Category: Group policies

Follow-up to TechEd session WCL326: Five infrastructure changes that will boost performance for the Windows Client

So to summarize the key areas which you can look into when optimizing performance from an infrastructure point of view here is a summary of the key takeaways from TechEd session WCL326: Five infrastructure changes that will boost performance for the Windows Client.

1. Slow machine boot and login / GPOs and scripts

Use Windows Performance Toolkit (part of Windows 7 SDK) to troubleshoot what is happening during boot. Specifically narrow in one Group Policy in the section in the Generic events and look for and enable only the Group Policy provider to see what’s going on with group policies. Group policies and scripts are most often the bad guys when having performance problems with boot and login.

Also use Event Viewer > Applications and Services > Windows > Group Policy > Operational log to look for instance events with id 5326, 8000, 8001or 5016. In particular the last one is of interest as this will quickly show you which Group policy extension is taking most of the time to finish.

Cleanup, remove unnecessary settings and GPO objects. Convert scripts to Group Policy Preferences as necessary or make scripts running scheduled after startup or login to minimize the boot and login times.

2. Optimizations for RDP

Activate asynchronous login for users to speed up login for Remote Desktop Services and RemoteApp. Go to Administrative templates > Policies > System > Group Policy and set the setting for “Allow asynchronous user Group Policy processing when logging in to Remote Desktop Services”.

Three other really great tweaks found in Administrative templates > Policies > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Remote Session Environment:

Do not allow font smoothing = Enabled
Limit maximum color depth =  Enabled, set it to 32-bit
Set compression algorithm for RDP data = Enabled, set it to Optimized to use less network bandwidth

3. SMB 2.1

To get full use of performance improvements in SMB2.1 protocol you need file servers that are running Windows Server 2008 R2 or if you are running a third party storage solution to activate SMB2.x support as that is not always activated by default and sometimes a firmware upgraded is needed.

Performance increases based on my own performance measuring are varying from 10-80% performance increase.

4. BranchCache

Activate BranchCache feature from Server Manager on the content servers you want to use with BranchCache. Require windows Server 2008 R2 on the content server. For file shares make sure to enable the BranchCache feature on the share(s) you want to use with BranchCache. Also set the group policy “Hash Publication for BranchCache” on the file server(s) found in Administrative templates > Policies > Network > Lanman Server.

To activate BranchCache on the Windows 7 client look in Administrative templates > Policies > Network > BranchCache and activate the required GPO settings.

5. Upgrade key servers to Windows Server 2008 R2

To gain use of RDP improvements, SMB2.1 improvements and actually make performance better for file handling the simple thing to do is to migrate to Windows Server 2008 R2.

BONUS 1. Microsoft tool to measure performance:

WDRAP (Risk and health Assessment Program for Windows Desktop) is a tool designed for enterprise customers that verifies overall performance, including bad drivers, apps that are causing the machine to start slowly etc. Contact your Technical Account Manager at Microsoft to get more information and analyzing the results with this tool. Microsoft themselves used this tool some time ago to improve performance in their environment, more on this in the Microsoft IT Case Study.

BONUS 2. Hotfixes related to infrastructure and performance, Windows 7 Post-SP1:

You experience a long domain logon time in Windows 7 or in Windows Server 2008 R2 after you deploy Group Policy preferences to the computer
http://support.microsoft.com/kb/2561285

Unexpectedly slow startup or logon process in Windows Server 2008 R2 or in Windows 7 (WMI issue)
http://support.microsoft.com/kb/2617858

Slow performance when you browse the My Documents folder in the document library in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2690528

Improved interoperability between the BranchCache feature and the Offline Files feature in Windows 7 or in Windows Server 2008 R2
http://support.microsoft.com/kb/2675611

General Q and A

Q: Can I use this tool to measure performance and troubleshoot on Windows XP?
A: You can run the tool on Windows XP by copying xbootmgr and xperfctrl.dll to an XP machine. You can then analyse the results on a Windows 7 machine. However do not expect the same amount of detailed data as Windows 7 has introduced new features that are not available in Windows XP.

Any further questions around the session or the topics, feel free to leave a comment to the article or send me an email on andreas.stenhall@knowledgefactory.se.

SLIDES: Download the slides from the session WCL326

 

HOW TO: Handle user group policy settings in multiple OS environments

This is a very common question and one that I would say all companies migrating to Windows 7 has experienced. The scenario is how do we handle user group policy settings when we have multiple operating systems such as Windows XP and Windows 7 or in the future also introduce Windows 8?

First I strongly recommend that you do not reuse the user configuration for Windows XP for Windows 7. Group policies tend to grow over time and at most customers I have encountered a lot of rubbish in the old configuration. Starting over and migrating only what is needed minimize the risk for problem and makes the configuration slicker and more easy to manage in the long run.

But how do we make sure that users get one configuration when they log in to for instance Windows XP and another configuration when they log in to a Windows 7 or Windows 8 machine? Well, let’s have a look at the options including pros and cons followed by recommendations from the field.

1. Security group filtering

  • Pros:
    – Require no change in OU structure/move of users.
  • Cons:
    – Requires a lot of management and make it hard to administer.

2. Separate users into a new and old OU

  • Pros:
    – Easy to do if you have very few users and no dependencies to other services or applications.
  • Cons:
    – Not a manageable solution in an environment with many users.
    – There are often apps or services that rely on the users being in a certain OU which is making it hard to move users without affecting other services.

3. WMI filters

  • Pros:
    – Keep the users in the OU they are today not affecting other services or apps that rely on users being in a certain OU.
    – A longterm investment in making it easy to introduce new operating system versions.
    – Quick determination (WMI is often known to be real slow but this particular query is not performance intensive).
  • Cons:
    – Need changes for existing environment, i.e. for instance Windows XP user configuration.
    – Could make group policies not being applied due to problems with WMI repository or related services.

4. Loopback processing

  • Pros:
    – Keep the users in the OU they are today not affecting other services or apps that rely on users being in a certain OU.
    – Very reliable solution.
  • Cons:
    – If not Replace mode is used you need to handle current configuration.
    – Might become a mess to troubleshoot and maintain if naming and config is not done consistent and clear.

Recommendations from the field

In my professional opinion the only real alternatives are WMI filters or loopback processing and sometimes I recommend WMI filters for separating user settings depending on what operating system they are logging in to and sometimes I recommend loopback processing. It depends on the environment and needs for the customer. Many times moving the user accounts around is not an alternative but consider that a very good alternative if possible to accomplish.

How do I implement it in my environment?

1. WMI filters

In the Group Policy console you create multiple WMI filters for for instance Windows XP and Windows 7. You then set each WMI filter respectively on each GPO containing user settings for each operating system. NOTE: Always test it out before applying this configuration to your existing environment. Also note that this does not affect performance to any noticeable amount of time.

Windows XP:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "5.2%" AND ProductType ="1"

Windows 7:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.1%" AND ProductType ="1"

Windows 8:

SELECT * FROM Win32_OperatingSystem WHERE Version LIKE "6.2%" AND ProductType ="1"

Basically the version is the OS version as we know it and the ProductType=1 means that it is a client operating system.

So you will end with for instance one GPO named “User Configuration – Windows 7” which have the WMI filter for Windows 7 machines set and one GPO named “User Configuration – Windows XP” which have the WMI filter for Windows XP set.

2. Loopback processing

A prerequisite for using loopback processing is that you keep computers in separate OUs, for instance XP computer accounts in one OU and Windows 7 computer accounts in another OU.

You then create GPO objects in the OU for Windows 7 in our example and configure the user settings there. As I think you should always separate Computer and User configuration GPO:s I would say that you in a Computer configuration policy in that same OU set this setting for the user settings to be applied when users log into Windows 7 machines:

Policies – Computer configuration – Administrative templates – System – Group Policy and there set “User Group Policy loopback processing mode” to Replace or Merge, depending on what you want to achieve and how you want to handle your current configuration. Replace mode is recommended as you will have a hard time maintaining and troubleshooting the configuration otherwise.

Done! When users log on to your Windows 7 machines they will get the user settings you have defined in the user configuration GPOs located in the Windows 7 machines OU in our example.

Handling the Group Policy central store with care

Today I visited a customer site where the customer had setup a central store, meaning all group policy defintion files and language files are placed in the SYSVOL share for better management of group policies. One benefit of that central store is that all administrators managing and editing group policies are using the same templates.

The problem in this case was that whenever they started editing a group policy they got tens and tens of warning about various admx files along with for example resource errors. I looked into PolicyDefinitions folder in the SYSVOL share and immediately noticed that there was admx and adml files missing and that there were mismatch between the version of the admx and adml files.

I took a Windows 7 with SP1 client and added/replaced all admx files from there. After that I took the en-us folder and replaced what was in the SYSVOL folder with that one, followed by doing the same for the sv-se, i.e. the Swedish language files. While at it I installed IE9 and put in the inetres.admx and respective adml files for each language to have the capabilities of editing Internet Explorer 9 policies as that is to be included in the Windows 7 image. Voila!

So the bottom line is; keep the central store consistent and make sure that when you create the store that you populate it with admx and adml files from the latest client OS with service pack when managing Windows 7, and that you do make sure that you have the same version of all admx and adml files or else you will get errors due to mismatching files.

Case of “catastrophic failure” and error 0x8000ffff with Group Policy Preferences mapping printers

Mapping printers using Group Policy Preferences is a really nice feature and it is supposed to be working much better than using traditional scripting technologies. Let me tell you about an interesting day troubleshooting why printers didn’t want to map using Group Policy Preferences. In the logs it just stated “catastrophic failure” which does not sound good at all nor makes much sense.

Log Name: Application
Source: Group Policy Printers
Event ID: 4098
Description: The user 'X' preference item in the 'Y {3EE4E80F-17CB-4E56-9237-4FC8B9FA090A}' Group Policy object did not apply because it failed with error code '0x8000ffff Catastrophic failure' This error was suppressed.

Logging in as the user on another machine did not produce the same problem and the mapping of printers work fine, as did mapping the printers when logging in using an administrator account.

This got me thinking that I should try mapping a printer manually as the standard user so I did. It got me a “You do not have permission to use the selected printer” which made me turn to the classic tool Process Monitor and to start a trace. It didn’t take long to see that after filtering all logs for a result of “denied” resulted in the following line:

Operation: CreateFile
Result: ACCESS DENIED
Path: \\printserver\print$\w32x86\3\OPLO_UM.dll
Desired access: Generic Read

Note that CreateFile does not necessarily mean to create a file, it can mean “read file” as documented by Microsoft for the CreateFile function. 

So the conclusion was that after investigating with the printer department the printer share “print$” security permissions did not match the user and the user actually did not have read permissions to read the driver which is an absolute requirement for the printer to be mapped (as the print driver is actually installed when the printer is mapped).

Also one setting that affected the behavior was that one have to set “Run in logged-on user’s security context” in the Common tab of the printer mapping Properties. This is an essential part of the solution…

Case closed!

Group policies messing with your Windows 7 deployment

There a number of group policies that can interfere when you are deploying Windows 7 machines, one of them being the “Admin approval mode for the built-in local administrator account” which if set to enabled breaks deployment using the Lite Touch scenario using Microsoft Deployment Toolkit.

My fellow MVP and now also colleague Johan Arwidmark has a blog post on two methods for handling problems related to group policies when dpeloying machines, either by settings filters on your group policies or postponing the domain join process.

Killing the myths: Group Policy Preferences for everyone!

There is a very common misconception out there that Group Policy Preferences can only be created, managed and applied to your Windows machines if you are running your domain controllers with Windows Server 2008 or later. This is so NOT true.

What you have to do if you are stuck on domain controllers running Windows Server 2003 is to install the Remote Server Administration Tools on a Windows 7 (or Vista) client machine, add the feature Group Policy Management and then create a GPO in the domain and edit it, configuring the Group Policy Preferences of your choice. Voilà!

I do not know where this myth is coming from actually but the fact that GPO Preferences were introduced in Windows Server 2008 is the major reason I would assume.

Easier GPO management using filtering

The number of group policy settings that you can use to fine tune your client and server computers are constantly growing. The more settings there are the harder it is to find them. Therefore the option “All settings” in the Group Policy Manager in Windows Vista SP1 and later and Windows 7 is a pleasure. But the best part is that you can filter out and only show polices related to exactly what you are looking for, example only settings that contain “DNS” to see settings only related to DNS.

Start gpedit.msc or the full Group Policy manager which is a part of Remote Server Administration Tools for Windows Vista and Windows 7 and go to Computer Configuration > (Policies >) Administrative templates and click “All settings”. Right click anywhere in the right pane to filter out only settings that you are interested in.

Add users to local groups on the Windows clients easily

If you want to add domain users or groups to a local group on a Windows client machine automatically, this can be done using group policies. One reason could be to easily put groups or users to the local group Remote Desktop Users to allow them to log on via RDP. To control which users or groups you want to add create a new GPO in the domain and go to Computer configuration > (Policies) > Windows settings > Security settings > Restricted groups.

Once there choose to add a group and in my example find the “Remote Desktop Users” group and after that add the user or group you want to add to the local machines which that particular group policy object applies to. More information about restricted groups can be found at http://support.microsoft.com/?id=810076

Filtering policies in new Group Policy management tool

When you install Vista Service Pack 1 the old GPMC.MSC control panel is removed. The reason for this is that there is a new and improved Group Policy management tool released in the Remote Server Administration Tool kit that was released slightly after Service Pack 1 was released to the public.

One of the new features of the new Group Policy management tool is that you can filter policy settings. Directly under “Administrative templates” for both Computer and User Configuration there is a new “All settings” category which lists all settings in “Administrative templates”. If you select “All settings” you might then right click anywhere and choose “Filter options”. It looks like the screenshot below.

Group Policy Filtering

By entering the information you are looking for it is very easy to find the group policy settings that you are looking for. This is becoming more and more necessary as the number of policies grows by hundreds or nearly a thousand for every new Windows version released and it is hard to find the setting one is looking for.

Download Remote Server Administration Tools (x86)
Download Remote Server Administration Tools (x64)

Turn off UAC in a domain using Group Policies

Some people for whatever reason want to turn off UAC for all or certain computers in a domain using Group Policies. This is done by setting the Computers Configuration > Windows Settings > Local Policies > Security Options > User Account Control: Run all administrators in Admin Approval Mode to disabled. As usual when turning off UAC a reboot is required for the changes to take effect.