Bart's Weblog

Just a blog…

Archive for the ‘Windows Server 2012’ Category

Quick post: GPO WMI filtering and performance

Posted by bartvdw on 2222/0909/2017

Got triggered recently about WMI filtering on GPO’s and performance impact. It is clear that the filter(s) needs to be processed, and that you shouldn’t use it by default, but killing the logon on a machine? That would mean “DO NOT USE” scenario… So here a summary about WMI filtering, but also a quick overview about the different controls you have to filter GPO’s. Extensive reading material is included at the bottom (references).

 

Quick recap which controls are available:

  • Organizational units (OUs)
    • Group user/computer objects in OUs
    • Link GPOs to OUs
  • Security
    • Change GPO security so that the GPO applies to specific groups
    • Required permissions: read + apply group policy
    • Works not only for users, but also for computer accounts
  • WMI filters
    • Specify a WMI query
    • The GPO is applied only if the query returns true
    • Applies to entire GPOs
  • Item-level targeting (ILT)
    • Specify targeting criteria
    • A setting is applied only if the criteria match
    • Applies to individual settings (in case of registry settings: can also apply to a collection of settings)
    • Available for Group Policy Preferences (GPPs) only, not for Policies

 

For WMI filtering there are some good tips:

  • Use when required (obviously)
  • Do NOT use Select *, but target your filter
  • Test performance with Measure-Command, and loop 1000x for more accurate results
  • Use SDM / GPOGuy WMIFTest utility to validate your filters against systems

 

Test method performance (my preferred option):

$q = ‘Select Version From Win32_OperatingSystem Where Version LIKE “10.0.%”‘

$a = for ($i = 1; $i -le 100; $i++) {

Measure-Command -Expression {

Get-WmiObject -Query $q

}

};

$a | Measure-Object TotalMilliseconds -Sum -Average -Maximum –Minimum

 

(Replace the query with your actual filter and test with targeted and Select *)

 

I ran the test on some machines using the Version attribute specific for the OS (so 10.%, and 6.3%).

 

Windows 10 on Surface Pro 4 results:

 

Test results on 2012 R2 server physical

 

Test results on 2012 R2 virtual

 

So results vary, but the difference between targeted filter versus * is clear. This also allows you to show the actual performance hit.

 

So WMI filtering isn’t all that bad, just use it wisely and when required; see if Item Level Targeting (ILT) is possible for example, or security filtering.

 

Comments welcome, as always!

References

How Group Policy Impacts Logon Performance #3: WMI Filters & ILT – https://helgeklein.com/blog/2016/01/how-group-policy-impacts-logon-performance-3-wmi-filters-ilt/

WMI filter queries and thoughts on performance – http://evilgpo.blogspot.be/2014/11/wmi-filter-queries-and-thoughts-on.html

Showdown – WMI Filter vs Item Level Targeting – http://evilgpo.blogspot.be/2014/11/showdown-wmi-filter-vs-item-level.html

Security Filtering, WMI Filtering, and Item-level Targeting in Group Policy Preferences – https://blogs.technet.microsoft.com/grouppolicy/2009/07/30/security-filtering-wmi-filtering-and-item-level-targeting-in-group-policy-preferences/

Group Policy and Logon Impact – https://blogs.technet.microsoft.com/grouppolicy/2013/05/23/group-policy-and-logon-impact/

WMI Filter Friday – https://blogs.technet.microsoft.com/grouppolicy/2010/03/19/wmi-filter-friday/

Digging Into Group Policy WMI Filters and Managing them through PowerShell – https://sdmsoftware.com/group-policy-blog/gpmc/digging-into-group-policy-wmi-filters-and-managing-them-through-powershell/

Group Policy WMI filters for Windows 7/8/8.1/10 – https://deploywindows.info/2016/11/03/group-policy-wmi-filters-for-windows-788-110/

Using Group Policy WMI filters? Computers booting slow? – https://deploywindows.info/2016/02/15/using-group-policy-wmi-filters-computers-booting-slow/

Creating WMI Filters and GPOs with PowerShell – https://www.darkoperator.com/blog/2012/3/23/creating-wmi-filters-and-gpos-with-powershell.html

Fun with WMI Filters in Group Policy – https://blogs.technet.microsoft.com/askds/2008/09/11/fun-with-wmi-filters-in-group-policy/

GPO Migration with PowerShell – Now including WMI filters – https://blogs.technet.microsoft.com/ashleymcglone/2014/08/11/gpo-migration-with-powershell-now-including-wmi-filters/

WMI Filter Validation Utility

https://sdmsoftware.com/gpoguy/free-tools/library/wmi-filter-validation-utility/

Advertisements

Posted in Active Directory, Group Policy, Windows, Windows Server 2012 | Leave a Comment »

Windows Server 2012: New cool DHCP feature !

Posted by bartvdw on 1919/1111/2012

With the release of WS2012 there are many new features included and discussed. One I find personally great is DHCP Failover !

If you’re planning WS2012 DHCP servers, you should most certainly look into this feature and use it…

Ensuring High Availability of DHCP using Windows Server 2012 DHCP Failover
http://blogs.technet.com/b/teamdhcp/archive/2012/06/28/ensuring-high-availability-of-dhcp-using-windows-server-2012-dhcp-failover.aspx

Step-by-Step: Scoping out the NEW DHCP Failover in Windows Server 2012 – 31 Days of Favorite Features ( Part 28 of 31 )
http://blogs.technet.com/b/keithmayer/archive/2012/10/28/step-by-step-scoping-out-the-new-dhcp-failover-in-windows-server-2012-31-days-of-favorite-features-part-28-of-31.aspx#.UKofh4a4joG

Posted in DHCP, Microsoft, Windows, Windows Server 2012 | 1 Comment »

Windows Server 2012: DFSR information

Posted by bartvdw on 1919/1111/2012

Great article describing a lot of DFSR improvements in WS2012.

Beware in the ‘Dynamic Access Control Support’ part, it states: ‘Microsoft strongly discourages mixed Windows Server 2012 and legacy operating systems DFSR.’

In the comments the author Ned Pyle notes regarding migration: ‘Remember the point above that you should not deploy claims-based access/central access policy to these machines until you have all Win2012 though.’

I think that’s quiet important detail to remember! Now start reading these great articles, both by Ned Pyle…! 🙂

 

DFS Replication Improvements in Windows Server 2012
http://blogs.technet.com/b/filecab/archive/2012/11/12/dfs-replication-improvements-in-windows-server-2012.aspx

Series Wrap-up and Downloads – Replacing DFSR Member Hardware or OS
http://blogs.technet.com/b/askds/archive/2010/09/10/series-wrap-up-and-downloads-replacing-dfsr-member-hardware-or-os.aspx

Posted in Microsoft, Windows, Windows Server 2012 | Leave a Comment »

Performance Tuning Guidelines for Windows Server 2012

Posted by bartvdw on 0808/0808/2012

Paper: Performance Tuning Guidelines for Windows Server 2012
http://virtualization.info/en/news/2012/08/paper-performance-tuning-guidelines-for-windows-server-2012.html

http://download.microsoft.com/download/0/0/B/00BE76AF-D340-4759-8ECD-C80BC53B6231/performance-tuning-guidelines-windows-server-2012.docx

Posted in Microsoft, Windows Server 2012 | Leave a Comment »

Active Directory and the Resilient File System (ReFS)

Posted by bartvdw on 0202/0808/2012

http://blogs.dirteam.com/blogs/sanderberkouwer/archive/2012/08/02/active-directory-and-the-resilient-file-system-refs.aspx

Posted in Active Directory, Microsoft, Windows Server 2012 | Leave a Comment »

Windows Server 2012: Goodbye dcpromo !

Posted by bartvdw on 1313/0606/2012

With the new release Windows Server 2012 the command dcpromo is no more… If you type in the command you will receive a pop-up informing you it has moved to Server Manager.

The link below describes how to promote a Windows Server 2012 to domain controller step-by-step.

As always this also has a new schema version, for the RC version it’s currently 56. My earlier post with the AD schema numbers has also been updated with this information.

Promote Windows Server 2012 to Domain Controller, step-by-step
http://www.infotechguyz.com/WindowsServer2012/windowsserver2012dcpromo.html

Active Directory schema version numbers
https://bartvdw.wordpress.com/2011/01/25/active-directory-schema-version-numbers/

Posted in Active Directory, Windows, Windows Server 2012 | 1 Comment »