Group Policy: Tips, Tricks and Notes from the Field
Jeremy Moskowitz
Group Policy MVP and Founder of PolicyPak Software
WIN-B328
Agenda
Un(der) Documented Items
Tips for Speed Freaks
Group Policy Troubleshooting Base Hits
Bonus #1 (For Geeks) … ADM(x) and Group Policy Preferences “Gotchas”
Bonus #2: Special Group Policy Announcements !
Un(der) Documented Items
Un(der) Documented
Always use the latest GPMC available
“Most popular” would be the Windows 7 machine / GPMC from RSAT
Suggest: Always use “Latest Greatest” GPMC available
This is different than using “Latest Greatest” ADMX / ADML files / Central Store
Many GPMC versions out there
Un(der) Documented
Always use the latest GPMC available
GPPrefs item for IE10
<FilterFile hidden="1" not="0" bool="AND" path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" type="VERSION" gte="1" min="10.0.0.0" max="99.0.0.0" lte="0"/>
Latest GPMC Goodies
Un(der) Documented
Always use the latest GPMC available
Better Reporting
Old Style GPMC broke it up to “Summary” (GPOs you got) and “Settings” (settings in those GPOs.)
New Style GPMC “Details” in one-stop shop view
Conflicts easier to detect with “Winning GPO”
Latest GPMC Goodies
Un(der) Documented
Always use the latest GPMC available
IPv6 options in some GPPrefs items
Latest GPMC Goodies
Un(der) Documented
Always use the latest GPMC available
Check Group Policy “Status”
Latest GPMC Goodies
Un(der) Documented
Always use the latest GPMC available
Remote Gpupdate
Targets must be
Windows 7 and later
Latest GPMC Goodies
Demo
IE 10 “Internal Filters”
Remote GPupdate
Tips for Speed Freaks
Tips for Speed Freaks
Lots of GPOs in the Group Policy Objects folder
Not Disabling “Unused portion” of GPO
Lots of “stuff” inside a GPO
Block Inheritance and/or Enforced used
Lots and lots of GPOs linked to a user or computer* (see next slide & two slides from now)
Top myths which really don’t cause Group Policy slowdowns…Or any slowdowns at all (Roughly in the order that I hear…)
Tips for Speed Freaks
Login Scripts doing “dumb” things.
Login Scripts doing “really dumb” things.
Login Scripts doing “ridiculously dumb” things.
Startup Scripts doing “dumb” things
Having a home drive “far away”
Lots and lots of GPOs linked to a user or computer* (see next slide)
Top Real Causes for Slowdown at login / startup (but… Group Policy is incorrectly blamed) (Roughly placed in order that I see them…)
Profile being built / Downloaded / First Time
Other various disk contention during startup & login
DNS issues
Services hung on client
Mapping drives or printers that don’t exist
Bad drivers
Tips for Speed Freaks
Lots and lots of GPOs linked to a user or computer… but over a slow link.
Deploying huuuuge Printer Drivers using Group Policy Preferences Printers
Replication issues causing a GPO to be malformed and/or to have a broken version number
“Overuse” of Group Policy filtering by AD Group Membership
Using WMI Filters inappropriately / excessively
Actual Group Policy client-side bugs (which typically have actual hotfixes and/or known workarounds)
Top ACTUAL Causes for Group Policy Slowdowns (Roughly in order that I see them…)
Tips for Speed Freaks
“Improves the processing of Group Policies and Group Policy preferences. The performance of computers is improved after you install this rollup update on Windows 7-based computers that have several Group Policy preferences”
“Improves the Windows Management Instrumentation (WMI) components to reduce the CPU usage and to improve the repository verification performance.”
Fixes: “Logon scripts take a long time to run in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2”
Fixes: “You experience a long logon time when you try to log on to a Windows 7-based or a Windows Server 2008 R2-based client computer that uses roaming profiles”
Bug Inspection – KB 2775511 for Windows 7 SP 1
Tips for Speed Freaks
By default, on Windows clients … Group Policy processing is “deferred” until sometime after computer is started (and sometime after the user is logged in.)
Good news: Everything feels faster (for startups and logins).
Bad news (For Windows 7 clients): If any “part” (CSE) of Group Policy required Sync, the whole login (computer side or user side) must process in Sync mode.
Additional bad news: Login scripts only slow you down at login time …when the profile is being built / downloaded, Start Menu getting warmed up, and so on.
Another Big Topic: Sync vs. Async
Tips for Speed Freaks
Windows 8.1 takes a leap forward in reducing what REQUIRES Sync to be necessarily forced
The Big Problem: Sync vs. Async
Before Windows 8.1: Folder Redirection, Software Installation, Group Policy Preferences Drive Maps, Disk Quota
Windows 8.1: Folder Redirection, Software Installation
Tips for Speed Freaks
Windows 8.1 “caches” GPOs locally. When Sync is required, read locally, not from AD.
Windows 8.1 flips back to async mode when final CSE requiring sync is done processing.
Windows 8.1 reduces LDAP requests to Active Directory during all logons.
What this does:
• Speeds up login when sync is required
• Speeds up login when you have LOTS of GPOs AND you have slow links.
What the caching doesn’t do: Doesn’t keep “ADM(x)-based non-Policies” keys or Group Policy Preferences compliant when working offline.
Windows 8.1 There to Help
Tips for Speed Freaks
Remember login scripts causing disk contention & LOTS of slowdowns at login time?
Windows 8.1 defers login script processing until “later”
Windows 8.1 default: 5 minutes after triggered
Can turn off if desired. (IMHO, when you’ve got SSD’s it’s A-OK)
Windows 8.1 There to Help
Tips for Speed Freaks
Best Case:
• Windows 8.1
• All CSEs (including 3rd party ones) run Async
Worst Case (But Useful !):
• Test using the “Always wait for the network at computer startup or login” policy setting as enabled
And/or
• First time ever logging on.
Understand your best and worst case scenarios
Demo
Speed Tests.. Live !
Base Hits for Group Policy Troubleshooting
“Base Hit” skills for Group Policy Troubleshooting
Worst way to troubleshoot: Use Group Policy as a scapegoat for all slowness problems.
Best way to troubleshoot: Actual facts
Ways to get facts:
• Reporting
• Eventing
• Tracing
• Windows Performance Analyzer
Reporting
“Base Hit” skills for Group Policy Troubleshooting
“Major news”: Windows Logs | System
“Incremental News”: Applications and Services Logs | Microsoft | Windows | Group Policy | Operational
Eventing
“Base Hit” skills for Group Policy Troubleshooting
New Events when clients are Windows 8.1
Eventing
Event / Event Id
Get Applicable GPOs Start 4126
Get Applicable GPOs End Success 5126
Get Applicable GPOs End Fail 7126
GPO process sync mode slowlink detected 6344
GPO Process sync mode NO DC 6345
GPO Process switch sync mode to async 6346
Gpsvc start 4115
Gpsvc stop 5115
“Base Hit” skills for Group Policy Troubleshooting
And even more…New Events when clients are Windows 8.1
Eventing
Event / Event Id
Gpsvc stop 5115
Gp session start 4117
Gp session return winLogon call 5351
Gp session end 5117
Gp session end with error 7117
Gp save to cache start 4216
Gp save to cache end 5216
Gp save to cache end with error 7216
Gp load from cache start 4217
Gp load from cache end 5217
Gp load from cache end with error 7217
Gp cache first WMI query start 4218
Gp cache first WMI query end 5218
Gp service init start 4116
Gp service init end 5116
Gp policy download start 4257
Gp policy download end 5257
Gp policy download end with error 7257
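One way to turn the start/end event IDs in the tables above into per-phase timings. This is an added example, not the PowerShell script demoed in the session; the function name, the sample events and the assumption that all events of one processing run share an Activity ID are mine.

```powershell
# Added example (not from the session): pair start/end events per Activity ID.
# Start IDs are taken from the slides' tables; on these IDs the "end" event is
# start+1000 and the "end with error" event is start+3000.
$phases = @{
    4117 = 'GP session';      4126 = 'Get applicable GPOs'
    4257 = 'Policy download'; 4216 = 'Save to cache'; 4217 = 'Load from cache'
}

function Measure-GpPhase {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($run in ($Events | Group-Object ActivityId)) {
        $first = @{}   # earliest event of each Id within this Activity ID
        foreach ($e in ($run.Group | Sort-Object TimeCreated)) {
            if (-not $first.ContainsKey([int]$e.Id)) { $first[[int]$e.Id] = $e }
        }
        foreach ($startId in ($phases.Keys | Sort-Object)) {
            $start = $first[$startId]
            if ($null -eq $start) { continue }
            $ok   = $first[$startId + 1000]
            $fail = $first[$startId + 3000]
            $end  = if ($null -ne $ok) { $ok } else { $fail }
            [pscustomobject]@{
                ActivityId = $run.Name
                Phase      = $phases[$startId]
                Result     = if ($null -ne $ok) { 'Success' } elseif ($null -ne $fail) { 'Error' } else { 'No end event' }
                Seconds    = if ($null -ne $end) { ($end.TimeCreated - $start.TimeCreated).TotalSeconds }
            }
        }
    }
}

# Constructed sample events (hypothetical times and Activity ID) so this runs offline.
$t = [datetime]'2014-05-14T09:00:00'
$a = [guid]'aaaaaaaa-0000-0000-0000-000000000001'
$sample = @(
    [pscustomobject]@{ Id = 4117; TimeCreated = $t;                 ActivityId = $a }
    [pscustomobject]@{ Id = 4126; TimeCreated = $t.AddSeconds(1);   ActivityId = $a }
    [pscustomobject]@{ Id = 5126; TimeCreated = $t.AddSeconds(3.5); ActivityId = $a }
    [pscustomobject]@{ Id = 4257; TimeCreated = $t.AddSeconds(4);   ActivityId = $a }
    [pscustomobject]@{ Id = 7257; TimeCreated = $t.AddSeconds(34);  ActivityId = $a }
    [pscustomobject]@{ Id = 5117; TimeCreated = $t.AddSeconds(36);  ActivityId = $a }
)
Measure-GpPhase -Events $sample | Format-Table -AutoSize

# Live log, same function:
# $ids = $phases.Keys | ForEach-Object { $_, ($_ + 1000), ($_ + 3000) }
# Measure-GpPhase -Events (Get-WinEvent -FilterHashtable @{
#     LogName = 'Microsoft-Windows-GroupPolicy/Operational'; Id = $ids })
```

A phase that reports “Error” or “No end event” with a long duration is the place to start reading the Operational log for that Activity ID.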
“Base Hit” skills for Group Policy Troubleshooting
Get Facts about a particular Group Policy Preferences item CSE
Tracing
“Base Hit” skills for Group Policy Troubleshooting
Get Facts about the whole boot and login process
Definitely attend session WIN-B359 2014 Edition: How Many Coffees Can You Drink While Your PC Starts? (Thurs 2:45 PM)
(And review 2013 and 2012 sessions on Channel9)
Windows Performance Analyzer
Demo
Group Policy Eventing
Final Thoughts
then…
Announcements !
Final thoughts (Before Announcements)
Other tips, tricks and thoughts to consider
Always use the latest GPMC (and latest ADMX templates.) …
(That’s two separate things.)
Jeremy’s Law: “The First Logon doesn’t matter. Heck, the second login doesn’t matter either.”
Don’t wait until your systems have “cruft” to start troubleshooting.
Just for fun, bring up a Windows 8.1 machine next to a Windows 7 machine.
Troubleshooting is part “Art” and part “Science”.
But don’t blame something that doesn’t have data around it.
Announcing…
Announcement 1: Microsoft announces (right here, right now) a fix for “cPassword” fields in Group Policy Preferences
Problem: cPassword Fields are reversible
Announcing…
What do you get?
http://support.microsoft.com/kb/2962486
• GPMC hotfix to prevent going forward
• PowerShell “detection” script
• Guidance for remediation
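A minimal inventory of where cpassword values still live, to drive the remediation step. This is an added example and not the detection script shipped with KB 2962486; the function name, the sample GPO folder and the SYSVOL path in the last comment are assumptions.

```powershell
# Added example (not Microsoft's KB script): list GPP items that still carry a
# non-empty cpassword attribute. Reports locations only; the value is never decoded.
function Find-GppCPassword {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -Recurse -File -Filter '*.xml' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        try   { $doc = [xml](Get-Content -LiteralPath $file.FullName -Raw -ErrorAction Stop) }
        catch { Write-Warning "Unreadable XML: $($file.FullName)"; return }
        foreach ($node in $doc.SelectNodes('//*[string-length(@cpassword) > 0]')) {
            # Assumption: the attribute sits on <Properties>; the parent element names the item.
            $item = $node.ParentNode -as [System.Xml.XmlElement]
            [pscustomobject]@{
                GpoGuid  = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] }
                ItemType = if ($null -ne $item) { $item.LocalName }
                ItemName = if ($null -ne $item) { $item.GetAttribute('name') }
                Changed  = if ($null -ne $item) { $item.GetAttribute('changed') }
                File     = $file.FullName
            }
        }
    }
}

# Constructed sample: a fake GPO folder with one Groups.xml, so the function runs offline.
$root   = Join-Path ([IO.Path]::GetTempPath()) 'gpp-sample'
$guid   = '{11111111-2222-3333-4444-555555555555}'   # constructed GUID
$folder = Join-Path $root "$guid\Machine\Preferences\Groups"
New-Item -ItemType Directory -Path $folder -Force | Out-Null
@'
<Groups>
  <User name="LocalAdmin (constructed)" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="NoPassword (constructed)" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="Guest" cpassword=""/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $folder 'Groups.xml')

Find-GppCPassword -Path $root | Format-List   # one finding: the LocalAdmin item

# Against a domain (assumption: run as a user who can read SYSVOL):
# Find-GppCPassword -Path "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
```

Every account named in a finding should have its password changed after the item is removed, because the stored value stays readable in older SYSVOL copies and backups.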
Announcing…
Announcement:
Use ANY Group Policy Preferences item…
Shortcuts, Power Settings, VPN Settings, Services, Schedule Tasks, Stop Devices, Start Menu… etc etc..
… Deploy using SCCM or Windows Intune
… even to non-Domain Joined Machines
Bonus: Keep GPPrefs compliant when machines go offline.
Problem: How can you marry the flexibility of Group Policy Preferences with the power and delivery of SCCM and/or Windows Intune?
Announcing…
Problem: How do you deliver GPPrefs and app settings (without Active Directory, SCCM, or Intune?)
Use ANY Group Policy Preferences item…
• Shortcuts, Power Settings, VPN Settings, Services, Schedule Tasks, Stop Devices, Start Menu… etc etc.
Use ANY PolicyPak Application Manager item…
• Firefox, Internet Explorer, Java, Flash, etc., etc.
Deploy over the Internet .. Even to non-Domain Joined Machines … and keep configs compliant.
Announcement:
Built on Azure !
PolicyPak Cloud and/or SCCM / Intune first steps
Step 1: Export items as XML
PolicyPak and GPPrefs with SCCM
Step 2 (SCCM): Use familiar SCCM Application Wizard
PolicyPak and GPPrefs with Windows Intune
Step 2 (Intune): Use familiar Managed Software Wizard
PolicyPak and GPPrefs with PolicyPak Cloud
Step 2 (PolicyPak Cloud): Upload XML items to PolicyPak Cloud
Results with PolicyPak
GPPrefs and your app’s settings get deployed using YOUR choice:
• Group Policy
• SCCM
• Windows Intune
• PolicyPak Cloud
Results:
Downloaded, applied and enforced at Windows client
Additional Resources and Tools
GPanswers.com
Live and Online Training (Public and On-Site classes)
The big green Group Policy book (Cover with Leaf on it is latest)
Group Policy Health Check Consulting (Troubleshooting and advice)
PolicyPak Software
Coming Soon: PolicyPak Compliance Reporter - New Tool !
(Group Policy troubleshooting & reporting for entire OUs)
100% Free Bonus Stuff for attending !
• ADM(x) Myths, Facts and workarounds Video Demos
Go here, then get them via email: TinyURL.com/jmteched1
Doesn’t work for you? Email me directly. [email protected]
Video 1 Group Policy: ADM/X Files - why they cannot prevent user shenanigans
Video 2 Group Policy: Understanding ADM-ADMX files Tattooing (and what to do about it)
Video 3 GPPrefs Registry: “Nuke mode” and why users can avoid your GPprefs settings
• PowerShell Script I demo’d (and how-to video) and “Activity ID Filter” I demo’d.
• PolicyPak Cloud Trial
• POSSIBLY win one of my Group Policy Books (No guarantees!... They make me say that.)
Related content
Breakout Sessions: WIN-B359 2014 Edition: How Many Coffees Can You Drink While Your PC Starts? (Thurs 2:45 PM)
Find Me Later At. . .
Microsoft’s MANAGEMENT Booth at 10.45 – 1.00 on Wednesday
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.