GPO S/W deployment status..?
Some thinking out loud following on from this thread. Any comments, especially thoughts on why anything will or won't work, is ridiculous or whatever, are welcome. I spent a couple of hours earlier on a Quick Win[tm] which is a small, relatively quick app you run via a computer startup script:
a) If there have been any changes since last time it trawls through the registry s/w uninstall keys and creates/overwrites a local file containing info for each app.
b) If there have been any new MsiInstaller events since last time these are appended to another file. I still need to think about filtering these events.
c) Creates a H/W inventory and then creates/overwrites a file if that inventory is different from last time.
Any new/changed files are then copied to a network share obtained from a policy setting. Server-side I've made a simple GridView app to display info from the relevant s/w uninstall file that is launched from the ADUC computer context menu. Haven't done viewers for the others yet (I'm not that fond of GUI dev).
So far so good, but I want to add in GPO s/w assignments for a given computer e.g. to easily see that package X was assigned but has installed or failed to install. OK, with enough effort I can trawl through a computer's AD path, find any enabled linked GPOs, figure out if they apply to the computer, find which of those have SI policy and figure out whether the computer has appropriate security permissions for any given package within an applicable GPO.
GetEffectiveRightsFromAcl() will likely get used on any AD GPO/Package object with non-inherited ACEs unless anyone knows it doesn't work or of an alternative in .net? Undecided, but I'm also contemplating just grabbing the list of applied GPOs (and critically their version numbers) from the registry as part of the client-side s/w uninstall key dumping - would save me working out which ones are relevant to a given computer and could be handy as a "GPO application or maybe Sysvol replication is stuffed" detector.
One way or another the latter should be doable, but what I really want is to be able to R-click an OU to launch an app that displays S/W status for all the computers under that OU.
The bit that's bothering me here is scalability - I'll be happy if it works well enough for hundreds (folk with thousands can go shop) and reading/processing hundreds of simple little files server-side isn't that big a deal. But efficiently sorting out the package assignments, that is checking lots of computers against AD GPO and individual package security permissions, could be a bit tough. Guess I'll have to round up (cache) info about all GPOs in AD that have SI policy, their permissions, packages and any package-specific permissions at the start of time - haven't thought any further.
One thing I don't want to do is throw any services/agents at this - I definitely don't want anything running all the time client-side and yeah it would probably help somewhere, but I really don't want (yet another pesky) database running server-side.
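To make the client-side collector concrete, here is an added example in PowerShell of what steps a) to c) plus the "grab the applied GPOs and their versions from the registry" idea look like as a computer startup script. It is not the poster's app; the share path `$ShareRoot` and the state directory `$StateDir` are assumed names (the poster gets the share from a policy setting), the output file names are made up, and the uninstall keys, Group Policy History key, Software Installation CSE GUID and MsiInstaller event IDs are the standard Windows ones. Change detection is a SHA-256 of the file content, so only files that actually differ from the previous run get rewritten and copied up.

```powershell
# Added example, not the poster's app: a computer startup script that (a) dumps the uninstall
# keys, (b) collects new MsiInstaller events, (c) snapshots basic hardware, records the applied
# Software Installation GPOs (with versions) and uploads only what changed. It runs as SYSTEM,
# so the share must grant the computer accounts write access.
# Assumed names: $ShareRoot (the poster reads this from a policy setting) and $StateDir.
param(
    [string]$ShareRoot = '\\fileserver\swinventory$',      # assumed share; replace with yours
    [string]$StateDir  = "$env:ProgramData\SwInventory"
)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $StateDir -Force | Out-Null
$hostName = $env:COMPUTERNAME
$changed  = New-Object System.Collections.Generic.List[string]

function Write-IfChanged {
    # Write $Content to $Path only when its SHA-256 differs from the file already there.
    # Returns $true when the file was (re)written so the caller knows to upload it.
    param([string]$Path, [string]$Content)
    $utf8 = New-Object System.Text.UTF8Encoding($false)   # no BOM, so bytes on disk == bytes hashed
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $newHash = [BitConverter]::ToString($sha.ComputeHash($utf8.GetBytes($Content)))
    $oldHash = if (Test-Path $Path) {
        [BitConverter]::ToString($sha.ComputeHash([IO.File]::ReadAllBytes($Path)))
    } else { '' }
    if ($newHash -eq $oldHash) { return $false }
    [IO.File]::WriteAllText($Path, $Content, $utf8)
    return $true
}
function ConvertTo-CsvText($Objects) { ($Objects | ConvertTo-Csv -NoTypeInformation) -join "`r`n" }

# a) Installed software from both uninstall views (64-bit and WOW6432Node).
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
$apps = foreach ($key in $uninstallKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($sub in Get-ChildItem $key) {
        $p = Get-ItemProperty $sub.PSPath -ErrorAction SilentlyContinue
        if (-not $p.DisplayName) { continue }   # skip nameless entries (patches, leftovers)
        [pscustomobject]@{
            Computer = $hostName; KeyName = $sub.PSChildName; DisplayName = $p.DisplayName
            DisplayVersion = $p.DisplayVersion; Publisher = $p.Publisher
            InstallDate = $p.InstallDate; UninstallString = $p.UninstallString
        }
    }
}
$swFile = Join-Path $StateDir 'software.csv'
if (Write-IfChanged $swFile (ConvertTo-CsvText ($apps | Sort-Object KeyName))) { $changed.Add($swFile) }

# b) MsiInstaller events since the last run: install/remove/reconfigure completions and
#    the 11707/11708 success/failure pair; anything else from that provider is dropped.
$stampFile = Join-Path $StateDir 'lastrun.txt'
$now   = Get-Date
$since = if (Test-Path $stampFile) {
    [datetime]::Parse((Get-Content $stampFile -Raw).Trim(), [Globalization.CultureInfo]::InvariantCulture)
} else { $now.AddDays(-30) }
$msiIds = 1033, 1034, 1035, 11707, 11708, 11724
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'
                                           Id = $msiIds; StartTime = $since; EndTime = $now } -ErrorAction SilentlyContinue
if ($events) {
    $msiFile = Join-Path $StateDir 'msievents.csv'
    $events | ForEach-Object {
        [pscustomobject]@{ Computer = $hostName; Time = $_.TimeCreated.ToString('s'); Id = $_.Id
                           Message = ($_.Message -replace '\s+', ' ') }
    } | Export-Csv -Path $msiFile -NoTypeInformation -Append
    $changed.Add($msiFile)
}

# c) Basic hardware snapshot; rewritten (and uploaded) only when it differs from last time.
$cs   = Get-CimInstance Win32_ComputerSystem
$bios = Get-CimInstance Win32_BIOS
$cpu  = Get-CimInstance Win32_Processor | Select-Object -First 1
$hw = [pscustomobject]@{
    Computer = $hostName; Manufacturer = $cs.Manufacturer; Model = $cs.Model
    Serial = $bios.SerialNumber; BiosVersion = $bios.SMBIOSBIOSVersion
    Cpu = $cpu.Name; MemoryBytes = $cs.TotalPhysicalMemory
}
$hwFile = Join-Path $StateDir 'hardware.csv'
if (Write-IfChanged $hwFile (ConvertTo-CsvText $hw)) { $changed.Add($hwFile) }

# Applied GPOs for the Software Installation CSE, with their version numbers, from the local
# Group Policy history; a version that lags AD is the "GP processing/Sysvol is stuffed" hint.
$siCse   = '{c6dc5466-785a-11d2-84d0-00c04fb169f7}'   # Software Installation client-side extension
$histKey = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\History\$siCse"
$gpos = if (Test-Path $histKey) {
    Get-ChildItem $histKey | ForEach-Object {
        $g = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Computer = $hostName; Order = [int]$_.PSChildName; GPOName = $g.GPOName
                           DisplayName = $g.DisplayName; Version = $g.Version; DSPath = $g.DSPath }
    } | Sort-Object Order
}
$gpoFile = Join-Path $StateDir 'si-gpos.csv'
if (Write-IfChanged $gpoFile (ConvertTo-CsvText $gpos)) { $changed.Add($gpoFile) }

# Upload only what changed, then record this run as the new "since" mark for the event query.
if ($changed.Count -gt 0) {
    $dest = Join-Path $ShareRoot $hostName
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    foreach ($f in $changed) { Copy-Item -Path $f -Destination $dest -Force }
}
Set-Content -Path $stampFile -Value $now.ToString('o')
```

Two things worth noting about the design. The server-side viewer only ever sees per-computer CSV files on the share, so there is no agent and no database, which matches the "no services, no database" constraint; and because the event window is bounded by the stored timestamp rather than by "everything in the log", a machine that has been off for weeks simply catches up on its next boot. Keep the share permissions tight (computer accounts write only to their own folder) since every domain machine will be writing there as SYSTEM.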