installing software via Site GPO?

Brian Wilson

we have one domain which is broken down into 14 sites
located around the country. how do i best install
software gpos? do i create a site gpo for each of the 14
sites? i have read that creating site gpos is a bad thing
but i can not remember/figure out the reasoning behind
this.

software to be installed is office xp in some sites and
office 2003 in others ( prefer assigned to the users ) and
adobe reader 6.0.1 ( prefer published to the users ). do
not want to have software being installed across the wan
where possible.

thank you,

brian

ps...the link from the hub to each spoke is over a
dedicated T1 vpn ( in most cases ). we have at least one
dc in each site with 23 users to 200 users per site ( most
are 35 - 50 users per site ).
 
Darren Mar-Elia

Brian-
There is nothing inherently bad in site-linked GPOs, although I admittedly
don't see them used very often. Part of the challenge is that the process by
which a machine determines its site is not 100% reliable. That is, there are
circumstances which could be out of your control that could affect this,
such as availability or lack of proper DNS registrations, busy-ness of DCs
within a site, etc. So, given that, and given the downside of having a
client go to another site to grab a large Office install, you might be
better off using something more "deterministic". For example, if you can
reliably identify users in each location using a security group, you could
create a GPO that contains the applications you wish to deploy and then
permission each app for that site's security group. The package itself would
point to an install path on the local server for that site. Let me know if
that makes sense.

Darren
 
Brian Wilson

i think that i understand what you are saying.

i should still create the gpo at the site level but use
group filtering ( get rid of the authenticated users and
use that security group ). the software distribution
folder would naturally reside on the dc in each site so
that there are no wan links in play.

am i getting it right?

brian
 
Darren Mar-Elia

Actually I was suggesting linking the GPO to the domain or OU (whichever is
most appropriate) and let the security group filtering drive the delivery of
the app based on their location rather than the user's site location. For
example, let's say I have three sites: New York, Denver and Seattle. I would
create three user groups:

New York Users
Denver Users
Seattle Users

Put users from each site into those groups and then permission the
individual packages within a GPO according to the groups like this:

My Software Deployment GPO:

Office XP (Denver) -- Path: \\denverserver\packages\officexp\setup.msi --
Permissions: Denver Users (Read)
Office XP (NY) -- Path: \\nyrserver\packages\officexp\setup.msi --
Permissions: NY Users (Read)
Office XP (Seattle) -- Path: \\denverserver\packages\officexp\setup.msi --
Permissions: Seattle Users (Read)

The key to this is that you can reliably predict that users don't move
around a lot and that they can easily be identified in each location. If you
were to use site linked GPOs, then you get issues with users moving around
and falling out of the scope of a site-linked GPO, thus causing potential
uninstall-reinstall issues with apps.

Hope that clarifies it.
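
Added example (not part of the original posts): a small Python check of the group-filtered layout described in the reply above, run over the three package rows as posted. It reports users who are not in exactly one site group and packages whose UNC source is not the server assumed for the group that can read them. The one-server-per-site map, the host name `seattleserver`, and the sample users are constructed assumptions.

```python
import re

# Assumption: one package server per site. "seattleserver" is a constructed
# name; the other two hosts appear in the thread's package paths.
SITE_SERVER = {"NY Users": "nyrserver", "Denver Users": "denverserver",
               "Seattle Users": "seattleserver"}

# Package rows as posted in the thread: (name, UNC path, group with Read).
PACKAGES = [
    ("Office XP (Denver)", r"\\denverserver\packages\officexp\setup.msi", "Denver Users"),
    ("Office XP (NY)", r"\\nyrserver\packages\officexp\setup.msi", "NY Users"),
    ("Office XP (Seattle)", r"\\denverserver\packages\officexp\setup.msi", "Seattle Users"),
]

# Constructed sample users and their site-group memberships.
USERS = {"alice": {"Denver Users"}, "bob": {"NY Users"},
         "carol": {"Seattle Users"}, "dave": {"Denver Users", "NY Users"},
         "erin": set()}

def unc_host(path):
    """Return the lowercase server name of a UNC path, or None if not UNC."""
    m = re.match(r"^\\\\([^\\]+)\\", path)
    return m.group(1).lower() if m else None

def delivered(groups):
    """Packages a user can read, i.e. the ones security filtering delivers."""
    return [p for p in PACKAGES if p[2] in groups]

def audit(users=USERS):
    """Return sorted (user, finding) pairs for deployments that break the plan."""
    findings = []
    for user, groups in users.items():
        site_groups = groups & set(SITE_SERVER)
        if len(site_groups) != 1:
            findings.append((user, f"in {len(site_groups)} site groups, expected 1"))
        for name, path, group in delivered(groups):
            if unc_host(path) != SITE_SERVER[group]:
                findings.append((user, f"{name} installs over the WAN from {unc_host(path)}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit():
        print(f"{user}: {finding}")
```
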
 
