Ansible and Windows Project

Hi Ansible Community,

It is my first post here. I am coming to get more information about Windows management with Ansible.

I have been using Ansible for about a year now, and I am able to manage Windows over WinRM with certificate authentication. My playbooks manage the initial setup for all of the Windows servers (create the ansible user, set DNS, join AD, add AD users to Local Administrators).

What I am wondering about is GPOs. We can agree that all GPOs or LGPOs are linked to registry keys in Windows.

At this point I am at a crossroads. Where I work, we don’t have extensive GPOs from the domain controller, and our structure is not built around a central Domain Controller. At this point we have maybe 4-5 environments running a Domain Controller with Simple AD in AWS or AD in AWS. We are looking at potentially having many more in the future. We are also at a point where we need to securely configure applications, users and other things. Usually, I would just go and make GPOs, but we can also agree that GPOs can become repetitive and time-consuming, as it is manual through the GPO manager or AGPM. There is no way I can have a central AD to manage the others.

My question for you guys is: should I use Ansible and the win_regedit module to manage and configure all of our Windows machines? Or should I keep GPOs and manage it that way, the way Windows is supposed to be managed?

I am looking for an easy and reproducible solution that can scale and provide some kind of version control. Also, money is an important factor, as I do not want to spend much more than what we already use.

Please let me know your thoughts and if you have done something like that, I would be more than happy to get some information.

If you have questions for me, let me know as well!

Thank you very much!

-Simon

This message has been sent on behalf of a company that is part of the Harris Operating Group of Constellation Software Inc. These companies are listed here.
If you prefer not to be contacted by Harris Operating Group please notify us.

This message is intended exclusively for the individual or entity to which it is addressed. This communication may contain information that is proprietary, privileged or confidential or otherwise legally exempt from disclosure. If you are not the named addressee, you are not authorized to read, print, retain, copy or disseminate this message or any part of it. If you have received this message in error, please notify the sender immediately by e-mail and delete all copies of the message.

Does anybody have a suggestion concerning Ansible Regedit vs GPO?

Thank you!

-Simon

Hi Simon-Pierre,

GPOs can be managed using PowerShell. Registry-based GPO settings (administrative templates) can be updated through PS as well. Ansible can be used to execute these PS commands. This will help to get you started:
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ee461027(v=technet.10)

Also, in your setup, using Desired State Configuration could be interesting. Just like GPO, it’s built into Windows, but it’s more lightweight, versatile and domain independent. It is, however, not a full replacement for GPO in all cases. DSC can be managed using a dedicated Ansible module. This will help you decide if it’s useful to you:
https://blogs.technet.microsoft.com/ashleymcglone/2017/02/27/compare-group-policy-gpo-and-powershell-desired-state-configuration-dsc/

https://docs.ansible.com/ansible/latest/user_guide/windows_dsc.html

Lastly, I advise against manually setting registry keys. An intermediary tool such as GPO or DSC is there for a reason. It helps audit what is set where and why, from within a configured system. This makes troubleshooting, reverting a key deployment or any small alteration far more comfortable for sysadmins. This is especially true for those who do not have a deep understanding of what your playbooks did to every system they’re responsible for.

Hopefully this helps you decide on what to do.

Regards,
Yarno
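As an added illustration of the three options compared in this reply (this playbook is not from the thread or from the Ansible project), the same registry-backed policy setting is applied below by win_regedit directly, by the DSC Registry resource through win_dsc, and by writing it into a GPO with the GroupPolicy module's Set-GPRegistryValue cmdlet. The chosen setting (PowerShell Script Block Logging, which is what gives defenders the 4104 script-block events), the `windows` inventory group, the GPO name and the `dc01` host with RSAT installed are all assumptions for the example.

```yaml
# Added example, not code from the thread. Assumed values: the `windows`
# inventory group, the GPO name, and `dc01` as a domain-joined host with the
# GroupPolicy RSAT module. The setting itself is a real registry-backed policy.
- name: Apply one registry-backed policy setting three ways
  hosts: windows
  gather_facts: false
  vars:
    policy_subkey: 'SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    policy_value_name: EnableScriptBlockLogging
    gpo_name: 'Baseline - PowerShell Logging'   # assumed GPO name

  tasks:
    # 1. Direct registry write (what the original question proposes).
    #    Idempotent and easy to keep in git, but it leaves no policy object
    #    behind: nothing on the host records why the key exists, and a later
    #    GPO refresh from any domain policy can silently overwrite it.
    - name: Set the key directly with win_regedit
      ansible.windows.win_regedit:
        path: 'HKLM:\{{ policy_subkey }}'
        name: '{{ policy_value_name }}'
        data: 1
        type: dword
        state: present

    # 2. The same key through the DSC Registry resource via win_dsc.
    #    DSC records the desired state on the host, so drift can be reported
    #    with Test-DscConfiguration. Requires PowerShell 5.0+ on the target.
    - name: Set the key through DSC
      ansible.windows.win_dsc:
        resource_name: Registry
        Key: 'HKEY_LOCAL_MACHINE\{{ policy_subkey }}'
        ValueName: '{{ policy_value_name }}'
        ValueType: Dword
        ValueData: '1'
        Ensure: Present

    # 3. Write the value into a GPO from a domain-joined admin host. The GPO is
    #    the auditable record that GPMC, gpresult and RSoP can show; domain
    #    members pick the value up at the next policy refresh (gpupdate).
    #    Runs once, delegated to the host that has the GroupPolicy module.
    - name: Set the same value in a GPO with Set-GPRegistryValue
      ansible.windows.win_shell: |
        Import-Module GroupPolicy
        Set-GPRegistryValue -Name '{{ gpo_name }}' `
          -Key 'HKLM\{{ policy_subkey }}' `
          -ValueName '{{ policy_value_name }}' -Type DWord -Value 1
      delegate_to: dc01   # assumed host with RSAT
      run_once: true
```

Note the three path spellings: win_regedit takes the PowerShell drive form (`HKLM:\`), the DSC Registry resource takes the full hive name (`HKEY_LOCAL_MACHINE\`), and Set-GPRegistryValue takes the short hive form without a colon (`HKLM\`). In practice you would pick one of the three tasks per environment rather than run all of them; keeping the task in a playbook under version control is what gives the reproducibility and history asked for in the original question, whichever mechanism writes the value.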

Thank you very much Yarno for your insights.

I will look at PowerShell and GPO. In theory, I would like something that can be version controlled, which GPOs aren’t the easiest to do.

I can always investigate DSC, but I was not really interested in it, since I could do the same with an Ansible Playbook and modules outside of the win_dsc module.

Thank you again.

I am definitely curious to see what other people are doing!

-Simon

Does anyone have something to say about this subject?

Does playing with PowerShell and GPOs come to the same thing as writing to the registry directly?

I need to create policies, and PowerShell does not seem to be the answer, as the cmdlets are not super versatile for GPOs.

Does anyone have more insights on this?

Thank you!

-Simon