
Large scale GPO deployment

One of the problems I'm looking at in this new job is how to handle large scale deployments. We have 4 or 5 apps that are used company wide that we need to update (i.e. redeploy via policy). The problem is that if we do that, we'll be upgrading 4k+ people at the same time, which will essentially halt all network traffic.

So the question becomes, what's a better way to do this? The obvious answer is to create groups in such a way as to allow for people to be upgraded in stages, but the issue then becomes, how do you get people from multiple groups & policies to a single group without redeploying (which is full circle on the problem)?

Anyone have any input on this or been faced with this before?


Answers (10)

Posted by: abritton 19 years ago
Senior Yellow Belt
0
Sorry if I'm a bit dense about this but...

Are you assigning to Users or Computers? Are your users / computers all in the same OU? (surely not). Can you not, therefore, assign the policy to individual OUs or groups until all Users / Computers have the software?
Posted by: Bladerun 19 years ago
Green Belt
0
The setup that I walked into on this job is that certain core apps are assigned to all domain computers or users, there is no separation by OU.

The rest of our apps are all assigned to their own groups within a single OU. We assign software by adding users/computers to those groups.


EDIT: To clarify, I need to upgrade some of the core apps.
Posted by: abritton 19 years ago
Senior Yellow Belt
0
I see!

Interesting question. I have often wondered if there was a way of 'moving' a software assignment from one policy to another, without causing a reinstallation.

What would happen if an additional GPO assigned the same software to the user/computer? Presumably it would not be installed again if it referenced the same MSI. That being the case, then presumably it would not be un-installed if the original assignment were then removed. If these presumptions were correct, then the assignment could be duplicated at a more granular level, then the original assignments removed.
Posted by: Bladerun 19 years ago
Green Belt
0
Interesting thought. I'll do some testing & report back when I can confirm or deny this.
Posted by: MSIMaker 19 years ago
2nd Degree Black Belt
0
One of the things we do a lot of is moving apps to the Enterprise level instead of business unit. This cuts down on having massive amounts of GPOs to monitor for change. If the app starts with say Retail at the BU level and then Sales want it, we move it to Enterprise level and remove it from the Sales BU without uninstalling it for the users. We then add it to Enterprise level and add a group from each BU to that Enterprise policy. Now the Retail ppl already have it so it doesn't reinstall and the Sales ppl get it on reboot.

If you place the app at the top domain level and ACL it to a software group then you can deploy to Business Unit level from there in a staged process to save on network saturation.
Posted by: Bladerun 19 years ago
Green Belt
0
So you create an Enterprise policy group, and then drop groups of users into that to deploy?

That brings up a good fundamental question. If I have an application assigned to all authenticated users, and I assign an additional new group to that application that has all users in it, and then remove the assignment to all authenticated users, will the app reinstall on users' machines?
Posted by: oofemioo 18 years ago
Blue Belt
0
I think as long as the GPO hasn't changed the application won't reinstall.

However if you do create a new GPO (which installs the same app. as a previous GPO) the application will be reinstalled.
Posted by: oofemioo 18 years ago
Blue Belt
0
Ilikebananas: Are you saying if an application has been deployed to be uninstalled when it falls out of the scope of management, the application won't be removed from the client?

Now if the application has been configured to be removed from the client when it falls out of the scope of management, won't the application be removed when the policy no longer applies? So when a new policy deploying the same app. is applied to the client, doesn't it make logical sense that the app. will be reinstalled?


According to MS, the only time an application won't reinstall is when the share location is still the same, application name is still the same and the path to the application is the same.

However I can confirm to you that if you remove the app. mgt. entry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\AppMgmt\..........) which tracks the deployed application from the registry, the application will be redeployed.
Posted by: BobTheBuilder 18 years ago
Purple Belt
0
In my experience as long as our groups are on the same level of the object tree, the apps shouldn't reinstall.

For example suppose you have several machine GPOs linked here:
forest|Domains|Domain_Name|Workstns|City_Name-wkstns|Type(ie laptop or desktop)
You should be able to move them here without an issue:
forest|Domains|Domain_Name|Workstns|City_Name-wkstns|NEW_Type(ie laptop or desktop)

But if you add an OU or move up one you can trigger a bunch of re-installations.
forest|Domains|Domain_Name|Workstns|City_Name-wkstns|NEW_OU|Type(ie laptop or desktop)

In my case I moved workstations from a development OU to a production OU and went up a level in the tree. That caused every core application to reinstall. A full reinstall.

forest|Domains|Domain_Name|Workstns|DEVELOPMENT|City_Name-wkstns|laptop

to

forest|Domains|Domain_Name|Workstns|City_Name-wkstns|laptop

Not pretty. This was with Machine Configuration not User Configuration. I'm not sure how it applies to user GPOs.

Oh one more thing, GPO linking has to be the same in both OUs except for those apps you want to change. I also use the built-in upgrade function by creating a new GPO for my new app and pointing it to the old GPO as an upgrade target. At machine login the old app uninstalls and the new one installs.
Posted by: revizor 18 years ago
Third Degree Blue Belt
0
We also assign apps through the single GPO high up in the OU hierarchy, and configure ACLs for computer groups.
For the company-wide stage roll-outs, we normally take the reverse approach: assign the application to the Domain Computers, and do a Deny on the stage roll-out group. The stage roll-out group essentially is populated with the list of all of the PCs inside the company. As the roll-out progresses, we remove the PCs out of the staged group.
The advantage of this approach is that the new PCs, when they come online, are automatically assigned the software, so you don't have to search for the newly built PCs one month down the road. Plus you get a better perception of what it would take to complete the roll-out.

As far as the question of falling out of the scope of the software package, and then getting into the scope - the application will not get uninstalled & reinstalled, unless you specify to remove the application when it falls out of the scope...
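
The Deny-group roll-out described in the post above can be released in fixed-size waves. The following is an added example, not part of the original thread; the group name, wave size and log path are hypothetical, and it assumes the ActiveDirectory PowerShell module (RSAT) is installed.

```powershell
# Added example: release the next wave of PCs from the "hold" (Deny) group.
# Group name, wave size and log path are hypothetical placeholders.
Import-Module ActiveDirectory

$HoldGroup = 'SW-CoreApp-Hold'      # hypothetical: group denied "Apply group policy" on the software GPO
$WaveSize  = 200                    # machines released per run
$LogPath   = '.\coreapp-waves.csv'  # audit trail of what was released and when
$DryRun    = $true                  # set to $false to actually change membership

# Computers still held back; ignore any users or nested groups in the group.
$pending = @(Get-ADGroupMember -Identity $HoldGroup |
    Where-Object { $_.objectClass -eq 'computer' })

if ($pending.Count -eq 0) {
    Write-Output "Roll-out complete: no computers left in $HoldGroup."
    return
}

# Sort before selecting so a re-run after a failure picks the same machines
# instead of an arbitrary new set.
$wave = @($pending | Sort-Object Name | Select-Object -First $WaveSize)

# With -WhatIf the cmdlet only reports what it would remove.
Remove-ADGroupMember -Identity $HoldGroup -Members $wave `
    -Confirm:$false -WhatIf:$DryRun

if (-not $DryRun) {
    # Record the released machines so a wave can be traced or re-added later.
    $wave |
        Select-Object @{ n = 'Released'; e = { Get-Date -Format s } },
                      Name, distinguishedName |
        Export-Csv -Path $LogPath -Append -NoTypeInformation
}

Write-Output ("{0} selected for release, {1} still held" -f
    $wave.Count, ($pending.Count - $wave.Count))
```

A computer picks up its changed group membership at its next restart, and computer-assigned software installs at startup, so each wave installs over the following reboots rather than at the moment the script runs. `Get-ADGroupMember` is subject to the AD Web Services result limit (5,000 members by default), which matters if the hold group is larger than that.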