Bart's Weblog

Just a blog…

Archive for the ‘Group Policy’ Category

Quick post: GPO WMI filtering and performance

Posted by bartvdw on 2222/0909/2017

Got triggered recently about WMI filtering on GPO’s and performance impact. It is clear that the filter(s) needs to be processed, and that you shouldn’t use it by default, but killing the logon on a machine? That would mean “DO NOT USE” scenario… So here a summary about WMI filtering, but also a quick overview about the different controls you have to filter GPO’s. Extensive reading material is included at the bottom (references).

 

Quick recap which controls are available:

  • Organizational units (OUs)
    • Group user/computer objects in OUs
    • Link GPOs to OUs
  • Security
    • Change GPO security so that the GPO applies to specific groups
    • Required permissions: read + apply group policy
    • Works not only for users, but also for computer accounts
  • WMI filters
    • Specify a WMI query
    • The GPO is applied only if the query returns true
    • Applies to entire GPOs
  • Item-level targeting (ILT)
    • Specify targeting criteria
    • A setting is applied only if the criteria match
    • Applies to individual settings (in case of registry settings: can also apply to a collection of settings)
    • Available for Group Policy Preferences (GPPs) only, not for Policies

 

For WMI filtering there are some good tips:

  • Use when required (obviously)
  • Do NOT use Select *, but target your filter
  • Test performance with Measure-Command, and loop 1000x for more accurate results
  • Use SDM / GPOGuy WMIFTest utility to validate your filters against systems

 

Test method performance (my preferred option):

$q = ‘Select Version From Win32_OperatingSystem Where Version LIKE “10.0.%”‘

$a = for ($i = 1; $i -le 100; $i++) {

Measure-Command -Expression {

Get-WmiObject -Query $q

}

};

$a | Measure-Object TotalMilliseconds -Sum -Average -Maximum –Minimum

 

(Replace the query with your actual filter and test with targeted and Select *)

 

I ran the test on some machines using the Version attribute specific for the OS (so 10.%, and 6.3%).

 

Windows 10 on Surface Pro 4 results:

 

Test results on 2012 R2 server physical

 

Test results on 2012 R2 virtual

 

So results vary, but the difference between targeted filter versus * is clear. This also allows you to show the actual performance hit.

 

So WMI filtering isn’t all that bad, just use it wisely and when required; see if Item Level Targeting (ILT) is possible for example, or security filtering.

 

Comments welcome, as always!

References

How Group Policy Impacts Logon Performance #3: WMI Filters & ILT – https://helgeklein.com/blog/2016/01/how-group-policy-impacts-logon-performance-3-wmi-filters-ilt/

WMI filter queries and thoughts on performance – http://evilgpo.blogspot.be/2014/11/wmi-filter-queries-and-thoughts-on.html

Showdown – WMI Filter vs Item Level Targeting – http://evilgpo.blogspot.be/2014/11/showdown-wmi-filter-vs-item-level.html

Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences – https://blogs.technet.microsoft.com/grouppolicy/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences/

Group Policy and Logon Impact – https://blogs.technet.microsoft.com/grouppolicy/2013/05/23/group-policy-and-logon-impact/

WMI Filter Friday – https://blogs.technet.microsoft.com/grouppolicy/2010/03/19/wmi-filter-friday/

Digging Into Group Policy WMI Filters and Managing them through PowerShell – https://sdmsoftware.com/group-policy-blog/gpmc/digging-into-group-policy-wmi-filters-and-managing-them-through-powershell/

Group Policy WMI filters for Windows 7/8/8.1/10 – https://deploywindows.info/2016/11/03/group-policy-wmi-filters-for-windows-788-110/

Using Group Policy WMI filters? Computers booting slow? – https://deploywindows.info/2016/02/15/using-group-policy-wmi-filters-computers-booting-slow/

Creating WMI Filters and GPOs with PowerShell – https://www.darkoperator.com/blog/2012/3/23/creating-wmi-filters-and-gpos-with-powershell.html

Fun with WMI Filters in Group Policy – https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/

GPO Migration with PowerShell – Now including WMI filters – https://blogs.technet.microsoft.com/ashleymcglone/2014/08/11/gpo-migration-with-powershell-now-including-wmi-filters/

WMI Filter Validation Utility

https://sdmsoftware.com/gpoguy/free-tools/library/wmi-filter-validation-utility/

Advertisements

Posted in Active Directory, Group Policy, Windows, Windows Server 2012 | Leave a Comment »

Microsoft BPA’s on Windows Server 2008 R2

Posted by bartvdw on 1313/0808/2011

They are now installed when you add a role to a Windows Server 2008 R2 installation, updates are released through MU. Use them to have a check on your configuration settings!!

Best Practices Analyzer
http://technet.microsoft.com/en-us/library/dd759260.aspx

Running and Filtering Scans in Best Practices Analyzer
http://technet.microsoft.com/en-us/library/dd759206.aspx

Posted in Active Directory, Exchange, Group Policy, Windows | Leave a Comment »

NetWrix Freeware Tools

Posted by bartvdw on 2525/0707/2011

Note: I do not provide any support for these tools, nor do I guarantee anything. Test them yourself before usage, this is for your information post only.

NetWrix Freeware Products
http://www.netwrix.com/freeware_products.html

Posted in Active Directory, Exchange, Group Policy, VMware, Windows | Leave a Comment »

Deploying printers using GPP

Posted by bartvdw on 1111/0606/2011

When you deploy printers using GPP, you can receive following error:

‘0x80070bcb The specified printer driver was not found on the system and needs to be downloaded.’

To prevent this, add following options in your policy:
– Computer Configuration\Administrative Templates\Printers\Point and Print Restrictions – set to "Disabled"
– User Configuration\Administrative Templates\Control Panel\Printers\point and Print Restrictions – set to "Disabled"

Posted in Active Directory, Group Policy | 1 Comment »

IPv6: How to configure with GPO

Posted by bartvdw on 1313/0303/2011

By default as from Vista/2008 on, IPv6 is enabled. You can configure this through the registry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\DisabledComponents (32-bit DWORD value)

  1. Type 0 to enable all IPv6 components.
    Note The value "0" is the default setting.
  2. Type 0xffffffff to disable all IPv6 components, except the IPv6 loopback interface. This value also configures Windows Vista to use Internet Protocol version 4 (IPv4) instead of IPv6 in prefix policies.
  3. Type 0x20 to use IPv4 instead of IPv6 in prefix policies.
  4. Type 0x10 to disable native IPv6 interfaces.
  5. Type 0x01 to disable all tunnel IPv6 interfaces.
  6. Type 0x11 to disable all IPv6 interfaces except for the IPv6 loopback interface.

Download the IPv6Configuration.zip file, extracted and copy the files like listed below:

  • IPv6Configuration.admx – Copy this file to %SYSTEMROOT%\PolicyDefinitions
  • IPv6Configuration.adml – Copy this file to %SYSTEMROOT%\PolicyDefinitions\en-US (Replace en-US with your country’s language, as necessary)

Now you can add these in your GPO editor to configure the values described in the MS KB (see link below). Possible values:

  • Enable all IPv6 components (Windows default)
  • Disable all IPv6 components (the setting you probably want)
  • Disable 6to4
  • Disable ISATAP
  • Disable Teredo
  • Disable Teredo and 6to4
  • Disable all tunnel interfaces
  • Disable all LAN and PPP interfaces
  • Disable all LAN, PPP and tunnel interfaces
  • Prefer IPv4 over IPv6

 

How to Configure IPv6 Using Group Policy
http://www.expta.com/2009/02/how-to-configure-ipv6-using-group.html

How to disable certain Internet Protocol version 6 (IPv6) components in Windows Vista, Windows 7 and Windows Server 2008
http://support.microsoft.com/kb/929852/en-us

Posted in Group Policy, Windows | Leave a Comment »