Monday, February 21, 2011

Group Policy Horrors

I'm reviewing a client's environment to assess the root causes of reported "slow logins".  I do my usual quick-pass analysis of the AD environment, the connectivity, DNS, blah blah.  Then I do a second pass with DCDIAG, NETDIAG, REPADMIN, event logs, nslookup, gpresult, etc.  Three words: Oh My God.  They don't have a log of GPO's in their environment, but after 30 minutes of intense scrutiny of what each GPO had "enabled" or "disabled", I had to look around to find where my jaw bone had fallen off.

People.

Please.

If you tinker with GPO's…

TEST THEM in an ISOLATED environment BEFORE you ever put them into PRODUCTION.

I beg you.  Please.

Apparently, the sysadmin dudes (I haven't yet met them so I will withhold judgement until I do) had found quite a few (translation: hundreds) settings they thought interesting enough to modify.  Aside from the DNS errors, the replication errors, the DHCP errors, the roaming profiles (oh holy geez, I haven't yet begun to digest that part, ugh), and the WINS/NetBIOS master browser bullshit flying around like gnats at a carcass party in the Sahara, I would say that at least a good portion of the "slowness" is from having to process a (excuse my technical term here…) shitload of Group Policy settings at every login and every 90 minutes thereafter, as well as at every startup, logoff and shutdown.  Yes.  I'm not kidding.  They enabled or disabled things for all of those events.  Wonderful.

How can I compare this to something tangible in life?…. hmm…. fingers tapping…. stares into space pondering a suitable analogy or metaphor…. hmm….

Ok.

It's like this:  Group Policy is powerful and insanely useful.  It is fire.  Fire can cook food.  It can provide warmth in a harshly cold environment.  It can dry things.  It can also burn the absolute living shit out of you if you don't treat it with respect.  Yes.  I mean that absolutely.  GPO's are not something to tinker with unless you've studied them, tested them and tested them again.  Jeremy Moskowitz has some great info out there to read up on, as do many other sites, blogs, etc.

One word to keep in mind at all times with GPO's is "tattooing": a setting that stays behind in the registry after the policy that wrote it is gone.  Undoing a GPO change in a large environment can often be a daunting and difficult task.  It's not always a matter of changing a setting from "Enabled" to "Not Configured".  Many times you have to "double-smack" it by setting it to the opposite, and then back to "Not Configured".  It's messy.  In some instances things can get broken so bad that the only pragmatic "fix" is a new environment.  Yep.  I've seen that.
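Here is an added PowerShell example (mine, not from the original post) showing how to check a lab machine for a tattooed setting and how the "double-smack" plays out in practice. It assumes a test GPO named LAB-Test-Policy, the RSAT GroupPolicy module, and a hypothetical custom ADMX setting that writes HKLM\Software\Contoso\Lab\DisableWidget; that key sits outside the Software\Policies hive, which is exactly the kind of value that tattoos (values under Software\Policies are cleaned up when the policy no longer applies).

```powershell
# Added example, not part of the original post. Run in an ISOLATED lab only.
# Assumed names: GPO "LAB-Test-Policy" and a hypothetical custom ADMX setting
# stored at HKLM\Software\Contoso\Lab\DisableWidget (a "preference", i.e. not
# under HKLM\Software\Policies, so Windows will not remove it for you).
Import-Module GroupPolicy

$GpoName   = 'LAB-Test-Policy'
$Key       = 'HKLM\Software\Contoso\Lab'
$ValueName = 'DisableWidget'

function Get-TattooState {
    param([string]$GpoName, [string]$Key, [string]$ValueName)
    # What the GPO currently says (nothing returned = Not Configured)
    $inGpo = Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -ErrorAction SilentlyContinue
    # What this machine actually has in the registry after policy processing
    $local = Get-ItemProperty -Path ("Registry::" + $Key) -Name $ValueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        GpoValue   = if ($inGpo) { $inGpo.Value } else { 'Not Configured' }
        LocalValue = if ($local) { $local.$ValueName } else { '<absent>' }
        # Tattooed = GPO no longer configures it, yet the value is still here
        Tattooed   = (-not $inGpo) -and ($null -ne $local)
    }
}

# Step 1: the naive fix, set the GPO value to Not Configured and refresh.
Remove-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -ErrorAction SilentlyContinue | Out-Null
gpupdate /target:computer /force | Out-Null
$state = Get-TattooState -GpoName $GpoName -Key $Key -ValueName $ValueName
$state   # Expect Tattooed = True: the registry still says DisableWidget = 1

if ($state.Tattooed) {
    # Step 2: the "double-smack". Push the opposite value so every client
    # actually rewrites it, refresh, then set it back to Not Configured.
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type DWord -Value 0 | Out-Null
    gpupdate /target:computer /force | Out-Null
    Remove-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName | Out-Null
    gpupdate /target:computer /force | Out-Null
    # The value name is still present (tattoos never disappear on their own),
    # but it now holds the harmless default 0 instead of the old setting.
    Get-TattooState -GpoName $GpoName -Key $Key -ValueName $ValueName
}
```

To make the leftover value itself go away you still need an explicit delete (a Group Policy Preferences Registry item with the Delete action, or a script), which is why testing before production matters so much.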

My wife is cooking something that smells so f-ing good I'm ready to eat my own shirt sleeve in response to uncontrollable hunger.  Gotta go - cheers!
