group policy: notes from the field - tips, tricks, and troubleshooting
Group Policy: Tips, Tricks and Notes from the Field
Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software
WIN-B328
Agenda
• Un(der) Documented Items
• Tips for Speed Freaks
• Group Policy Troubleshooting Base Hits
• Bonus #1 (For Geeks) … ADM(x) and Group Policy Preferences “Gotchas”
• Bonus #2: Special Group Policy Announcements!
Un(der) Documented Items
Un(der) Documented: Always use the latest GPMC available
• “Most popular” would be the Windows 7 machine / GPMC from RSAT
• Suggest: Always use “Latest Greatest” GPMC available
• This is different than using “Latest Greatest” ADMX / ADML files / Central Store
Many GPMC versions out there
Latest GPMC Goodies
GPPrefs item for IE10:
<FilterFile hidden="1" not="0" bool="AND" path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" type="VERSION" gte="1" min="10.0.0.0" max="99.0.0.0" lte="0"/>
Better Reporting
• Old Style GPMC broke it up into “Summary” (GPOs you got) and “Settings” (settings in those GPOs).
• New Style GPMC: “Details” in a one-stop-shop view
• Conflicts easier to detect with “Winning GPO”
IPv6 options in some GPPrefs items
Check Group Policy “Status”
Remote GPUpdate
• Targets must be Windows 7 and later
Demo
• IE 10 “Internal Filters”
• Remote GPUpdate
Tips for Speed Freaks
Top myths which really don’t cause Group Policy slowdowns… or any slowdowns at all (roughly in the order that I hear them…)
• Lots of GPOs in the Group Policy Objects folder
• Not disabling the “unused portion” of a GPO
• Lots of “stuff” inside a GPO
• Block Inheritance and/or Enforced used
• Lots and lots of GPOs linked to a user or computer* (see next slide & two slides from now)
Top real causes for slowdown at login / startup (but… Group Policy is incorrectly blamed) (roughly in the order that I see them…)
• Login Scripts doing “dumb” things.
• Login Scripts doing “really dumb” things.
• Login Scripts doing “ridiculously dumb” things.
• Startup Scripts doing “dumb” things
• Having a home drive “far away”
• Lots and lots of GPOs linked to a user or computer* (see next slide)
• Profile being built / downloaded / first time
• Other various disk contention during startup & login
• DNS issues
• Services hung on client
• Mapping drives or printers that don’t exist
• Bad drivers
Top ACTUAL causes for Group Policy slowdowns (roughly in the order that I see them…)
• Lots and lots of GPOs linked to a user or computer… but over a slow link.
• Deploying huuuuge printer drivers using Group Policy Preferences Printers
• Replication issues causing a GPO to be malformed and/or to have a broken version number
• “Overuse” of Group Policy filtering by AD group membership
• Using WMI filters inappropriately / excessively
• Actual Group Policy client-side bugs (which typically have actual hotfixes and/or known workarounds)
Bug Inspection – KB 2775511 for Windows 7 SP 1
• “Improves the processing of Group Policies and Group Policy preferences. The performance of computers is improved after you install this rollup update on Windows 7-based computers that have several Group Policy preferences”
• “Improves the Windows Management Instrumentation (WMI) components to reduce the CPU usage and to improve the repository verification performance.”
• Fixes: “Logon scripts take a long time to run in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2”
• Fixes: “You experience a long logon time when you try to log on to a Windows 7-based or a Windows Server 2008 R2-based client computer that uses roaming profiles”
Another Big Topic: Sync vs. Async
• By default, on Windows clients, Group Policy processing is “deferred” until sometime after the computer is started (and sometime after the user is logged in).
• Good news: Everything feels faster (for startups and logins).
• Bad news (for Windows 7 clients): If any “part” (CSE) of Group Policy requires Sync, the whole login (computer side or user side) must process in Sync mode.
• Additional bad news: Login scripts only slow you down at login time… when the profile is being built / downloaded, Start Menu getting warmed up, and so on.
The Big Problem: Sync vs. Async
Windows 8.1 takes a leap forward in reducing what REQUIRES Sync to be necessarily forced
Before Windows 8.1:
• Folder Redirection
• Software Installation
• Group Policy Preferences Drive Maps
• Disk Quota
Windows 8.1:
• Folder Redirection
• Software Installation
Windows 8.1 There to Help
• Windows 8.1 “caches” GPOs locally. When Sync is required, read locally, not from AD.
• Windows 8.1 flips back to async mode when the final CSE requiring sync is done processing.
• Windows 8.1 reduces LDAP requests to Active Directory during all logons.
What this does:
• Speeds up login when sync is required
• Speeds up login when you have LOTS of GPOs AND you have slow links.
What the caching doesn’t do:
• Doesn’t keep “ADM(x)-based non-Policies” keys or Group Policy Preferences compliant when working offline.
• Remember login scripts causing disk contention & LOTS of slowdowns at login time?
• Windows 8.1 defers login script processing until “later”
• Windows 8.1 default: 5 minutes after triggered
• Can turn off if desired. (IMHO, when you’ve got SSDs it’s A-OK)
Understand your best and worst case scenarios
Best Case:
• Windows 8.1
• All CSEs (including 3rd party ones) run Async
Worst Case (But Useful!):
• Test using the Always wait for the network at computer startup or login policy setting as enabled
And/or
• First time ever logging on.
Demo
Speed Tests.. Live !
Base Hits for Group Policy Troubleshooting
“Base Hit” skills for Group Policy Troubleshooting
Worst way to troubleshoot: Use Group Policy as a scapegoat for all slowness problems.
Best way to troubleshoot: Actual facts
Ways to get facts:
• Reporting
• Eventing
• Tracing
• Windows Performance Analyzer
Reporting
Eventing
• “Major news”: Windows Logs | System
• “Incremental news”: Applications and Services Logs | Microsoft | Windows | Group Policy | Operational
Eventing: New events when clients are Windows 8.1
Event                                      Event Id
Get Applicable GPOs Start                  4126
Get Applicable GPOs End Success            5126
Get Applicable GPOs End Fail               7126
GPO process sync mode slowlink detected    6344
GPO Process sync mode NO DC                6345
GPO Process switch sync mode to async      6346
Gpsvc start                                4115
Gpsvc stop                                 5115
Eventing: And even more… New events when clients are Windows 8.1
Event                                      Event Id
Gpsvc stop                                 5115
Gp session start                           4117
Gp session return winLogon call            5351
Gp session end                             5117
Gp session end with error                  7117
Gp save to cache start                     4216
Gp save to cache end                       5216
Gp save to cache end with error            7216
Gp load from cache start                   4217
Gp load from cache end                     5217
Gp load from cache end with error          7217
Gp cache first WMI query start             4218
Gp cache first WMI query end               5218
Gp service init start                      4116
Gp service init end                        5116
Gp policy download start                   4257
Gp policy download end                     5257
Gp policy download end with error          7257
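The start/end pairs in these two tables can be turned into per-phase timings, which is the kind of fact the talk asks for before blaming Group Policy. The following is an added example, not the script demoed in the session: Measure-GpPhase is a hypothetical helper name, the "+1000 / +3000" pairing rule is read off the IDs listed above, and the sample events are constructed so the block runs without a live log.

```powershell
# Added example: pair the Windows 8.1 Group Policy start/end events listed above
# and report how long each phase took. Measure-GpPhase is a hypothetical name.
function Measure-GpPhase {
    param([Parameter(Mandatory)][object[]]$Records)  # need Id, TimeCreated, ActivityId
    # Start IDs from the slides; end = start + 1000, end with error = start + 3000.
    $phase = @{
        4126 = 'Get Applicable GPOs';      4117 = 'Gp session'
        4216 = 'Gp save to cache';         4217 = 'Gp load from cache'
        4218 = 'Gp cache first WMI query'; 4116 = 'Gp service init'
        4257 = 'Gp policy download'
    }
    # Events from one processing pass share an ActivityId.
    foreach ($pass in ($Records | Group-Object ActivityId)) {
        $sorted = @($pass.Group | Sort-Object TimeCreated)
        foreach ($start in $sorted) {
            $id = [int]$start.Id
            if (-not $phase.ContainsKey($id)) { continue }
            $endIds = @(($id + 1000), ($id + 3000))
            $end = $sorted | Where-Object {
                $_.TimeCreated -ge $start.TimeCreated -and $endIds -contains [int]$_.Id
            } | Select-Object -First 1
            $result = 'no end event'; $seconds = $null
            if ($end) {
                $seconds = ($end.TimeCreated - $start.TimeCreated).TotalSeconds
                $result  = if ([int]$end.Id -eq $id + 3000) { 'error' } else { 'ok' }
            }
            [pscustomobject]@{
                ActivityId = $pass.Name; Phase = $phase[$id]
                Result = $result;        Seconds = $seconds
            }
        }
    }
}

# Constructed sample events (not real log data): one pass where the cache load
# ends with an error and the policy download never logs an end event.
$t   = [datetime]'2014-05-12T09:00:00'
$aid = [guid]'11111111-2222-3333-4444-555555555555'
$sample = @(
    @{ Id = 4117; At = 0 }, @{ Id = 4126; At = 1 }, @{ Id = 5126; At = 3 },
    @{ Id = 4217; At = 3 }, @{ Id = 7217; At = 4 }, @{ Id = 4257; At = 4 },
    @{ Id = 5117; At = 9 }
) | ForEach-Object {
    [pscustomobject]@{ Id = $_.Id; TimeCreated = $t.AddSeconds($_.At); ActivityId = $aid }
}
Measure-GpPhase -Records $sample | Format-Table -AutoSize
# Live log on a Windows 8.1 client:
# Measure-GpPhase -Records (Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational')
```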
Tracing
• Get facts about a particular Group Policy Preferences item CSE
Windows Performance Analyzer
• Get facts about the whole boot and login process
• Definitely attend session WIN-B359, 2014 Edition: How Many Coffees Can You Drink While Your PC Starts? (Thurs 2:45 PM)
• (And review the 2013 and 2012 sessions on Channel9)
Demo
Group Policy Eventing
Final Thoughts, then… Announcements!
Final thoughts (Before Announcements)
Other tips, tricks and thoughts to consider
• Always use the latest GPMC (and latest ADMX templates). (That’s two separate things.)
• Jeremy’s Law: “The First Logon doesn’t matter. Heck, the second login doesn’t matter either.”
• Don’t wait until your systems have “cruft” to start troubleshooting. Just for fun, bring up a Windows 8.1 machine next to a Windows 7 machine.
• Troubleshooting is part “Art” and part “Science”. But don’t blame something that doesn’t have data around it.
Announcing…
Announcement 1: Microsoft announces (right here, right now) a fix for “cPassword” fields in Group Policy Preferences
Problem: cPassword fields are reversible
What do you get?
http://support.microsoft.com/kb/2962486
• GPMC hotfix to prevent going forward
• PowerShell “detection” script
• Guidance for remediation
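Because the GPMC hotfix only prevents new entries going forward, existing preference items that still hold a cpassword have to be found in the policy files themselves. The following is an added example of such a detection pass, not the script shipped with KB 2962486 and not code from the talk: Find-GppCPassword is a hypothetical helper name, and the sample tree and attribute value are constructed. It reports where a stored value exists without printing the value.

```powershell
# Added example: list Group Policy Preferences items that still carry a stored
# cpassword. Detection only; Find-GppCPassword is a hypothetical name and this
# is not the script shipped with KB 2962486.
function Find-GppCPassword {
    param([Parameter(Mandatory)][string]$Path)  # e.g. \\<domain>\SYSVOL\<domain>\Policies

    Get-ChildItem -Path $Path -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            $doc  = New-Object System.Xml.XmlDocument
            try { $doc.Load($file.FullName) }
            catch { Write-Warning "Skipping unparsable XML: $($file.FullName)"; return }

            # Match the attribute wherever it appears, whatever the preference type.
            foreach ($attr in $doc.SelectNodes('//@cpassword')) {
                if ([string]::IsNullOrEmpty($attr.Value)) { continue }  # nothing stored
                $item = $attr.OwnerElement.ParentNode                   # e.g. <User>, <Drive>
                if ($item -isnot [System.Xml.XmlElement]) { $item = $attr.OwnerElement }
                [pscustomobject]@{
                    File     = $file.FullName
                    ItemType = $item.LocalName
                    ItemName = $item.GetAttribute('name')
                    Changed  = $item.GetAttribute('changed')
                }
            }
        }
}

# Constructed sample tree and value (not a real policy or a real cpassword).
$root = Join-Path ([IO.Path]::GetTempPath()) 'gpp-cpassword-sample'
$dir  = Join-Path $root 'SamplePolicy\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="LocalAdmin (constructed)" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
</Groups>
'@ | Set-Content -Path (Join-Path $dir 'Groups.xml')

Find-GppCPassword -Path $root | Format-List
```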
Announcing…
Problem: How can you marry the flexibility of Group Policy Preferences with the power and delivery of SCCM and/or Windows Intune?
Announcement:
• Use ANY Group Policy Preferences item… Shortcuts, Power Settings, VPN Settings, Services, Scheduled Tasks, Stop Devices, Start Menu… etc.
• … Deploy using SCCM or Windows Intune… even to non-Domain Joined Machines
• Bonus: Keep GPPrefs compliant when machines go offline.
Announcing…
Problem: How do you deliver GPPrefs and app settings (without Active Directory, SCCM, or Intune)?
Announcement:
• Use ANY Group Policy Preferences item… Shortcuts, Power Settings, VPN Settings, Services, Scheduled Tasks, Stop Devices, Start Menu… etc.
• Use ANY PolicyPak Application Manager item… Firefox, Internet Explorer, Java, Flash, etc.
• Deploy over the Internet… even to non-Domain Joined Machines… and keep configs compliant.
Built on Azure!
PolicyPak Cloud and/or SCCM / Intune first steps
Step 1: Export items as XML
PolicyPak and GPPrefs with SCCM
Step 2 (SCCM): Use familiar SCCM Application Wizard
PolicyPak and GPPrefs with Windows Intune
Step 2 (Intune): Use familiar Managed Software Wizard
PolicyPak and GPPrefs with PolicyPak Cloud
Step 2 (PolicyPak Cloud): Upload XML items to PolicyPak Cloud
Results with PolicyPak
GPPrefs and your app’s settings get deployed using YOUR choice:
• Group Policy
• SCCM
• Windows Intune
• PolicyPak Cloud
Results:
Downloaded, applied and enforced at Windows client
Additional Resources and Tools
GPanswers.com
• Live and Online Training (Public and On-Site classes)
• The big green Group Policy book (Cover with Leaf on it is latest)
• Group Policy Health Check Consulting (Troubleshooting and advice)
PolicyPak Software
• Coming Soon: PolicyPak Compliance Reporter - New Tool! (Group Policy troubleshooting & reporting for entire OUs)
100% Free Bonus Stuff for attending!
• ADM(x) Myths, Facts and Workarounds Video Demos
  Video 1: Group Policy: ADM/X Files - why they cannot prevent user shenanigans
  Video 2: Group Policy: Understanding ADM-ADMX files Tattooing (and what to do about it)
  Video 3: GPPrefs Registry: “Nuke mode” and why users can avoid your GPPrefs settings
• PowerShell Script I demo’d (and how-to video) and “Activity ID Filter” I demo’d.
• PolicyPak Cloud Trial
• POSSIBLY win one of my Group Policy Books (No guarantees!... They make me say that.)
Go here, then get them via email: TinyURL.com/jmteched1
Doesn’t work for you? Email me directly. [email protected]
Related content
Breakout Sessions: WIN-B359, 2014 Edition: How Many Coffees Can You Drink While Your PC Starts? (Thurs 2:45 PM)
Find Me Later At… Microsoft’s MANAGEMENT Booth at 10.45 – 1.00 on Wednesday
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.