[gptalk] Re: Domain User account and GP processing

  • From: "Darren Mar-Elia" <darren@xxxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Thu, 5 Jun 2008 06:46:58 -0700

John-
I'm a little confused about what this sw. distribution product is doing as
it relates to GP but here goes:

1. If group membership changes, that constitutes a change in the list of
GPOs that apply and so yes, GP would process. 
2. I'm not sure I know what you mean by "using AD to resolve policy". What
policy? GP?
3. There is a maximum size to a process token. Don't remember it now but at
40 groups, you are probably not hitting it. However, performance does
degrade the more groups you have to resolve and evaluate when hitting
resources.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of John Bateman
Sent: Thursday, June 05, 2008 1:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Domain User account and GP processing

Hi.

Say we have a software distribution product which uses AD for policy
resolution. So for example, if we wanted a particular machine to have a
certain piece of software, we simply add it to an AD group which has the
software policy assigned to it and away it goes. We can also do this with
users (so a user can be put into an AD group), however it is a little
different. In this instance we have the idea of mandatory and optional
software. If we assign a policy to an AD group and give it the attribute of
optional, the user can install if they wish but it will not be forced. As
all users are part of the Domain Users group, if, say, a piece of software was
packaged that all staff could install, but would be optional, then an AD
group would be created and the Domain Users group would be added to the group.
This has led to quite a number of AD groups and as users are all part of
Domain Users then they also belong to these groups (at least 40). Computer
accounts are not part of nearly as many. 

Please note: we do not use GP software distribution, we have a product we
use.

Now my questions:

1. Assuming that no AD groups are changed for a day nor are any group policy
objects. If a user logs in, policy processing does not occur as it does not
detect any changes in GPO or group membership (or WMI filters). If we then
add Domain Users to a new AD group, processing would then occur on the next
login, correct?

2. Is this a common scenario with software distribution products that use AD
to resolve policy?

3. Is there a maximum number of groups it is generally accepted a user
should (rather than could) be part of that would not impact login
performance?

cheers



***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************
