Group Policy: Best Practices for Troubleshooting Performance Problems

There are tradeoffs to everything. In a Windows environment, users want fast logons/startups and a consistent experience across multiple devices. An efficient logon is often related to ease of use. For example, Folder Redirection and Group Policy Printer Preferences provide more unified end user experiences at the cost of slower logons. This is a classic case of speed vs. accessibility.

As more modifications are made over time, a certain amount of Group Policy bog can develop. The key to fixing Group Policy slowness is to consistently monitor its performance. In this guide, we will explore several new tools and common issues with Group Policy performance. We’ll specifically focus on a Windows 10 environment.

Monitoring Group Policy Performance from Clients

Very few things are more frustrating than waiting for a machine to log on…and waiting…and waiting … and waiting. Machines with problems can often take 10+ minutes to start up or log on. The only indication that the end user receives is a Please Wait message or the equivalent Windows 10 Getting things ready for you screen.

To let users know that the machine isn’t just hung up and to help you troubleshoot, you will want to enable the following two GPO settings across your machines:

  • Computer Configuration\Policies\Administrative Templates\System – Display Highly Detailed Status Messages : Setting – Enabled
  •  Computer Configuration\Policies\Administrative Templates\System\Logon\ – Show first sign-in animation : Setting – Disabled

 The first setting displays the startup component that is currently running instead of the generic startup messages. For example, you may see Applying Group Policy Software Installation if your machines are installing a GP deployed MSI. This setting was previously known as Group Policy Verbose mode. To make future troubleshooting easier, I prefer to enable this setting on clients and servers.

GP1

The second setting removes the Getting things ready for you animation that appears the first time a user logs on to a machine. The user will see some detailed status messages before the animation takes overs. This policy should be set to disabled for the user to see all messages. I prefer applying this policy to all clients. Servers do not show the first logon animation.

Monitoring Group Policy Performance from the GPMC

As a rule, administrators should always use the latest RSAT installation for the clients that they are managing. If you are managing Windows 10 clients, your administration machine should be at Windows 10 with the latest RSAT installed on it.

When running a Group Policy result within the Group Policy management Console on a Windows 10 machine, you will notice a new Component Status section under the Details tab. Components of Group Policy, such as Folder Redirection and Group Policy Printer Preferences, are known as Client Side Extensions (CSEs). This component status section will display the last evaluation status of each CSE. It will also display how long each CSE took to process. These values are also stored in the Group Policy event log on client machines.

GP2

This pane can help an administrator quickly troubleshoot Group Policy performance problems. Any item with a 600-second time failed to complete. The Group Policy service only allows a CSE 10 minutes to complete by default.

Beware the Legacy CSEs

Group Policy CSEs have evolved with each iteration of Windows or the component that they service. A perfect example of this are the CSEs that manage Internet Explorer. One of the earliest management methods involved the Internet Explorer Maintenance (IEM) extension. IEM complemented many of the features available under Administrative Templates\Windows Components\Internet Explorer. Several years later, Microsoft introduced Group Policy Preferences for Internet Explorer (IE). Having three management tools for one product became confusing for everyone!

With the release of IE10, IEM was removed from the GPMC on any machine on which IE10 was installed. This change holds true for Windows 10/IE11 as well.

GP3

Before Group Policy Preferences (GPPs), everything in Group Policy was locked down. When GPPs were first released, many administrators treated them like an administrative template (also known as a policy setting). Many individual preference actions were changed to Replace, and the Remove this item when it is no longer applied option was set. This has the big downside of making the GPP reprocess every time Group Policy is refreshed and on every logon/startup.

Many Group Policy environments are not updated for changes in CSEs or to reflect GPP behavior. Administrators may still apply IEM settings by using the GPMC on older operating systems. When possible, administrators should look at the following alternatives for these time-inefficient CSES:

  • IEM: Replace with Administrative Templates or Preferences
  • Deployed Printers: Replace with Printer Preferences
  • Group Policy Software installation: Replace with a software management suite such as SCCM
  • Folder Redirection: Replace with an alternative such as Work Folders

You will notice that user side Group Policy scripts is not listed above. With the release of Windows 8.1, GP scripts can be configured to fire off after X seconds instead of running during the logon process. This allows scripts to run behind the scenes after a user is already logged in. This setting can be found at Computer Configuration\Administrative Templates\System\Group Policy

GP4

Administrators should reevaluate any of their deployed preferences. When possible, preference items should use Create or Update. I personally prefer the consistency of only using the Create preference. Item-level targeting should evaluate local resources only if time is of the essence. Finally, consider shifting certain items from the user logon to the computer startup. A perfect CSE for this is Printer Preferences.

As you monitor your Group Policy’s performance, you will likely find some configurations that can be undone or migrated. By using the GPMC, you can evaluate processing time across clients and focus on time-expensive CSEs. I stated earlier that there are tradeoffs to everything. Good luck in your struggle to balance speed and accessibility!