[gptalk] Re: Domain User account and GP processing

  • From: "John Bateman" <prankmonkey@xxxxxxxxx>
  • To: <gptalk@xxxxxxxxxxxxx>
  • Date: Fri, 6 Jun 2008 02:54:53 +1000

Hi Darren,

Thanks for the replies.

I guess the relationship between the product and group policy is to do with
the Domain Users account. The software distribution tool relies on AD to
resolve policy on what software users can install. There are essentially two
ways for users to be assigned software: add domain users to an AD group and
assign the software policy to the AD group, or add the policy to the top of
the OU where the user accounts reside. Currently we do the former, adding
Domain Users to a whole lot of AD groups. Subsequently this means all users
are part of a whole lot of groups. Say for instance we don't touch group
policy or AD. Users log in and process policy. Once this is done they
shouldn't process policy unless group membership changes. If we add Domain
Users to a group, everyone processes policy again as they have been added to
another group. This could all be avoided if they added the policy to the top
of the user account OU, as in essence policy resolution is being done on the
software distribution server.

A little convoluted but thanks for your reply anyway. I have a suspicion
what I've tried to explain (rather poorly :p) is happening and causing
policy to be processed rather more often than it should, which may be an
additional factor in the longer than usual login times I asked about a month
or two ago.

cheers

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Darren Mar-Elia
Sent: Thursday, 5 June 2008 11:47 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: Domain User account and GP processing

John-
I'm a little confused about what this sw. distribution product is doing as
it relates to GP but here goes:

1. If group membership changes, that constitutes a change in the list of
GPOs that apply and so yes, GP would process. 
2. I'm not sure I know what you mean by "using AD to resolve policy". What
policy? GP?
3. There is a maximum size to a process token. Don't remember it now but at
40 groups, you are probably not hitting it. However, performance does
degrade the more groups you have to resolve and evaluate when hitting
resources.

Darren

-----Original Message-----
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of John Bateman
Sent: Thursday, June 05, 2008 1:59 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Domain User account and GP processing

Hi.

Say we have a software distribution product which uses AD for policy
resolution. So for example, if we wanted a particular machine to have a
certain piece of software, we simply add it to an AD group which has the
software policy assigned to it and away it goes. We can also do this with
users (so a user can be put into an AD group), however it is a little
different. In this instance we have the idea of mandatory and optional
software. If we assign a policy to an AD group and give it the attribute of
optional, the user can install if they wish but it will not be forced. As
all users are part of the Domain Users group if say a piece of software was
packaged that all staff could install, but would be optional, then an AD
group would be created and Domain Users group would be added to the group.
This has led to quite a number of AD groups, and as users are all part of
Domain Users they also belong to these groups (at least 40). Computer
accounts are not part of nearly as many.

Please note: we do not use GP software distribution, we have a product we
use.

Now my questions:

1. Assuming that no AD groups are changed for a day nor are any group policy
objects. If a user logs in, policy processing does not occur as it does not
detect any changes in GPO or group membership (or WMI filters). If we then
add Domain Users to a new AD group, processing would then occur on the next
login correct?

2. Is this a common scenario with software distribution products that use AD
to resolve policy?

3. Is there a maximum number of groups it is generally accepted a user
should (rather than could) be part of that would not impact login
performance?

cheers
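The two things the thread asks about (how many groups a user's logon token actually carries, and whether Group Policy really did a full pass at the last logon) can both be checked from the client. The following PowerShell is an added example for this thread, not code posted by either participant or shipped with any product. It assumes a domain-joined Windows client with the .NET DirectoryServices classes (present on Vista/2008 and later, no RSAT needed), that the Group Policy operational event log exists (Vista/2008 and later), and that the account name `jbateman` is a placeholder. The default token size limit Darren refers to was 12000 bytes (MaxTokenSize) on the Windows versions current at the time of this thread; the group count reported below is the number that limit has to accommodate.

```powershell
# Added example for the gptalk thread above; not part of the original posts.
# Assumptions: domain-joined Windows, .NET System.DirectoryServices available,
# Group Policy operational log present. 'jbateman' is a placeholder account.

# 1. Groups present in the current interactive logon token.
#    This is the list that counts toward the token size limit: domain groups
#    (nested ones resolved), plus well-known and local SIDs.
function Get-TokenGroupCount {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $names = foreach ($sid in $id.Groups) {
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID (e.g. deleted group) is still in the token
    }
    [pscustomobject]@{
        User   = $id.Name
        Count  = @($names).Count
        Groups = $names
    }
}

# 2. Transitive AD group membership of any account, as the DC computes it.
#    tokenGroups is a constructed attribute, so it must be requested
#    explicitly via RefreshCache; it is not returned by a plain search.
function Get-TransitiveGroupCount {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw "Account '$SamAccountName' not found in the default naming context" }
    $entry = $result.GetDirectoryEntry()
    $entry.RefreshCache([string[]]@('tokenGroups'))
    $sids = foreach ($raw in $entry.Properties['tokenGroups']) {
        New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $raw, 0
    }
    [pscustomobject]@{
        Account          = $SamAccountName
        TransitiveGroups = @($sids).Count
        Sids             = $sids
    }
}

# 3. Did the last logon actually process user policy, and which GPOs applied?
#    4001 = start of user logon policy processing, 8001 = successful end,
#    5312 = list of applicable GPOs (event IDs of the GP operational log).
function Get-LastUserPolicyProcessing {
    param([int]$MaxEvents = 30)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-GroupPolicy/Operational'
        Id      = 4001, 8001, 5312
    } -MaxEvents $MaxEvents -ErrorAction Stop |
        Select-Object TimeCreated, Id, Message
}

# Usage (run as the user whose logon you are investigating):
$token = Get-TokenGroupCount
"{0}: {1} groups in logon token" -f $token.User, $token.Count
$ad = Get-TransitiveGroupCount -SamAccountName 'jbateman'
"{0}: {1} transitive AD groups" -f $ad.Account, $ad.TransitiveGroups
Get-LastUserPolicyProcessing | Format-Table -AutoSize -Wrap
```

Comparing the first two numbers shows how many of the token entries are well-known or machine-local SIDs versus domain groups; if the AD count climbs every time another group gets Domain Users added to it, that is the membership change that forces the full policy pass John describes, and the 4001/8001 pair in the operational log (together with `gpresult /r`, which reports when policy was last applied) confirms whether a full pass ran at the logon in question rather than being skipped as unchanged.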



***********************
You can unsubscribe from gptalk by sending email to
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by
logging into the freelists.org Web interface. Archives for the list are
available at http://www.freelists.org/archives/gptalk/
************************
