/build/static/layout/Breadcrumb_cap_w.png

Pitfalls of AD/GPO software distribution

For quite some time, software distribution through Group Policies worked perfectly fine for our organization. Until about two days ago, when a whole list of applications got wiped out due to malfunctioning Global Catalog server. Local Security Authority process monopolized the CPU to a point of DoS. PCs could no longer see their group memberships, and every application configured to "Remove when computer falls out of scope", did exactly that, first thing in the morning when those PCs came online.

There was nothing catastrophic - Domain Controller was cold rebooted, PCs rebooted following that, and automatically reinstalled those apps. Other than the brief downtime and the 20 min's of embarrassment for IT while trying to figure out what was going on.

To prevent such things from happening in the future, we are now considering to leave apps on PCs falling out of scope of GPO, which is arguably a safer way of managing software.

Not to start up a flame against M$ and their evil ways, but I'd like to encourage you to share real life stories of the potential pitfalls and lessons learned, since many of us rely on ever-proliferating Active Directory for software distribution...

0 Comments   [ + ] Show comments

Answers (3)

Posted by: Bladerun 17 years ago
Green Belt
1
Old post, but I wanted to add some input here.

My organization encountered this problem today. Most of the 2600 or so machines in our office pulled off all group policy assigned apps off all machines that booted this morning. Aside from the inconvenience of that, we had exceptionally slow log in times as we have 4 redundant DC's that apparently don't like it when all client machines pull from them at once.

My thanks for the heads up revizor, I read this post long back and was able to quickly diagnose the problem. Rebooting the DC's fixed the issue, and rebooting the client machines allowed all of the applications to reinstall, but it was overall a very painful experience.
Posted by: ShakeDown1 16 years ago
Yellow Belt
1
We had a similiar problem other then with our 2000+ workstations we had this issue
http://blogs.msdn.com/spatdsg/archive/2007/03/07/pac-validation.aspx

All the apps removed due to a PAC error. Still no cause found the only fix was a patch that you have to request from microsoft which removes that PAC validation methods.

All our applications got removed and we are still recovering
Posted by: kkaminsk 19 years ago
9th Degree Black Belt
0
Never seen that happen yet but wow!
Rating comments in this legacy AppDeploy message board thread won't reorder them,
so that the conversation will remain readable.
 
This website uses cookies. By continuing to use this site and/or clicking the "Accept" button you are providing consent Quest Software and its affiliates do NOT sell the Personal Data you provide to us either when you register on our websites or when you do business with us. For more information about our Privacy Policy and our data protection efforts, please visit GDPR-HQ