garethedmondson, Posted April 21, 2011

As we are suffering from very slow logon times, the technician and I are working through our GPOs to see which one(s) are causing the issues. We have created a new Test OU with no user or computer based GPOs in place (except for the ones forced on us by the LEA). This got our logon time from over a minute to 7 seconds. We are now adding GPOs back in one by one to see what happens. So I have a few questions....

1. How much time does each GPO add to the logon process? 1 GPO = 1 second?
2. What is quicker to process? 15 GPOs each with 1 setting, or 1 GPO with 15 settings?
3. How do you guys organise your GPOs? One large one per user type (e.g. staff/pupils etc.) or several smaller ones?

There may be more but not at the moment.

Cheers everyone,
Gareth
AngryTechnician, Posted April 21, 2011

I've heard anecdotal evidence that spreading the settings across many OUs increases the time slightly, but I don't think it's the significant factor. More important will be the number of settings, and most importantly, what they are. Some will simply take longer than others.

Have a look at "Fixing Group Policy problems by using log files". IIRC the logs are timestamped so you can see which things are taking longer than others.

I split my GPOs into User and Computer settings whenever possible and tend to only have one per user/computer type. Any settings that are shared across multiple types will go into a general GPO. This is more because I find it easier to manage that way than because of any worries about performance.

Edited April 21, 2011 by AngryTechnician
garethedmondson (Author), Posted April 21, 2011

Cheers AT, I am running a program called Group Policy Reporter. I'll read the tech doc and see how it all goes.

Gareth
FN-GM, Posted April 21, 2011

I have been told that Internet Explorer settings can cause logon times to slow right down for some reason. Might be worth trying any GPOs with IE settings in first.
garethedmondson (Author), Posted April 21, 2011

Now that is interesting - we removed one of our IE GPOs and it sped up how quickly IE started on a machine. The only other one we have sets the home page.

Gareth
FN-GM, Posted April 21, 2011

Do you have any branding set up in IE? Custom information like "provided by x school".

If you enable verbose mode you might be able to see what's taking all the time logging on. It should show exactly what is being processed and it may help narrow it down.
garethedmondson (Author), Posted April 21, 2011

I read about the custom information and that it may slow down logons when doing my research for the issues. Luckily we have none. When I get back in next week (or the LEA fix my VPN connection) then I shall enable the verbose stuff.

I do have a log file from Policy Reporter if anyone fancies a look. It is in Excel format.

Gareth
sukh, Posted April 22, 2011

@gareth - PM me the file. Have you nailed the GPO to one policy, i.e. IE GPO?

Sukh
IanT, Posted April 22, 2011

If you run gpresult how many GPOs are loading? It's amazing how many GPOs people create for 1 site (school), I think the most I've ever seen is 95 GPOs! When really they needed about 15!
irsprint84, Posted April 22, 2011

I don't have 95 but I have quite a few grouped, i.e. configPowerOptions or installMovieMaker. I find it's easier to manage and get to the bottom of GPO problems, i.e. if I want to give just science staff and no other staff Movie Maker I don't need to mess around editing policies, I just add that GPO to the science AD tree (I know this is a simple explanation but you get my drift!)
FN-GM, Posted April 22, 2011

> If you run gpresult how many GPOs are loading? It's amazing how many GPOs people create for 1 site (school), I think the most I've ever seen is 95 GPOs! When really they needed about 15!

We have one for every printer. We deploy them by group policy. So we have a large number.
sted, Posted April 22, 2011

Isn't it supposed to be "best practice" to create a new GPO for every MSI you have, so one for paint.net, another for Flash, another for Java . . . ? (Now granted I don't do this, it's messy.)

It can help to remove parts of the GPO that aren't in use, so if there are no user settings disable them in GPMC. If you don't need Media Player/IE/WSUS settings in a policy remove the ADMs from it and so on.
garethedmondson (Author), Posted April 22, 2011

Hi Sukh,

Thanks for offering to take a look at the file. In this first file is the information from the day we ran the program for the first time. I have taken earlier days out.

For some reason I cannot send a file through a PM so have put it here - open for all to see. I don't think there is anything private in there. It is in XL format.

I look forward to hearing from you.

Gareth

Attachment: all logs output.xlsx
garethedmondson (Author), Posted April 22, 2011

This is what we have tended to do over the years. Maybe it's time to look at joining some together.

Gareth
garethedmondson (Author), Posted April 22, 2011

> Isn't it supposed to be "best practice" to create a new GPO for every MSI you have, so one for paint.net, another for Flash, another for Java . . . ? (Now granted I don't do this, it's messy.)
>
> It can help to remove parts of the GPO that aren't in use, so if there are no user settings disable them in GPMC. If you don't need Media Player/IE/WSUS settings in a policy remove the ADMs from it and so on.

We have individual GPOs for each MSI and whilst some are allocated at top level, others are allocated to department OUs (specialist software, printers etc.). We have also turned off user/computer settings depending on what section is being used.

Gareth
featured_spectre, Posted April 22, 2011

"Domain name is NT Authority. No DNS domain name available." < doesn't look good
garethedmondson (Author), Posted April 22, 2011

Hmmm - I've asked the LEA and they assure me it is fine. I'll go back to them next week.

Although our network has now been changed. The LEA want to use central domain controllers which are stored several miles away in County Hall. We authenticate over the broadband link. We then had our own domain controller put in. It has been taken out now as we look to lower our logon times (it is called yggwyr-dc in the log file).

I'll run the tests again with the machines now pointing at the LEA DNS servers.

Gareth

Edited April 22, 2011 by garethedmondson
sukh, Posted April 22, 2011

@gareth - Have we nailed the slow GPO processing to one GPO, i.e. the IE GPO? Or is GPO processing still slow with other GPOs?

Sukh
garethedmondson (Author), Posted April 22, 2011

> @gareth - Have we nailed the slow GPO processing to one GPO, i.e. the IE GPO? Or is GPO processing still slow with other GPOs?
>
> Sukh

No, sorry Sukh, I've not been in work since last Wednesday and will not be there until next Wednesday. However we have removed them all and the logon time is down to 7 seconds LOL. I've added a few back in and it's up to 10 seconds. I'm adding them back in slowly, but cannot do anything until I get back into work.

Gareth
maniac, Posted April 22, 2011

We have some things like LAN school where you can set the channel number using a GPO, so we have one GPO for each channel we use - 28 in total just for that, obviously each OU only has one of these applied. We have a separate GPO for each MSI we deploy, and settings like Wireless and offline files have their own specific policies.

All the rest of the settings are defined by a further 6 GPOs - machine policies for staff, students and net admins, and user policies for the same groups. Unfortunately our main staff and students group policy has some errors in it now and I can't run resultant set of policy on it in Group Policy Manager, or get a report of all the settings, which is a pain. It still seems to apply to the workstations in good time though - our login time on a cabled workstation is less than 1 minute, which I think is acceptable. Wireless can be a lot longer, but this is down to the wireless speed and not the policies.

Mike.
garethedmondson (Author), Posted April 26, 2011

Here is the latest file taken from a machine today that is not my test machine. Here is what stands out to me - even though I do not understand everything..

- 22 second gap between rows 614 and 621
- Row 1877 - 59 seconds to reach logon box
- Between 1878 - 1918 - no DNS
- When the user logs on it takes 21 seconds between 3016 and 3020 - to do what?
- No idea what is going on between 3385 - 3400

Feel free to dissect :-)

Thanks everyone,
Gareth

Attachment: GPO Startup LOG 26042011 TG4 Machine.xlsx
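
The gap-hunting done by eye in the post above can be automated; this is an added example, not part of the original thread or any poster's script. It assumes the log has been exported to CSV with columns named Row, Time and Message; those column names, the function name Get-LogGap and the sample rows are all constructed for illustration.

```powershell
# Constructed sample rows standing in for a timestamped policy-processing log
# exported to CSV. Column names and message text are assumptions.
$csv = @'
Row,Time,Message
610,08:41:02.120,Starting computer policy processing
614,08:41:03.480,Locating domain controller
621,08:41:25.610,Domain controller located
622,08:41:25.900,Building GPO list
623,08:41:26.050,Applying registry settings
624,08:41:47.300,Running logon script
625,08:41:47.450,Policy processing complete
'@

function Get-LogGap {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [double] $ThresholdSeconds = 5
    )
    $previous = $null
    foreach ($row in $Rows) {
        $time = [TimeSpan]::Parse($row.Time, [cultureinfo]::InvariantCulture)
        if ($null -ne $previous) {
            $gap = $time - $previous.Time
            # A log that crosses midnight wraps back to 00:00, so add a day.
            if ($gap -lt [TimeSpan]::Zero) { $gap = $gap.Add([TimeSpan]::FromDays(1)) }
            if ($gap.TotalSeconds -ge $ThresholdSeconds) {
                [pscustomobject]@{
                    FromRow    = $previous.Row
                    ToRow      = $row.Row
                    GapSeconds = [math]::Round($gap.TotalSeconds, 1)
                    WaitingOn  = $previous.Message   # last entry logged before the stall
                    ResumedAt  = $row.Message        # first entry logged after it
                }
            }
        }
        $previous = [pscustomobject]@{ Row = $row.Row; Time = $time; Message = $row.Message }
    }
}

# Largest stalls first: the entry logged just before each gap is the place to start looking.
$rows = $csv | ConvertFrom-Csv
Get-LogGap -Rows $rows -ThresholdSeconds 5 |
    Sort-Object GapSeconds -Descending |
    Format-Table -AutoSize
```

For a real export, replace the here-string with `Import-Csv` on the exported file and adjust the column names to match.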
MaXiM, Posted April 26, 2011

I've entertained this GPO login times for many years and to be honest it never came down to how many GPOs you had... As long as you know what the GPOs do and what scripts they are running and double check that the scripts are valid then it shouldn't be an issue.

More often it was down to DNS settings and NIC drivers. In my experiments I found that Realtek and Intel cards had a much better login performance than Marvells and Broadcoms.

Other factors I found with login times were folder redirection and profiles and how you managed the redirection of profile app data.
MaXiM, Posted April 26, 2011

Also this is something that made a difference if it was down to profiles. In our case we had roaming profiles, and if you google roaming profiles you always get told it's a bad thing and if you use them always delete them on log off... well, in our case roaming profiles was really the only logical way in our organisation... But deleting the profiles on logoff made things a lot slower overall. I found that keeping cached copies and removing them every few months or so vastly sped up login times.
sukh, Posted April 27, 2011

@gareth - Just had a quick look at your logs, need to How long does it take now?

Sukh
garethedmondson (Author), Posted April 28, 2011

> @gareth - Just had a quick look at your logs, need to How long does it take now?
>
> Sukh

Well, at the moment we have two OUs - the whole school OU - which is where the latest (above) log file comes from. You can see how long that takes to log on.

The second OU is my test OU. Here we have been adding GPOs one at a time. I've recreated my IE GPO based on a new .adm file. Seems I was using an old one (IE7 .adm file) - so that's been updated. The logon time was around 9 seconds. However, I've just added a GPO that contains a script to map a drive - whoosh - logon time suddenly increases. Yet this script has to be there. We will be looking at it again on Monday.

Did you see anything of interest in the log file?

Gareth