Archived from groups: microsoft.public.win2000.group_policy (
More info?)
Actually I was suggesting linking the GPO to the domain or OU (whichever is
most appropriate) and let the security group filtering drive the delivery of
the app based on their location rather than the user's site location. For
example, let's say I have three sites: New York, Denver and Seattle. I would
create three user groups:
New York Users
Denver Users
Seattle Users
Put users from each site into those groups and then permission the
individual packages within a GPO according to the groups like this:
My Software Deployment GPO:
Office XP (Denver) -- Path: \\denverserver\packages\officexp\setup.msi --
Permissions: Denver Users (Read)
Office XP (NY) -- Path: \\nyrserver\packages\officexp\setup.msi --
Permissions: NY Users (Read)
Office XP (Seattle) -- Path: \\denverserver\packages\officexp\setup.msi --
Permissions: Seattle Users (Read)
The key to this is that you can reliably predict that users don't move
around a lot and that they can easily be identified in each location. If you
were to use site linked GPOs, then you get issues with users moving around
and falling out of the scope of a site-linked GPO, thus causing potential
uninstall-reinstall issues with apps.
Hope that clarifies it.
--
Darren Mar-Elia
MS-MVP-Windows Management
http://www.gpoguy.com
"Brian Wilson" <anonymous@discussions.microsoft.com> wrote in message
news:3c8f01c47f3e$ebc4f530$a501280a@phx.gbl...
>i think that i understand what you are saying.
>
> i should still create the gpo at the site level but use
> group filtering ( get rid of the authenticated users and
> use that security group ). the software distribution
> folder would naturally reside on the dc in each site so
> that there are no wan links in play.
>
> am i getting it right?
>
> brian
>>-----Original Message-----
>>Brian-
>>There is nothing inherently bad in site-linked GPOs,
> although I admittedly
>>don't see them used very often. Part of the challenge is
> that the process by
>>which a machine determines its site is not 100% reliable.
> That is, there are
>>circumstances which could be out of your control that
> could affect this,
>>such as availability or lack of proper DNS registrations,
> busy-ness of DCs
>>within a site, etc. So, given that, and given the
> downside of having a
>>client go to another site to grab a large Office install,
> you might be
>>better off using something more "deterministic". For
> example, if you can
>>reliably identify users in each location using a security
> group, you could
>>create a GPO that contains the applications you wish to
> deploy and then
>>permission each app for that site's security group. The
> package itself would
>>point to a install path on the local server for that
> site. Let me know if
>>that makes sense.
>>
>>Darren
>>
>>--
>>Darren Mar-Elia
>>MS-MVP-Windows Management
>>http://www.gpoguy.com
>>
>>
>>
>>"Brian Wilson" <anonymous@discussions.microsoft.com>
> wrote in message
>>news:3be301c47f16$70671b70$a401280a@phx.gbl...
>>> we have one domain which is broken down into 14 sites
>>> located around the country. how do i best install
>>> software gpos? do i create a site gpo for each of the
> 14
>>> sites? i have read that creating site gpos is a bad
> thing
>>> but i can not remember/figure out the reasoning behind
>>> this.
>>>
>>> software to be installed is office xp in some sites and
>>> office 2003 in others ( prefer assigned to the users )
> and
>>> adobe reader 6.0.1 ( prefer published to the users ).
> do
>>> not want to have software being installed across the wan
>>> where possible.
>>>
>>> thank you,
>>>
>>> brian
>>>
>>> ps...the link from the hub to each spoke is over a
>>> dedicated T1 vpn ( in most cases ). we have at least
> one
>>> dc in each site with 23 users to 200 users per site (
> most
>>> are 35 - 50 users per site ).
>>>
>>
>>
>>.
>>