In my previous blog post, I wrote about some new reporting we’ll be providing in version 2.0 of our GPO Exporter product. One of the reports in that new version identifies GPOs that contain “expensive” Group Policy Preferences Item-Level Targeting (ILT). What do I mean by “expensive”? Specifically, this refers to ILTs that can result in longer than normal GPO processing times as they’re being evaluated, due to how they work. GP Preferences includes ILT as a way of filtering individual preference settings. The screenshot below shows the options available:
Of these options, there are some that can have a bigger impact on GP processing times, and thus machine startup and/or user logon times. These expensive filter types include the following:
- Security Group (for Computer objects only)
- LDAP Query
- Domain
- Site
- Organizational Unit
Each of these filter types identified above must query AD over the network to be able to evaluate the filter to true or false. This results in a significantly larger amount of time to evaluate each of these filters than other filters that run locally on the box. How significant the difference is will of course depend upon factors such as network load and latency, load on the servers being queried, size of the query (e.g. some LDAP queries are more expensive than others), etc. And interestingly, while evaluating security group membership for computers will run over the network, if you use security group ILTs for users, that will be evaluated locally on the workstation (presumably cached there).
So what do you do with this information? Well, certainly knowing about these particular expensive ILT types will help. Use them sparingly when you have to use them and be cognizant of how many of them you include in your GPOs. And, if you start experiencing slowdowns in GP processing, these might be good candidates to remove or disable, to discover where time is being spent.
Darren
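As an added example (not from the post or from the GPO Exporter product), here is a small Python script that scans a Group Policy Preferences XML file (the per-extension files under SYSVOL, or the XML from Get-GPOReport) and flags the expensive ILT types listed above. The element and attribute names (FilterGroup, FilterLdap, FilterDomain, FilterSite, FilterOrgUnit, userContext) follow the GPP filter schema; the sample XML is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Filter types that, per the post, must query AD over the network.
NETWORK_FILTERS = {"FilterLdap", "FilterDomain", "FilterSite", "FilterOrgUnit"}

# Constructed sample shaped like a GPP Groups.xml file (not a real GPO).
SAMPLE_XML = r"""<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <Group name="Helpdesk" uid="{00000000-0000-0000-0000-000000000001}">
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\Workstations" userContext="0"/>
      <FilterLdap bool="AND" not="0" variableName="LDAP" attribute="distinguishedName"
                  searchFilter="(objectClass=computer)" binding="LDAP:"/>
      <FilterOs bool="AND" not="0" class="NT" version="WIN10"/>
    </Filters>
  </Group>
  <Group name="LabAdmins" uid="{00000000-0000-0000-0000-000000000002}">
    <Filters>
      <FilterGroup bool="AND" not="0" name="CORP\LabUsers" userContext="1"/>
      <FilterSite bool="AND" not="0" name="HQ"/>
    </Filters>
  </Group>
</Groups>"""


def local_name(tag):
    """Strip an XML namespace prefix: '{ns}FilterGroup' -> 'FilterGroup'."""
    return tag.rsplit("}", 1)[-1]


def classify_filter(elem):
    """Return a reason string if this ILT filter is expensive, else None."""
    name = local_name(elem.tag)
    if name in NETWORK_FILTERS:
        return f"{name} queries AD over the network"
    # userContext="1" is a user-side group check, evaluated locally per the
    # post; anything else is treated as a computer group check (hits AD,
    # mitigated by the KB 2561285 hotfix mentioned in the comments).
    if name == "FilterGroup" and elem.get("userContext") != "1":
        return "FilterGroup in computer context queries AD"
    return None


def find_expensive_filters(xml_text):
    """Return (setting name, filter element, reason) for each expensive ILT."""
    findings = []
    for setting in ET.fromstring(xml_text).iter():
        for filters in (c for c in setting if local_name(c.tag) == "Filters"):
            for flt in filters.iter():  # iter() also covers nested collections
                reason = classify_filter(flt)
                if reason:
                    label = setting.get("name", local_name(setting.tag))
                    findings.append((label, local_name(flt.tag), reason))
    return findings


if __name__ == "__main__":
    for setting, flt, reason in find_expensive_filters(SAMPLE_XML):
        print(f"{setting}: {flt} - {reason}")
```

Run it against each preference XML file you want to review; a GPO whose settings accumulate several findings is a candidate for the remove-or-disable test the post describes.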
Darren, thanks for sharing this.
Regarding the ILT for Computer Security Groups, the bad performance has been improved at least by a hotfix: http://support.microsoft.com/kb/2561285/en-us
In my tests where filters used to take more than 30 ms they now run within 1 ms. According to http://blogs.technet.com/b/askds/archive/2011/08/18/improved-group-policy-preference-targeting-by-computer-group-membership.aspx no LDAP calls are used any longer, instead the local token of the computer account is evaluated.
Patrick
Good information Patrick. Ironically the information I got about the computer-based security groups and ILT was from Microsoft directly, so I’m surprised they didn’t know about this. In any case, I saw that KB article a while back but didn’t notice the specific fix so I appreciate your bringing that to my attention!
Darren