Darren Mar-Elia CTO and Founder SDM Software
Derek Melber President
BrainCore.Net
Derek Melber Author of Group Policy Resource Kit by MSPress
Author, speaker, consultant for BrainCore.Net
Group Policy/AD MVP for the past 10 years
Darren Mar-Elia CTO & Founder, SDM Software, Inc.
Group Policy MVP for the last 10 years
30+ years in Software and IT
Founder of popular GPOGUY.COM site
Founded in 2006
Experts in Group Policy and Group Policy Management Products
Products include: GPO Reporting Pak
GPO Compare & GPO Exporter
Group Policy Automation Engine: PowerShell automation to read/write GP settings
GPAA (Group Policy Auditing and Attestation): Group Policy Change Auditing and Attestation
To be released in Q1
Number of GPOs
Deciding if GPO/settings apply
Security filtering
WMI filters
Group Policy Preference Item-level Targeting
Conflicts/Duplicate settings in different GPOs
Changes to settings per CSE
Synchronous settings
Changes to entire GPO… version number changes
1 GPO vs 5000 GPOs
Organize settings within GPOs that make sense
Helps with troubleshooting
Helps with finding a setting
Common to organize based on contents
Internet Explorer
Security
Desktop/Start menu
Software
Security filtering
WMI filters
Group Policy Preference Item-level Targeting
Use security filtering, WMI filters, and GPP ILT on limited basis
Link GPOs as close to object(s) being controlled as possible
Typically at OU level… even sub-OU level
Use security filtering and WMI filtering as secondary to linking to OU
Default GPOs have existing settings
Better to reduce number of conflicts between GPOs
Conflicts cause processing time
Conflicts can be difficult to troubleshoot
Duplicate settings
Are not a problem with results
Do cause additional processing time
Don’t alter the Default Domain Policy or the Default Domain Controllers Policy
Create new GPOs and configure with higher precedence
No confidence a patch, SP, or upgrade won’t alter/reset default GPOs
Each CSE controls an area/settings within GPO
When one setting within CSE changes, all configured settings across all GPOs included under the CSE must process
Group computer settings into their own GPOs
Disable User settings
Organize computer objects into their own OUs
Group User settings into their own GPOs
Disable Computer settings
Organize user objects into their own OUs
Synchronous – settings apply in series and all settings in all GPOs must apply before computer is accessible
Asynchronous – desktop is accessible before all GPO settings apply
XP+ default is to apply Asynchronous
Can force Synchronous all the time by enabling policy at Computer Configuration\Admin Templates\System\Logon\Always Wait for Network at Computer Startup and User Logon
But you pay a performance penalty at every boot or logon
Synchronous settings
Folder Redirection
Software installation
Microsoft Disk Quota
Group Policy Preference Drive Mappings
Changes to synchronous settings force next startup/logon to be synchronous
Each process interval calculates the GPOs that need to be applied
If the process interval determines that the GPO list has changed, it will cause a complete refresh of all GPOs and all settings
Security group filter changes
Security group membership changes
WMI filter add or remove
Linking or unlinking of a GPO
Goal is to try to minimize the number of GPOs that must be processed when something changes
[Chart: "Background Refresh, No changes" vs. "Background Refresh, Forced"; series: CSE, Core]
Each GPO has a version number
Version number is incremented each time user/computer setting within GPO changes
Computer changes = increments by 1’s
User changes = increments by 65536’s
When GPO version number changes…
All CSE related settings in the GPO must process
If a synchronous setting is contained within GPO, next startup/logon will be synchronous (regardless of Asynchronous setting)
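The version arithmetic above can be used to tell which side of a GPO was edited between two points in time. The PowerShell below is an added example, not code from the presenters or SDM Software; the function names, GPO names and version numbers are constructed for illustration, and in practice the numbers would come from each GPO's versionNumber attribute in Active Directory or the Version= line in its GPT.ini.

```powershell
# Added example, not from the presentation. All names and numbers are constructed.

function Split-GpoVersion {
    # User version is the high 16 bits (steps of 65536); computer version is the low 16 bits.
    param([Parameter(Mandatory)][long]$Version)
    [pscustomobject]@{
        UserVersion     = $Version -shr 16
        ComputerVersion = $Version -band 0xFFFF
    }
}

function Compare-GpoVersion {
    # Compare two (GPO name -> version number) snapshots and report which side changed.
    param($Before, $After)
    foreach ($name in $After.Keys) {
        $isNew = -not $Before.Contains($name)
        $old   = if ($isNew) { 0 } else { $Before[$name] }
        $new   = $After[$name]
        if ($new -eq $old) { continue }   # version unchanged: no edit recorded for this GPO
        $o = Split-GpoVersion -Version $old
        $n = Split-GpoVersion -Version $new
        [pscustomobject]@{
            Gpo             = $name
            IsNew           = $isNew
            ComputerChanges = $n.ComputerVersion - $o.ComputerVersion
            UserChanges     = $n.UserVersion - $o.UserVersion
        }
    }
}

# Constructed snapshots taken before and after a change window.
$before = [ordered]@{
    'IE Settings'       = 131074   # user 2, computer 2
    'Security Baseline' = 7        # user 0, computer 7
    'Drive Maps'        = 262144   # user 4, computer 0
}
$after = [ordered]@{
    'IE Settings'       = 196610   # one user-side edit
    'Security Baseline' = 9        # two computer-side edits
    'Drive Maps'        = 262144   # untouched
    'Start Menu'        = 65536    # GPO created during the window
}

Compare-GpoVersion -Before $before -After $after | Format-Table -AutoSize
```

Any GPO listed in the output had its version number change, so per the points above all of its CSE-related settings must process at the next refresh.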
Difficult to analyze existing environment with native tools
Difficult to design GPOs based on these design criteria, easier to group based on topic, role, location, etc.
Inefficient GP designs can cause substantial delays at startup and logon
Up to 30% or more depending upon what’s going on in the GPOs
Conflicting or duplicate settings
GPO changes to synchronous CSEs that force synchronous processing
Enabling synchronous processing all the time
WMI Filters and esp. ‘expensive’ queries
Expensive GPP Item-Level Targeting
Loopback Merge Mode
Visit http://sdmsoftware.com/group-policy-management-products/ to view and register for our products
Visit www.sdmsoftware.com/blog to read SDM Software Founder Darren Mar-Elia’s thoughts on Group Policy
Contact us at [email protected] for questions on products