Darren Mar-Elia Derek Melber CTO and Founder President SDM ...sdmsoftware.com/dl/Optimizing GP...
Darren Mar-Elia, CTO and Founder, SDM Software
Derek Melber, President, BrainCore.Net
Derek Melber:
  Author of Group Policy Resource Kit by MSPress
  Author, speaker, consultant for BrainCore.Net
  Group Policy/AD MVP for the past 10 years
Darren Mar-Elia:
  CTO & Founder, SDM Software, Inc.
  Group Policy MVP for the last 10 years
  30+ years in Software and IT
  Founder of popular GPOGUY.COM site
Founded in 2006
Experts in Group Policy and Group Policy Management Products
Products include:
  GPO Reporting Pak
  GPO Compare & GPO Exporter
  Group Policy Automation Engine: PowerShell automation to read/write GP settings
  GPAA (Group Policy Auditing and Attestation): Group Policy Change Auditing and Attestation
To be released in Q1
Number of GPOs
Deciding if GPO/settings apply:
  Security filtering
  WMI filters
  Group Policy Preference Item-level Targeting
Conflicts/Duplicate settings in different GPOs
Changes to settings per CSE
Synchronous settings
Changes to entire GPO… version number changes
1 GPO vs 5000 GPOs
Organize settings within GPOs that make sense
  Helps with troubleshooting
  Helps with finding a setting
Common to organize based on contents:
  Internet Explorer
  Security
  Desktop/Start menu
  Software
Security filtering
WMI filters
Group Policy Preference Item-level Targeting
Use security filtering, WMI filters, and GPP ILT on limited basis
Link GPOs as close to object(s) being controlled as possible
Typically at OU level… even sub-OU level
Use security filtering and WMI filtering as secondary to linking to OU
Default GPOs have existing settings
Better to reduce number of conflicts between GPOs
Conflicts cause processing time
Conflicts can be difficult to troubleshoot
Duplicate settings:
  Are not a problem with results
  Do cause additional processing time
Don’t alter the Default Domain Policy or the Default Domain Controllers Policy
Create new GPOs and configure with higher precedence
  No confidence a patch, SP, or upgrade won’t alter/reset default GPOs
Each CSE controls an area/settings within GPO
When one setting within CSE changes, all configured settings across all GPOs included under the CSE must process
Group computer settings into their own GPOs
  Disable User settings
  Organize computer objects into their own OUs
Group User settings into their own GPOs
  Disable Computer settings
  Organize user objects into their own OUs
Synchronous – settings apply in series and all settings in all GPOs must apply before computer is accessible
Asynchronous – desktop is accessible before all GPO settings apply
XP+ default is to apply Asynchronous
Can force Synchronous all the time by enabling policy at Computer Configuration\Admin Templates\System\Logon\Always Wait for Network at Computer Startup and User Logon
But you pay a performance penalty at every boot or logon
Synchronous settings:
  Folder Redirection
  Software installation
  Microsoft Disk Quota
  Group Policy Preference Drive Mappings
Changes to synchronous settings force next startup/logon to be synchronous
Each process interval calculates the GPOs that need to be applied
If the process interval determines that the GPO list has changed, it will cause a complete refresh of all GPOs and all settings
  Security group filter changes
  Security group membership changes
  WMI filter add or remove
  Linking or unlinking of a GPO
Goal is to try to minimize the number of GPOs that must be processed when something changes
[Chart: Core and CSE series for two cases, "Background Refresh, No changes" and "Background Refresh, Forced"; axis scale 0 to 40]
Each GPO has a version number
Version number is incremented each time user/computer setting within GPO changes
  Computer changes = increments by 1’s
  User changes = increments by 65536’s
When GPO version number changes…
  All CSE related settings in the GPO must process
  If a synchronous setting is contained within GPO, next startup/logon will be synchronous (regardless of Asynchronous setting)
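The version arithmetic above, as an added example that is not part of the webinar: it splits a GPO version number into its user and computer counters and compares two snapshots to show which GPOs changed and whether the change forces a synchronous startup/logon. Function names, GPO names, area labels and version values are constructed for illustration; unexpected increments between snapshots are also a cheap signal that a GPO was edited.

```powershell
# Added example; GPO names, version values and function names are constructed.
# In a live domain the raw number is the GPO's versionNumber attribute in AD
# (and the Version= line of its gpt.ini in SYSVOL).

# Areas the slides list as synchronous; the labels are this example's own.
$SynchronousAreas = 'Folder Redirection', 'Software Installation',
                    'Disk Quota', 'GPP Drive Maps'

function Split-GpoVersion {
    # User counter sits in the high 16 bits (steps of 65536),
    # computer counter in the low 16 bits (steps of 1).
    param([Parameter(Mandatory)][uint32]$VersionNumber)
    [pscustomobject]@{
        User     = [int]($VersionNumber -shr 16)
        Computer = [int]($VersionNumber -band 0xFFFF)
    }
}

function Compare-GpoSnapshot {
    param(
        [Parameter(Mandatory)][hashtable]$Before,  # GPO name -> version number
        [Parameter(Mandatory)][hashtable]$After,
        [hashtable]$AreasByGpo = @{}               # GPO name -> configured areas
    )
    foreach ($name in ($After.Keys | Sort-Object)) {
        # A GPO absent from $Before is a GPO-list change, not a version bump.
        if (-not $Before.ContainsKey($name)) { continue }
        $old = Split-GpoVersion $Before[$name]
        $new = Split-GpoVersion $After[$name]
        if ($old.User -eq $new.User -and $old.Computer -eq $new.Computer) { continue }
        $sync = @($AreasByGpo[$name] | Where-Object { $_ -in $SynchronousAreas })
        [pscustomobject]@{
            Gpo                  = $name
            UserIncrements       = $new.User - $old.User
            ComputerIncrements   = $new.Computer - $old.Computer
            NextLogonSynchronous = $sync.Count -gt 0
            SynchronousAreas     = $sync -join ', '
        }
    }
}

# Constructed snapshots taken before and after a change window.
$before = @{ 'Workstation Security' = 7; 'User Desktop' = 196608; 'Drive Maps' = 131072 }
$after  = @{ 'Workstation Security' = 9; 'User Desktop' = 196608; 'Drive Maps' = 196608 }
$areas  = @{ 'Workstation Security' = @('Security'); 'Drive Maps' = @('GPP Drive Maps') }

Compare-GpoSnapshot -Before $before -After $after -AreasByGpo $areas | Format-Table -AutoSize
```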
Difficult to analyze existing environment with native tools
Difficult to design GPOs based on these design criteria, easier to group based on topic, role, location, etc.
Inefficient GP designs can cause substantial delays at startup and logon
Up to 30% or more depending upon what’s going on in the GPOs
Conflicting or duplicate settings
GPO changes to synchronous CSEs that force synchronous processing
Enabling synchronous processing all the time
WMI Filters and esp. ‘expensive’ queries
Expensive GPP Item-Level Targeting
Loopback Merge Mode
Visit http://sdmsoftware.com/group-policy-management-products/ to view and register for our products
Visit www.sdmsoftware.com/blog to read SDM Software Founder Darren Mar-Elia’s thoughts on Group Policy
Contact us at [email protected] for questions on products