quite some things that Group Policy can do (computer settings, security configuration, software installation, for instance) that DEM does not – some of that might change over time, but we're definitely not looking to get feature parity with Group Policy.
On the other hand, DEM allows you to do all kinds of things that Group Policy does not support.
Maybe some other forum users can shed some more light on this, by describing how they've implemented this in their environments.
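One way to build the "who controls what" baseline discussed above, as an added example that is not part of the original thread or of DEM itself: it compares two inventories of user registry settings and flags values that both tools set (where, per the answer above, the GPO value wins) and DEM entries outside the policy keys. The function names, the inventory shape, the ExampleVendor sample values and the choice of the two standard Windows user policy trees as the "official" keys are assumptions.

```powershell
# Standard Windows user policy trees (assumed to be the "official" policy keys meant above).
$PolicyRoots = @(
    'HKCU\Software\Policies\',
    'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\'
)

function Test-PolicyKey {
    param([string]$Key)
    # Normalise to a trailing backslash so "...\Policies" itself also matches.
    $k = $Key.TrimEnd('\') + '\'
    foreach ($root in $PolicyRoots) {
        if ($k.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

function Compare-PolicyOwnership {
    param([object[]]$GpoSettings, [object[]]$DemSettings)
    # @{} compares string keys case-insensitively, matching registry path semantics.
    $gpoIndex = @{}
    foreach ($s in $GpoSettings) { $gpoIndex["$($s.Key.TrimEnd('\'))\$($s.Name)"] = $s }
    foreach ($s in $DemSettings) {
        $id = "$($s.Key.TrimEnd('\'))\$($s.Name)"
        $inGpo = $gpoIndex.ContainsKey($id)
        $status = if (-not (Test-PolicyKey $s.Key)) {
            'OutsidePolicyKeys'   # not something the ADMX-based feature covers
        } elseif ($inGpo) {
            'OverlapGpoWins'      # both tools set it; the existing GPO value is kept
        } else {
            'DemOnly'
        }
        [pscustomobject]@{
            Setting = $id
            DemData = $s.Data
            GpoData = if ($inGpo) { $gpoIndex[$id].Data } else { $null }
            Status  = $status
        }
    }
}

# Constructed sample inventories (placeholders, not exported from a real environment).
$gpo = @(
    [pscustomobject]@{ Key = 'HKCU\Software\Policies\ExampleVendor\App'; Name = 'LockToolbar'; Data = 1 }
)
$dem = @(
    [pscustomobject]@{ Key = 'hkcu\software\policies\examplevendor\app'; Name = 'LockToolbar'; Data = 0 },
    [pscustomobject]@{ Key = 'HKCU\Software\Policies\ExampleVendor\App'; Name = 'HideMenu'; Data = 1 },
    [pscustomobject]@{ Key = 'HKCU\Software\ExampleVendor\App'; Name = 'Theme'; Data = 'dark' }
)
Compare-PolicyOwnership -GpoSettings $gpo -DemSettings $dem | Format-Table -AutoSize
```

Rows marked OverlapGpoWins are the ones to assign to a single owner in the baseline.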
There are also quite some things that Group Policy can do (computer settings, security configuration, software installation, for instance) that DEM does not
^^^^^^^^^^^Feature request ^^^^^^
For user-based settings, make sure the loopback policy is set correctly; it's the "ONLY" GPO I allow over our VDI objects. I set it to replace so anything above is being ignored, and let UEM work on the user settings all on its own. Everything else in virtual desktops is placed in the parent image. We do do a little group policy for the physical desktops, but we avoid it if possible; GPO processing is too slow.
I can keep wishing.... maybe next year. Group policy needs to go the way of the floppy.