Software packages are re-deployed if a GPO is deleted in AD and then exported again from GPA. (NETIQKB55506)

  • 7755506
  • 02-Feb-2007
  • 01-Feb-2008

Resolution

fact
NetIQ Group Policy Administrator 4.x

fact
NetIQ Group Policy Administrator 5.0

symptom
Software packages are re-deployed if a GPO is deleted in AD and then exported again from GPA.

symptom
If a software deployment GPO is deleted in AD and restored by re-exporting it from the repository, and the software was set to uninstall when it falls out of the scope of management, then all of the software deployed by the GPO will be uninstalled and reinstalled when the policy refreshes.

cause

This is expected behavior. Similar to restoring a GPO from backup that was deleted using native tools, it is possible that:

  • Cross-GPO upgrade relationships that upgrade applications in the GPO being restored, if any, are not preserved after restore. A cross-GPO upgrade is one where the administrator has specified that an application should upgrade another application, and the two applications are not deployed in the same GPO. Note that cross-GPO upgrade relationships are preserved when applications in the GPO being restored upgrade applications in other GPOs.
  • If the client has not yet seen that the GPO has been deleted (either because the user has not re-logged on or rebooted since the deletion of the GPO), and the application was deployed with the option to "Uninstall this application when it falls out of scope of management," then the next time the client logs on:
    • Published apps that the user has previously installed will be removed.
    • Assigned applications will be uninstalled before re-installation.

This behavior occurs because when the GPO is restored, the object in Active Directory that represents the application (the "deployment object") is assigned a new GUID. Because the GUID is different than the GUID of the original deployment object, Windows interprets this as a different application.

The solution is to restore the GPO using the original GUID for the deployment object. However, because the GUID is controlled by Active Directory, the only way to re-use the original GUID is to re-animate the tombstone of the deleted deployment object. Tombstone re-animation is a new feature of Windows Server 2003.
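An added example (not from NetIQ or the Microsoft article): a read-only PowerShell check that records the GUID of each deployment object in a GPO, compares a baseline taken before the deletion with the state after re-export, and lists tombstoned deployment objects. It assumes the ActiveDirectory RSAT module and that deployment objects are `packageRegistration` objects beneath the GPO's container in AD; the function names, the `<gpo-guid>` placeholder and `baseline.csv` are hypothetical.

```powershell
# Added example: read-only queries, nothing in AD is modified.
Import-Module ActiveDirectory

# Deployment objects (packageRegistration) currently stored under one GPO.
function Get-GpoDeploymentObject {
    param(
        [Parameter(Mandatory)][string]$GpoGuid,   # GPO GUID, without braces
        [string]$DomainDN = (Get-ADDomain).DistinguishedName
    )
    $base = "CN={$GpoGuid},CN=Policies,CN=System,$DomainDN"
    Get-ADObject -SearchBase $base -SearchScope Subtree `
        -LDAPFilter '(objectClass=packageRegistration)' -Properties displayName |
        Select-Object @{ n = 'Package'; e = { $_.displayName } },
                      @{ n = 'DeploymentGuid'; e = { $_.ObjectGUID.ToString() } }
}

# Packages present in both inventories whose deployment object GUID changed.
function Compare-DeploymentGuid {
    param([object[]]$Baseline, [object[]]$Current)
    foreach ($pkg in $Current) {
        $old = $Baseline | Where-Object { $_.Package -eq $pkg.Package } |
            Select-Object -First 1
        if ($old -and $old.DeploymentGuid -ne $pkg.DeploymentGuid) {
            [pscustomobject]@{
                Package = $pkg.Package
                OldGuid = $old.DeploymentGuid
                NewGuid = $pkg.DeploymentGuid
            }
        }
    }
}

# Tombstones of deleted deployment objects; lastKnownParent shows the GPO path.
function Get-DeletedDeploymentObject {
    Get-ADObject -IncludeDeletedObjects `
        -SearchBase (Get-ADDomain).DeletedObjectsContainer `
        -LDAPFilter '(&(isDeleted=TRUE)(objectClass=packageRegistration))' `
        -Properties lastKnownParent, whenChanged
}

# Usage (placeholder GUID and file name):
#   Get-GpoDeploymentObject -GpoGuid '<gpo-guid>' | Export-Csv baseline.csv -NoTypeInformation
#   Compare-DeploymentGuid (Import-Csv baseline.csv) (Get-GpoDeploymentObject -GpoGuid '<gpo-guid>')
```

Any row returned by `Compare-DeploymentGuid` is a package that clients will treat as a different application at the next policy refresh.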



fix

Group Policy Administrator currently does not attempt to re-animate the tombstone of a deleted deployment object when exporting a GPO that was previously imported from AD, but later deleted. An enhancement request has been submitted to include this functionality in a future release.



note
Information in this article was extracted from the following Microsoft TechNet article:

http://technet2.microsoft.com/WindowsServer/en/library/df3ff735-91ff-4cbf-9938-3b4af1d460cc1033.mspx?mfr=true



Additional Information

Formerly known as NETIQKB55506