Excuse my ignorence but what is the best way to install a newer version of a program using Group Policy? For example, we have already deployed Adobe Flash Player 9 Active X and now I have version 10 that I want to deploy. Do I just create a new group policy and remove the old one? I ask because I notice there is an Upgrades tab when you create a new Group Policy Software Installation and you have the option to Add "Packages that this package will upgrade". I've never used this option so not sure if I should be.

Hope you can help.

0 Comments   [ + ] Show Comments


Please log in to comment

Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.


Creating new policies hurts performance a bit. Just add the new version into the same policy, make sure it's set to update (replace), and off you go.
When comfortable, you can delete the old version out of the policy...
Answered 12/22/2008 by: revizor
Third Degree Blue Belt

Please log in to comment
Cheers revizor. This raises another question though. I've already got a group policy for flash player 9 deployed to about 3000 computers. Say I choose to add flash player 10 to this like you've suggested and despite my testing there is a problem and its hanging on 50% of the computers. That's a lot of computers with problems.

I guess what I'm saying is despite all the testing in the world I wouldn't want to deploy any app or update to everyone at once. How do you handle this? I'm aware you can use security groups etc but if I suddenly change the permissions on my existing GPO to only apply to one office, will this affect the rest of the offices that still have only version 9 installed deployed through the original GPO?

This wasn't a problem when I installed v9 first time around because I linked the GPO to the office when I was ready. I spose I could go around disabling or unlinking the offices but again I don't know what affect that would have on the ones that already had this software deployed.

Cheers for your help matey!
Answered 12/23/2008 by: cellardoor
Senior Yellow Belt

Please log in to comment
How do you handle this? Having been at sites which used both, I'd say the 'New policy' route is the most flexible. It allows you to trickle-feed your updates to a restricted audience and gauge its efficacy without endangering the entire OU. Sure it takes longer because the old version has to be removed first but how often do such updates occur? Your users are already all too familiar with the delay while software gets installed by GP so what's another few minutes?
Answered 12/24/2008 by: VBScab
Red Belt

Please log in to comment
You can apply ACLs to entire GPOs, as well as to the individual packages, meaning you can stage roll-out of a package by configuring ACLs on the given assigned package to only be available to members of a certain group. Bear in mind that the policy ACL is processed first, and those objects that see into the GPO then process package ACL (standard share and NTFS permissions do apply afterwards, but I do not recommend filtering through file system or share permissions, as it will generate unnecessary errors in the application log for the computers/users).
I would, in your case, add upgrade for Flash into an existing policy and go into package properties > Security, and do editting of permissions there, making the new package available to the roll-out group only. You have the flexibility of populating the group gradually, and once you hit everyone, you can "flip" the ACL to "Domain Computers", or whatever you intended target audience would be...
Answered 12/26/2008 by: revizor
Third Degree Blue Belt

Please log in to comment
Answer this question or Comment on this question for clarity