What is your primary method of deploying software with Group Policy?

Microsoft may recommend a small number of GPOs be assigned to machines/users for performance reasons. However, I have seen a few dozen GPOs assigned to a machine with minimal impact. How do you do it?

Answers (18)

Posted by: DBrands 18 years ago
Senior Yellow Belt
Our deployment is based on user assignment. All our users should be able to log on everywhere they can without having to miss applications needed for their work. We use one application per GPO so we can have more flexibility, because most users are unique qua software. We know about the limit Microsoft tells us but haven't encountered it yet ... except for one time in the test phase. One specific user got around 70 policies and none of them were applied. We worked our way back to around 50 until it suddenly worked.

Personally I don't think we're using the most usable method, so I would like to hear from you guys how you are handling it.

Posted by: dbaldwin 18 years ago
Senior Yellow Belt
We assign applications to the machine because assigning them to the user would take too long at logon for repackaged applications (unless you re-architected them correctly). Depending on the application it may be the only one in the GPO or, like our Base Computer Configuration Policy, it might have 12 applications assigned to Authenticated Users. We have all of our computers in one OU which has about 185 GPO's filtered by the group security of the computer. My computer belongs to 27 groups. This keeps the group membership of the user (allowing them access to resources) separate from the group membership of their machine (allowing them access to software). That's my take anyway. Thanks. DB.

Posted by: brianpmorris 17 years ago
Yellow Belt
We use one GPO that contains multiple applications, which deploys to the computer based on its security group membership. We then use RIS to build the PC, and a script applied to the machine dependent on its OU adds the workstation to a variety of security groups, which then installs the applications as required.

Posted by: rasmsn3 17 years ago
Yellow Belt
Currently we have a managed computers OU which contains OU's that are labeled after asset tags.

OU 000 to 099
OU 100 to 199

and so on. We use RIS to install a CD-based image, and the asset tag OU's apply default software that everyone gets. We then apply all optional software at the computers_managed OU and it is filtered by group. We originally went with this structure to limit network utilization when updating an app that was on everyone's machine (we do it by groups of 100 machines). This further limits bandwidth usage because machines in each 100 group can be on 1 of 25 subnets.

Posted by: MSIMaker 17 years ago
2nd Degree Black Belt
I work for a bank with 30,000 users and we use DFS and Group Policy to handle deployment of software. Our users have both desktops and laptops and tend to roam a bit. Our business units have their own OU in both the User domain and Machine domain.

Depending on the business stream we tend to cater for roaming users but try to machine deploy where possible.

We use an Enterprise policy for the Winzips and Adobe Reader type apps that everyone gets and then create GPO's for each stream.

User based software and settings comes from the User OU and the rest from the other domain.

We have a lot of GPO's and while this method works well... we have had to monitor it for lag in logging in etc.

Posted by: greenmagnet 17 years ago
Senior Yellow Belt
Hi MSI Maker!

I've just started with an organisation about 2/3rds the size of yours and we're currently debating the merits of GPO based software deployment. Rumours abound of the inability of GPO deployment to scale that far. A couple of questions if I may:

How many GPOs do you have and how many packages within each?
From your other posts I gather you have slow links. How slow are your slow links and how many sites are on those slow links?
Do you force reboots on your users to get the apps to install and if so how?

Posted by: oofemioo 17 years ago
Blue Belt
I work in a bank where the previous outsourcing coy. deployed several applications using one GPO.

The above scenario doesn't scale properly and it also inhibits troubleshooting because once you remove a pc from the group applying the GPO, all applications the GPO deploys get removed.

I'd stick with one app. per GPO.

Posted by: bkelly 17 years ago
Red Belt
Just kicking this post to the top so our new members will see it. Interesting results so far - how do you do it?

Posted by: kkaminsk 17 years ago
9th Degree Black Belt
I worked at a site last summer that did all software via two GPOs. One for machines the other was for users. There were about 6,000 users and it seemed stable.

Posted by: Sweede 17 years ago
Second Degree Green Belt
I work with One primary OU and one Test OU

I have 150 GPO's on my primary OU, mostly as computer packages

Deployment option:
Uninstall when it falls out of scope

I have only a few user packages; I use these to apply user settings when they are needed.

I have one GPO where I add security by adding folders if a package needs permission to a specific folder or file

Mostly I have one application package per GPO

We have a web-based system where we can type a user's initials or name and thereby see which computers he is the owner of

We have made a system that prompts the user if he logs on to a computer where he has not been logged on before and asks if he is the primary user. The same system collects information about BIOS version, disk space and so on, and stores it in a SQL table.

Thereby we can easily manage which computer name to add to one specific GPO appGroup.

Most of our GPO are added to Authenticated Users and therefore applied when computer is Installed by RIS

We have about 750 Computers and Users

Posted by: sejacru 16 years ago
Second Degree Blue Belt
Hello bkelly,

We use IBM Director (Remote Deployment Manager) to push a sysprepped image (per type of machine) to the workstation. The workstations use PXE boot to connect to the RDM server, where they register themselves. We make a dynamic group where we put all computers from one department. You can also drag and drop a task (let's say the task `image`) onto a dynamic group. Normally this is unicast, but we replaced some files so now we have multicast. When the computers connect to the server the GPO is activated. We have one GPO with all the basic software applications our users need: Adobe Acrobat Reader, Office 2003, some fonts, Trend Micro etc. This GPO is installed on every computer. We have about 2300 PCs and notebooks. After this is done the other GPO takes effect. We have one software package per GPO. We started with this in January, so over 1 year we have about 750 GPOs.

greetings sejacru

Posted by: revizor 16 years ago
Third Degree Blue Belt
1 GPO, 140 Apps, all assigned to computers. ACLs set up for software distribution groups. Works like a charm.
The policy does contain some user settings, mainly pre-configuration for apps, removal of annoyances, and the things I was too lazy to set up self-healing (HKCUs) for.

What scares me the most is that for some reason someone deletes that GPO or some major security group - this will definitely be hell breaking loose for us.

Is there a hard limit on the # of packages one can put into a single GPO?

Posted by: sejacru 16 years ago
Second Degree Blue Belt
1 GPO for all your applications is pretty scary to me. I don't know if there is a limit, but I have heard that when you put a lot of apps in one GPO, the workstations get slow when processing the GPO. Do you know if this is correct?

greetings sejacru

Posted by: revizor 16 years ago
Third Degree Blue Belt
Apparently we aren't at that point yet. Actually the consensus is that consolidation of group policies is less taxing than branching off multiple policies, as there's overhead for policy processing...

We used to have 5-7 GPOs for just software deployments, and, oh boy, we were happy to bring those all under one roof. Makes management of those easier.

Once again, no noticeable performance degradation...

Posted by: Bladerun 16 years ago
Green Belt
Same here. 1 GPO, roughly 280 packages assigned within it (25% computer, 75% user).

No significant lag that we've observed.

And it blows me away that some people here have 150+ gpo's in a single OU. Our server architects instilled in me a borderline psychotic paranoia about exceeding the recommended 10 GPO's per user.

Currently no user in our domain has more than 10 GPO's assigned to them. If you guys are telling me that you've got 150 w/ little to no lag, then that may soon change ;)

Posted by: AngelD 16 years ago
Red Belt
I think that having 1 application per GPO was a good choice before "Assigned Software Sequence Manager" was invented to manage in which order the applications should be installed through Active Directory.

Now best practise would be to have either all user and machine deployment in one GPO or separate them into two GPOs and use ASSM to sort that task, as we do to make management easier.

Posted by: IanE 16 years ago
Senior Yellow Belt
OK I'm curious....

I've never worked with user-targeted applications so this might be a stupid question... If a user logs into a machine with a large-ish app assigned to them, does it install at login? Then does it uninstall at logoff? Does this not make for huge login times...?

As far as our deployments go, we assign (as a rule) 1 MSI per computer-GPO. The most GPOs we have assigned to an OU is 40, but I'm going to look at rationalising this soon as we're getting close to this 50 'limit' and it's the annual software deployment funday......

Posted by: WiseMonkey3 18 years ago
Senior Yellow Belt
This is what I like to do for managing applications easily in an AD enviro.
I create 1 GPO for Workstation Assigned Apps , and 1 GPO for Apps that are going to be assigned or published to the user.
This way you can quickly see & Manage all the apps that are going to be forced onto workstations in one GPO. (ie; the GPO for workstation apps will have a list under the "Computer Configuration - Software Settings - Software Installation". And the User Apps GPO will be listed under "User Configuration - Software Settings - Software Installation").
These 2 GPO's don't have any other Group Policy settings, just the software installation with all the apps for the OU. I have placed around 300 apps, mainly published, to the User GPO, and around 17 assigned apps for the Workstation GPO, and had no probs other than it takes a little bit to load all the apps when viewing the User ones.

WiseMonkey 3 (:O)