Are Windows Administrators Less Likely to Script/Automate?

I wrote this bit as a comment on another blog this morning, and then after typing a thousand words I realized that it would make good fodder as a post on my own blog. The article that I was commenting on was on the topic that Windows administrators are less likely to script and/or automate because Windows uses a GUI and Linux is more CLI-centric. And because Linux is more CLI-focused, it is more natural for a Linux user to get into scripting than it is a Windows user. Without further ado, here is my comment on that article:

This article and these comments suffer from a lack of the presence of a good Microsoft engineer and/or administrator. As is common, this discussion so far has been a bunch of Linux admins complaining that Windows isn't more like Linux, but not offering much substance to the discussion from a pro-Microsoft perspective.

That said, I may be a Microsoft zealot, but I do understand and appreciate Linux. I think it’s a great, fast, modular, infinitely customizable and programmable operating system. So please don’t read this in anger, you Linux admins.

First I want to stay on track and pay respect to the original article, about scripting on Windows. Scripting has been an integral part of enterprise-grade Windows administration ever since Windows entered the enterprise ecosystem. It has evolved and gotten a lot better, especially since Powershell came on the scene, and it will continue to evolve and get better, but we've already been scripting and automating Windows in the enterprise space since the '90s. (Though maybe not as well as we would have liked back then.)

But I will make a concession. There are Windows admins out there that don't script. A lot of them. And I do view that as a problem. Here's the thing: I believe that what made Windows so popular in the first place - its accessibility and ease of use because of its GUI - is also what leads to Windows being frequently misused and misconfigured by unskilled Windows administrators. And that, in turn, leads people to blame Windows itself for problems that could have been avoided had you hired a better engineer or admin to do the job in the first place.

GUIs and wizards are nice and have always been a mainstay of Windows, but I won’t hire an engineer or administrator without good scripting abilities. Even on Windows you should not only know how to script, but you should want to script and have the innate desire to automate. If you find yourself sitting there clicking the same button over and over again, it should be natural for you to want to find a way to make that happen automatically so you can go do other more interesting things. Now that I think about it, that’s a positive character trait that applies universally to any occupation in the world.

And yeah, it was true for a long time that there were certain things in Windows that could only be accomplished via the GUI. But that’s changing – and quickly. For instance, Exchange Server is already fully converted to the point where every action you take in the GUI management console is just executing Powershell commands in the background. There’s even a little button in the management console that will give you a preview of the Powershell commands that will be executed if you hit the ‘OK’ button to commit your changes. SQL Server 2012 will be the first version of SQL that’ll go onto Server Core. (About time.) The list goes on, but the point is that Microsoft is definitely moving in the right direction by realizing that the command line is (and always has been) the way to go for creating an automatable server OS. Microsoft is continuing to put tons of effort into that as we speak.

However, just because scripting on Windows is getting better now doesn’t mean we haven’t already been writing batch files and VB scripts for a long time that do pretty impressive things, like migrate 10,000 employee profiles for an AD domain migration.

I really love Server Core, but it's just a GUI-less configuration of the same Windows we've been using all along. Any decent Windows admin has no trouble using Core, because the command line isn't scary or foreign to them. For instance, one of the comments on this article reads:

"The root of the problem seems to be that Linux started with the command line and added GUIs later, whereas Windows did it the other way around."

I think that's false. Windows started as a shell on top on top of DOS – a command line-only operating system. DOS was still the underpinning of Windows for a long time and even after Windows was re-architected and separated from DOS, the Command Prompt and command-line tools were and still are indispensible. Now I will grant you that Linux had way better shells and shell scripting capabilities than Windows did for a long time, and Microsoft did have to play catch-up in that area. Powershell and Server Core came along later and augmented the capabilities of and possibilities for Windows – but the fact remains we’ve been scripting and automating things using batch files and VB Script for a long time now.

There was also this comment: “Another cause for slow uptake is that Windows skills don't persist.”

Again I would say false. I can run a script I wrote in 1996 on Server 2012 just fine, with no modification. Have certain tools and functions evolved while others have been deprecated? Of course. Maybe a new version of Exchange came out with new buttons to click? Of course – that’s the evolution of technology. But your core skillset isn’t rendered irrelevant every time a new version of the software comes out. Not unless your skillset is very small and narrow.

There was also this comment:

“I also complain that PowerShell is not a "shell" in a traditional sense. It is not a means of fully interacting with the OS. There is no ecosystem of text editors, mail clients, and other tools that are needed in the daily operation and administration of servers and even clients.”

As I mentioned earlier, there are fewer and fewer things every day that cannot be done directly from Powershell or even regular command-line executables. And to the second sentence - I’m not sure if there will ever be a desire to go back to an MS-DOS Edit.exe style text editor or email clients… but I could probably write you a Powershell-based email client in an hour if you really wanted to read your emails with no formatted styles or fonts. :)

So in the end, I think the original article had a good point - there probably are, or were, more Linux admins out there with scripting abilities than Windows admins. But I also think that's in flux and Windows Server is poised in a better position than ever for the server market.

Mortal Countdown

I admit, this one is a little bit macabre. But it's something I was thinking about, and I was thinking about programming at the same time, so I decided to write a C# app for it!



You can use the Setup function of the app to set your birthday in UTC, down to the second if you know it, and how many years you anticipate spending on this mortal coil. (A figure which is subject to change, obviously.) The settings are saved in HKCU so you do not need to reset the info every time you reopen the app. Warning: It's a little creepy when you realize the percentage has crept up every time you hover over the hourglass.

That's pretty much all there is to it. 64-bit Windows and .NET 4 are required. There's no good reason for that other than that I don't like 32-bit Windows and < .NET 4. It's 2012, people.

As always, feel free to hit me with bug reports and enhancement requests.

Here's the executable: Mortal Countdown.exe (40.50 kb)

And here's the source (VS2010): Mortal (64.30 kb)

GPO Application Precedence - "Just Because You Can" Edition

This one really gets back to my roots as a big fan of everything related to Active Directory and Group Policies. Someone had a question yesterday about GPO application that, I admit, gave me pause. It would have been an excellent question for an MCITP exam or a sysadmin interview.

It's also an example of a GPO strategy that might be too complicated for its own good.

The basic behavior of Group Policy application order is well-known by almost every Windows admin. Let's review:

  • Local policies are applied first.
  • Then policies linked at the site level.
  • Then policies linked at the domain level.
  • Then GPOs linked to OUs in order such that policies linked to "higher" OUs apply first, and the policies linked "closest" to the object go last.
  • If multiple GPOs are linked at the same level, they go from the bottom-up. (AKA by Link Order)
  • Last writer wins, i.e., each subsequent GPO overwrites any conflicting settings defined in earlier GPOs. Settings that do not conflict are merged.
  • Enforce (formerly known as No Override,) Block Inheritance and Loopback Processing can be used at various levels of the aforementioned hierarchy in various combinations to augment the behavior of GPO application.
So that seems like a pretty simple system, but it's just flexible enough that you can get into some confusing situations with it. For instance, take the following OU structure:
(OU)All Servers
       +--(OU)Terminal Servers

The Terminal Servers OU is a Sub-OU of the All Servers OU. Now, let's link two different policy objects to each of the OUs:

(OU)All Servers [Servers_GPO]
       +--(OU)Terminal Servers [TS_GPO]

So using what we know, we assume that a computer object in the Terminal Servers OU will get all the settings from Servers_GPO, and then it will receive settings from TS_GPO, which will overwrite any conflicting settings from Servers_GPO.

Now let's put the Enforced flag on Servers_GPO:

(OU)All Servers [Servers_GPO-ENFORCED]
       +--(OU)Terminal Servers [TS_GPO]

Now the settings in Servers_GPO will win, even if they conflict with settings in TS_GPO. But let's go one step further. What happens if you also Enforce TS_GPO?

(OU)All Servers [Servers_GPO-ENFORCED]
       +--(OU)Terminal Servers [TS_GPO-ENFORCED]

Which GPO will win?  Had I been taking a Microsoft exam, I might have had to flip a coin. I have to admit, I had never considered this scenario. If neither policy was enforced, we know TS_GPO would win. If Servers_GPO was enforced and TS_GPO was not enforced, then we know Servers_GPO would win. But what about now?

And furthermore, why would anyone want to do that? I can't explain what goes on in some administrator's heads when they're planning these things out, but luckily I did have Technet at my disposal:

You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced. GPO-links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. By default, GPO links are not enforced.

So with that, we should be able to surmise that the parent GPO - Servers_GPO - will win. A little testing confirmed it - the higher-level GPO takes precedence over a lower-level GPO even when they're both enforced.

I might call this one of those "just because you can, doesn't mean you should" sort of administrative practices.

Passive-Aggressive Configuration Management FTW

I was doing a little deep investigation of the Windows DNS Cache service today, and I discovered that the process checks for the existence of this registry value upon startup:


Needless to say, the configuration setting doesn't appear to be publicly documented.  Whatever it does though, I sense some latent hostility toward some API owner. It wouldn't be the first time Microsoft has let Registry settings with silly names slip through the cracks.

Server 2012 - Out with the Old, In with the New

I came across this Technet article that details features that are being removed or deprecated as of Windows Server 2012.  Below are a few of my inane and probably ill-informed thoughts:

"AD Federation Services - Support for using Active Directory Lightweight Directory Services (AD LDS) as an authentication store is removed"

I guess this means AD FS can only store authentication information in AD now? I know that some people use it, but I think I wouldn't mind seeing AD LDS go altogether.

"Oclist.exe has been removed. Instead, use Dism.exe."

I'm all for consolidating redundant tools and putting all the various bits of related functionality in one place.

  • "The Cluster Automation Server (MSClus) COM application programming interface (API) has been made an optional component called FailoverCluster-AutomationServer which is not installed by default. Cluster programmatic functionality is now provided by the Failover Cluster API and the Failover Cluster WMI provider.
  • The Cluster.exe command-line interface has been made an optional component called FailoverCluster-CmdInterface which is not installed by default. Cluster command-line functionality is provided by the Failover Cluster PowerShell cmdlets.
  • Support for 32-bit cluster resource DLLs has been deprecated. Use 64-bit versions instead."

I'm also behind the move to a united effort based on Powershell. Knowing that you can use Powershell to manage all the parts of your server, as opposed to a hundred separate CLI executables is a good thing. I also like deprecating 32-bit junk... although that is going to cause some heartburn for some enterprises, as uprooting 15 year-old technology in a big enterprise can often be like pulling teeth. Actually more like getting approval from Congress first before you commence pulling teeth.

"Support for Token Rings has been removed."

Oh no what ever will I do without my token ring network!? Oh wait that's right, 1972 called and they want their network back. Next thing you know they'll be telling me to get rid of Banyan Vines too!

"Versions of Microsoft SQL Server prior to 7.0 are no longer supported. Computers running Windows Server 2012 that connect to computers running SQL Server 6.5 (or earlier) will receive an error message."

This is another interesting one. A lot of very large companies rely on really old SQL servers... I see a lot of painstaking migrations in my near future.

  • "ODBC support for 16- and 32-bit applications and drivers is deprecated. Use 64-bit versions instead.
  • ODBC/OLEDB support for Microsoft Oracle is deprecated. Migrate to drivers and providers supplied by Oracle.
  • Jet Red RDBMS and ODBC drivers are deprecated."

Ouch again! Microsoft seems to really be emphasizing "stop using old shit, k thx."*

(* not an actual Microsoft quote)

"The Subsystem for UNIX-based Applications (SUA) is deprecated. If you use the SUA POSIX subsystem with this release, use Hyper-V to virtualize the server. If you use the tools provided by SUA, switch to Cygwin's POSIX emulation, or use either mingw-w64 (available from or MinGW (available from for doing a native port."

I for one am glad to see this go. Just make a *nix VM if you need to fork() so badly.

  • "The WMI provider for Simple Network Management Protocol (SNMP) is deprecated because the SNMP service is being deprecated.
  • The WMI provider for the Win32_ServerFeature API is deprecated.
  • The WMI provider for Active Directory is deprecated. Manage Active Directory with PowerShell cmdlets.
  • The WMI command-line tool (Wmic) is deprecated. Use PowerShell cmdlets instead.
  • The namespace for version 1.0 of WMI is deprecated. Prepare to adapt scripts for a revised namespace."

All good stuff. Dropping off the really old vestigial junk, and consolidating everything under the banner of Powershell.

There are a few more bullet points in the original article, but those were the ones I cared most about. I'm a little surprised to see them cutting ties with 32-bit SQL, but I'm glad they're doing it. It's going to cause some work for people (like me) who still use large, distributed SQL systems to start migrating, but we'll all be better off in the long run.