
WIN-B328

Group Policy: Tips, Tricks and Notes from the field
Jeremy Moskowitz
Group Policy MVP and Founder of PolicyPak Software

Agenda
Un(der) Documented Items
Tips for Speed Freaks
Group Policy Troubleshooting Base Hits
Bonus #1 (For Geeks) ADM(x) and Group Policy Preferences Gotchas
Bonus #2: Special Group Policy Announcements !

Un(der) Documented Items

Un(der) Documented
Always use the latest GPMC available
Many GPMC versions out there
Most popular would be the Windows 7 machine / GPMC from RSAT
Suggest: Always use Latest Greatest GPMC available
This is different than using Latest Greatest ADMX / ADML files / Central Store

Un(der) Documented
Always use the latest GPMC available
Latest GPMC Goodies
GPPrefs item for IE10
<FilterFile hidden="1" not="0" bool="AND"
    path="%ProgramFilesDir%\Internet Explorer\iexplore.exe"
    type="VERSION" gte="1" min="10.0.0.0" max="99.0.0.0" lte="0"/>

Un(der) Documented
Always use the latest GPMC available
Latest GPMC Goodies
Better Reporting
Old Style GPMC broke it up to Summary (GPOs you got) and Settings (settings in those GPOs.)
New Style GPMC Details in one-stop shop view
Conflicts easier to detect with Winning GPO

Un(der) Documented
Always use the latest GPMC available
Latest GPMC Goodies
IPv6 options in some GPPrefs items

Un(der) Documented
Always use the latest GPMC available
Latest GPMC Goodies
Check Group Policy Status

Un(der) Documented
Always use the latest GPMC available
Latest GPMC Goodies
Remote Gpupdate
Targets must be Windows 7 and later

Demo
IE 10 Internal Filters
Remote GPupdate

Tips for Speed Freaks

Tips for Speed Freaks


Top myths which really don't cause Group Policy slowdowns
Or any slowdowns at all (Roughly in the order that I hear)
Lots of GPOs in the Group Policy Objects folder
Not Disabling Unused portion of GPO
Lots of stuff inside a GPO
Block Inheritance and/or Enforced used
Lots and lots of GPOs linked to a user or computer*
(see next slide & two slides from now)

Tips for Speed Freaks


Top Real Causes for Slowdown at login / startup
(but Group Policy is incorrectly blamed) (Roughly placed in order that I see them)
Login Scripts doing dumb things.
Login Scripts doing really dumb things.
Login Scripts doing ridiculously dumb things.
Profile being built / Downloaded / First Time
Other various disk contention during startup & login
DNS issues
Startup Scripts doing dumb things
Services hung on client
Having a home drive far away
Mapping drives or printers that don't exist
Lots and lots of GPOs linked to a user or computer* (see next slide)
Bad drivers

Tips for Speed Freaks


Top ACTUAL Causes for Group Policy Slowdowns
(Roughly in order that I see them)

Lots and lots of GPOs linked to a user or computer but over a slow link.
Deploying huuuuge Printer Drivers using Group Policy Preferences Printers
Replication issues causing a GPO to be malformed and/or have a broken version number
Overuse of Group Policy filtering by AD Group Membership
Using WMI Filters inappropriately / excessively
Actual Group Policy client-side bugs (which typically have actual hotfixes and/or known workarounds)

Tips for Speed Freaks


Bug Inspection KB 2775511 for Windows 7 SP 1
Improves the processing of Group Policies and Group Policy preferences. The performance of computers is improved after you install this rollup update on Windows 7-based computers that have several Group Policy preferences
Improves the Windows Management Instrumentation (WMI) components to reduce the CPU usage and to improve the repository verification performance.
Fixes: Logon scripts take a long time to run in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2

Tips for Speed Freaks


Another Big Topic: Sync vs. Async
By default, on Windows clients Group Policy processing is deferred until sometime after computer is started (and sometime after the user is logged in.)
Good news: Everything feels faster (for startups and logins).
Bad news (For Windows 7 clients): If any part (CSE) of Group Policy required Sync, the whole login (computer side or user side) must process in Sync mode.

Additional bad news: Login scripts only slow you down at login time when the profile is being built / downloaded, Start Menu getting warmed up, and

Tips for Speed Freaks


The Big Problem: Sync vs. Async
Windows 8.1 takes a leap forward in reducing what REQUIRES Sync to be necessarily forced

Before Windows 8.1:
Folder Redirection
Software Installation
Group Policy Preferences Drive Maps
Disk Quota

Windows 8.1:
Folder Redirection
Software Installation

Tips for Speed Freaks


Windows 8.1 There to Help
Windows 8.1 caches GPOs locally. When Sync is required, read locally, not from AD.
Windows 8.1 flips back to async mode when final CSE requiring sync is done processing.
Windows 8.1 reduces LDAP requests to Active Directory during all logons.
What this does:
Speeds up login when sync is required
Speeds up login when you have LOTS of GPOs AND you have slow links.

What the caching doesn't do: Doesn't keep ADM(x)-based non-Policies keys or

Tips for Speed Freaks


Windows 8.1 There to Help
Remember login scripts causing disk contention & LOTS of slowdowns at login time?
Windows 8.1 defers login script processing until later
Windows 8.1 default: 5 minutes after triggered
Can turn off if desired.
(IMHO, when you've got SSDs it's A-OK)

Tips for Speed Freaks


Understand your best and worst case scenarios
Best Case:
Windows 8.1
All CSEs (including 3rd party ones) run Async
Worst Case (But Useful !):
Test using "Always wait for the network at computer startup or login" policy setting as enabled
And/or

Demo
Speed Tests.. Live !

Base Hits for Group Policy Troubleshooting

Base Hit skills for Group Policy Troubleshooting
Reporting
Worst way to troubleshoot: Use Group Policy as a scapegoat for all slowness problems.
Best way to troubleshoot: Actual facts
Ways to get facts:
Reporting
Eventing
Tracing
Windows Performance Analyzer

Base Hit skills for Group Policy Troubleshooting
Eventing
Major news: Windows Logs | System
Incremental News: Applications and Services Logs | Microsoft | Windows | Group Policy | Operational

Base Hit skills for Group Policy Troubleshooting
Eventing
New Events when clients are Windows 8.1

Event                                      Id
Get Applicable GPOs Start                  4126
Get Applicable GPOs End Success            5126
Get Applicable GPOs End Fail               7126
GPO process sync mode slowlink detected    6344
GPO Process sync mode NO DC                6345
GPO Process switch sync mode to async      6346
Gpsvc start                                4115
Gpsvc stop                                 5115

Base Hit skills for Group Policy Troubleshooting
Eventing
And even more New Events when clients are Windows 8.1

Event                                      Id
Gpsvc stop                                 5115
Gp session start                           4117
Gp session return winLogon call            5351
Gp session end                             5117
Gp session end with error                  7117
Gp save to cache start                     4216
Gp save to cache end                       5216
Gp save to cache end with error            7216
Gp load from cache start                   4217
Gp load from cache end                     5217
Gp load from cache end with error          7217
Gp cache first WMI query start             4218
Gp cache first WMI query end               5218
Gp service init start                      4116
Gp service init end                        5116
Gp policy download start                   4257
Gp policy download end                     5257
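
The start/end event IDs in the two Windows 8.1 tables above can be paired to time each processing phase. The following is an added example, not code from the session or from Microsoft; the function name Measure-GpPhase is hypothetical, and it assumes the start and end events of one processing cycle share an ActivityId.

```powershell
# Phase table built from the Windows 8.1 event lists above: the last three
# digits name the phase; 4xxx = start, 5xxx = end, 7xxx = end with error.
$GpPhases = @{
    116 = 'Gp service init'
    117 = 'Gp session'
    126 = 'Get applicable GPOs'
    216 = 'Gp save to cache'
    217 = 'Gp load from cache'
    218 = 'Gp cache first WMI query'
    257 = 'Gp policy download'
}

function Measure-GpPhase {   # hypothetical helper name
    param([Parameter(Mandatory)] [object[]] $Records)
    $open = @{}   # "ActivityId|phase" -> start time of a phase still running
    foreach ($r in ($Records | Sort-Object TimeCreated)) {
        $phase = $r.Id % 1000
        if (-not $GpPhases.ContainsKey($phase)) { continue }
        $kind = ($r.Id - $phase) / 1000
        $key  = "$($r.ActivityId)|$phase"
        if ($kind -eq 4) { $open[$key] = $r.TimeCreated; continue }
        # Ignore IDs that are not an end event, and ends whose start was not seen.
        if (($kind -ne 5 -and $kind -ne 7) -or -not $open.ContainsKey($key)) { continue }
        [pscustomobject]@{
            ActivityId = $r.ActivityId
            Phase      = $GpPhases[$phase]
            Result     = if ($kind -eq 5) { 'Success' } else { 'Error' }
            Seconds    = ($r.TimeCreated - $open[$key]).TotalSeconds
        }
        $open.Remove($key)
    }
}

# Constructed sample records (not real log data), shaped like Get-WinEvent output.
$act = [guid]'00000000-0000-0000-0000-000000000001'
$t0  = [datetime]'2014-05-14T08:00:00'
$sample = @(
    [pscustomobject]@{ Id = 4117; TimeCreated = $t0;               ActivityId = $act }
    [pscustomobject]@{ Id = 4126; TimeCreated = $t0.AddSeconds(1); ActivityId = $act }
    [pscustomobject]@{ Id = 5126; TimeCreated = $t0.AddSeconds(3); ActivityId = $act }
    [pscustomobject]@{ Id = 4217; TimeCreated = $t0.AddSeconds(3); ActivityId = $act }
    [pscustomobject]@{ Id = 7217; TimeCreated = $t0.AddSeconds(4); ActivityId = $act }
    [pscustomobject]@{ Id = 5117; TimeCreated = $t0.AddSeconds(9); ActivityId = $act }
)
Measure-GpPhase -Records $sample | Format-Table Phase, Result, Seconds

# Live use on a Windows 8.1 client:
# Measure-GpPhase -Records (Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational')
```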

Base Hit skills for Group Policy Troubleshooting
Tracing
Get Facts about a particular Group Policy Preferences item CSE

Base Hit skills for Group Policy Troubleshooting
Windows Performance Analyzer
Get Facts about the whole boot and login process
Definitely attend session WIN-B359 2014 Edition: How Many Coffees Can You Drink While Your PC Starts? (Thurs 2:45 PM)
(And review 2013 and 2012 sessions on
Demo
Group Policy Eventing

Final Thoughts, then Announcements !

Final thoughts (Before Announcements)
Other tips, tricks and thoughts to consider
Always use the latest GPMC (and latest ADMX templates.) (That's two separate things.)
Jeremy's Law: The First Logon doesn't matter. Heck, the second login doesn't matter either.
Don't wait until your systems have cruft to start troubleshooting.
Just for fun, bring up a Windows 8.1 machine next to a Windows 7 machine.
Troubleshooting is part Art and part Science.
But don't blame something that doesn't have data around it.

Announcing
Problem: cPassword Fields are reversible
Announcement 1: Microsoft announces (right here, right now) a fix for cPassword fields in Group Policy Preferences

Announcing
http://support.microsoft.com/kb/2962486
What do you get?
GPMC hotfix to prevent going forward
PowerShell detection script
Guidance for remediation
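
For illustration, one way to audit for the problem described above is to walk a folder of Group Policy Preferences XML files and report every item that still carries a non-empty cpassword attribute. This is an added example, not the detection script from KB 2962486 and not code from the session; the function name Find-GppCPassword, the demo file and the example.com path are assumptions.

```powershell
function Find-GppCPassword {   # hypothetical helper name
    param([Parameter(Mandatory)] [string] $Path)
    Get-ChildItem -Path $Path -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            try   { $xml = [xml](Get-Content -LiteralPath $file.FullName -Raw) }
            catch { return }   # not well-formed XML: skip this file
            # Report every element that carries a non-empty cpassword attribute.
            # The value itself is deliberately neither printed nor decoded.
            foreach ($node in $xml.SelectNodes('//*[string-length(@cpassword) > 0]')) {
                [pscustomobject]@{
                    File     = $file.FullName
                    ItemType = $node.ParentNode.LocalName
                    ItemName = $node.SelectSingleNode('../@name').Value
                    Changed  = $node.SelectSingleNode('../@changed').Value
                }
            }
        }
}

# Constructed demo input (not a real GPO): one preference item with a placeholder value.
$demo = Join-Path ([IO.Path]::GetTempPath()) 'gpp-cpassword-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
@'
<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="LocalAdmin" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="PLACEHOLDER-NOT-A-REAL-VALUE"/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $demo 'Groups.xml')

Find-GppCPassword -Path $demo | Format-List

# Live use (the domain name is a placeholder):
# Find-GppCPassword -Path '\\example.com\SYSVOL\example.com\Policies'
```

Each finding names the GPO file and preference item to remediate; follow the remediation guidance in the KB for the stored credential itself.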

Announcing
Problem: How can you marry the flexibility of Group Policy Preferences with the power and delivery of SCCM and/or Windows Intune?
Use ANY Group Policy Preferences item
Shortcuts, Power Settings, VPN Settings, Services, Schedule Tasks, Stop Devices, Start Menu etc etc..
Deploy using SCCM or Windows Intune even to non-Domain Joined Machines
Bonus: Keep GPPrefs compliant when machines go offline.

Announcement:

Announcing
Problem: How do you deliver GPPrefs and app settings (without Active Directory, SCCM, or Intune?)

Announcement:

Use ANY Group Policy Preferences item
Shortcuts, Power Settings, VPN Settings, Services, Schedule Tasks, Stop Devices, Start Menu etc etc.
Use ANY PolicyPak Application Manager item
Firefox, Internet Explorer, Java, Flash, etc., etc.
Deploy over the Internet .. Even to non-Domain Joined Machines and keep configs compliant.

Built on Azure !

PolicyPak Cloud and/or SCCM / Intune first steps
Step 1: Export items as XML

PolicyPak and GPPrefs with SCCM
Step 2 (SCCM): Use familiar SCCM Application Wizard

PolicyPak and GPPrefs with Windows Intune
Step 2 (Intune): Use familiar Managed Software Wizard

PolicyPak and GPPrefs with PolicyPak Cloud
Step 2 (PolicyPak Cloud): Upload XML items to PolicyPak Cloud

Results with PolicyPak
Results: Downloaded, applied and enforced at Windows client

GPPrefs and your apps settings get deployed using YOUR choice:
Group Policy
SCCM
Windows Intune
PolicyPak Cloud

Additional Resources and Tools
GPanswers.com
PolicyPak Software
Live and Online Training (Public and On-Site classes)
Coming Soon: PolicyPak Compliance Reporter - New Tool ! (Group Policy troubleshooting & reporting for entire OUs)
The big green Group Policy book (Cover with Leaf on it is latest)
Group Policy Health Check Consulting (Troubleshooting and advice)

100% Free Bonus Stuff for attending !
ADM(x) Myths, Facts and workarounds Video Demos
PowerShell Script I demo'd (and how-to video) and Activity ID Filter I demo'd.
PolicyPak Cloud Trial
POSSIBLY win one of my Group Policy Books
(No guarantees!... They make me say that.)

Go here, then get them via email:
TinyURL.com/jmteched1
Doesn't work for you? Email me directly.
jeremym@policypak.com

Video 1
Group Policy: ADM/X Files why they cannot prevent user shenanigans

Video 2
Group Policy: Understanding ADM-ADMX files Tattooing (and what to do about it)

Video 3
GPPrefs Registry: Nuke mode and why users can avoid your GPprefs settings

Related content
Breakout Sessions
WIN-B359 2014 Edition: How Many Coffees Can You Drink While Your PC Starts? (Thurs 2:45 PM)

Find Me Later At. . .
Microsoft's MANAGEMENT Booth at 10.45 - 1.00 on Wednesday

Resources
Learning
Sessions on Demand

http://channel9.msdn.com/Events/TechEd

TechNet
Resources for IT Professionals

http://microsoft.com/technet

Microsoft Certification & Training Resources

www.microsoft.com/learning

msdn
Resources for Developers

http://microsoft.com/msdn

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.