[gptalk] Domain User account and GP processing

  • From: "John Bateman" <prankmonkey@xxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jun 2008 18:58:43 +1000


Say we have a software distribution product which uses AD for policy
resolution. So for example, if we wanted a particular machine to have a
certain piece of software, we simply add it to an AD group which has the
software policy assigned to it and away it goes. We can also do this with
users (so a user can be put into an AD group), however it is a little
different. In this instance we have the idea of mandatory and optional
software. If we assign a policy to an AD group and give it the attribute of
optional, the user can install if they wish but it will not be forced. As
all users are part of the Domain Users group, if, say, a piece of software was
packaged that all staff could install, but would be optional, then an AD
group would be created and the Domain Users group would be added to the group.
This has led to quite a number of AD groups and as users are all part of
Domain Users then they also belong to these groups (at least 40). Computer
accounts are not part of nearly as many. 

Please note: we do not use GP software distribution, we have a product we

Now my questions:

1. Assume that no AD groups are changed for a day, nor are any group policy
objects. If a user logs in, policy processing does not occur as it does not
detect any changes in GPO or group membership (or WMI filters). If we then
add Domain Users to a new AD group, processing would then occur on the next
login, correct?

2. Is this a common scenario with software distribution products that use AD
to resolve policy?

3. Is there a maximum number of groups it is generally accepted a user
should (rather than could) be part of that would not impact login

