Mar 2006

Newsletter #15

  • My Rant: Why imaging? Why SMS?
  • Get a signed copy of...
    • my GP book: Group Policy, Profiles and IntelliMirror
    • my Windows & Linux Integration book
  • Public Group Policy Intensive Training and Workshop Schedule Update
  • Upcoming appearances and schedule
  • Thanks Netpro!
  • Subscribe, Unsubscribe, and Usage Information

This issue is (I’m sorry folks) a rant. It’s not about the war, or politics—but about something close to us, that we can all rally behind: disk imaging and management products.

So, without further ado, my rant.

After I rant for a while, I'll give you an update on my 2006 Group Policy Class Schedule and suggest some other great stuff for you to check out.

Before I forget—the Sacramento, CA Two-Day Group Policy class is ON for March 30, 31. We have three seats available. If you want one of those seats—sign up soon at

PS: A hearty THANK YOU to the folks who came and saw me and Tom present Win/Lin topics at this season's TechMentor in Orlando. I'm gone now (off to the next thing), but thanks for brightening our days there. You were a super audience!

Newsletter Sponsored by: Special Operations Software

Sometimes the out-of-the-box Password Policy in Windows just isn't enough. If you need many Password Policies per Active Directory domain, or more granular control of how passwords can be created, you should have a look at Specops Password Policy.

Redmond Magazine says that "Password Policy is easy to install and easy to use. It provides much more granular control and doesn't have a long learning curve."

Click the link to read more on how Specops Password Policy can benefit your organization with increased security.

As Dennis Miller says, "I don't mean to go off on a rant here..."

My good friends at TechNet Magazine have recently released their March/April 2006 magazine. And, let me tell you—it’s excellent, specifically, if you’re running SMS to roll out your desktops and/or contemplating using the new Business Desktop Deployment (BDD) to roll out desktops.

And, I have some questions (and please don’t answer me directly via email. Please, please, please answer these questions, or agree/disagree with this rant, by going to my community forum and posting your 2 cents there.)

My three questions are:

  1. Why does Microsoft have 7 ways to deploy a desktop?
  2. Why bother with image-style desktop deployments at all? and
  3. Why bother with SMS-style tools?

So, let’s get started on this very special “rant” issue.

Microsoft’s desktop deployment options

By my count, Microsoft has seven ways of “officially” deploying a desktop:

Category 1: via winnt.exe

  • Put in the CD and restart the machine. This basically runs winnt.exe and installs Windows.
  • DOS-style Network boot disk to connect over the network to run winnt.exe
  • WinPE-style to again run winnt.exe (almost the same as a DOS-style network boot disk in practice)
  • Remote Installation Services (via PXE) where winnt.exe gets invoked

Category 2: via image

  • SMS + Operating Systems Deployment Pack (OSD)
  • Business Desktop Deployment (BDD)
    • Standard Edition and
    • Enterprise Edition
  • Vista’s all-new image-based deployment

The methods in Category 1 “build” a PC from scratch, loading Windows step by step (or via answer file), but fundamentally “create” a PC by formatting it and loading each file.

The methods in Category 2 “photocopy” from an image source in Ghost style.

So, here’s the question (again): why bother using either the Zero Touch Deployment for SMS (with the Operating System Deployment pack), the BDD, or the upcoming Vista image-based methods to roll out your desktops?

First of all, unless I’m missing something—these latest tools from Microsoft compete with each other for your desktop rollout attention. Not to mention that Vista will also come with its own image-style deployment mechanism. So, between the BDD, SMS+OSD and Vista’s imaging mechanism—I’m one confused guy—and I’m trying to understand why each has its place.

So, that’s three image-style mechanisms to do the same job. That’s my real question: can someone (anyone) explain why I might choose, say, the BDD over the SMS+OSD even if I could deploy both at exactly the same hard and soft costs? (Again, don’t reply here…post about it, at

To me, the main selling point of both the BDD and SMS+OSD appears to be that they will “maintain state” as you do a desktop upgrade from, say, Windows 2000 to Windows XP. With a little elbow grease, you use the built-in User State Migration Tool, shoot up a copy of the user’s important stuff, blast down a new desktop, and restore the important stuff (like desktop backgrounds, etc.).

Great. But again, why bother specifically saving the state?

If you’re using the network to store the important stuff (say, by using Roaming Profiles), and use Group Policy to maintain your application settings, why specifically go out of your way to preserve any of it? Those of you who’ve heard my talks on desktop deployment know it will still be there waiting on the network when you deploy that new desktop to the user.

So, if you want to educate me… please do so. Again, respond by posting to

Beyond the Microsoft image-based deployments

Since I'm already off on a rant here, let me take it one step farther…

Truthfully, I don't even see the point of having any image-style/“photocopy-style” deployments (including other non-Microsoft image-style deployments a la Ghost, PowerQuest, or anything else). Those of you who’ve seen me speak at conferences or those who have taken my more in-depth two-day Group Policy course know my feelings about image based deployments. Yes, they’re fast—but, ultimately, they’re a “photocopy.” To recap the process, you essentially wrap up a “perfect” PC with a set of “core” applications and make a big image. Then, you deploy that image to a zillion machines. And you do it fast.


But, this means several downsides when thinking long term. First, there’s the problem with the “photocopy” aspect in terms of hardware deployment.

Yes, I know—Windows sysprep is supposed to be the answer. Sysprep’s job (especially with the -pnp switch) is to shut the machine down for photocopying. Then, once the photocopied machine is turned back on, it’s supposed to magically discover all the correct hardware, and birds will land on the computer singing and chirping.

Except it’s not guaranteed (especially the birds). Not to mention the problem with photocopying from one machine to another—the required drivers might not be there. If you’re photocopying the same image for a Dell Latitude and an IBM Thinkpad—you let me know how that’s working out for you. If you can sleep at night while doing this, you’re a stronger man than I.

Okay, I’m sure the BDD and SMS+OSD deployment have some provisions to handle this situation. But, I was at a loss on specifically how to add new drivers to either the BDD or SMS+OSD if, say, a new network card showed up in your next desktop shipment. What I am sure of is that in each case, the WinPE image (which provides you the ability to access the image) would indeed need to be tweaked to accommodate this (already a hassle). But my confusion is what about the drivers for when Windows is actually running? If I’m pulling down a fully formed image, how can I jam in new drivers? If you know, and can educate me, please do so.

Even if there is a native way to do this (easy or cumbersome) it appears that Binary Research (the original makers of Ghost) has created something to help fail-safe the process. Their “Universal Imaging Utility” product (found here) is supposed to help inject a bazillion drivers into your images—specifically to remediate this very problem I’m describing.

The next big problem with the photocopy is—it’s obsolete the very day it’s placed into service. Why? Let’s explore a typical photocopy-style rollout. Let’s say we’re deploying our image to 1000 desktops. Just to give it a name, we’ll call our project OurImage 1.0. After rolling out 300 of our 1000 desktops someone on the deployment team realizes they’ve forgotten a critical application patch, or bite-sized application, or a configuration setting, or misspelled a directory, or any number of a 1,000 things that can go wrong during image building. So, the desktop engineering team cleans up the image, and rolls out OurImage 1.1. They then roll out to the next 300 desktops. (And, of course, the problems weren’t big enough to retrofit the first 300 desktops and disrupt users.) So, now, you have 600 desktops deployed: half on OurImage 1.0 and half on OurImage 1.1.

Not ideal, to be sure.

Then, one of the applications in the image has a new minor version (which the manufacturer strongly recommends you start deploying right away). Back to the drawing board, and a new revision, OurImage 1.2, is created. The deployment rollout must go on! And OurImage 1.2 is now deployed to the next 300 clients.

So, now, that’s three somewhat-different images over 900 clients. Now when any of those users calls the helpdesk for help, which version of the image are they using? Remember each version of the image has slightly different application versions tucked inside.

Or, consider this case: the image is rolled out to 300 people—both Sales and Marketing. But Sales is constantly playing around with applications in the image they have no right to even use. Should those applications have ever been in the image at all? Sure, those applications are needed for the Marketing guys. But not for Sales. So what do some IT departments do? They send someone to trot out to the Sales desktops and manually uninstall those applications (or script it, or touch it with SMS or something).

So, it must appear as if I’m “down” on photocopy-style desktop deployments such as Ghost, SMS+OSD or the BDD. It’s not that I’m down on them, just utterly confused why anyone would use them.

With that in mind, what’s my proposed desktop deployment solution?

Group Policy of course (with a little help from Remote Installation Services)!

Why RIS? Because RIS doesn’t “photocopy” an image. It “builds” the computer from scratch, installing just the software it needs in order for Windows to run. And, there are provisions for centrally adding new and updated drivers when new hardware comes out (like NICs, sound cards, etc.).

Why Group Policy? Because you can deploy just the applications you need to just the specific people who need them. If Fred in Sales shouldn’t get an application only Marketing would use, then it’s not in any photocopy where you’d have to worry about it. Fred only pulls down applications Fred needs.

Yes, I know the downside to my strategy. That is, in order for my suggested strategy to be successful, you have to be 100% committed to the MSI promised land (or buy 3rd party Group Policy tools to deploy applications other than only MSI apps).

Now, before you napalm my house—let me wrap up this section with this one thought:

I know lots of people are quite attached to their desktop deployment methods. If something is working for you, and you’re happy—keep on truckin’.

Don't let me stop you.

The main reason I'm down on image-type deployments is for the reasons I mentioned above:

  • Again, first, it’s a photocopy, and even though sysprep -pnp should work from machine to machine, it doesn’t always. If it does work for you—fantastic. Consider yourself blessed, and continue to make use of the speed that photocopying provides.
  • However, consider the second problem: “core applications” in the image make it difficult to customize each user’s experience for them. If you get away from photocopying, you get away from deploying unnecessary apps (or forgetting to put apps in your image).

So again, yes, I know RIS is slow. Slower than a photocopy, yes. And, if you’re comfortable photocopying machine to machine to get the OS deployed then, again, keep on doing that. All I’m asking is for you to consider not embedding the applications in the image.

My problem

Now, if you want to help me out you can explain a few things to me.

  1. If you’re actually using the SMS+OSD—how is it really “zero touch” as it’s touted? I don’t get it. I’ve read countless pieces of documentation, but it still appears as if the client needs to be “seen” by the SMS system in order to zap a new photocopy upon it. That means it needs to be an SMS client. If I’m cracking out a desktop or laptop from the cardboard box and put it on the wire, I’m totally unclear how SMS will “find” this new machine and zap it my corporate photocopy. From what I’m reading it seems (dig this) that the prescription is to actually use RIS to deploy that initial desktop, then get the SMS client loaded, then zap down the remaining applications. Wait a second—that sounds like “The Jeremy Prescription” (except you substitute GPO for SMS!) If I’m missing something, and you’re an expert here, please, please educate me.
  2. The BDD has lots of wizard-driven steps to help you create your photocopy and then deploy it. Why would anyone use the BDD at all, for any reason, when there are clearly other options which do the job? And, unless I’m looking at it wrong, it seems the BDD requires a Ghost-style imaging tool to do the work. Indeed the documentation talks about the PowerQuest tool quite a bit. Again, I’m at a loss to understand why the RIS/Group Policy/MSI combo wouldn’t be the preferred way to go here—or just about anywhere.

More stuff to rant about (Or, why I'm already unpopular with the SMS team at Microsoft)

Since I'm ranting about SMS anyway

The issue of TechNet magazine I mentioned has a whole article dedicated to SMS troubleshooting. When people ask me if I’d prefer SMS over Group Policy, I’ll tell them “Even if you gave me all the licenses I need for SMS, I’d still pick Group Policy over it any day.” Yes, yes, I know SMS has more features than Group Policy does.

But a Dodge Caravan has more features than a Mazda Miata. Get the picture?

In the end analysis what are the features people use when they buy that Dodge Caravan, er, SMS? Let’s look:

  • Software Deployment with targeting (which can be done with Group Policy Software Installation and WMI filters)
  • Hardware and software inventory (which cannot be done natively with Group Policy but is, I hear, coming soon with 3rd party Group Policy tools.)
  • SMS has Software Metering tools—but no one I know uses it much.
  • SMS has compliance/patch-management tools. I do know some companies which do make use of these—but only because the free WSUS wasn’t yet available, and now they feel like they’re “locked in.”
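The targeting the list above attributes to Group Policy Software Installation relies on WMI filters, and the check a practitioner wants before trusting one is a preview of whether a given machine actually passes it. The following PowerShell is an added example, not code from the newsletter: the filter names and WQL queries are constructed for illustration, and it assumes a Windows host with the CIM cmdlets (PowerShell 3.0 or later). It reproduces the rule GPMC applies, which is that a WMI filter with several queries passes only if every query returns at least one instance.

```powershell
# Added example (not from the newsletter): preview whether the local machine would
# pass a GPO WMI filter before the filter is linked to a software-installation GPO.
# A GPO WMI filter is a list of WQL queries; the GPO applies only when every query
# returns at least one instance. Filter names and queries below are constructed.

function Test-GpoWmiFilter {
    param(
        [Parameter(Mandatory)] [string]   $Name,
        [Parameter(Mandatory)] [string[]] $Queries,
        [string] $Namespace = 'root\cimv2'   # the namespace GPMC uses by default
    )

    # Evaluate each query exactly as the client-side filter engine would: count instances.
    $results = foreach ($query in $Queries) {
        $instances = @(Get-CimInstance -Namespace $Namespace -Query $query -ErrorAction SilentlyContinue)
        [pscustomobject]@{ Query = $query; Matches = $instances.Count }
    }

    # The filter fails as soon as any one query returns nothing (AND semantics).
    $failed = @($results | Where-Object { $_.Matches -eq 0 })

    [pscustomobject]@{
        Filter  = $Name
        Applies = ($failed.Count -eq 0)
        Detail  = $results
    }
}

# Constructed sample filters of the kind used to scope a GPSI package.
$sampleFilters = @(
    @{ Name    = 'Workstation OS only (no servers)'
       Queries = @('SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1') }

    @{ Name    = 'Dell hardware only'
       Queries = @('SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Dell%"') }

    @{ Name    = 'Dell workstations (both queries must match)'
       Queries = @('SELECT * FROM Win32_OperatingSystem WHERE ProductType = 1',
                   'SELECT * FROM Win32_ComputerSystem WHERE Manufacturer LIKE "%Dell%"') }
)

foreach ($filter in $sampleFilters) {
    $outcome = Test-GpoWmiFilter @filter
    '{0}: {1}' -f $outcome.Filter, $(if ($outcome.Applies) { 'APPLIES' } else { 'does not apply' })
    $outcome.Detail | Format-Table Query, Matches -AutoSize
}
```

WMI filters only scope by machine properties (OS, hardware, installed software). The "Fred in Sales shouldn't get a Marketing app" case from earlier in the rant is handled separately, by security filtering on the GPO itself, so that only the Marketing group has the Apply Group Policy permission; the two mechanisms compose, and previewing both before linking avoids the "which version did this user get?" helpdesk problem the rant describes.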

So, why would I pick Group Policy over SMS even if someone handed me unlimited free licenses? The TechNet article in the same issue entitled “No Desktop Left Behind: SMS Troubleshooting Basics” about sums it up. Not to saturate you with all the steps the author expertly describes, but, holy cow does it ever take some troubleshooting skillz (that’s skillz with a ‘z’) to get to the bottom of things when SMS stops working. In a nutshell: SMS has about a zillion moving parts. The author expertly demonstrates how to “trace” where the problem is within all those moving parts.

In a basic (very basic) comparison, the same operation (software deployment) for Group Policy is refreshingly simple. There are, in short, many fewer moving parts to troubleshoot when things go wrong. Yes, okay, maybe I’m a little biased due to my love of all things Group Policy. And that isn’t to say Group Policy always works, either.

What I am saying, however, is that when Group Policy “breaks” it’s a much easier proposition to figure out where the problem is, then actually get to fixing it. For the record, in case you think I’m making stuff up here to specifically beat up SMS, I am certified in SMS 2.0 and do know a little about what I’m talking about. (And, yes, I know SMS 2003 is a different, though similar animal.)

Simpler is better

Okay, poor SMS. I just beat it up a little bit, and I’m feeling a little guilty here. But, ask yourself if you need a tool like SMS at all.

If you need it—you need it.

But, the question is do you really need it?

I've personally met a handful of people who seem to be with me; ditching SMS and Tivoli (and the like) for a pure Group Policy-based solution to their management.

Here's the thought process: By not introducing an SMS-style tool, you’re reducing complexity.

Again, the Group Policy moving parts are already built-into the operating system.

So, if you can make use of the moving parts inside the box, my advice is to do so.

Now, let me be super-clear before the hate mail comes in from the SMS team (or SMS-style product companies). As I said: if you need it—you need it. That’s the trick, and the trap I see many organizations fall into. Many organizations inadvertently increase their complexity by adding an SMS-style management tool for not a lot of benefit. When I ask people “Why did you end up deploying your SMS-style tool?” the #1 response I get is “We needed a way to distribute software.” And only 10% actually use the overall “power features” SMS provides over Group Policy.

So, again, my feeling is that, yes, an SMS-style tool is great—if it truly gives you something you cannot achieve a different way. Again, SMS provides software distribution, hardware and software inventory, patch management, image deployment, and software metering. If you need something on this list that Group Policy cannot do natively (or enhanced with third-party tools) then, yes, go get it.

But, if you don't need it—why introduce it, even if you’re getting the licenses for free?


For the love of Pete (whoever he is) do NOT email me directly about this rant. While I strive to answer everyone’s email, I’m making an exception in this case. It’s not because I don’t love you, it’s because I want you to respond publicly here where we can all talk about it. Key points to talk about:

  • If you’re using the BDD…why? What does the BDD give you that other methods do not?
  • If you’re using SMS+OSD…why? How’s it working out for you?
  • How can you add drivers when Windows runs using the BDD or SMS+OSD?
  • If you’re using the “Jeremy Method” of RIS + Group Policy + MSI, how’s that working out for you? Was getting to the MSI promised land a tough haul? Did you succeed, or give up?
  • Why save user state and restore it using the USMT during the BDD or SMS+OSD process? If you’re using the network properly (redirected MyDocs and Application Data), what precisely are you saving by using the USMT?
  • Has anyone introduced an SMS-like product only to then realize it was overkill and the same task could be performed via Group Policy? How did you handle that?
  • Or, is SMS your life blood and you’re using it for a task I didn’t describe here?

Thanks for listening.

Get signed copies of...

Group Policy, Profiles and IntelliMirror for Windows 2003, Windows XP and Windows 2000 (THIRD EDITION)


Windows & Linux Integration: Hands on Solutions for a Mixed Environment

Do you have the new THIRD EDITION of the Group Policy book? It's got 50 new pages, fully covers XP/SP2 and Windows Server 2003/SP1, an armload of new tidbits here and there, and a whole new section on the Security Configuration Wizard.

Order your signed copy today by clicking here.

Additionally available is my new title Windows & Linux Integration: Hands on Solutions for a Mixed Environment from

Oh, and if you own either book, and want to say nice things on Amazon, please do so! That would be great. Thanks! You can do so here: (GPO book) (WinLin book)  

Public Group Policy Intensive Training and Workshop Schedule Update

I've basically lost count at this point of how many people have signed up and taken the two-day Group Policy Intensive training and workshop. Students LOVE it, and managers LOVE the results the training gives.
You BOUGHT and IMPLEMENTED Active Directory—now DO SOMETHING with it.
So, learn to properly drive that "Ferrari" you bought by coming to a class! Classes for the first half of 2006 (lots of date changes since the last newsletter. Sorry about that.):

  • Mar 30-31, 2006: Sacramento, CA—This class is ON. If you want a seat, I suggest you sign up now. Only three seats left!
  • Apr 18-19, 2006: Atlanta, GA
  • Apr 20-21, 2006: Tulsa, OK (not Okla. City, as previously reported.)
  • Apr 26-27, 2006 (new class): Richmond, VA
  • May 15-16, 2006: London, England

Why THESE cities? Because people used the "Suggest a city" form at and ASKED me to have classes here.

Here's hoping you'll take advantage of the opportunity!

Learn more and sign up at: (Don't forget to scroll all the way to the bottom of that page and locate your city!)

Or, if you think you might want your own in-house training (with all the personalized attention that affords), I'd love to join you onsite!

If you have even a handful of in-house people interested in the training, the course pays for itself (as you don't need to ship people offsite!). I'll even travel overseas to the U.K., other parts of Europe, or Japan—or wherever! Have passport, will travel!

Again, while the training course isn't officially endorsed by Microsoft, the class does have the distinction of being a suggested avenue for intense Group Policy training by members of the Group Policy, Microsoft Consulting Services, and Product Support Services teams at Microsoft!

For a public class, sign up online at:
For a private class, just contact me at or call me at 302-351-8408.

Upcoming Appearances and schedule

It's going to be a busy month for me. Embrace the travel! Love the airport. Embrace the security dweebs patting me down. Well, maybe not.

Here's my ever-so-brief schedule.

NetPro Directory Experts Conference: Mar 26 - Mar 29

I'll be speaking on Windows/Linux authentication integration. My speech is at 9:15 on Tuesday the 28th.

LinuxWorld Boston: Apr 3 - Apr 6

Again, on Windows/Linux authentication integration. My specific speech date is 4/4/06 and it'll be at 2:30 PM. Hope to see you there!

WinConnections Orlando: Apr 9 - Apr 12

I'll be speaking on a variety of topics at this WinConnections: "Group Policy Toolbelt", "Shared Computer Toolkit" & "Windows–Linux Integration: Authentication Services", plus a 3-hour Group Policy Pre-Conference warm-up.

Microsoft TechEd Boston: Jun 11 - Jun 15

Again, on Windows/Linux authentication integration. Don't know my exact speech date yet.

Thanks, Netpro!

Recently Netpro had a cool webinar, and they mentioned us. Neat! Thought I’d return the favor. Here’s how to check out the webinar with a good message for anyone managing Active Directory.

WEBCAST: 16 Steps to a healthier and happier Active Directory

Before going about securing Active Directory, you should make sure that certain configurations have not created unexpected security holes. In this webcast, NetPro CTO Gil Kirkpatrick will examine various aspects of Active Directory, from backup to DNS configuration to Group Policy management, that, when executed properly, can ensure a secure installation. Register here.

Subscribe, Unsubscribe, and Usage Information

If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.

Also, if you want to unsubscribe, you can do that, too (but we'll be sad to see you go).

For all Subscription and Unsubscription information, we have a one-stop-shop page at the following address:

You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.

While Moskowitz, inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk. If you need personalized attention in any way, just email me:

If you have questions about ordering a book, contact my assistant Jon at: We endeavor to respond to everyone who emails.

Thanks for reading!
