
It has been claimed by some that:

Microsoft Active Directory along with Group Policy Object support for software distribution is everything a customer needs to manage workstations.

Here we will discuss that further.

First let us share two documentation links – fresh from the Microsoft Windows Server 2003 documentation:

Who better to answer our question than Microsoft themselves? So, quoting the GM of the Microsoft SMS team, Brad Anderson, from his joint blog on the merits of AD/GPO versus Microsoft Systems Management Server:

1. Lots of geo locations – GPO customers will need DFS/FRS to replicate content around to those locations to move package sources. SMS does this natively, and the way SMS moves the bits is centrally controlled and the status of that is integrated into the full solution.
2. Laptops – with BITS, the traffic to/from the client can be throttled based upon NIC traffic.
3. Targeting – GP only targets on AD object. SMS can target at these, plus any inventory attribute, in an “anded” way.
4. Scheduling – GP installs when the client checks policy – SMS is completely scheduled for sw dist – including offline when doing download and execute.
5. Status – the ability to track success/failure of sw installs is not possible in GP.
6. Non-MSI content – much easier to deliver anything with SMS. GP has to be MSI or ZAP’d.
7. Patch deployment – all the patch deployment and compliance that’s natively integrated with SMS. Not sure how you’d even do that in GP without inventory.
8. Versioning – Over time when using GPO’s for software distribution, versioning becomes an increasingly messy situation especially with a lot of apps and especially if you need to pilot prior to full rollout. You typically end up with an ever increasing number of GPO’s, ACL’ed by complex sets of groups, and frequently attached to expanding sets of OU’s.
9. Danger of catastrophe – If software GPO’s have a wide scope and use group ACL’s for targeting, a minor mistake can have catastrophic consequences. My customer had an administrator accidentally delete the wrong group and the next morning, several thousand workstations uninstalled all their applications at bootup, since they were no longer in that GPO’s scope of application. (note – then again, with any 1-many action, lack of good testing and process can result in this. You would not BELIEVE how many customers have accused SMS over the years of spreading viruses that they embedded in their packages!!)

Effectively nine reasons not to use Active Directory with GPO for software distribution. Nice reasoning, guys.
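Points 8 and 9 above describe something an administrator can actually check for: software installation GPOs that are linked in many places and whose scope depends on a security group rather than on Authenticated Users. The audit script below is added here as an illustration and is not from Brad Anderson's blog or from Microsoft; it assumes the RSAT GroupPolicy module is installed and that the account running it can read every GPO in the domain. Matching the software installation extension by its namespace string in the Get-GPOReport XML output, and treating "linked more than once and not applied to Authenticated Users" as the risky combination, are both assumptions made for this example rather than documented rules.

```powershell
# Added example, not part of the original post. Lists every GPO that carries
# Software Installation settings, where it is linked, and who it applies to.
Import-Module GroupPolicy

# Namespace used by the Software Installation client-side extension in the XML
# report. Matching on it as a substring is an assumption about the report
# format, not a documented schema contract.
$swInstallNs = 'http://www.microsoft.com/GroupPolicy/Settings/SoftwareInstallation'

function Get-SoftwareInstallGpoAudit {
    foreach ($gpo in Get-GPO -All) {
        [xml]$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
        if ($report.OuterXml -notlike "*$swInstallNs*") { continue }   # no software deployment here

        # Every site/domain/OU the GPO is linked to (enabled or disabled links alike)
        $links = @($report.GPO.LinksTo | ForEach-Object { $_.SOMPath })

        # Trustees that hold "Apply Group Policy"; if this is a single group rather
        # than Authenticated Users, deleting that group empties the GPO's scope,
        # which is the failure described in point 9.
        $applyTo = @(Get-GPPermission -Guid $gpo.Id -All |
            Where-Object { $_.Permission -eq 'GpoApply' } |
            ForEach-Object { $_.Trustee.Name })

        $groupFiltered = ($applyTo -notcontains 'Authenticated Users')
        $risk = if ($links.Count -gt 1 -and $groupFiltered) { 'Review' } else { 'Info' }

        [pscustomobject]@{
            Name      = $gpo.DisplayName
            Id        = $gpo.Id
            LinkCount = $links.Count
            LinkedTo  = ($links -join '; ')
            AppliesTo = ($applyTo -join '; ')
            Risk      = $risk
        }
    }
}

# Usage: widest-scoped, group-filtered software GPOs float to the top.
Get-SoftwareInstallGpoAudit |
    Sort-Object Risk, LinkCount -Descending |
    Format-Table Name, LinkCount, AppliesTo, Risk -AutoSize
```

For each GPO flagged "Review", the setting worth checking in the Group Policy Management Editor is the package's deployment option "Uninstall this application when it falls out of the scope of management": with it enabled, a filtering mistake removes the software on the next boot, which is exactly the scenario in point 9.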

Now some more commentary from Microsoft:

We’ve had big customers (100K seats +) try to do GPO for sw distribution over the years, and they’re all now moving off of that and to SMS 2003. Frankly, most customers tried using GPOs not because they wanted to, but because they didn’t trust SMS 2.0 to do the job. With SMS 2003, that’s all changed.

Now, this is NOT to say that you can’t use GPO for software distribution in certain situations – it’s really optimized for customers that are less geographically challenged and need less control over the deployments.

Again, some telling comments: GPO will scale neither vertically nor horizontally, and GPO with Active Directory will not provide the granular control required for administration and distribution.

Final words from the SMS team:

Last piece of advice – PLEASE invest in GP for settings mgmt. This conversation oftentimes comes as an SMS vs GP discussion – but this is more about the one tiny piece of sw dist that GP does vs SMS that invests in the whole product on it. Make sure that you use GP for settings mgmt, use the IntelliMirror stuff for state/data management, etc. These are all super goodness…

To tie it all together:

  • Don’t use (Active Directory and) Group Policy Objects to distribute software. Use a secure, scalable software distribution tool instead.
  • Use Group Policy for controlling desktop state and configuration.
  • Remember – ZENworks gives you all of this: software distribution and Group Policy management without requiring any Active Directory.