Analysis and optimization

    General discussion

  • Hello everyone,

    I've been on this subject for 3 weeks now and I need help.

    I'm a trainee in a company where I have to analyze and optimize their GPOs, as simple as that, so I'm learning in detail how this tool works etc. and other useful things about Active Directory.

    I learned their 60 GPOs (some with up to 600 settings...) and their thousands of parameters, which is essential for me, and during my searches I found many, many, many programs to detect parameter conflicts or duplicated settings, but after all my tries I'm still not satisfied with what I found.

    I used a trial version of GPOAdmin, the GPO Reporting Pack from SDM, probably all the Microsoft tools, ActiveAdministrator etc. ... I mean all these tools are very powerful and offer many features, but I just need something that will find and tell me where all the conflicts on my domain are, and with this I will correct these settings to have a fully capable, optimized domain, and users won't complain anymore because they'll have a faster logon etc.

    Maybe I don't use the products as I should, or maybe it doesn't even exist, but it seems very long to analyze everything by myself, write down every parameter on each object that will be applied, and check whether there is a conflict or another GPO for this setting. Maybe PowerShell can help me with this, but I don't know how to use it either.

    So here I am, and if you have any idea to help me with best practice, or if someone has had to do the same job as I have, tell me; I'll be very happy to receive your information.

    Thanks and sorry for my English.


    • Edited by hisae14.21 Tuesday, February 17, 2015 10:44 AM
    Tuesday, February 17, 2015 10:43 AM

All replies

    I think you'd better stop looking for a great automated tool that pops out exactly the report you want and start working on the actual OU structure and GP objects you have.

    You can use RSoP and gpresult to get reports on the GPOs applied for a computer/user combination. Both can give you per-setting information on winning, but also losing, GPOs. As a start, make such a report for the devices and users you currently support. This will make it easier to track back whether a setting was actually there before the restructure.

    Also be sure to define what you mean by clean up/optimization. Do you want to reduce the number of policy objects, only remove redundant settings, restructure the OUs, lower the logon times, simplify or loosen settings, create a new baseline, replace everything...

    For best practices you should turn to the Microsoft design guidelines for domain OU structure and GPOs. In general: keep the number of GP objects applied to an OU low, avoid security filtering, loopback processing and WMI filtering whenever possible (KISS).

    Fact is that these kinds of 'cleanups' often indicate a not very well designed and/or maintained environment.
    Remember keeping clean is always easier than cleaning up.


    MCP/MCSA/MCTS/MCITP



    • Edited by SenneVL Tuesday, February 17, 2015 12:38 PM
    Tuesday, February 17, 2015 11:12 AM
    > I learned their 60 GPOs (some with up to 600 settings...) and their
    > thousands of parameters, which is essential for me, and during my searches I
    > found many, many, many programs to detect parameter conflicts or
    > duplicated settings, but after all my tries I'm still not satisfied
    > with what I found.
     
    I agree with SenneVL. "Conflicts" is very vague - what is a conflict in
    your terms? And optimization, too, is vague :)
     
    BTW: Duplicate settings are not unusual in GPOs - one "enabled", the
    other "disabled".
     

    Martin

    Read a GOOD book about GPOs for once?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    Monday, February 23, 2015 4:50 PM
  • Hello,

    I mean that if there are 10 GPOs for the domain and 10 others on child OUs, some parameters will be overwritten (conflict) or the same parameters will be set 5 times (duplication).

    I was searching for a tool because there are, for example, two domain GPOs which rule something like 2500 settings, registry parameters or folder redirection; add to this loopback processing (some merge, some replace) and security restrictions. It took me one afternoon to compare (with the AGPM tool) one domain GPO with the 60 others to realise that some are totally useless (because they are overwritten just after).

    Btw, I think I'm done with this point; I will now focus on the template files, if you have any idea: https://social.technet.microsoft.com/Forums/fr-FR/89dd20f6-b69a-41c1-b4ad-38d2fa371852/adm-migration?forum=mdopagpm


    • Edited by hisae14.21 Wednesday, February 25, 2015 11:38 AM
    Wednesday, February 25, 2015 11:37 AM
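The duplicate/conflict definition in the post above, and the per-setting "winning/losing GPO" view SenneVL suggested, can be approximated without a third-party product. The following is an added example, not code from the thread or from any of the tools named in it: it pulls the XML report of every GPO in the domain with the GroupPolicy module, collects each Administrative Template (registry) setting with its state, and flags settings that appear in more than one GPO. The XPath queries assume the report layout of Get-GPOReport, in which each registry setting is a Policy element with Name and State children under a Computer or User scope; the output file name is arbitrary.

```powershell
# Added example (not from the thread): inventory Administrative Template
# settings across every GPO in the domain and flag settings configured more
# than once. Requires the GroupPolicy module (RSAT or a DC) and read access
# to the GPOs. Definitions follow the thread: "duplicate" = same setting, same
# state in several GPOs; "conflict" = same setting, different states.
Import-Module GroupPolicy

function Get-GpoTemplateSettings {
    param([Parameter(Mandatory)][string]$GpoName)
    # Get-GPOReport returns the XML report as a string; parse it.
    [xml]$report = Get-GPOReport -Name $GpoName -ReportType Xml
    # Assumed layout: under <Computer> or <User>, the registry CSE lists each
    # setting as a <Policy> element with <Name> and <State> (Enabled/Disabled)
    # children. local-name() ignores namespace prefixes.
    foreach ($scope in 'Computer', 'User') {
        $nodes = $report.SelectNodes("//*[local-name()='$scope']//*[local-name()='Policy']")
        foreach ($p in $nodes) {
            $nameNode  = $p.SelectSingleNode("*[local-name()='Name']")
            $stateNode = $p.SelectSingleNode("*[local-name()='State']")
            if (-not $nameNode -or -not $stateNode) { continue }   # not a registry policy
            [pscustomobject]@{
                Gpo     = $GpoName
                Scope   = $scope
                Setting = $nameNode.InnerText
                State   = $stateNode.InnerText
            }
        }
    }
}

function Find-GpoSettingOverlap {
    param([Parameter(Mandatory)][object[]]$Settings)
    # Group by scope + setting name; anything set in more than one GPO is
    # either a duplicate (all states equal) or a conflict (states differ).
    $Settings | Group-Object Scope, Setting | Where-Object Count -gt 1 | ForEach-Object {
        $states = @($_.Group.State | Sort-Object -Unique)
        [pscustomobject]@{
            Scope   = $_.Group[0].Scope
            Setting = $_.Group[0].Setting
            Kind    = if ($states.Count -gt 1) { 'Conflict' } else { 'Duplicate' }
            Gpos    = ($_.Group | ForEach-Object { "$($_.Gpo)=$($_.State)" }) -join '; '
        }
    }
}

# Collect from every GPO in the domain, then report the overlaps.
$all      = Get-GPO -All | ForEach-Object { Get-GpoTemplateSettings -GpoName $_.DisplayName }
$overlaps = Find-GpoSettingOverlap -Settings $all
$overlaps | Sort-Object Kind, Scope, Setting | Format-Table -AutoSize
$overlaps | Export-Csv -Path .\gpo-overlaps.csv -NoTypeInformation   # arbitrary output name
```

The list says only that two GPOs touch the same setting, not which one wins for a given computer or user: that depends on link order, enforcement, security filtering and loopback mode on the target. For the winning/losing view per target, run gpresult /X on a representative machine as SenneVL describes and compare the GPO names in that report against the Gpos column here. A "Duplicate" whose two GPOs are linked at different levels is usually harmless but a maintenance risk; a "Conflict" where the losing GPO is the one the owner expects to apply is the kind of thing the original poster spent an afternoon finding by hand.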
    > I mean that if there are 10 GPOs for the domain and 10 others on child
    > OUs, some parameters will be overwritten (conflict) or the same
    > parameters will be set 5 times (duplication).
     
    Yes, that's true. But setting a simple registry key takes so little time
    that Windows cannot even log it in the gpsvc.log file. This is from a VM
    running on a desktop system concurrently with 4 other VMs:
     
    GPSVC(478.d68) 11:48:19:813 SetRegistryValue: 1 => Microsoft.CredentialManager  [OK]
    GPSVC(478.d68) 11:48:19:813 SetRegistryValue: 2 => Microsoft.GetPrograms  [OK]
    GPSVC(478.d68) 11:48:19:813 SetRegistryValue: 3 => Microsoft.HomeGroup  [OK]
    GPSVC(478.d68) 11:48:19:813 SetRegistryValue: 4 => Microsoft.iSCSIInitiator  [OK]
    GPSVC(478.d68) 11:48:19:813 SetRegistryValue: 5 => Microsoft.ParentalControls  [OK]
    GPSVC(478.d68) 11:48:19:813 SetRegistryValue: 6 => Microsoft.PeopleNearMe  [OK]
    GPSVC(478.d68) 11:48:19:813 SetRegistryValue: 7 => Microsoft.UserAccounts  [OK]
    GPSVC(478.d68) 11:48:19:829 SetRegistryValue: 8 => Microsoft.WindowsAnytimeUpgrade  [OK]
     
    And even here it takes only about 1 ms average - on a real system, this
    is about 50 times faster.
     

    Martin

    Wednesday, February 25, 2015 1:37 PM
    OK, but the company brought me in only for this mission, optimization, and by that they mean reducing the logon time and the SYSVOL size. If I translate, you're telling me that regulating all these settings is nearly useless?...
    Wednesday, February 25, 2015 3:57 PM
  • > this point reducing the login time and the Sysvol size, if I translate,
     
    For startup/login time, I'd suggest using
    overview of times consumed during GPO processing. And of course take
    care of startup/logon scripts and MSI Packages in GPOs :)
     
    > you're telling me regulating all these settings in nearly useless ?...
     
    For registry values (ADM Templates): Yes, it is nearly useless.
     
    Want some reading on GPO performance? Here we go:
     
    If questions arise, you're welcome to ask them :)
     

    Martin

    Wednesday, February 25, 2015 4:16 PM
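Martin's advice above is to look at where the processing time actually goes before touching settings. The following is an added example, not code from the thread or from the tools it mentions: it reads the Group Policy operational event log on a client, where event 5016 is written each time a client-side extension (CSE) finishes, and ranks the extensions by elapsed time so that scripts, drive maps, folder redirection or software installation stand out from registry writes. The EventData field names CSEExtensionName, CSEElaspedTimeInMilliSeconds (the misspelling is the schema's) and ErrorCode are assumed from that event's template; the two inline sample events are constructed, not real log output, so the parser can be run where the log is empty.

```powershell
# Added example (not from the thread): per-CSE timing from the
# Microsoft-Windows-GroupPolicy/Operational log. Event 5016 is logged when a
# CSE completes; the EventData field names used below are assumed from its
# template. Run elevated on the client being measured.

function ConvertFrom-CseEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        # Read named EventData fields rather than positional properties,
        # which differ between OS versions.
        [xml]$x = $EventXml
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.'#text' }
        [pscustomobject]@{
            Time  = [datetime]$x.Event.System.TimeCreated.SystemTime
            Cse   = $data['CSEExtensionName']
            Ms    = [int]$data['CSEElaspedTimeInMilliSeconds']
            Error = [int]$data['ErrorCode']
        }
    }
}

function Get-CseTimingSummary {
    param([Parameter(Mandatory)][object[]]$Timings)
    # Rank CSEs by total time; the thread's point is that registry writes
    # cost about a millisecond each, so they rarely top this list.
    $Timings | Group-Object Cse | ForEach-Object {
        [pscustomobject]@{
            Cse     = $_.Name
            Runs    = $_.Count
            TotalMs = ($_.Group | Measure-Object Ms -Sum).Sum
            MaxMs   = ($_.Group | Measure-Object Ms -Maximum).Maximum
            Errors  = @($_.Group | Where-Object Error -ne 0).Count
        }
    } | Sort-Object TotalMs -Descending
}

# Live data: CSE completions on this client over the last 7 days.
$live = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-GroupPolicy/Operational'
    Id        = 5016   # "Completed <CSE> Extension Processing in N milliseconds."
    StartTime = (Get-Date).AddDays(-7)
} -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }

# Constructed sample events (not real log output) so the parser can be
# exercised offline; used only when the live log is empty or inaccessible.
$sample = @(
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5016</EventID><TimeCreated SystemTime="2015-02-25T10:48:19.813Z"/></System><EventData><Data Name="CSEElaspedTimeInMilliSeconds">12</Data><Data Name="ErrorCode">0</Data><Data Name="CSEExtensionName">Registry</Data></EventData></Event>',
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>5016</EventID><TimeCreated SystemTime="2015-02-25T10:48:34.102Z"/></System><EventData><Data Name="CSEElaspedTimeInMilliSeconds">14289</Data><Data Name="ErrorCode">0</Data><Data Name="CSEExtensionName">Group Policy Drive Maps</Data></EventData></Event>'
)

$xml = if ($live) { $live } else { $sample }
$xml | ConvertFrom-CseEventXml | Get-CseTimingSummary | Format-Table -AutoSize
```

Read the result together with the 4016 (start) and 8001/8004-style completion events in the same log if you want the end-to-end logon figure; this script only attributes time to extensions. A CSE with a large MaxMs but a small average usually points at a network wait (an unreachable server, a slow share) rather than at the number of settings it writes.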
    Thanks for this information. We currently don't use WMI filters, only security groups.

    Actually, the GPOs are some years old, and so one GPO with administrative templates will be stored in SYSVOL, replicated on the 5 DCs, with all the ADM files stored in {GUID}/Adm.

    My idea was migrating these files into local ADMX (%Windows%\inf), and by this I thought it would improve my users' connections and lighten SYSVOL.

    I am in a testing environment with only two DCs (the production environment image), so I'm not sure I can have the full functionality of the policy reporter I had already tried (with no success :()

    I'm only a trainee, so I understand they don't want me to make mistakes on the DCs of the whole company.

    Friday, February 27, 2015 10:29 AM
    > My idea was migrating these files into local ADMX (%Windows%\inf), and by
    > this I thought it would improve my users' connections and lighten SYSVOL.
     
    No need to "migrate" anything - simply delete the ADM files in SYSVOL.
     
    This will NOT improve GPO processing speed, since ADM files are only
    required for GP editing and RSoP creation.
     
    > I am on a testing environment with only two DC (The production
    > environment image) so I'm not sure I can have the full functionality of
    > the policy reporter I had already tried (With no success :()
     
    Why not? What didn't work?
     

    Martin

    Friday, February 27, 2015 11:09 AM
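To put numbers on the "delete the ADM files" advice before acting on it, here is an added example (not code from the thread) that reports how much of SYSVOL each GPO's Adm folder occupies and performs the deletion as a dry run. It assumes the standard SYSVOL layout \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Adm and the GroupPolicy module; the domain name is taken from the machine's current domain.

```powershell
# Added example (not from the thread): measure and remove legacy ADM files from
# SYSVOL. Assumes the standard layout \\<domain>\SYSVOL\<domain>\Policies\{GUID}\Adm.
# Deletion stays a -WhatIf dry run until the report has been reviewed.
Import-Module GroupPolicy

$domain   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Map {GUID} folder names to display names; folders with no GPO are orphans.
$gpoNames = @{}
Get-GPO -All | ForEach-Object { $gpoNames["{$($_.Id.ToString().ToUpper())}"] = $_.DisplayName }

function Get-SysvolAdmUsage {
    param([Parameter(Mandatory)][string]$PoliciesPath, [hashtable]$Names = @{})
    Get-ChildItem -Path $PoliciesPath -Directory | ForEach-Object {
        $adm = Join-Path $_.FullName 'Adm'
        if (-not (Test-Path -Path $adm)) { return }     # no legacy templates here
        $files = @(Get-ChildItem -Path $adm -File -Recurse)
        $key   = $_.Name.ToUpper()
        [pscustomobject]@{
            Gpo     = if ($Names.ContainsKey($key)) { $Names[$key] } else { '<orphan>' }
            Guid    = $_.Name
            Files   = $files.Count
            SizeKB  = [math]::Round(($files | Measure-Object Length -Sum).Sum / 1KB)
            AdmPath = $adm
        }
    }
}

$usage = @(Get-SysvolAdmUsage -PoliciesPath $policies -Names $gpoNames)
$usage | Sort-Object SizeKB -Descending | Format-Table -AutoSize
'Total: {0} GPOs with Adm folders, {1} KB replicated to every DC' -f `
    $usage.Count, ($usage | Measure-Object SizeKB -Sum).Sum

# Dry run. Take a backup first (Backup-GPO -All -Path <folder>) and drop
# -WhatIf only after checking the list above.
$usage | ForEach-Object { Remove-Item -Path $_.AdmPath -Recurse -WhatIf }
```

Two caveats a practitioner would want: the size you save is multiplied by the number of DCs replicating SYSVOL, but as Martin says it changes nothing for the client, which never reads ADM files during processing. And the folders come back as soon as someone edits a GPO from a console that still uses ADM templates; if that is a concern, keep the editing workstations on ADMX (a central PolicyDefinitions store under the same Policies folder) so there is nothing to re-create.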
    OK, I give up on the ADMX format then.

    I can only work on two DCs; the GPOs are applied to AD objects like computers on which I can't work. I just have access to the GPOs and the settings, but not physically to the target. If I'm right, the policy reporter will analyse log files of the computer where the GPO settings have been applied, but I can't do this, because these target objects aren't in my virtual environment. I'll check with my "superior" to try this on the production environment.

    Friday, February 27, 2015 12:09 PM
  • > policy reporter will analyse logfiles of the computer where the gpo settings
    > have been applied
     
    Yes, that's true.
     

    Martin

    Friday, February 27, 2015 2:57 PM
  • Hello again Martin,

    I added a computer to my testing domain to use your analysis software, but I'm running into trouble here ^^

    I use a Windows 7 client but I can't see any useful log file... Grrr. If I'm right, the logs are managed by the event viewer, so I can't use the policy reporter; any trick for this?

    I take the liberty of asking because my traineeship ends Friday...

    On the other hand, I cleaned up the GPO settings; with my searches and tests I found out that the longest parameters to apply were the drive mapping / folder redirection. If anyone has any idea about how to improve these settings, it could help me.

    • Edited by hisae14.21 Monday, March 16, 2015 11:06 AM
    Monday, March 16, 2015 10:53 AM
  • > I'm right the logs are managed by the event viewer and so I can't use
    > the policy reporter, any trick for this ?
     
    Policy Reporter offers you the option to enable gpsvc logging: File - Set
    logging options - Activate userenv.log.
     
    > On the other hand I cleaned up the GPOs settings, with my searches and
    > tests, I found out that the longest parameters to apply was the Drive
    > Mapping / Folder redirection, if anyone has any idea about how to
    > improve these settings, it can help me
     
    Folder redirection deals with data files, so there's not much to
    improve. And drive maps depend on the time a mapping requires to
    establish - avoid dead servers :)
     

    Greetings, Martin

    Read a good book about GPOs for once?
    Good or bad GPOs? - my blog…
    And if IT bothers me - coke bottle design refreshment (-:
    Monday, March 16, 2015 12:01 PM
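"Avoid dead servers" is the practical answer to the drive-mapping question above: a Group Policy Preferences drive map whose target no longer answers makes every logon wait for the SMB connection to time out. The following is an added example, not code from the thread: it finds every drive map defined in SYSVOL, tests each distinct target once (TCP 445 with a short timeout, then the share path) and reports the slow or dead ones together with the GPOs that use them. It assumes the standard Preferences layout Policies\{GUID}\User\Preferences\Drives\Drives.xml with a Properties element carrying letter and path attributes; the timeout value is arbitrary, and paths containing GPP variables such as %LogonUser% are listed but not tested because they cannot be resolved from a script.

```powershell
# Added example (not from the thread): locate Group Policy Preferences drive
# maps in SYSVOL and test whether their targets are reachable. Assumes the
# standard layout Policies\{GUID}\User\Preferences\Drives\Drives.xml.
Import-Module GroupPolicy

function Get-GppDriveMaps {
    param([Parameter(Mandatory)][string]$PoliciesPath)
    Get-ChildItem -Path $PoliciesPath -Filter Drives.xml -Recurse -File | ForEach-Object {
        [xml]$x = Get-Content -Path $_.FullName -Raw
        $guid = $_.FullName -replace '.*(\{[0-9A-F-]+\}).*', '$1'   # GPO folder name
        foreach ($d in $x.Drives.Drive) {
            [pscustomobject]@{
                GpoGuid = $guid
                Letter  = $d.Properties.letter
                Path    = $d.Properties.path
                Action  = $d.Properties.action    # C/R/U/D
            }
        }
    }
}

function Test-Tcp445 {
    # Plain TcpClient with a timeout so a dead host costs $TimeoutMs, not the
    # SMB stack's own retry schedule; works on Windows 7 era PowerShell too.
    param([Parameter(Mandatory)][string]$Server, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Server, 445, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-DriveMapTargets {
    param([Parameter(Mandatory)][object[]]$Maps)
    # One test per distinct UNC path, however many GPOs reference it.
    $Maps | Group-Object Path | ForEach-Object {
        $path   = $_.Name
        $server = ($path -split '\\')[2]           # \\server\share -> server
        $usedBy = ($_.Group | ForEach-Object { "$($_.GpoGuid):$($_.Letter)" }) -join ', '
        if ($path -match '%') {                    # GPP variable, cannot resolve here
            [pscustomobject]@{ Path=$path; Server=$server; Port445=$null; ShareOk=$null; Ms=0; UsedBy=$usedBy }
            return
        }
        $sw    = [System.Diagnostics.Stopwatch]::StartNew()
        $tcp   = Test-Tcp445 -Server $server
        $share = if ($tcp) { Test-Path -Path $path } else { $false }
        $sw.Stop()
        [pscustomobject]@{
            Path = $path; Server = $server; Port445 = $tcp; ShareOk = $share
            Ms = $sw.ElapsedMilliseconds; UsedBy = $usedBy
        }
    }
}

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().Name
$maps   = @(Get-GppDriveMaps -PoliciesPath "\\$domain\SYSVOL\$domain\Policies")
Test-DriveMapTargets -Maps $maps | Sort-Object Ms -Descending | Format-Table -AutoSize
```

Run it from a machine on the same network segment as the clients, since the point is to see what they see. Anything with Port445 false is a dead server whose mapping should be deleted or moved behind item-level targeting; anything that answers on 445 but fails Test-Path is usually a removed share or a permission problem, which also costs logon time while the client retries. Folder redirection targets are a separate list (the redirection policy rather than Drives.xml), but the same reachability test applies to them.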