|
Home > Archive > microsoft.public.cert.exams.mcse > July 2002 > Re: Deploying Windows Installer Packages - Help !
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Re: Deploying Windows Installer Packages - Help !
|
|
| Phil Adams 2002-07-24, 2:25 am |
| Exam 70-270
Source: MCSE Windows XP Pro (McGraw/Hill)
Q. How is software deployed if there is a policy at site level, and a
policy a domain level ?
A. Policies are applied at the local computer level first, then the
site level, next at domain level, and last at the OU level. The site
policy is applied, and then the domain policy is applied. Only users
in the domain receive the software package.
Maybe it's my understanding of group policy (being a newbie!), but
surely if you set the policy up at site level, then this would
override any policy set up at a lower level such as local, OU or
domain ? In the case of the above, would the entire site not receive
the software package ? Surely it should be local, OU, domain and then
site ???
| |
| 70-228 2002-07-24, 4:25 am |
| "Phil Adams" <Philip@mpc.uk.net> wrote in message
> the software package ? Surely it should be local, OU, domain and then
> site ???
Sites "can" span Domains. I put can is parenthesis because it's not required
in any way. I'm not going to do what I did last time and make a suggestion
as to why M$ did something they way they did because a sound drubbing by the
local pedants would soon be upon me :-P. I'll just say "because" and leave
it at that. Most don't use site policies anyway IIRC.
Remember the order makes more sense if you try and think of it as:
The bigger the audience the policy will land on --> The more generic the
actual policy.
This is because policies lower down win.
Thus the order is:
Local -- Okay this one only affects the local machine or user so it breaks
the above but for security you don't want some bright spark changing this
and having it override a more important policies below...
Site -- Can be a hell of a lot of people. Very generic policy (usually no
policy at all)
Domain -- Set our general policies and affect a wide range of people and
probably departments (the one caveat is that password policy set here cannot
be overrided by OU policy below, thus a domain is a security boundary).
OU -- Probably department (possibly location... whatever). Probably where
you start putting Software Installation policies
Sub OU -- You might need greater granularity than just one level of OU and
so software at this level may make more sense.
Sub Sub OU -- Don't go deeper than 6 levels is the general advice (more info
on the limits of this waiting for you to find out and already forgotten by
me :-) )
Just remember LSDOU and you'll be fine for the exams.
Oh a couple of extra little things: Notice there is no Sub-Domain policy
mentioned above. That's because policy doesn't get inherited from above
domains. That catches out a lot of people. Domains are islands when it comes
to that. Also the list is incomplete, old style NT system policies can be
used in there and are beaten by everything including local. Doubt you'll
ever get asked that little one but it's worth knowing.
| |
| Laura A. Robinson 2002-07-24, 9:25 am |
| circa Wed, 24 Jul 2002 07:34:42 GMT, in
microsoft.public.cert.exam.mcse, Phil Adams (Philip@mpc.uk.net) said,
> Exam 70-270
> Source: MCSE Windows XP Pro (McGraw/Hill)
>
> Q. How is software deployed if there is a policy at site level, and a
> policy a domain level ?
>
> A. Policies are applied at the local computer level first, then the
> site level, next at domain level, and last at the OU level. The site
> policy is applied, and then the domain policy is applied. Only users
> in the domain receive the software package.
>
> Maybe it's my understanding of group policy (being a newbie!), but
> surely if you set the policy up at site level, then this would
> override any policy set up at a lower level such as local, OU or
> domain ? In the case of the above, would the entire site not receive
> the software package ? Surely it should be local, OU, domain and then
> site ???
>
No. It is *always* LSDOU, and last applied settings win. The way that
a site level policy would override a lower-level policy is if you set
"No Override", which would force it to be re-processed after the
other policies had been applied.
Laura
--
One man's mundane and boring existence is another man's Technicolor.
-Tick, Strange Days
| |
| brian may 2002-07-27, 12:25 am |
| parenthesis?
"70-228" <Gibhal@kreunk.com> wrote in message
news:9Tu%8.311197$om4.2752874@news.easynews.com...
> "Phil Adams" <Philip@mpc.uk.net> wrote in message
> > the software package ? Surely it should be local, OU, domain and then
> > site ???
>
> Sites "can" span Domains. I put can is parenthesis because it's not
required
> in any way. I'm not going to do what I did last time and make a suggestion
> as to why M$ did something they way they did because a sound drubbing by
the
> local pedants would soon be upon me :-P. I'll just say "because" and leave
> it at that. Most don't use site policies anyway IIRC.
>
> Remember the order makes more sense if you try and think of it as:
> The bigger the audience the policy will land on --> The more generic the
> actual policy.
> This is because policies lower down win.
> Thus the order is:
> Local -- Okay this one only affects the local machine or user so it breaks
> the above but for security you don't want some bright spark changing this
> and having it override a more important policies below...
> Site -- Can be a hell of a lot of people. Very generic policy (usually no
> policy at all)
> Domain -- Set our general policies and affect a wide range of people and
> probably departments (the one caveat is that password policy set here
cannot
> be overrided by OU policy below, thus a domain is a security boundary).
> OU -- Probably department (possibly location... whatever). Probably where
> you start putting Software Installation policies
> Sub OU -- You might need greater granularity than just one level of OU and
> so software at this level may make more sense.
> Sub Sub OU -- Don't go deeper than 6 levels is the general advice (more
info
> on the limits of this waiting for you to find out and already forgotten by
> me :-) )
>
> Just remember LSDOU and you'll be fine for the exams.
>
> Oh a couple of extra little things: Notice there is no Sub-Domain policy
> mentioned above. That's because policy doesn't get inherited from above
> domains. That catches out a lot of people. Domains are islands when it
comes
> to that. Also the list is incomplete, old style NT system policies can be
> used in there and are beaten by everything including local. Doubt you'll
> ever get asked that little one but it's worth knowing.
>
>
| |
| 70-228 2002-07-27, 3:25 am |
| "brian may" <ringuete@hotmail.com> wrote in message
> parenthesis?
In all my huge post the best you could come up with was me using the word
parenthesis when I meant quotes? I'm sure there are at least half a dozen
other little errors in there too. Jeez dude I am often in a bit of a hurry
when I write these things (as I expect most here are too). I make sure the
technical details are as okay as I can but I do kind of expect people to let
the occasional spelling error or wrong word pass.
|
|
|
|
|