
Important followup: "Am I allowed local unconstrained root without a usually-performance-killing daemon interfering with my work?"

At a few places, I experimented with running Windows. Every time, the Windows machine came with Bit9 or some other performance-killing compatibility-breaking security "solution" that made the system unusable. Windows is a great operating system. What IT departments do to Windows turns it into a nightmare.

These same places all had a much lighter touch on Linux VMs, desktops, and laptops, so clearly the invasive "security product" mindset was just contained to the Windows (and in one instance, macOS) groups.



A previous company I worked for had installed some company-wide security software. It basically installed a rootkit that scanned every executable, adding 250ms to boot time for any app. The problem manifested when shell scripts that used to take seconds started taking minutes or hours.

When this started happening, I thought that I had installed some malware. In the process of debugging the problem, I ended up finding & disabling the rootkit through trial and error. When my machine started working properly again, I came to understand I had disabled the corporate security "malware". I reported the problem to corporate just as others started to report having the same slowdown error. They told me the vendor of the software was impressed I had been able to find it, let alone disable it. I believe their words were "you shouldn't have been able to do that".

I didn't get into any trouble. By reporting the problem, I actually helped kickstart the removal of that software from anyone's laptop where shell access was required. The vendor never could fix the performance problem, and eventually our company resorted to trusting the developers again.


> Windows is a great operating system. What IT departments do to Windows turns it into a nightmare.

That's a great bumper sticker.

There are so many cases you find of people's Windows complaints where the questions are "Why does Windows even allow GPO to hurt users that badly?" and "Why does your IT staff hate you so much personally that they configured Windows into that particular contortion?"

The Unix world has decades of tales of the "sysadmin from hell" / BOFH, of course, but something about Windows administration just seems to elevate to almost universal "art form" across every company, but at the same time has managed to make it "business as usual" rule rather than the to-be-irked-by exception. On no other operating system would that level of IT micromanagement and terrible "security products" be accepted, and on just about no other platform would people just as easily assume it to be OS "bugs" or "inabilities" rather than the forced masochism of some local BOFH.


> "Why does Windows even allow GPO to hurt users that badly?" and "Why does your IT staff hate you so much personally that they configured Windows into that particular contortion?"

Typically it's because the GPO configuration has 15 years of kludge and your IT department is under-resourced and doesn't have the ability to spend 6 months sifting through and testing all of it.

In Windows environments group policy is often one of the biggest piles of technical debt.


I think that is certainly a part of it, but I think there is a part of it that is much, much worse than that. Every time Microsoft reduces the number of user-hostile GPOs, there are certain Fortune 500 companies that complain (presumably in a lot of cash). Almost every GPO probably has at least one BDSM fetishist of IT Admin with too much corporate budget cash and not enough sense.

But a big problem is how cult-like certain GPO setups have become. Asking my IT Department casually, 90% of the worst GPO settings we enforce at my current job are "mandated" in the agreements and contracts with a certain, supposedly prophetic (but unarguably profiteer) vendor of over-priced databases and accounting software "to keep their software working as intended". (Which may be quite accurate if their software is truly intended for the slow torture they provide from a user's perspective.)



