Jeremy Moskowitz Group Policy MVP and Founder of PolicyPak Software WINB328 Agenda Under Documented Items Tips for Speed Freaks Group Policy Troubleshooting Base Hits Bonus 1 ID: 646523
Group Policy: Tips, Tricks and Notes from the Field
Jeremy Moskowitz, Group Policy MVP and Founder of PolicyPak Software
WIN-B328
Slide3
Agenda
Un(der) Documented Items
Tips for Speed Freaks
Group Policy Troubleshooting Base Hits
Bonus #1 (For Geeks) … ADM(x) and Group Policy Preferences “Gotchas”
Bonus #2: Special Group Policy Announcements!
Slide4
Un(der) Documented Items
Slide5
Un(der) Documented
Always use the latest GPMC available
“Most popular” would be the Windows 7 machine / GPMC from RSAT
Suggest: Always use “Latest Greatest” GPMC available
This is different than using “Latest Greatest” ADMX / ADML files / Central Store
Many GPMC versions out there
Slide6
Un(der) Documented
Always use the latest GPMC available
GPPrefs item for IE10
<FilterFile hidden="1" not="0" bool="AND" path="%ProgramFilesDir%\Internet Explorer\iexplore.exe" type="VERSION" gte="1" min="10.0.0.0" max="99.0.0.0" lte="0"/>
Latest GPMC Goodies
Slide7
Un(der) Documented
Always use the latest GPMC available
Better Reporting
Old Style GPMC broke it up to “Summary” (GPOs you got) and “Settings” (settings in those GPOs.)
New Style GPMC “Details” in one-stop shop view
Conflicts easier to detect with “Winning GPO”
Latest GPMC Goodies
Slide8
Un(der) Documented
Always use the latest GPMC available
IPv6 options in some GPPrefs items
Latest GPMC Goodies
Slide9
Un(der) Documented
Always use the latest GPMC available
Check Group Policy “Status”
Latest GPMC Goodies
Slide10
Un(der) Documented
Always use the latest GPMC available
Remote Gpupdate
Targets must be Windows 7 and later
Latest GPMC Goodies
Slide11
Demo
IE 10 “Internal Filters”
Remote GPupdate
Slide12
Tips for Speed Freaks
Slide13
Tips for Speed Freaks
Lots of GPOs in the Group Policy Objects folder
Not Disabling “Unused portion” of GPO
Lots of “stuff” inside a GPO
Block Inheritance and/or Enforced used
Lots and lots of GPOs linked to a user or computer* (see next slide & two slides from now)
Top myths which really don’t cause Group Policy slowdowns… Or any slowdowns at all
(Roughly in the order that I hear…)
Slide14
Tips for Speed Freaks
Login Scripts doing “dumb” things.
Login Scripts doing “really dumb” things.
Login Scripts doing “ridiculously dumb” things.
Startup Scripts doing “dumb” things
Having a home drive “far away”
Lots and lots of GPOs linked to a user or computer* (see next slide)
Top Real Causes for Slowdown at login / startup
(but… Group Policy is incorrectly blamed)
(Roughly placed in order that I see them…)
Profile being built / Downloaded / First Time
Other various disk contention during startup & login
DNS issues
Services hung on client
Mapping drives or printers that don’t exist
Bad drivers
Slide15
Tips for Speed Freaks
Lots and lots of GPOs linked to a user or computer… but over a slow link.
Deploying huuuuge Printer Drivers using Group Policy Preferences Printers
Replication issues causing a malformed GPO and/or broken version number
“Overuse” of Group Policy filtering by AD Group Membership
Using WMI Filters inappropriately / excessively
Actual Group Policy client-side bugs (which typically have actual hotfixes and/or known workarounds)
Top ACTUAL Causes for Group Policy Slowdowns
(Roughly in order that I see them…)
Slide16
Tips for Speed Freaks
“Improves the processing of Group Policies and Group Policy preferences. The performance of computers is improved after you install this rollup update on Windows 7-based computers that have several Group Policy preferences”
“Improves the Windows Management Instrumentation (WMI) components to reduce the CPU usage and to improve the repository verification performance.”
Fixes: “Logon scripts take a long time to run in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2”
Fixes: “You experience a long logon time when you try to log on to a Windows 7-based or a Windows Server 2008 R2-based client computer that uses roaming profiles”
Bug Inspection – KB 2775511 for Windows 7 SP 1
Slide17
Tips for Speed Freaks
By default, on Windows clients … Group Policy processing is “deferred” until sometime after computer is started (and sometime after the user is logged in.)
Good news: Everything feels faster (for startups and logins).
Bad news (For Windows 7 clients): If any “part” (CSE) of Group Policy required Sync, the whole login (computer side or user side) must process in Sync mode.
Additional bad news: Login scripts only slow you down at login time … when the profile is being built / downloaded, Start Menu getting warmed up, and so on.
Another Big Topic: Sync vs. Async
Slide18
Tips for Speed Freaks
Windows 8.1 takes a leap forward in reducing what REQUIRES Sync to be necessarily forced
The Big Problem: Sync vs. Async
Before Windows 8.1: Folder Redirection; Software Installation; Group Policy Preferences Drive Maps; Disk Quota
Windows 8.1: Folder Redirection; Software Installation
Slide19
Tips for Speed Freaks
Windows 8.1 “caches” GPOs locally. When Sync is required, read locally, not from AD.
Windows 8.1 flips back to async mode when final CSE requiring sync is done processing.
Windows 8.1 reduces LDAP requests to Active Directory during all logons.
What this does: Speeds up login when sync is required. Speeds up login when you have LOTS of GPOs AND you have slow links.
What the caching doesn’t do: Doesn’t keep “ADM(x)-based non-Policies” keys or Group Policy Preferences compliant when working offline.
Windows 8.1 There to Help
Slide20
Tips for Speed Freaks
Remember login scripts causing disk contention & LOTS of slowdowns at login time?
Windows 8.1 defers login script processing until “later”
Windows 8.1 default: 5 minutes after triggered
Can turn off if desired.
(IMHO, when you’ve got SSD’s it’s A-OK)
Windows 8.1 There to Help
Slide21
Tips for Speed Freaks
Best Case: Windows 8.1
All CSEs (including 3rd party ones) run Async
Worst Case (But Useful!): Test using the “Always wait for the network at computer startup or login” policy setting as enabled
And/or first time ever logging on.
Understand your best and worst case scenarios
Slide22
Demo
Speed Tests.. Live!
Slide23
Base Hits for Group Policy Troubleshooting
Slide24
“Base Hit” skills for Group Policy Troubleshooting
Worst way to troubleshoot: Use Group Policy as a scapegoat for all slowness problems.
Best way to troubleshoot: Actual facts
Ways to get facts:
Reporting
Eventing
Tracing
Windows Performance Analyzer
Reporting
Slide25
“Base Hit” skills for Group Policy Troubleshooting
“Major news”: Windows Logs | System
“Incremental News”: Applications and Services Logs | Microsoft | Windows | Group Policy | Operational
Eventing
Slide26
“Base Hit” skills for Group Policy Troubleshooting
“Major news”: Windows Logs | System
“Incremental News”: Applications and Services Logs | Microsoft | Windows | Group Policy | Operational
Eventing
Slide27
“Base Hit” skills for Group Policy Troubleshooting
New Events when clients are Windows 8.1
Eventing
Event: Id
Get Applicable GPOs Start: 4126
Get Applicable GPOs End Success: 5126
Get Applicable GPOs End Fail: 7126
GPO process sync mode slowlink detected: 6344
GPO Process sync mode NO DC: 6345
GPO Process switch sync mode to async: 6346
Gpsvc start: 4115
Gpsvc stop: 5115
Slide28
“Base Hit” skills for Group Policy Troubleshooting
And even more… New Events when clients are Windows 8.1
Eventing
Event: Id
Gpsvc stop: 5115
Gp session start: 4117
Gp session return winLogon call: 5351
Gp session end: 5117
Gp session end with error: 7117
Gp save to cache start: 4216
Gp save to cache end: 5216
Gp save to cache end with error: 7216
Gp load from cache start: 4217
Gp load from cache end: 5217
Gp load from cache end with error: 7217
Gp cache first WMI query start: 4218
Gp cache first WMI query end: 5218
Gp service init start: 4116
Gp service init end: 5116
Gp policy download start: 4257
Gp policy download end: 5257
Gp policy download end with error: 7257
Slide29
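The start/end event pairs listed on the two Eventing slides above can be turned into per-phase timings from the Group Policy Operational log. The following PowerShell is an added example, not the script demoed in the session; it assumes that all events of one processing cycle share an ActivityId, and the function name Measure-GpPhase and the sample events are constructed for illustration.

```powershell
# Added example. Start IDs and phase names are the ones listed on the slides.
$GpPhases = @{
    4126 = 'Get Applicable GPOs';  4257 = 'Gp policy download'
    4216 = 'Gp save to cache';     4217 = 'Gp load from cache'
    4218 = 'Gp cache first WMI query'
    4116 = 'Gp service init';      4117 = 'Gp session'
}
$SyncNotes = @{ 6344 = 'sync mode: slow link detected'; 6345 = 'sync mode: no DC'; 6346 = 'switched sync to async' }

function Measure-GpPhase {
    param([Parameter(Mandatory)][object[]]$Events)
    # Assumption: all events of one processing cycle carry the same ActivityId.
    foreach ($cycle in ($Events | Group-Object ActivityId)) {
        $notes = @($cycle.Group | Where-Object { $SyncNotes.ContainsKey([int]$_.Id) } |
            ForEach-Object { $SyncNotes[[int]$_.Id] }) -join '; '
        foreach ($start in ($cycle.Group | Where-Object { $GpPhases.ContainsKey([int]$_.Id) })) {
            # On the slides, "end" is start + 1000 and "end with error" is start + 3000.
            $endIds = ($start.Id + 1000), ($start.Id + 3000)
            $end = $cycle.Group |
                Where-Object { $_.Id -in $endIds -and $_.TimeCreated -ge $start.TimeCreated } |
                Sort-Object TimeCreated | Select-Object -First 1
            [pscustomobject]@{
                ActivityId = $cycle.Name
                Phase      = $GpPhases[[int]$start.Id]
                Result     = if (-not $end) { 'no end event' } elseif ($end.Id -ge 7000) { 'error' } else { 'ok' }
                Seconds    = if ($end) { ($end.TimeCreated - $start.TimeCreated).TotalSeconds }
                SyncNotes  = $notes
            }
        }
    }
}

# Constructed sample events (made-up times and ActivityId) so this runs offline.
$t0  = [datetime]'2014-05-13T08:00:00'
$act = [guid]'aaaaaaaa-0000-0000-0000-000000000001'
$sample = foreach ($e in @((4117,0),(6344,1),(4126,2),(5126,9),(4257,10),(7257,40),(5117,41))) {
    [pscustomobject]@{ Id = $e[0]; TimeCreated = $t0.AddSeconds($e[1]); ActivityId = $act }
}
Measure-GpPhase -Events $sample | Format-Table -AutoSize

# Live log (run on the client being investigated):
# Measure-GpPhase (Get-WinEvent -LogName 'Microsoft-Windows-GroupPolicy/Operational' -MaxEvents 2000)
```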
“Base Hit” skills for Group Policy Troubleshooting
Get Facts about a particular Group Policy Preferences item
CSE Tracing
Slide30
“Base Hit” skills for Group Policy Troubleshooting
Get Facts about a particular Group Policy Preferences item
CSE Tracing
Slide31
“Base Hit” skills for Group Policy Troubleshooting
Get Facts about the whole boot and login process
Definitely attend session WIN-B359 2014 Edition: How Many Coffees Can You Drink While Your PC Starts? (Thurs 2:45 PM)
(And review 2013 and 2012 sessions on Channel9)
Windows Performance Analyzer
Slide32
Demo
Group Policy Eventing
Slide33
Final Thoughts then…. Announcements!
Slide34
Final thoughts (Before Announcements)
Other tips, tricks and thoughts to consider
Always use the latest GPMC (and latest ADMX templates.) … (That’s two separate things.)
Jeremy’s Law: “The First Logon doesn’t matter. Heck, the second login doesn’t matter either.”
Don’t wait until your systems have “cruft” to start troubleshooting.
Just for fun, bring up a Windows 8.1 machine next to a Windows 7 machine.
Troubleshooting is part “Art” and part “Science”.
But don’t blame something that doesn’t have data around it.
Slide35
Announcing…
Announcement 1: Microsoft announces (right here, right now) a fix for “cPassword” fields in Group Policy Preferences
Problem: cPassword Fields are reversible
Slide36
Announcing…
What do you get?
http://support.microsoft.com/kb/2962486
GPMC hotfix to prevent going forward
PowerShell “detection” script
Guidance for remediation
Slide37
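For the cPassword announcement above: an added PowerShell example (not the detection script shipped with KB 2962486) that reports which Group Policy Preferences XML files still carry a non-empty cpassword attribute, without printing the value. The function name Find-GppCPassword, the list of account attribute names and the sample Groups.xml are assumptions constructed for illustration.

```powershell
# Added example, not the KB 2962486 script. Reports where cpassword values remain; never prints them.
function Find-GppCPassword {
    param([Parameter(Mandatory)][string]$PoliciesPath)
    Get-ChildItem -Path $PoliciesPath -Recurse -Filter *.xml -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Empty cpassword="" attributes are harmless, so require a non-empty value.
            $xpath = '//*[@cpassword and string-length(@cpassword) > 0]'
            Select-Xml -LiteralPath $file.FullName -XPath $xpath -ErrorAction SilentlyContinue |
                ForEach-Object {
                    $props = $_.Node              # the element carrying cpassword
                    $item  = $props.ParentNode    # the preference item that contains it
                    # The account attribute name differs per item type (assumed list).
                    $account = 'userName', 'runAs', 'accountName', 'username' |
                        ForEach-Object { $props.GetAttribute($_) } |
                        Where-Object { $_ } | Select-Object -First 1
                    [pscustomobject]@{
                        GpoGuid  = if ($file.FullName -match '\{[0-9A-Fa-f-]{36}\}') { $Matches[0] }
                        File     = $file.FullName
                        ItemType = $item.LocalName
                        ItemName = $item.GetAttribute('name')
                        Account  = $account
                        Changed  = $item.GetAttribute('changed')
                    }
                }
        }
}

# Constructed sample so the function can be exercised offline (all values are made up).
$root = Join-Path $env:TEMP 'gpp-sample'
$dir  = Join-Path $root '{11111111-2222-3333-4444-555555555555}\Machine\Preferences\Groups'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
@'
<Groups>
  <User name="LocalAdmin" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="LocalAdmin" cpassword="CONSTRUCTED-PLACEHOLDER"/>
  </User>
  <User name="Guest" changed="2014-01-01 00:00:00">
    <Properties action="U" userName="Guest" cpassword=""/>
  </User>
</Groups>
'@ | Set-Content -LiteralPath (Join-Path $dir 'Groups.xml')

Find-GppCPassword -PoliciesPath $root | Format-List
# Live domain (assumed path): Find-GppCPassword "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
```

Every reported item is a credential to rotate and a preference item to remove or recreate without a stored password; the second sample entry is skipped because its cpassword attribute is empty.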
Announcing…
Announcement: Use ANY Group Policy Preferences item… Shortcuts, Power Settings, VPN Settings, Services, Schedule Tasks, Stop Devices, Start Menu… etc etc..
… Deploy using SCCM or Windows Intune … even to non-Domain Joined Machines
Bonus: Keep GPPrefs compliant when machines go offline.
Problem: How can you marry the flexibility of Group Policy Preferences with the power and delivery of SCCM and/or Windows Intune?
Slide38
Announcing…
Problem: How do you deliver GPPrefs and app settings (without Active Directory, SCCM, or Intune?)
Use ANY Group Policy Preferences item… Shortcuts, Power Settings, VPN Settings, Services, Schedule Tasks, Stop Devices, Start Menu… etc etc.
Use ANY PolicyPak Application Manager item… Firefox, Internet Explorer, Java, Flash, etc., etc.
Deploy over the Internet .. Even to non-Domain Joined Machines … and keep configs compliant.
Announcement: Built on Azure!
Slide39
PolicyPak Cloud and/or SCCM / Intune first steps
Step 1: Export items as XML
Slide40
PolicyPak and GPPrefs with SCCM
Step 2 (SCCM): Use familiar SCCM Application Wizard
Slide41
PolicyPak and GPPrefs with Windows Intune
Step 2 (Intune): Use familiar Managed Software Wizard
Slide42
PolicyPak and GPPrefs with PolicyPak Cloud
Step 2 (PolicyPak Cloud): Upload XML items to PolicyPak Cloud
Slide43
Results with PolicyPak
GPPrefs and your app’s settings get deployed using YOUR choice:
Group Policy
SCCM
Windows Intune
PolicyPak Cloud
Results: Downloaded, applied and enforced at Windows client
Slide44
Additional Resources and Tools
GPanswers.com
Live and Online Training (Public and On-Site classes)
The big green Group Policy book (Cover with Leaf on it is latest)
Group Policy Health Check Consulting (Troubleshooting and advice)
PolicyPak Software
Coming Soon: PolicyPak Compliance Reporter - New Tool! (Group Policy troubleshooting & reporting for entire OUs)
Slide45
100% Free Bonus Stuff for attending!
ADM(x) Myths, Facts and workarounds Video Demos
Go here, then get them via email: TinyURL.com/jmteched1
Doesn’t work for you? Email me directly. jeremym@policypak.com
Video 1 Group Policy: ADM/X Files - why they cannot prevent user shenanigans
Video 2 Group Policy: Understanding ADM-ADMX files Tattooing (and what to do about it)
Video 3 GPPrefs Registry: “Nuke mode” and why users can avoid your GPprefs settings
PowerShell Script I demo’d (and how-to video) and “Activity ID Filter” I demo’d.
PolicyPak Cloud Trial
POSSIBLY win one of my Group Policy Books (No guarantees!... They make me say that.)
Slide46
Breakout Sessions
WIN-B359 2014 Edition: How Many Coffees Can You Drink While Your PC Starts? (Thurs 2:45 PM)
Related content
Find Me Later At...
Microsoft’s MANAGEMENT Booth at 10.45 – 1.00 on Wednesday
Slide47
Windows Enterprise: windows.com/enterprise, windowsphone.com/business
Windows Track Resources
Windows Springboard: microsoft.com/springboard
Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
Windows To Go: microsoft.com/windows/wtg
Windows Phone Developer: developer.windowsphone.com
Slide48
Resources
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
msdn: Resources for Developers, http://microsoft.com/msdn
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd
Slide49
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.