Darren Mar-Elia CTO and Founder SDM Software

Derek Melber President

BrainCore.Net

Derek Melber Author of Group Policy Resource Kit by MSPress

Author, speaker, consultant for BrainCore.Net

Group Policy/AD MVP for the past 10 years

Darren Mar-Elia CTO & Founder, SDM Software, Inc.

Group Policy MVP for the last 10 years

30+ years in Software and IT

Founder of popular GPOGUY.COM site

Founded in 2006

Experts in Group Policy and Group Policy Management Products

Products include: GPO Reporting Pak

GPO Compare & GPO Exporter

Group Policy Automation Engine PowerShell automation to read/write GP settings

GPAA (Group Policy Auditing and Attestation) Group Policy Change Auditing and Attestation

To be released in Q1

Number of GPOs

Deciding if GPO/settings apply Security filtering

WMI filters

Group Policy Preference Item-level Targeting

Conflicts/Duplicate settings in different GPOs

Changes to settings per CSE

Synchronous settings

Changes to entire GPO… version number changes

1 GPO vs 5000 GPOs Organize settings within GPOs that make sense

Helps with troubleshooting

Helps with finding a setting

Common to organize based on contents Internet Explorer

Security

Desktop/Start menu

Software

Security filtering

WMI filters

Group Policy Preference Item-level Targeting

Use security filtering, WMI filters, and GPP ILT on limited basis

Link GPOs as close to object(s) being controlled as possible

Typically at OU level… even sub-OU level

Use security filtering and WMI filtering as secondary to linking to OU

Default GPOs have existing settings

Better to reduce number of conflicts between GPOs

Conflicts cause processing time

Conflicts can be difficult to troubleshoot

Duplicate settings Are not a problem with results

Do cause additional processing time

Don’t alter the Default Domain Policy or the Default Domain Controllers Policy

Create new GPOs and configure with higher precedence No confidence a patch, SP, or upgrade won’t alter/reset default GPOs

Each CSE controls an area/settings within GPO

When one setting within CSE changes, all configured settings across all GPOs included under the CSE must process

Group computer settings into their own GPOs Disable User settings Organize computer objects into their own OUs

Group User settings into their own GPOs Disable Computer settings Organize user objects into their own OUs

Synchronous – settings apply in series and all settings in all GPOs must apply before computer is accessible

Asynchronous – desktop is accessible before all GPO settings apply

XP+ default is to apply Asynchronous

Can force Synchronous all the time by enabling policy at Computer Configuration\Admin Templates\System\Logon\Always Wait for Network at Computer Startup and User Logon

But you pay a performance penalty at every boot or logon

Synchronous settings Folder Redirection

Software installation

Microsoft Disk Quota

Group Policy Preference Drive Mappings

Changes to synchronous settings force next startup/logon to be synchronous

Each process interval calculates the GPOs that need to be applied If the process interval determines that the GPO list has changed, it will cause a complete refresh of all GPOs and all settings

Security group filter changes Security group membership changes WMI filter add or remove Linking or unlinking of a GPO

Goal is to try to minimize the number of GPOs that must be processed when something changes

0

5

10

15

20

25

30

35

40

Background Refresh, No changes Background Refresh, Forced

CSE

Core

Each GPO has a version number Version number is incremented each time user/computer setting within GPO changes

Computer changes = increments by 1’s User changes = increments by 65536’s

When GPO version number changes… All CSE related settings in the GPO must process If a synchronous setting is contained within GPO, next startup/logon will be synchronous (regardless of Asynchronous setting)

Difficult to analyze existing environment with native tools

Difficult to design GPOs based on these design criteria, easier to group based on topic, role, location, etc.

Inefficient GP designs can cause substantial delays at startup and logon

Up to 30% or more depending upon what’s going on in the GPOs

Conflicting or duplicate settings

GPO changes to synchronous CSEs that force synchronous processing

Enabling synchronous processing all the time

WMI Filters and esp. ‘expensive’ queries

Expensive GPP Item-Level Targeting

Loopback Merge Mode

Visit http://sdmsoftware.com/group-policy-management-products/ to view and register for our products

Visit www.sdmsoftware.com/blog to read SDM Software Founder Darren Mar-Elia’s thoughts on Group Policy

Contact us at sales@sdmsoftware.com for questions on products

darren@sdmsoftware.com derek@derekmelber.com