1
00:00:03,060 --> 00:00:08,550
Now I want to finish up this module by talking about performance and group policy performance in particular.

2
00:00:09,410 --> 00:00:14,000
Remember that I showed in the Group Policy Results Troubleshooting section that you can see how long

3
00:00:14,000 --> 00:00:17,480
group policy processing was taking for a given computer or user.

4
00:00:18,350 --> 00:00:21,740
Or actually you could see the time elapsed for each client side extension.

5
00:00:21,740 --> 00:00:26,390
So you could see very specifically what time group policy was spending doing its thing for computers

6
00:00:26,390 --> 00:00:26,990
and users.

7
00:00:27,890 --> 00:00:32,180
And I think it's important to note that sometimes group policy gets blamed for a lot of performance

8
00:00:32,180 --> 00:00:33,980
issues when it's maybe not the cause of them.

9
00:00:33,980 --> 00:00:38,030
But there are some things that group policy legitimately can impact, and those are the things that

10
00:00:38,030 --> 00:00:38,990
I want to talk about.

11
00:00:39,830 --> 00:00:45,320
And there are some things you can control and some things you can't control, some things that the OS

12
00:00:45,320 --> 00:00:47,600
does and some things that you do with your design.

13
00:00:48,470 --> 00:00:51,230
So I want to talk about those design based things first.

14
00:00:52,130 --> 00:00:54,470
The very first thing is the use of scripts.

15
00:00:55,340 --> 00:00:58,850
And again, I've, I talked about this in the scripts module, but.

16
00:00:59,750 --> 00:01:02,330
Group policy based scripts can be problematic.

17
00:01:03,230 --> 00:01:04,890
They can take a long time to run.

18
00:01:04,910 --> 00:01:10,790
If you don't have good testing and logic in them, they can potentially hang and cause up to 10 minutes

19
00:01:10,790 --> 00:01:14,780
of delay if they're hanging, which is not obviously great for the user experience.

20
00:01:15,650 --> 00:01:20,570
And they're just sort of problematic because most folks don't implement them with sufficient instrumentation

21
00:01:20,570 --> 00:01:24,470
and logic to prevent them from spending a lot of time doing work they don't need to do.

22
00:01:25,280 --> 00:01:31,670
So if you can avoid using scripts in favor of things like GP preferences, I always recommend that the

23
00:01:31,670 --> 00:01:35,810
second thing are using expensive what I call expensive client side extensions.

24
00:01:36,680 --> 00:01:40,520
And the two examples that I like to use are file and registry security.

25
00:01:41,390 --> 00:01:47,120
These are under the computer configuration, windows settings, security settings, and this is where

26
00:01:47,120 --> 00:01:49,820
you can set file system and registry security.

27
00:01:50,650 --> 00:01:55,990
And again, this can run every 16 hours by default because it's part of the security extension.

28
00:01:56,830 --> 00:01:58,510
It can really churn through disk.

29
00:01:58,600 --> 00:01:59,860
I mentioned this earlier.

30
00:02:00,780 --> 00:02:04,890
I tend to do avoid doing file and registry security setting and group policy.

31
00:02:05,760 --> 00:02:10,050
Use a script that runs once and gets done with it or runs once every once in a while.

32
00:02:10,920 --> 00:02:13,050
Perfectly reasonable to take that approach.

33
00:02:13,960 --> 00:02:16,420
I don't think it's worth doing it in group policy.

34
00:02:17,300 --> 00:02:22,310
Another one is you end up having too many GPOs being processed for a given user or computer.

35
00:02:23,210 --> 00:02:27,920
This can happen when you have way too many functional GPOs with just a couple settings in them and the

36
00:02:27,920 --> 00:02:33,140
overhead of having to evaluate all those GPOs figuring out which apply and then processing them can

37
00:02:33,140 --> 00:02:35,910
become a significant burden on group policy processing.

38
00:02:36,770 --> 00:02:42,170
So always think about, you know, as you're creating new GPOs or as you're linking GPOs to existing

39
00:02:42,170 --> 00:02:44,330
add hierarchies, how many is too many?

40
00:02:45,140 --> 00:02:50,660
And I would say that if you a given user or computer is processing more than ten or 20 GPOs, you have

41
00:02:50,660 --> 00:02:56,240
to start in think, well, maybe I can combine and consolidate some of these the grouping of client

42
00:02:56,240 --> 00:02:57,260
side extensions.

43
00:02:58,130 --> 00:03:02,720
This kind of hearkens back to what I just talked about with synchronous and asynchronous extensions.

44
00:03:03,590 --> 00:03:08,540
If you can keep the synchronous extensions folder redirection software installation and group policy

45
00:03:08,540 --> 00:03:12,320
preferences drive mappings out of the GPOs that have other settings in them.

46
00:03:12,320 --> 00:03:18,080
So on their own, then you can minimize the impact when you make changes to those GPOs of having those

47
00:03:18,080 --> 00:03:20,480
synchronous extension for of foreground refresh.

48
00:03:21,320 --> 00:03:24,320
And then finally expensive WMI filters.

49
00:03:25,190 --> 00:03:26,780
What do I mean by expensive?

50
00:03:27,620 --> 00:03:31,910
Well, essentially, some WMI filters can take a long time to evaluate.

51
00:03:32,800 --> 00:03:38,620
I wrote a blog post a couple of years ago about a WMI class called Win32 Underscore Product, which

52
00:03:38,620 --> 00:03:43,210
was ostensibly designed to basically query all of the installed applications on a system.

53
00:03:44,020 --> 00:03:49,120
But it had some really nasty side effects that caused it to really turn through lots of CPU and memory

54
00:03:49,120 --> 00:03:51,790
when it was running, and it would take literally minutes to run.

55
00:03:52,660 --> 00:03:57,460
So this is not a WMI query that you're going to want to use, and there are others that can take a while

56
00:03:57,460 --> 00:03:58,180
based on that.

57
00:03:59,020 --> 00:04:03,970
There are WMI queries you can do to determine if a particular file is on the file system.

58
00:04:04,810 --> 00:04:08,890
And you know, that may not be the smartest thing to use WMI for.

59
00:04:09,800 --> 00:04:13,670
I have a little tool if you go to Google.com, which is my website.

60
00:04:14,530 --> 00:04:17,470
There's a free tool called the WMI filter validator.

61
00:04:17,470 --> 00:04:22,210
And one of the things that it does is it validates to see if a filter will evaluate to true or false

62
00:04:22,210 --> 00:04:23,230
on a given system.

63
00:04:24,070 --> 00:04:26,740
But it will also times the query to see how long it takes.

64
00:04:26,740 --> 00:04:31,600
And you can use that to sort of as a thumbnail to sort of guide you on whether a query is too expensive.

65
00:04:32,480 --> 00:04:36,800
Let's then talk about those features that have an impact on group policy performance.

66
00:04:37,700 --> 00:04:42,170
Microsoft introduced this concept of group policy caching in Windows 8.1.

67
00:04:43,030 --> 00:04:45,970
It sounds really good, but it actually doesn't do much.

68
00:04:46,880 --> 00:04:50,960
It only runs when one of the synchronous seasons requires a synchronous foreground.

69
00:04:51,110 --> 00:04:56,780
Flash like folder redirection or software installation are the only two left on Windows 8.1 that require

70
00:04:56,780 --> 00:04:58,340
a synchronous foreground refresh.

71
00:04:59,270 --> 00:05:02,270
They fixed drive mapping so it no longer requires that.

72
00:05:03,140 --> 00:05:08,060
So the group policy caching only kicks in when one of those two extensions is required a synchronous

73
00:05:08,060 --> 00:05:09,140
foreground refresh.

74
00:05:10,040 --> 00:05:14,990
So if you're using a lot of folder redirection in software installation, this may benefit you.

75
00:05:15,830 --> 00:05:19,160
But otherwise you probably will never see the effect of this.

76
00:05:20,030 --> 00:05:24,110
Another thing that they added in Windows 8.0 is called Fast Startup.

77
00:05:24,920 --> 00:05:29,180
And this is a pretty much unrelated to feature that has a impact.

78
00:05:30,050 --> 00:05:33,260
So it allows Windows to start from a shutdown more quickly.

79
00:05:34,120 --> 00:05:36,330
It's essentially hibernating the OS.

80
00:05:36,340 --> 00:05:41,860
When you turn off a machine normally and it's enabled by default, it's in effect whenever the user

81
00:05:41,860 --> 00:05:43,000
selects shut down.

82
00:05:43,840 --> 00:05:47,080
But group policy gets bypassed when the machine comes back up.

83
00:05:47,950 --> 00:05:52,090
Because Fast Startup essentially bypasses the computer boot up processing.

84
00:05:52,960 --> 00:05:55,390
So if you have startup scripts, they don't run.

85
00:05:56,260 --> 00:05:58,750
If you have security settings, they don't run.

86
00:05:59,590 --> 00:06:02,320
Whatever poor computer settings you have, don't run.

87
00:06:03,190 --> 00:06:08,050
So while it's a great benefit for the user group, policy gets a little confused and it does require

88
00:06:08,050 --> 00:06:12,100
the user to do an actual restart in order for that per computer policy to run.

89
00:06:12,130 --> 00:06:14,620
So they have to do a restart rather than a shutdown.

90
00:06:15,490 --> 00:06:20,710
Now you can turn this off using this admin template setting that I list here, and I recommend that

91
00:06:20,710 --> 00:06:25,360
if you're in a critical environment where you need that computer settings, those computer settings

92
00:06:25,360 --> 00:06:29,620
to be refreshing in the foreground, then this is the policy that you're going to want to enable.

93
00:06:30,460 --> 00:06:35,860
And then finally, Microsoft added this so-called log on script delay and Windows 8.1 to help reduce

94
00:06:35,860 --> 00:06:40,360
the contention that happens that user log on time when there's a bunch of stuff going on, including

95
00:06:40,360 --> 00:06:41,200
log on scripts.

96
00:06:42,100 --> 00:06:46,800
So what happens is they actually delay the execution of log on scripts by up to 5 minutes.

97
00:06:46,840 --> 00:06:47,740
That's the default.

98
00:06:48,640 --> 00:06:52,570
So the user logs on and then 5 minutes later they're log on, scripts run.

99
00:06:53,410 --> 00:06:57,460
Well, this can really mess you up if you're relying on log on scripts for drive mapping.

100
00:06:57,640 --> 00:07:00,070
But it does reduce that contention at log on time.

101
00:07:00,910 --> 00:07:02,350
You can actually turn this off.

102
00:07:02,500 --> 00:07:07,480
There's a policy under computer configuration policies, admin template system, group policy that lets

103
00:07:07,480 --> 00:07:11,440
you turn off this delay in Windows 8.1 and Server 2016.

104
00:07:12,280 --> 00:07:14,770
But essentially it's there and on by default.

105
00:07:14,860 --> 00:07:16,330
So it's good to know about that.