Group Policy: Notes from the Field - Tips, Tricks, and Troubleshooting

Always use the latest GPMC available
“Most popular” would be the Windows 7 machine / GPMC from RSAT
Suggest: Always use “Latest Greatest” GPMC available
This is different than using “Latest Greatest” ADMX / ADML files / Central Store
Always use the latest GPMC available
GPPrefs item for IE10
<FilterFile hidden="1" not="0" bool="AND" path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" type="VERSION" gte="1" min="10.0.0.0" max="99.0.0.0" lte="0"/>
Always use the latest GPMC available
Better Reporting
Old Style GPMC broke it up into “Summary” (GPOs you got) and “Settings” (settings in those GPOs).
New Style GPMC: “Details” in a one-stop-shop view
Conflicts are easier to detect with “Winning GPO”
Always use the latest GPMC available
IPv6 options in some GPPrefs items
Always use the latest GPMC available
Check Group Policy “Status”
Always use the latest GPMC available
Remote Gpupdate
Targets must be Windows 7 and later
Lots of GPOs in the Group Policy Objects folder
Not Disabling “Unused portion” of GPO
Lots of “stuff” inside a GPO
Block Inheritance and/or Enforced used
Lots and lots of GPOs linked to a user or computer* (see next slide & two slides from now)
Login Scripts doing “dumb” things.
Profile being built / Downloaded / First Time
Login Scripts doing “really dumb” things.
Other various disk contention during startup & login
Login Scripts doing “ridiculously dumb” things.
DNS issues
Startup Scripts doing “dumb” things
Services hung on client
Having a home drive “far away”
Mapping drives or printers that don’t exist
Lots and lots of GPOs linked to a user or computer* (see next slide)
Bad drivers
Lots and lots of GPOs linked to a user or computer… but over a slow link.
Deploying huuuuge Printer Drivers using Group Policy Preferences Printers
Replication issues causing a GPO to be malformed and/or to have a broken version number
“Overuse” of Group Policy filtering by AD Group Membership
Using WMI Filters inappropriately / excessively
Actual Group Policy client-side bugs (which typically have actual hotfixes and/or known workarounds)
“Improves the processing of Group Policies and Group Policy preferences. The performance of computers is improved after you install this rollup update on Windows 7-based computers that have several Group Policy preferences”
“Improves the Windows Management Instrumentation (WMI) components to reduce the CPU usage and to improve the repository verification performance.”
Fixes: “Logon scripts take a long time to run in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2”
Fixes: “You experience a long logon time when you try to log on to a Windows 7-based or a Windows Server 2008 R2-based client computer that uses roaming profiles”
By default, on Windows clients … Group Policy processing is “deferred” until sometime after the computer is started (and sometime after the user is logged in.)
Good news: Everything feels faster (for startups and logins).
Bad news (for Windows 7 clients): If any “part” (CSE) of Group Policy requires Sync, the whole login (computer side or user side) must process in Sync mode.
Additional bad news: Login scripts only slow you down at login time … when the profile is being built / downloaded, the Start Menu is getting warmed up, and so on.
Windows 8.1 takes a leap forward in reducing what REQUIRES Sync mode to be forced
Before Windows 8.1:
• Folder Redirection
• Software Installation
• Group Policy Preferences Drive Maps
• Disk Quota
Windows 8.1:
• Folder Redirection
• Software Installation
Windows 8.1 “caches” GPOs locally. When Sync is required, read locally, not from AD.
Windows 8.1 flips back to async mode when final CSE requiring sync is done processing.
Windows 8.1 reduces LDAP requests to Active Directory during all logons.
What this does:
• Speeds up login when sync is required
• Speeds up login when you have LOTS of GPOs AND you have slow links.
What the caching doesn’t do: Doesn’t keep “ADM(x)-based non-Policies” keys or Group Policy Preferences compliant when working offline.
Remember login scripts causing disk contention & LOTS of slowdowns at login time?
Windows 8.1 defers login script processing until “later”
Windows 8.1 default: 5 minutes after triggered
Can turn off if desired.
(IMHO, when you’ve got SSDs it’s A-OK)
Best Case:
• Windows 8.1
• All CSEs (including 3rd party ones) run Async
Worst Case (But Useful !):
• Test with the “Always wait for the network at computer startup or login” policy setting enabled
And/or
• First time ever logging on.
Worst way to troubleshoot: Use Group Policy as a scapegoat for all slowness problems.
Best way to troubleshoot: Actual facts
Ways to get facts:
• Reporting
• Eventing
• Tracing
• Windows Performance Analyzer
“Major news”: Windows Logs | System
“Incremental News”: Applications and Services Logs | Microsoft | Windows | Group Policy | Operational
New Events when clients are Windows 8.1
Event                                      Id
Get Applicable GPOs Start                  4126
Get Applicable GPOs End Success            5126
Get Applicable GPOs End Fail               7126
GPO process sync mode slowlink detected    6344
GPO Process sync mode NO DC                6345
GPO Process switch sync mode to async      6346
Gpsvc start                                4115
Gpsvc stop                                 5115
And even more… New Events when clients are Windows 8.1
Event                                      Id
Gpsvc stop                                 5115
Gp session start                           4117
Gp session return winLogon call            5351
Gp session end                             5117
Gp session end with error                  7117
Gp save to cache start                     4216
Gp save to cache end                       5216
Gp save to cache end with error            7216
Gp load from cache start                   4217
Gp load from cache end                     5217
Gp load from cache end with error          7217
Gp cache first WMI query start             4218
Gp cache first WMI query end               5218
Gp service init start                      4116
Gp service init end                        5116
Gp policy download start                   4257
Gp policy download end                     5257
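The start/end event pairs listed above can be turned into per-phase timings. The PowerShell below is an added example, not part of the original slides: the function and variable names are hypothetical, the sample events are constructed, and it assumes the start and end events of one processing pass share an ActivityId.

```powershell
# Added example. Event IDs are from the tables above; names are hypothetical.
# Start Id -> phase. End success = start + 1000, end with error = start + 3000.
$Phases = @{
    4126 = 'Get applicable GPOs';   4117 = 'GP session'
    4216 = 'Save to cache';         4217 = 'Load from cache'
    4218 = 'Cache first WMI query'; 4116 = 'Service init'
    4257 = 'Policy download'
}
$SyncFlags = @{ 6344 = 'Sync mode: slow link detected'
                6345 = 'Sync mode: no DC'
                6346 = 'Switched sync mode to async' }
function Measure-GpPhase {
    param([Parameter(Mandatory)][object[]]$Events)
    $open = @{}   # "ActivityId|startId" -> start time (assumes pairs share an ActivityId)
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        $id = [int]$e.Id
        if ($Phases.ContainsKey($id)) { $open["$($e.ActivityId)|$id"] = $e.TimeCreated; continue }
        if ($SyncFlags.ContainsKey($id)) {
            [pscustomobject]@{ Start = $e.TimeCreated; Phase = $SyncFlags[$id]; Result = 'Info'; Seconds = $null }
            continue
        }
        foreach ($offset in 1000, 3000) {
            $startId = $id - $offset
            $key = "$($e.ActivityId)|$startId"
            if (-not $open.ContainsKey($key)) { continue }
            [pscustomobject]@{
                Start   = $open[$key]
                Phase   = $Phases[$startId]
                Result  = if ($offset -eq 1000) { 'Success' } else { 'Error' }
                Seconds = [math]::Round(($e.TimeCreated - $open[$key]).TotalSeconds, 2)
            }
            $open.Remove($key)
        }
    }
}
# Constructed sample events (not real log data): one session whose policy download is slow.
$t0  = [datetime]'2014-05-15T08:00:00'
$act = [guid]::NewGuid()
$sample = @(
    [pscustomobject]@{ Id = 4117; TimeCreated = $t0;                  ActivityId = $act }
    [pscustomobject]@{ Id = 6344; TimeCreated = $t0.AddSeconds(1);    ActivityId = $act }
    [pscustomobject]@{ Id = 4257; TimeCreated = $t0.AddSeconds(2);    ActivityId = $act }
    [pscustomobject]@{ Id = 5257; TimeCreated = $t0.AddSeconds(41.5); ActivityId = $act }
    [pscustomobject]@{ Id = 7117; TimeCreated = $t0.AddSeconds(43);   ActivityId = $act }
)
Measure-GpPhase -Events $sample | Format-Table -AutoSize
# Live: Measure-GpPhase -Events (Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 2000)
```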
Get Facts about a particular Group Policy Preferences item CSE
Get Facts about the whole boot and login process
Definitely attend session WIN-B359 2014 Edition: How Many Coffees Can You Drink While Your PC Starts? (Thurs 2:45 PM)
(And review 2013 and 2012 sessions on Channel9)
http://support.microsoft.com/kb/2962486
100% Free Bonus Stuff for attending !
Go here, then get them via email:
TinyURL.com/jmteched1
Doesn’t work for you? Email me directly.
jeremym@policypak.com
windows.com/enterprise
windowsphone.com/business
microsoft.com/springboard
microsoft.com/mdop
microsoft.com/windows/wtg
developer.windowsphone.com
http://channel9.msdn.com/Events/TechEd
www.microsoft.com/learning
http://microsoft.com/technet
http://microsoft.com/msdn