For quite some time, software distribution through Group Policies worked perfectly fine for our organization. Until about two days ago, when a whole list of applications got wiped out due to a malfunctioning Global Catalog server. The Local Security Authority process monopolized the CPU to the point of DoS. PCs could no longer see their group memberships, and every application configured to "Remove when computer falls out of scope" did exactly that, first thing in the morning when those PCs came online.

There was nothing catastrophic - the Domain Controller was cold rebooted, PCs rebooted following that, and automatically reinstalled those apps. Other than the brief downtime and the 20 minutes of embarrassment for IT while trying to figure out what was going on.

To prevent such things from happening in the future, we are now considering leaving apps on PCs falling out of scope of GPO, which is arguably a safer way of managing software.

Not to start up a flame against M$ and their evil ways, but I'd like to encourage you to share real-life stories of the potential pitfalls and lessons learned, since many of us rely on ever-proliferating Active Directory for software distribution...


Never seen that happen yet but wow!
Answered 10/06/2005 by: kkaminsk
Ninth Degree Black Belt

Old post, but I wanted to add some input here.

My organization encountered this problem today. Most of the 2600 or so machines in our office pulled all group policy assigned apps off all machines that booted this morning. Aside from the inconvenience of that, we had exceptionally slow login times as we have 4 redundant DCs that apparently don't like it when all client machines pull from them at once.

My thanks for the heads-up, revizor. I read this post long back and was able to quickly diagnose the problem. Rebooting the DCs fixed the issue, and rebooting the client machines allowed all of the applications to reinstall, but it was overall a very painful experience.
Answered 01/10/2007 by: Bladerun
Green Belt

We had a similar problem, other than with our 2000+ workstations we had this issue

All the apps were removed due to a PAC error. Still no cause found; the only fix was a patch that you have to request from Microsoft which removes those PAC validation methods.

All our applications got removed and we are still recovering.
Answered 04/22/2008 by: ShakeDown1
Yellow Belt
