Systems Management

Creating new policies hurts performance a bit. Just add the new version into the same policy, make sure it's set to update (replace), and off you go.
When comfortable, you can delete the old version out of the policy...

Cheers revizor. This raises another question though. I've already got a group policy for flash player 9 deployed to about 3000 computers. Say I choose to add flash player 10 to this like you've suggested and despite my testing there is a problem and its hanging on 50% of the computers. That's a lot of computers with problems.

I guess what I'm saying is despite all the testing in the world I wouldn't want to deploy any app or update to everyone at once. How do you handle this? I'm aware you can use security groups etc but if I suddenly change the permissions on my existing GPO to only apply to one office, will this affect the rest of the offices that still have only version 9 installed deployed through the original GPO?

This wasn't a problem when I installed v9 first time around because I linked the GPO to the office when I was ready. I spose I could go around disabling or unlinking the offices but again I don't know what affect that would have on the ones that already had this software deployed.

Cheers for your help matey!

How do you handle this? Having been at sites which used both, I'd say the 'New policy' route is the most flexible. It allows you to trickle-feed your updates to a restricted audience and gauge its efficacy without endangering the entire OU. Sure it takes longer because the old version has to be removed first but how often do such updates occur? Your users are already all too familiar with the delay while software gets installed by GP so what's another few minutes?

You can apply ACLs to entire GPOs, as well as to the individual packages, meaning you can stage roll-out of a package by configuring ACLs on the given assigned package to only be available to members of a certain group. Bear in mind that the policy ACL is processed first, and those objects that see into the GPO then process package ACL (standard share and NTFS permissions do apply afterwards, but I do not recommend filtering through file system or share permissions, as it will generate unnecessary errors in the application log for the computers/users).
I would, in your case, add upgrade for Flash into an existing policy and go into package properties > Security, and do editting of permissions there, making the new package available to the roll-out group only. You have the flexibility of populating the group gradually, and once you hit everyone, you can "flip" the ACL to "Domain Computers", or whatever you intended target audience would be...