  1. #1
    rosswilson

    Individual Group Policy Items or Shotgun Approach

    Hi Everybody,

    Just a quick question on the topic of Group Policy. Is it better, when creating Group Policies, to simply prevent access to the Control Panel OR to individually lock down each group policy item?

    For example, referring to the screenshot below, would it be better to set "Prohibit selection of visual style font size" and "Prevent changing window colour and appearance" and "Prevent changing colour scheme" etc. OR to simply bar access to the Control Panel?



    My thoughts are that users could find ways to change computer settings without using the Control Panel. On the other hand, does setting many Group Policy items slow down logons? Maybe just the first time after a change is made then the GP is cached locally?

    Does anybody have any documentation or resources that explain what Group Policy items are recommended to have set?

    I would most appreciate your thoughts,

    Many thanks,

    Ross Wilson

  2. #2

    Michael
    It really depends on what options you want to give users. Access to Control Panel for pupils should be a no-no, but for staff/admin, possibly certain functions.

    It's easy enough to do, you just specify the CPL files you want to give users access to, or alternatively remove Control Panel altogether. Search the Windows directory for *.cpl for a list.

    Group policies do not slow down logons. Remember, they're essentially text files. Profiles are the most common reason for slow logons. I once came across a network where a user had a 400MB roaming profile. I laughed to say the least when users were complaining of slow down.

  3. Thanks to Michael from:

    rosswilson (18th May 2009)

  4. #3

    Quote Originally Posted by Michael View Post

    Group policies do not slow down logons. Remember, they're essentially text files.
    Err; no!!!

    Might be true to say that group policies don't slow down logons much but they certainly can slow them down!

    You might create the GP using a text file (the .adm or .admx file) but that's not what gets processed by the workstation - most of the settings end up as values in the registry which is most definitely not a set of text files!

    You can find out exactly how long it takes to process the group policies by turning on "userenv debug logging".

    If you have mandatory profiles and a lot of separate settings then you will slow down the logon compared to not having lots of GPO settings (every setting will be processed at every logon because Windows knows that this profile has not processed these policy settings)

    You're right to say that large profiles can dramatically slow down logons but if you've set up mandatory profiles (and many schools do for pupils) then you're probably able to get them small and keep them small.

    A quick search of the MS web site finds quite a few articles on ways in which GPO settings can slow down logon.

  5. Thanks to srochford from:

    rosswilson (18th May 2009)
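
Turning on the userenv debug logging mentioned in the post above and timing each Group Policy pass from the resulting log, as an added example that is not part of the original thread. It assumes Windows XP/Server 2003-era logging (the UserEnvDebugLevel value under the Winlogon key, log at %SystemRoot%\Debug\UserMode\userenv.log); the function names, the sample lines and the matched message wording are assumptions to check against a real log.

```powershell
# Added example: enable verbose userenv logging, then time each ProcessGPOs run.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$LogPath  = Join-Path $env:SystemRoot 'Debug\UserMode\userenv.log'

function Enable-UserenvDebugLog {
    # 0x30002 = verbose output written to the log file. Run elevated on the workstation.
    New-ItemProperty -Path $Winlogon -Name UserEnvDebugLevel `
        -PropertyType DWord -Value 0x30002 -Force | Out-Null
}

function Get-GpoProcessingTime {
    param([string[]]$Lines)
    # Assumed line shape: USERENV(pid.tid) HH:mm:ss:fff ProcessGPOs: <message>
    $pattern = '^USERENV\((?<id>[0-9a-f]+\.[0-9a-f]+)\)\s+(?<time>\d{2}:\d{2}:\d{2}:\d{3})\s+ProcessGPOs:\s*(?<msg>.*)$'
    $open = @{}   # pid.tid -> start record of a pass that has not finished yet
    foreach ($line in $Lines) {
        if ($line -match $pattern) {
            # Copy the captures out before the next -match overwrites $Matches.
            $id = $Matches['id']; $msg = $Matches['msg']; $stamp = $Matches['time']
            $t = [datetime]::ParseExact($stamp, 'HH:mm:ss:fff', [Globalization.CultureInfo]::InvariantCulture)
            if ($msg -match '^Starting (?<kind>user|computer) Group Policy') {
                $open[$id] = @{ Kind = $Matches['kind'].ToLower(); Start = $t }
            }
            elseif ($msg -match '^Leaving with' -and $open.ContainsKey($id)) {
                $s = $open[$id]; $open.Remove($id)
                if ($t -lt $s.Start) { $t = $t.AddDays(1) }   # pass crossed midnight
                New-Object psobject -Property @{
                    Kind    = $s.Kind
                    Started = $s.Start.ToString('HH:mm:ss')
                    Seconds = [math]::Round(($t - $s.Start).TotalSeconds, 3)
                }
            }
        }
    }
}

# Constructed sample lines (not taken from a real machine).
$sample = @(
    'USERENV(2b4.6f0) 08:51:02:140 ProcessGPOs: Starting user Group Policy processing...'
    'USERENV(2b4.6f0) 08:51:02:203 ProcessGPOs: (constructed intermediate line)'
    'USERENV(2b4.6f0) 08:51:06:890 ProcessGPOs: Leaving with 1.'
)
Get-GpoProcessingTime $sample

# On a real workstation, after Enable-UserenvDebugLog and a fresh logon:
# Get-GpoProcessingTime (Get-Content $LogPath)
```

Comparing the per-pass seconds before and after adding a batch of settings shows whether the extra policy items, rather than the profile, account for a slower logon.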

  6. #4

    Michael
    Well I suppose because I know AD pretty well I know what works and what doesn't, but it's only through experimentation that you become accustomed to GPOs. The more common problem I find is items at logon being processed synchronously instead of asynchronously. Asynchronously can make a big difference in many situations. Best advice I can give to new administrators is to create a temporary OU and GPO and tweak as much as you like, preferably in a test environment.

    There aren’t really any policies I can think of which will bring logon to a halt, whereas profiles have a much higher probability of slowing down logon times. Mandatory profiles are one solution, but of course are not for everyone.

  7. #5
    rosswilson

    Thanks For The Replies

    Quote Originally Posted by Michael View Post
    It really depends on what options you want to give users. Access to Control Panel for pupils should be a no, no, but for staff/admin, possibly certain functions.
    Thanks for that. I suppose another answer would be "it depends" - certainly on who the user is, how much power you entrust in them, and what they actually need the computer for. For example, a student may only need access to generic software (Word, Excel, and Publisher) and applications specific to their studies (Photoshop for Art/Graphics, AutoCAD for Design Technology) - they certainly do not need the ability to change the desktop background or cursor symbol.

    A teacher or member of the school's support staff will have differing needs and wants. A teacher may need access to electronic registration software as well as email and calendar software (think Outlook), while a bursar may want financial planning tools.

    Quote Originally Posted by Michael View Post
    Group policies do not slow down logons. Remember, they're essentially text files. Profiles are the most common reason for slow logons...
    I understand there are slightly differing opinions on the whole "does excessive use of Group policy slow down logons" but I think the consensus would be to configure Group Policy settings in line with what the end users actually need to achieve when using the computers - restrict them to the bare minimum to do their job.

    Thanks, and if anybody else has any comments it would be most appreciated,

    Ross

  8. #6

    Michael
    Active Directory is a very flexible tool and with policy inheritance (which is switched on by default) can save you a lot of time. For example, you could create an OU called "Curriculum" and then two sub OUs "KS1" and "KS2". Configure the majority of policies at Curriculum level, but then (for example), KS1 and KS2 OUs could have different re-directed Start Menus, Desktops or indeed a different home page. It's always the last set of GPOs which take priority.

    configure Group Policy settings in line with what the end users actually need
    Absolutely, but remember to thoroughly test new GPO configurations and keep security near the top when designing/configuring GPOs.

  9. #7
    User3204
    To drag this a little off topic, for a bit.

    Quote Originally Posted by Michael View Post
    ... The more common problem I find is items at logon being processed synchronously instead of asynchronously. Asynchronously can make a big difference in many situations. ....
    Wait, let me get this straight... Synchronous is slower than Asynchronous?
    Are you sure that's right? I would have expected Synchronous to be faster, as this means it can run different things at the same time.

    [ I had to go and check these terms in a dictionary, and I still don't get them... Although I do understand that SDSL is better than ADSL...for uploads ]

  10. #8

    Michael
    Asynchronous in ADSL terms means download is faster than upload. Synchronous means they're the same both ways.

    Asynchronous in logon terms means explorer can continue to load whilst drives are still being mapped. In practice with slower machines, you may see drives suddenly appear if you're able to open My Computer quick enough. If you set logon to operate synchronously, Windows will wait for the script to stop running, then load explorer and other components.

    From memory Windows 2000 operates synchronously and Windows XP operates asynchronously by default, unless you specify otherwise.

    Asynchronous is definitely faster, as logon scripts and explorer can load at the same time. Not one after the other. Scripts then explorer.

  11. #9
    User3204
    Dammit, they should have used "parallel" and "serial", that would have made more sense, and I wouldn't have set my GPOs wrongly. I know what I'm going to do first thing tomorrow though, [ or maybe wait until half-term and tell people we have done a network "upgrade" and it will be faster logons ].

  12. #10

    Michael
    It can be confusing, so don't beat yourself up about it. If you use 2003 R2 Print Management, deploying printers will also act the same. Again, on slower machines you may notice they suddenly appear during the logon/initial loading process.
