derekf's blog On C#, repackaging applications, and deploying via group policy...

This one is more for my benefit than for yours... the base question for this one is a question that I've been asked more than once at work, and even more than once by the same person.  I figure if I write it out, perhaps I'll be able to explain it better.

Okay - first, the players.

Two domains.  Let's call them DomA and DomB.

Two users.  We can call them UserA and UserB, and for the sake of discussion, we'll put them in their own domains: DomA\UserA and DomB\UserB.

Two app policies (published apps) - one per domain.  Let's call them AppPolicyDomA and AppPolicyDomB to make it easy.

A couple of apps per policy.  Let's go with one that's locked down with a domain-specific group (DomA\MyAppGroup and DomB\MyOtherAppGroup) and one that's open to Authenticated Users.  I don't think I'll need app names.

Okay, given all these players, the base question is:

"If a user from DomB logs onto a machine in DomA, what apps will he (or she) be able to install?"

One opinion that was expressed was that because Loopback Merge was turned on, it'd redirect processing back to the user's own domain.  That's not actually right though, and here's why.

Any given machine, be it in DomA or in DomB, will get only those policies that are linked to that specific machine's OU, and that OU is domain-specific. So the contents of the user's Add/Remove Programs will be those apps in the policies linked to that machine's OU that the user has rights to. Loopback merge or not, there's nothing that would tell this machine in DomA to go look at DomB's AppPolicyDomB to pull down the list.

So... what would DomB\UserB be able to install if he logged onto a machine in DomA?

1) Any app open to "Authenticated Users".  This could be a problem if the domains have different licensing schemes (DomA has a site license for the exact number of DomA users, etc.).

2) Any app where DomB's user account is a member of the DomA group.  In our environment, that's pretty much none of them. 

3) All apps assigned to the machine will already be installed. 
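The resolution rule laid out above, as an added example that is not part of the original post: a small Python model in which the domains, group names, OU names and app names are constructed sample data, and the loopback argument exists only to show that it does not change which policies the machine reads.

```python
from dataclasses import dataclass

AUTHENTICATED_USERS = "Authenticated Users"  # pseudo-group that every logged-on domain user is in

@dataclass(frozen=True)
class App:
    name: str
    group: str              # security group that can see/install it, or AUTHENTICATED_USERS
    assigned: bool = False  # True = assigned to the machine, so already installed at boot

@dataclass(frozen=True)
class AppPolicy:
    name: str
    domain: str
    apps: tuple

# Constructed sample data mirroring the post's players (not real GPO data).
POLICIES = {
    "AppPolicyDomA": AppPolicy("AppPolicyDomA", "DomA", (
        App("LockedAppA", "DomA\\MyAppGroup"),
        App("OpenAppA", AUTHENTICATED_USERS),
        App("MachineAppA", AUTHENTICATED_USERS, assigned=True))),
    "AppPolicyDomB": AppPolicy("AppPolicyDomB", "DomB", (
        App("LockedAppB", "DomB\\MyOtherAppGroup"),
        App("OpenAppB", AUTHENTICATED_USERS))),
}
# Policies linked to each machine OU; OUs, and so the links, are domain-specific.
OU_LINKS = {"DomA/Workstations": ("AppPolicyDomA",), "DomB/Workstations": ("AppPolicyDomB",)}
USER_GROUPS = {"DomA\\UserA": {"DomA\\MyAppGroup"}, "DomB\\UserB": {"DomB\\MyOtherAppGroup"}}

def resolve(machine_ou, user, loopback_merge=True):
    """Return (published apps the user can install, apps already installed).
    loopback_merge is accepted only to show it plays no part: it changes how user
    and computer settings combine, not which domain's policies the machine reads."""
    policies = [POLICIES[n] for n in OU_LINKS.get(machine_ou, ())]
    groups = USER_GROUPS.get(user, set()) | {AUTHENTICATED_USERS}
    installable = sorted(a.name for p in policies for a in p.apps
                         if not a.assigned and a.group in groups)
    preinstalled = sorted(a.name for p in policies for a in p.apps if a.assigned)
    return installable, preinstalled

def cross_domain_exposure(machine_ou, user):
    """Apps a visiting user gets only because they are open to Authenticated Users
    in a policy from a domain other than the user's own (the licensing concern)."""
    user_domain = user.split("\\", 1)[0]
    return sorted(a.name for n in OU_LINKS.get(machine_ou, ()) for a in POLICIES[n].apps
                  if POLICIES[n].domain != user_domain and not a.assigned
                  and a.group == AUTHENTICATED_USERS)
```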

Now, you could conceivably use WMI filtering to prevent the Auth Users apps from being available. Filtering was ruled out at a level well above my pay grade, so I've done no digging into this one.

Okay, this may not have helped so much, but at least I can point folks at this next time they ask.

Posted on Tuesday, August 7, 2007 9:02 PM


Comments on this post: App Distribution across domains
