Why Group Policy ISN’T SLOW


Last week, I finished giving a Group Policy Master class. In the middle of the class one of the guys asked me "Jeremy, now that we’ve been using GP a little while, and are really embracing GPOs, things are a little bit slower sometimes when new users log on."

And my response might shock you.

I said "Awesome!"

He was a little taken aback. And I know why. He thought he had a problem. But he doesn’t. He just missed a key point about how GP works.

Let’s imagine that you wanted to do something a little crazy. And, I know you wouldn’t really want to do what I’m about to describe; it’s just something for us to hang our hats on, okay? So, imagine you wanted to (yikes) re-ACL your entire hard drive. Yep. That’s the directive. Ouch. Again, it’s just theoretical, so go with me here.

So, in simple terms you have a handful of options:

  • Use a startup script which manually does the deed
  • Manually run a script which does the deed on each machine
  • Use GP to deliver the same set of instructions via the NTFS security node

They all do the same thing, right? Right. And the action they’re taking (the actual "thing" they’re doing) is kind of slow and painful, right?


So is the GP engine the cause of this "slowdown?" No. It’s the "action" you’re doing. The theoretical re-ACL’ing of the hard drive.

So I was kind of excited when he said that sometimes things are slower because that means he’s actually DOING something with GP. So, I like to say that GP is a "Blame the message, not the messenger" technology.

A little later in the GP 2.0 Catch-up class I showed him how to bust apart Windows 7’s new logging mechanism and see — precisely — how long a "GP Cycle" takes. That way he can be really, really sure how long GP was taking to process each step if he wanted to. Heck, it might not even be that anything he’s DOING with GP is even causing the slowdown!

In other words — Group Policy might not be likely to blame AT ALL for any slowdown. By showing him how to "bust apart" the logs, he could see that GP wasn’t taking long at all! The culprit was, well, something else.
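One way to time each "GP Cycle" from the logs, as an added example (not the author's class material): it reads the Group Policy operational log, groups events by the ActivityId that every event in one cycle shares, and reports the total time plus the longest gap between consecutive events, which is where a slow step shows up. The channel name and the 4000-4007 start-event range come from Windows itself, not from this page; the 5000-event window is an arbitrary choice.

```powershell
# Added example: how long did each Group Policy processing cycle take?
# Run from an elevated session if the log cannot be read.
$logName  = 'Microsoft-Windows-GroupPolicy/Operational'
$startIds = 4000..4007   # events that open a cycle (boot, logon, manual, periodic refresh)

# Every event written during one cycle carries the same ActivityId.
$events = Get-WinEvent -LogName $logName -MaxEvents 5000 -ErrorAction Stop |
    Where-Object { $_.ActivityId }

$report = foreach ($cycle in ($events | Group-Object -Property ActivityId)) {
    $sorted = @($cycle.Group | Sort-Object TimeCreated, RecordId)
    $start  = $sorted | Where-Object { $startIds -contains $_.Id } | Select-Object -First 1

    # Skip cycles whose start event has already rolled out of the log.
    if (-not $start -or $sorted.Count -lt 2) { continue }

    # Find the longest pause between two consecutive events in this cycle.
    $worstGap   = [timespan]::Zero
    $worstEvent = $null
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        $gap = $sorted[$i].TimeCreated - $sorted[$i - 1].TimeCreated
        if ($gap -gt $worstGap) {
            $worstGap   = $gap
            $worstEvent = $sorted[$i - 1]
        }
    }

    [pscustomobject]@{
        Started           = $start.TimeCreated
        StartEventId      = $start.Id
        TotalSeconds      = [math]::Round(($sorted[-1].TimeCreated - $sorted[0].TimeCreated).TotalSeconds, 2)
        LongestGapSeconds = [math]::Round($worstGap.TotalSeconds, 2)
        # First line of the message logged just before the longest pause.
        StepBeforeGap     = if ($worstEvent) { ([string]$worstEvent.Message -split "`n")[0] } else { '' }
    }
}

$report | Sort-Object Started -Descending | Format-Table -AutoSize -Wrap
```

A cycle with a small TotalSeconds on a machine that still feels slow at logon points away from Group Policy; a large LongestGapSeconds names the step to look at first.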

But in any case, the next time you think "Hey, the computer is running a little slowly" take a step back. It means it’s working. (But also consider getting smarter in GP troubleshooting too, to be 100% sure GP isn’t the culprit!)