Group Policy: Tips Tricks and Notes from the fieldJeremy MoskowitzGroup Policy MVP and Founder of PolicyPak Software

WIN-B328

Agenda

Un(der) Documented Items

Tips for Speed Freaks

Group Policy Troubleshooting Base Hits

Bonus #1 (For Geeks) … ADM(x) and Group Policy Preferences “Gotchas”

Bonus #2: Special Group Policy Announcements !

Un(der) Documented Items

Un(der) DocumentedAlways use the latest GPMC available

“Most popular” would be the Windows 7 machine / GPMC from RSAT

Suggest: Always use “Latest Greatest” GPMC available

This is different than using “Latest Greatest” ADMX / ADML files / Central Store

Many GPMC versions out there

Un(der) DocumentedAlways use the latest GPMC available

GPPrefs item for IE10

<FilterFile hidden="1" not="0" bool="AND" path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" type="VERSION" gte="1" min="10.0.0.0" max="99.0.0.0" lte="0"/>

Latest GPMC Goodies

Un(der) DocumentedAlways use the latest GPMC available

Better Reporting

Old Style GPMC broke it up to “Summary” (GPOs you got) and “Settings” (settings in those GPOs.)

New Style GPMC “Details” in one-stop shop view

Conflicts easier to detect with “Winning GPO”

Latest GPMC Goodies

Un(der) DocumentedAlways use the latest GPMC available

IPv6 options in some GPPrefs items

Latest GPMC Goodies

Un(der) DocumentedAlways use the latest GPMC available

Check Group Policy “Status”

Latest GPMC Goodies

Un(der) DocumentedAlways use the latest GPMC available

Remote Gpupdate

Targets must be

Windows 7 and later

Latest GPMC Goodies

Demo

IE 10 “Internal Filters”Remote GPupdate

Tips for Speed Freaks

Tips for Speed Freaks

Lots of GPOs in the Group Policy Objects folder

Not Disabling “Unused portion” of GPO

Lots of “stuff” inside a GPO

Block Inheritance and/or Enforced used

Lots and lots of GPOs linked to a user or computer* (see next slide & two slides from now)

Top myths which really don’t cause Group Policy slowdowns…Or any slowdowns at all (Roughly in the order that I hear…)

Tips for Speed Freaks

Login Scripts doing “dumb” things.

Login Scripts doing “really dumb” things.

Login Scripts doing “ridiculously dumb” things.

Startup Scripts doing “dumb” things

Having a home drive “far away”

Lots and lots of GPOs linked to a user or computer* (see next slide)

Top Real Causes for Slowdown at login / startup (but… Group Policy is incorrectly blamed) (Roughly placed in order that I see them…)

Profile being built / Downloaded / First Time

Other various disk contention during startup & login

DNS issues

Services hung on client

Mapping drives or printers that don’t exist

Bad drivers

Tips for Speed Freaks

Lots and lots of GPOs linked to a user or computer… but over a slow link.

Deploying huuuuge Printer Drivers using Group Policy Preferences Printers

Replication issues causing a GPO is malformed and/or broken version number

“Overuse” of Group Policy filtering by AD Group Membership

Using WMI Filters inappropriately / excessively

Actual Group Policy client-side bugs (which typically have actual hotfixes and/or known workarounds)

Top ACTUAL Causes for Group Policy Slowdowns (Roughly in order that I see them…)

Tips for Speed Freaks

“Improves the processing of Group Policies and Group Policy preferences. The performance of computers is improved after you install this rollup update on Windows 7-based computers that have several Group Policy preferences ”

“Improves the Windows Management Instrumentation (WMI) components to reduce the CPU usage and to improve the repository verification performance.”

Fixes: “Logon scripts take a long time to run in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2”

Fixes: “You experience a long logon time when you try to log on to a Windows 7-based or a Windows Server 2008 R2-based client computer that uses roaming profiles”

Bug Inspection – KB 2775511 for Windows 7 SP 1

Tips for Speed Freaks

By default, on Windows clients … Group Policy processing is “deferred” until sometime after computer is started (and sometime after the user is logged in.)

Good news: Everything feels faster (for startups and logins).

Bad news (For Windows 7 clients): If any “part” (CSE) of Group Policy required Sync, the whole login (computer side or user side) must process in Sync mode.

Additional bad news: Login scripts only slow you down at login time …when the profile is being built / downloaded, Start Menu getting warmed up, and so on.

Another Big Topic: Sync vs. Async

Tips for Speed Freaks

Windows 8.1 takes a leap forward in reducing what REQUIRES Sync to be necessarily forced

The Big Problem: Sync vs. Async

Before Windows 8.1 Windows 8.1

Folder RedirectionSoftware InstallationGroup Policy Preferences Drive MapsDisk Quota

Folder RedirectionSoftware Installation

Tips for Speed Freaks

Windows 8.1 “caches” GPOs locally. When Sync is required, read locally, not from AD.Windows 8.1 flips back to async mode when final CSE requiring sync is done processing.Windows 8.1 reduces LDAP requests to Active Directory during all logons.

What this does: • Speeds up login when sync is required• Speeds up login when you have LOTS of GPOs AND you have slow links.

What the caching doesn’t do: Doesn’t keep “ADM(x)-based non-Policies” keys or Group Policy Preferences compliant when working offline.

Windows 8.1 There to Help

Tips for Speed Freaks

Remember login scripts causing disk contention & LOTS of slowdowns at login time?

Windows 8.1 defers login script processing until “later”

Windows 8.1 default: 5 minutes after triggered

Can turn off if desired. (IMHO, when you’ve got SSD’s it’s A-OK)

Windows 8.1 There to Help

Tips for Speed Freaks

Best Case:• Windows 8.1

• All CSEs (including 3rd party ones) run Async

Worst Case (But Useful !):• Test using Use Always wait for the

network at computer startup or login policy setting

as enabled

And/or

• First time ever logging on.

Understand your best and worst case scenarios

Demo

Speed Tests.. Live !

Base Hits for Group Policy Troubleshooting

“Base Hit” skills for Group Policy Troubleshooting

Worst way to troubleshoot: Use Group Policy as a scapegoat for all slowness problems.

Best way to troubleshoot: Actual facts

Ways to get facts:• Reporting

• Eventing

• Tracing

• Windows Performance Analyzer

Reporting

“Base Hit” skills for Group Policy Troubleshooting

“Major news”: Windows Logs | System

“Incremental News”: Applications and Services Logs | Microsoft | Windows | Group Policy | Operational

Eventing

“Base Hit” skills for Group Policy Troubleshooting

“Major news”: Windows Logs | System

“Incremental News”: Applications and Services Logs | Microsoft | Windows | Group Policy | Operational

Eventing

“Base Hit” skills for Group Policy Troubleshooting

New Events when clients are Windows 8.1

EventingEvent Id

Get Applicable GPOs Start 4126

Get Applicable GPOs End Success 5126

Get Applicable GPOs End Fail 7126

GPO process sync mode slowlink detected 6344

GPO Process sync mode NO DC 6345

GPO Process switch sync mode to async 6346

Gpsvc start 4115    

Gpsvc stop 5115

“Base Hit” skills for Group Policy Troubleshooting

And even more…New Events when clients are Windows 8.1

EventingEvent IdGpsvc stop 5115

Gp session start 4117

Gp session return winLogon call 5351

Gp session end 5117

Gp session end with error 7117

Gp save to cache start 4216

Gp save to cache end 5216

Gp save to cache end with error 7216

Gp load from cache start 4217

Gp load from cache end 5217

Gp load from cache end with error 7217

Gp cache first WMI query start 4218

Gp cache first WMI query end 5218

Gp service init start 4116

Gp service init end 5116

Gp policy download start 4257

Gp policy download end 5257

Gp policy download end with error 7257

“Base Hit” skills for Group Policy Troubleshooting

Get Facts about a particular Group Policy Preferences item CSE

Tracing

“Base Hit” skills for Group Policy Troubleshooting

Get Facts about a particular Group Policy Preferences item CSE

Tracing

“Base Hit” skills for Group Policy Troubleshooting

Get Facts about the whole boot and login process

Definitely attend session WIN-B359 2014 Edition: How Many Coffees Can You Drink While Your PC Starts?(Thurs 2:45 PM)

(And review 2013 and 2012 sessions on Channel9)

Windows Performance Analyzer

Demo

Group Policy Eventing

Final Thoughtsthen….Announcements !

Final thoughts (Before Announcements )Other tips, tricks and thoughts to consider

Always use the latest GPMC (and latest ADMX templates.) …

(That’s two separate things.)

Jeremy’s Law: “The First Logon doesn’t matter. Heck, the second login doesn’t matter either.”

Don’t wait until your systems have “cruft” to start troubleshooting.

Just for fun, bring up a Windows 8.1 machine next to a Windows 7 machine.

Troubleshooting is part “Art” and part “Science”.

But don’t blame something that doesn’t have data around it.

Announcing… Announcement 1: Microsoft

announces (right here, right now) a fix for “cPassword” fields in Group Policy Preferences

Problem: cPassword Fields are reversible

Announcing…

What do you get?

http://support.microsoft.com/kb/2962486

• GPMC hotfix to prevent going forward

• PowerShell “detection” script

• Guidance for remediation

Announcing…

Announcement:

Use ANY Group Policy Preferences item…

Shortcuts, Power Settings, VPN Settings, Services, Schedule Tasks, Stop Devices, Start Menu… etc etc..

… Deploy using SCCM or Windows Intune

… even to non-Domain Joined Machines

Bonus: Keep GPPrefs compliant when machines go offline.

Problem: How can you marry the flexibility of Group Policy Preferences with the power and delivery of SCCM and/or Windows Intune?

Announcing…Problem: How do you deliver

GPPrefs and app settings (without Active Directory, SCCM, or Intune?)

Use ANY Group Policy Preferences item…

• Shortcuts, Power Settings, VPN Settings, Services, Schedule Tasks, Stop Devices, Start Menu… etc etc.

Use ANY PolicyPak Application Manager item…

• Firefox, Internet Explorer, Java, Flash, etc., etc.

Deploy over the Internet .. Even to non-Domain Joined Machines … and keep configs compliant.

Announcement:

Built on Azure !

PolicyPak Cloud and/or SCCM / Intune first steps

Step 1: Export items as XML

PolicyPak and GPPrefs with SCCMStep 2 (SCCM): Use familiar SCCM Application Wizard

PolicyPak and GPPrefs with Windows Intune

Step 2 (Intune): Use familiar Managed Software Wizard

PolicyPak and GPPrefs with PolicyPak CloudStep 2 (PolicyPak Cloud): Upload XML items to PolicyPak Cloud

Results with PolicyPak

GPPrefs and your app’s settings get deployed using YOUR choice:

• Group Policy• SCCM• Windows Intune• PolicyPak Cloud

Results:

Downloaded, applied and enforced at Windows client

Additional Resources and Tools

GPanswers.com

Live and Online Training (Public and On-Site classes)

The big green Group Policy book(Cover with Leaf on it is latest)

Group Policy Health Check Consulting(Troubleshooting and advice)

PolicyPak Software

Coming Soon:PolicyPak Compliance Reporter - New Tool !

(Group Policy troubleshooting & reporting for entire OUs)

100% Free Bonus Stuff for attending !

• ADM(x) Myths, Facts and workarounds Video Demos

Go here, then get them via email:TinyURL.com/jmteched1

Doesn’t work for you? Email me directly. jeremym@policypak.com

Video 1 Group Policy: ADM/X Files - why they cannot prevent user shenanigans

Video 2 Group Policy: Understanding ADM-ADMX files Tattooing (and what to do about it)

Video 3 GPPrefs Registry: “Nuke mode” and why users can avoid your GPprefs settings

• PowerShell Script I demo’d (and how-to video) and “Activity ID Filter” I demo’d.

• PolicyPak Cloud Trial

• POSSIBLY win one of my Group Policy Books(No guarantees!... They make me say that.)

Breakout Sessions WIN-B359 2014 Edition: How Many Coffees Can You Drink While Your PC

Starts?(Thurs 2:45 PM)

Related content

Find Me Later At. . .

Microsoft’s MANAGEMENT Booth at 10.45 – 1.00 on Wednesday

Windows Enterprise windows.com/enterprise windowsphone.com/business  

Windows Track Resources

Windows Springboard microsoft.com/springboardMicrosoft Desktop Optimization Package (MDOP)

microsoft.com/mdop Windows To Go microsoft.com/windows/wtg

Windows Phone Developer developer.windowsphone.com

Resources

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

msdn

Resources for Developers

http://microsoft.com/msdn

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Sessions on Demand

http://channel9.msdn.com/Events/TechEd

Complete an evaluation and enter to win!

Evaluate this session

Scan this QR code to evaluate this session.

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.