Desired State Configuration

DSC vs Group Policy: In Plain English!

Standard

Internet, we meet again!

No, it didn’t take me 14 months to write this article, i just had a bad case of fleas that took a while to shake off (metaphorically, of course).

As you already know, Windows server 2012R2 is already being shipped with the new PowerShell feature/framework: Desired State Configuration. In this article i will list a summary of key differences between group policy and DSC, in ENGLISH.
Microsoft provided us several tools to manage Windows, other than GP and DSC (e.g. SCCM DCM, InTune), but I wanted to compare those two specifically because they are free, mainly.
Enough chit-chat, differences, in no particular order:

  • DSC, by using MOF files (which are not proprietary to Windows), can manage Linux boxes, while group policy (currently) can’t.
  • DSC can use any MOF file created by any future 3rd party product that can potentially leverage DSC as a policy engine.
  • DSC is easy to extend (the only limit is PowerShell’s potency), whereas extending Group Policy can be really daunting.
  • DSC writes all errors in the Windows event logs when things go south, while not all Group Policy settings does that.
  • DSC periodic configuration refresh checks for updates every 15 mins by default, whereas Group Policy’s background refresh can take up to 120 mins.
  • DSC stores the required config and resources locally, so even if there is no network connection, configuration refresh WILL occur, whereas group policy requires connections to AD and SYSVOL to perform its background refresh.
  • DSC config/policy can be applied to workgroup machines, thus your DMZ machines will never be out of shape again, whereas group policy requires the machine to be in an AD domain.
  • DSC, while declarative, does not have any GUI (yet), while group policies GUI is easy to use and well known.
  • DSC is more complex to apply, whereas Group Policy is click-driven.
  • DSC provides centralized triggering of configuration distribution, while Group Policy relies on the GP client to trigger refreshes.
  • Group Policy uses a combination of event-driven (like computer startup and user logon) mechanisms, while DSC does not have anything like it yet.
  • DSC tattooes its changes on the machine, that means when a DSC config item is no longer applied, its changes does not revert back to its original state, whereas “most” Group Policy settings are not tattooed (GPP is another story).
  • DSC scripts is more human-readable than a raw Group Policy file.
  • In my opinion, DSC is more likely to be used on Servers, while Group Policy is still for both servers and clients (excluding perimeter machines).

That’s it, short and simple, I hope you’ve found it useful. Let me know what do you think by leaving a comment below.
Until next year (hopefully not), have a great one!