none
Performance issues when applying over 150 GPOs using GPPs

    Question

  • Hi guys,

    I'm doing some performance testing to see how long it takes for users applying over 150 GPOs (most of them creating shortcuts using the GPPs) to login on a Windows 2008 TS and the results are not that good...

    When looking at the logs, I get things like this:

    Completed Deployed Printer Connections Extension Processing in 16532 milliseconds.
    Completed Internet Explorer Branding Extension Processing in 3875 milliseconds.
    Completed Group Policy Registry Extension Processing in 2704 milliseconds.
    Completed Group Policy Shortcuts Extension Processing in 168187 milliseconds .
    Completed user logon policy processing for DOMAIN\user in 247 seconds .


    Obviously spending 4 minutes waiting at each logon is not acceptable and I'm trying to see if this can be improved without having to reduce the number of GPOs.
    I initially tested with the shortcuts configured in Replace mode (convenient as they can be automatically removed when the GPO doesn't apply anymore) then I switched to Create mode, which saved some time (about 20% faster) but still not enough...

    Since having the shortcuts added progressively after the user is logged in is not an issue I also tried to enable the "Allow Asynchronous User Group Policy Processing when logging on through Terminal Services" setting but it didn't seem to help at all.

    Can anyone think of a good way to substantially reduce this time? 
    Thursday, March 11, 2010 9:00 AM

Answers

  • Do know this nice article here?
    http://grouppolicy.editme.com/ClientSideProcessing

    With that in mind and the fact that some GPP extensions (e.g. Drive Mapping) perform actions which only run in foreground (synchronous) mode, the answer to your question is "No, GPPs cannot be set to run asynchronously in general".

    But again, on an item level you should be able to run the desired scenario
    (e.g. processing mode "Synchonous" with option "Is Not").
    See topic 3 of my previous post.
    Have you played around with that filters already?




    Patrick
    • Marked as answer by Thibault B. _ Friday, March 26, 2010 3:37 PM
    • Unmarked as answer by Thibault B. _ Monday, March 29, 2010 4:59 PM
    • Marked as answer by Thibault B. _ Tuesday, March 30, 2010 8:29 AM
    Monday, March 22, 2010 10:00 PM
  • Thanks for your help Patrick, using ILT Processing Modes I was able to get my shortcuts created asynchronously, after user logon, decreasing the logon time from about 5 minutes (when applying every single GPO) to 25 seconds.

    I actually wrote a Powershell script which retrieves the list of all my GPOs using GPP (based on their name), parse the content of their associated Drives.xml and Shortcuts.xml file in the SYSVOL, add the ILT settings in these files to turn off synchronous mode and enable Item Level group filtering and then finally consolidates all these settings in a few XML files I associated to some new GPOs destined to replace the 150+.

    For information I added the following block to each shortcut in the XML:

    <Filters>
        <FilterProcMode bool="AND" not="1" synchFore="1" asynchFore="0" backRefr="0" forceRefr="0" linkTrns="0" noChg="0" rsopTrns="0" safeBoot="0" slowLink="0" verbLog="0" rsopEnbl="0" />
        <FilterGroup bool="AND" not="0" name="DOMAIN\filteringgroup" sid="S-1-5-21-000000000-1111111111-222222222-33333" userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>

    So I basically went from using 150+ GPOs creating shortcuts in synchronous mode, containing very few settings and filtered on a per GPO basis to using a couple GPOs creating shortcuts in asynchronous mode, containing dozens to hundreds of settings that are filtered on a per Item basis.

    As far as performance it appears that processing 1 GPO with 100 GPP settings is substantially faster than processing 100 GPOs with 1 GPP setting each.

    • Marked as answer by Thibault B. _ Friday, March 26, 2010 3:37 PM
    • Edited by Thibault B. _ Sunday, March 28, 2010 9:37 PM Fixed XML code sample
    • Unmarked as answer by Thibault B. _ Monday, March 29, 2010 4:57 PM
    • Marked as answer by Thibault B. _ Tuesday, March 30, 2010 8:29 AM
    Friday, March 26, 2010 3:35 PM

All replies

  • Sadly... Group Policies are not always the answer... I sugest you read this article http://blog.stealthpuppy.com/terminal-server/building-dynamic-start-menus-with-access-based-enumeration  which shows you how to build a dynamic shortcut list for your start menu. This method is instantanious for your users and scales very well. It can also be used for desktop shortucts...
    Alan Burchill http://www.grouppolicy.biz
    Thursday, March 11, 2010 9:19 AM
  • Thanks Alan. We're actually already using ABE in our file system but we haven't tried combining the start menu redirection with ABE to replace GPOs creating shortcuts, it's definitely worth trying.
    Thursday, March 11, 2010 2:26 PM
  • Hi !

    I actually would also like to know if there are any documents available that would explain in details how the Group Policy Preferences settings are processed depending on their mode (Create/Update/Replace/Delete)? Please do not direct me to the "Group Policy Preferences Overview" document which doesn't provide any details.

    I'm having a hard time understanding how come it takes almost as long to process settings in Create mode, even though the GPOs haven't changed and the shortcuts already exist, as it takes to process these same settings in Replace mode...

    Thanks!
    • Edited by Thibault B. _ Monday, March 15, 2010 5:36 PM Temporarily unmark the answer to prevent this post from being unnoticed
    Monday, March 15, 2010 3:47 PM
  • Thibault, one question:
    Are you just testing GPP performance or is having 150 GPOs a real life scenario for you?

    I couldn't even imagine deploying 150 shortcuts to one user or machine, but if so I'd rather chose
    a differnt method (software deployment tools) than GPP.

    But if you stick to GPP, why don't you put all the shortcuts in one or very few GPOs.
    This would probably speed it up a lot.


    Patrick
    Monday, March 15, 2010 9:01 PM
  • Hi Patrick,

    This is currently a testing scenario, however I would consider implementing it if I'm able to get better performances. As to why I use as many GPOs there are two main reasons:
    • These GPOs are programmatically generated and each of them applies to a different group of users.
    • Even if consolidating into fewer GPOs was possible, this would imply that changing any of the settings in such a GPO would cause all other settings in to be reapplied
    Do you know a way of enabling asynchronous processing of GPP settings only? This would solve this problem as users won't be blocked when logging in, waiting for shortcuts to be created.

    Thank you!

    Tuesday, March 16, 2010 8:52 AM
  • Still I recommend to chose different methods than GPP for this requirement.
    But some more thoughts from my side:

    1. The power of GPP arises when using Item Level Targeting (ILT).
    You say you filter each GPO for a specific user group.
    GPP can be filtered on item level. That means, the reason you claim for needing 150 GPOs is no longer a reason. Because you can put all those items (in your case shortcuts) and filter each for a specific user group:
    http://technet.microsoft.com/en-us/library/cc733022.aspx

    2. Changing of GPOs:
    In fact, GPPs are always processed. Wether there is a change in the GPO or not.
    If you don't believe it: Just test with a simple registry key which you set via GPP.
    After first appliance, delete setting on the client and run gpupdate (no force).
    The settings will be there again though GPO was not changed at all...
    Besides that, what you are probably afraid of works different:
    Not the change within a single GPO decides if the GPO is reapplied or not.
    It is always the overall scope of a specific CSE that counts. For example, when
    you have 2 GPOs both containing IE Maintenance stuff and one of the GPOs is changed, both GPOs will be processed and reapplied. At least their IE Maintenance part ...

    3. Concerning your question on asynchronous processing:
    Again the power of GPP ILT might help you:
    There is a filter for "Processing Mode":
    http://technet.microsoft.com/en-us/library/cc753783.aspx


    Patrick
    Tuesday, March 16, 2010 8:00 PM
  • Thanks Patrick, I added my comments below.

    1. The power of GPP arises when using Item Level Targeting (ILT).
    You say you filter each GPO for a specific user group.
    GPP can be filtered on item level. That means, the reason you claim for needing 150 GPOs is no longer a reason. Because you can put all those items (in your case shortcuts) and filter each for a specific user group:
    http://technet.microsoft.com/en-us/library/cc733022.aspx

    I knew about ILT but what I didn't know was whether it would improve performance to put 150 settings in a single GPO and use ILT as compare to having them in separate GPOs. So according to you I would get better performance with this solution?

    2. Changing of GPOs:
    In fact, GPPs are always processed. Wether there is a change in the GPO or not.
    If you don't believe it: Just test with a simple registry key which you set via GPP.
    After first appliance, delete setting on the client and run gpupdate (no force).
    The settings will be there again though GPO was not changed at all...
    Besides that, what you are probably afraid of works different:
    Not the change within a single GPO decides if the GPO is reapplied or not.
    It is always the overall scope of a specific CSE that counts. For example, when
    you have 2 GPOs both containing IE Maintenance stuff and one of the GPOs is changed, both GPOs will be processed and reapplied. At least their IE Maintenance part ...

    I agree that GPPs are always processed and on a per CSE basis but my understanding was that shortcuts in Create mode wouldn't have to be recreated if they already exist (which would be what the CSE check when processing GPPs), isn't it the case?
    Also I get log entries like the one below, indicating changes were detected in all the GPOs with GPPs, is this normal and due to the fact GPPs are always processed or could it be something else?

    Starting Group Policy Shortcuts Extension Processing.

    List of applicable Group Policy objects: (Changes were detected.)

    GPO1
    GPO2
    ...
    GPO100


    3. Concerning your question on asynchronous processing:
    Again the power of GPP ILT might help you:
    There is a filter for "Processing Mode":
    http://technet.microsoft.com/en-us/library/cc753783.aspx

    What I would actually like to do is have all GPOs including GPPs processed asynchronously. These settings can be used to choose to process preferences items only if synchronous or asynchronous GPO processing mode is enabled but not actually enable it, right?
    Wednesday, March 17, 2010 8:28 AM
  • Any new thoughts on this?

    Does anyone know whether enabling the asynchronous processing of (only) Group Policy Preferences items is possible?

    Thanks!

    Monday, March 22, 2010 9:36 AM
  • Do know this nice article here?
    http://grouppolicy.editme.com/ClientSideProcessing

    With that in mind and the fact that some GPP extensions (e.g. Drive Mapping) perform actions which only run in foreground (synchronous) mode, the answer to your question is "No, GPPs cannot be set to run asynchronously in general".

    But again, on an item level you should be able to run the desired scenario
    (e.g. processing mode "Synchonous" with option "Is Not").
    See topic 3 of my previous post.
    Have you played around with that filters already?




    Patrick
    • Marked as answer by Thibault B. _ Friday, March 26, 2010 3:37 PM
    • Unmarked as answer by Thibault B. _ Monday, March 29, 2010 4:59 PM
    • Marked as answer by Thibault B. _ Tuesday, March 30, 2010 8:29 AM
    Monday, March 22, 2010 10:00 PM
  • Thanks for your help Patrick, using ILT Processing Modes I was able to get my shortcuts created asynchronously, after user logon, decreasing the logon time from about 5 minutes (when applying every single GPO) to 25 seconds.

    I actually wrote a Powershell script which retrieves the list of all my GPOs using GPP (based on their name), parse the content of their associated Drives.xml and Shortcuts.xml file in the SYSVOL, add the ILT settings in these files to turn off synchronous mode and enable Item Level group filtering and then finally consolidates all these settings in a few XML files I associated to some new GPOs destined to replace the 150+.

    For information I added the following block to each shortcut in the XML:

    <Filters>
        <FilterProcMode bool="AND" not="1" synchFore="1" asynchFore="0" backRefr="0" forceRefr="0" linkTrns="0" noChg="0" rsopTrns="0" safeBoot="0" slowLink="0" verbLog="0" rsopEnbl="0" />
        <FilterGroup bool="AND" not="0" name="DOMAIN\filteringgroup" sid="S-1-5-21-000000000-1111111111-222222222-33333" userContext="1" primaryGroup="0" localGroup="0"/>
    </Filters>

    So I basically went from using 150+ GPOs creating shortcuts in synchronous mode, containing very few settings and filtered on a per GPO basis to using a couple GPOs creating shortcuts in asynchronous mode, containing dozens to hundreds of settings that are filtered on a per Item basis.

    As far as performance it appears that processing 1 GPO with 100 GPP settings is substantially faster than processing 100 GPOs with 1 GPP setting each.

    • Marked as answer by Thibault B. _ Friday, March 26, 2010 3:37 PM
    • Edited by Thibault B. _ Sunday, March 28, 2010 9:37 PM Fixed XML code sample
    • Unmarked as answer by Thibault B. _ Monday, March 29, 2010 4:57 PM
    • Marked as answer by Thibault B. _ Tuesday, March 30, 2010 8:29 AM
    Friday, March 26, 2010 3:35 PM