Group Policy and WMI Filters–Round 2

This is more of a link dump than anything else.  I was asked what I thought of a WMI-related Group Policy change.

I don’t much care for them.

So I know that WMI Filter queries are a bad idea, but didn’t know how to measure that badness until I saw this blog post (WMI filter queries and thoughts on performance) by Martin Binder.

You can enclose your WMI Filter in a PowerShell “Measure-Command” command, and measure it that way.

Measure-Command { for ( $i=1; $i -le 1000; $i++ ) { Get-WmiObject -Query "SELECT Model FROM Win32_ComputerSystem WHERE Model LIKE 'Compaq Presario A%BB%'" } } | Select-Object TotalMilliseconds | Format-List

TotalMilliseconds : 23308.6037

As the command is looping 1000 times, you’d divide by 1000 and get the answer 23 milliseconds.

Group Policy and WMI filtering slowness
Optimizing Group Policy WMI Filters
Introduction to WMI Basics with PowerShell Part 1 (What it is and exploring it with a GUI)

So what does the Group Policy Preferences Drive Mapping log file contain?

Once you enable the logging via Group Policy, you’ll end up with a log file which contains:

  • Environment variable dump
  • Group Policy settings
  • Drive mapping lists (but not the actual path)

If you are like me, and misspell a file path, you’ll see an error like this:

2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Passed filter [FilterGroup].
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Filters passed.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Set user security context.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Adding child elements to RSOP.
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Properties handled. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Set system security context.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] EVENT : The user 'G:' preference item in the 'Map-Network-Drives {E089D01A-C249-48F5-8049-9C8FC96AA38F}' Group Policy object did not apply because it failed with error code '0x80070035 The network path was not found.'%100790273
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Error suppressed. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Completed class <Drive> - G:.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] {67803C61-824B-4ABA-ABFF-65E8687B0E59}

Three things to note:

  1. Windows Explorer will accept a “\” in a network path, Group Policy Preferences won’t.
  2. GPP will wait 3+ seconds before timing out with an error.
    Multiple wrong/missing paths will slow down your user’s logon experience.
  3. The error will also write into the Event Log.
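To find these failures without reading the trace by eye, the sketch below (an added example, not part of the original post or of any Microsoft tooling) parses lines in the format shown above, keeps those carrying a failure HRESULT, and reports how long the thread waited before each one. The function name, the `-SlowSeconds` threshold and the four sample lines (copied from the excerpt above) are assumptions made for the illustration.

```powershell
# Constructed sample: four lines copied from the trace excerpt in the post.
$sampleTrace = @(
    '2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Adding child elements to RSOP.'
    '2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Properties handled. [ hr = 0x80070035 "The network path was not found." ]'
    '2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Error suppressed. [ hr = 0x80070035 "The network path was not found." ]'
    '2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Completed class <Drive> - G:.'
)

function Get-GppTraceFailure {
    # Hypothetical helper: one object per trace line that carries a failure HRESULT.
    param(
        [Parameter(Mandatory)][string[]]$Line,
        [double]$SlowSeconds = 3          # wait that counts as a logon delay
    )
    $linePattern = '^(?<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) \[pid=(?<proc>0x[0-9a-f]+),tid=(?<thread>0x[0-9a-f]+)\] (?<msg>.*)$'
    # First hex digit 8-f means the HRESULT severity bit is set, i.e. a failure.
    $hrPattern   = '\[ hr = (?<hr>0x[89a-f][0-9a-f]{7}) "(?<text>[^"]*)" \]'
    $lastSeen    = @{}                    # previous timestamp per pid/tid pair

    foreach ($entry in $Line) {
        if ($entry -match $linePattern) {
            # Copy the captures out now: the next -match replaces $Matches.
            $msg  = $Matches.msg
            $key  = '{0}/{1}' -f $Matches.proc, $Matches.thread
            $time = [datetime]::ParseExact($Matches.ts, 'yyyy-MM-dd HH:mm:ss.fff',
                                           [cultureinfo]::InvariantCulture)
            # Time since the previous line on the same thread = how long this step blocked.
            $gap = if ($lastSeen.ContainsKey($key)) { ($time - $lastSeen[$key]).TotalSeconds } else { 0 }
            $lastSeen[$key] = $time

            if ($msg -match $hrPattern) {
                [pscustomobject]@{
                    Time        = $time
                    HResult     = $Matches.hr
                    Message     = $Matches.text
                    WaitSeconds = [math]::Round($gap, 3)
                    Slow        = $gap -ge $SlowSeconds
                }
            }
        }
    }
}

# For a real trace: Get-GppTraceFailure -Line (Get-Content '<path to your GPP trace file>')
Get-GppTraceFailure -Line $sampleTrace | Format-Table -AutoSize
```

Rows with `Slow` set to True are the preference items that held up the logon; the `Error suppressed` line that follows each one repeats the same HRESULT with a near-zero wait.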

Saturday Link Roundup–Group Policy, Kerberos, BranchCache

Group Policy



Consolidated list of AGPM resources

The bulk of these links are from the Microsoft Canberra Premier Field Engineering Team Blog November 2015 post.


Advanced Use, Auditing and Troubleshooting

Powershell and Scripting

Other Reading


“Index was outside the bounds of the array” error with AGPM

… when trying to edit a Group Policy Preference which uses Item Level Targeting.

Using AGPM.

The underlying cause is that only AGPM 4.0 SP3 and later clients support Windows 10.  So if you are using an older AGPM client, you need to upgrade in order to safely edit Windows 10 Group Policies.

But to upgrade your AGPM client, you may need to upgrade your AGPM Server; both the AGPM install on the server and the Server Operating System.

The Microsoft advice is ambiguous.

So where, oh where is “AGPM.ADM”?

Despite several Microsoft Advanced Group Policy Management pages saying

You can centrally configure optional logging and tracing for Advanced Group Policy Management (AGPM) using Administrative templates.

they don’t tell you where to find the Group Policy AGPM.ADM or AGPM.ADMX files.

After much searching and time wasted, I can tell you that if you install the AGPM client, you will have a copy of AGPM.ADMX dropped into your local %windir%\PolicyDefinitions directory.

Configure Logging and Tracing
Ask the Directory Services Team – AGPM Production GPOs (under the hood)
Active Directory Infrastructure Self-Study Training Kit: Stanek & Associates Training Solutions

400 Bad Request and Internet Explorer.

The customer reported that they were unable to access our company intranet site.  They were getting a "400 Bad Request" error from Internet Explorer.

So what did I do?  I picked up the phone and asked our "Web Admin" chap,
"What have you done to our poor customer".

‘Nothing Wisefaq, but here’s the answer to the problem:
The customer is a member of 140+ Active Directory Groups, and this is causing the Kerberos token to be far too long for our Apache Web Server to authenticate.’

Once I knew that, I was able to find lots of answers to the problem.  Here are some of them:

  1. 400 Bad Request (Header Field Too Long) when using Kerberos authentication
  2. Apache Bad Request “Size of a request header field exceeds server limit” with Kerberos SSO
  3. New resolution for problems with Kerberos authentication when users belong to many groups
    Number 3 was the crux of the problem, “when users belong to many groups”.  We took the easy way out, and reduced the number of AD Groups the customer was a member of.

Bonus information
Not only was Internet Explorer broken, but any system which used Kerberos, such as our email and document management system.
140+ Active Directory Groups, which were direct membership.  I suspect there are some additional nested group memberships in there too.

Group Policy and WMI filtering slowness.

Having spent time investigating slow network logons, I dislike using WMI for Group Policy filtering.  It just adds a layer of slowness to logons.

WMI filtering does have its place, and I do still use it, and occasionally recommend it, for very specific reasons.  Such as when we’re piloting a new version of Microsoft Office (2010), and we need to only apply the specific Office 2010 group policies to Office 2010 pilot users.

But what I’ve done, and I suspect most people do though, is grab the first applicable WMI class and use that.  The first applicable WMI class I’ve grabbed is Win32_Product.

Which would be a silly thing to do.  In the words of Microsoft:

Win32_product Class is not query optimized. Queries such as “select * from Win32_Product where (name like ‘Sniffer%’)” require WMI to use the MSI provider to enumerate all of the installed products and then parse the full list sequentially to handle the “where” clause. This process also initiates a consistency check of packages installed, verifying and repairing the install. With an account with only user privileges, as the user account may not have access to quite a few locations, may cause delay in application launch and an event 11708 stating an installation failure.

Microsoft KB 974524 Event log message indicates that the Windows Installer reconfigured all installed applications

Far better in this case to follow Microsoft advice and use Win32reg_AddRemovePrograms.  For the sharper eyed readers, you can see that very thing in the picture above.

With thanks to SDM Software, where I first saw this issue written about.
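The Measure-Command approach from the first post and the Win32_Product warning quoted above combine into one comparison harness, shown here as an added example that is not the author's or Microsoft's code. It times each candidate filter query, reports whether the filter would evaluate to true on this machine, and refuses to run anything against Win32_Product because of the reconfiguration side effect described above. The function name and the second and third sample queries are assumptions, and Win32reg_AddRemovePrograms may not be registered on every machine, so a failed query is caught and reported.

```powershell
function Measure-WmiFilterQuery {
    # Hypothetical helper: average evaluation time per WMI filter query.
    # Assumes Windows PowerShell, where Get-WmiObject is available.
    param(
        [Parameter(Mandatory)][string[]]$Query,
        [string]$Namespace = 'root\CIMv2',
        [int]$Iterations = 100
    )
    foreach ($q in $Query) {
        # Win32_Product makes the MSI provider enumerate and re-validate every
        # installed package, so it is listed in the results but never executed.
        if ($q -match '\bFROM\s+Win32_Product\b') {
            [pscustomobject]@{ Query = $q; AvgMs = $null; Matched = $null; Note = 'skipped: Win32_Product' }
            continue
        }
        try {
            # Untimed first run: warms the provider and shows whether the filter
            # would pass here (a WMI filter is true when the query returns an instance).
            $hit = @(Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction Stop).Count -gt 0
            $elapsed = Measure-Command {
                for ($i = 0; $i -lt $Iterations; $i++) {
                    $null = Get-WmiObject -Namespace $Namespace -Query $q -ErrorAction Stop
                }
            }
            [pscustomobject]@{
                Query   = $q
                AvgMs   = [math]::Round($elapsed.TotalMilliseconds / $Iterations, 2)
                Matched = $hit
                Note    = ''
            }
        }
        catch {
            # Missing class, bad namespace or invalid WQL: report it, keep going.
            [pscustomobject]@{ Query = $q; AvgMs = $null; Matched = $null; Note = "failed: $($_.Exception.Message)" }
        }
    }
}

$candidates = @(
    "SELECT Model FROM Win32_ComputerSystem WHERE Model LIKE 'Compaq Presario A%BB%'"                # from the post
    "SELECT Version FROM Win32_OperatingSystem WHERE ProductType = 1"                                 # constructed
    "SELECT DisplayName FROM Win32reg_AddRemovePrograms WHERE DisplayName LIKE 'Microsoft Office%'"  # constructed
    "SELECT Name FROM Win32_Product WHERE Name LIKE 'Microsoft Office%'"                              # skipped by design
)
Measure-WmiFilterQuery -Query $candidates | Sort-Object AvgMs -Descending | Format-Table -AutoSize -Wrap
```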

The "Always ask before opening this type of address" issue

We’re rolling out a new version of Internet Explorer for a customer.  They were on IE6…

During the pilot, they reported this issue.

The error above is actually generated by a Windows feature called the "Attachment Manager".

"The Attachment Manager in Windows can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet."

It seems I had gotten two things wrong.

  1. failed to configure the corporate internet address as being in the "Intranet" zone.
  2. failed to configure the Attachment Manager at all.

So about that Attachment Manager.
The group policy to configure Attachment Manager can be found in System.Adm.
I created an Attachment Manager-only ADM file, which you can download here.

Some reference articles:
Description of how the Attachment Manager works in Microsoft Windows
How To Configure Trusted Sites In Internet Explorer For A Group Policy
Why don’t the file timestamps on an extracted file match the ones stored in the ZIP file?

Getting a list of users in an Active Directory group.

Like the write-up I did on how to get a list of users in your domain, there are several ways to do this, but the method I prefer to use is the Get-QADGroupMember command from the Quest Active Server Roles PowerShell module.

  1. Start the ‘ActiveRoles Management Shell for Active Directory’ console
  2. Enter the following command string
    Get-QADGroupMember  -sizelimit 0 'MyDomain\My AD Group Name' | Select-Object sAMAccountName, DisplayName
  3. and then press Enter

SamAccountName    DisplayName
DaggF             Fred Dagg
CollinsP          Paul Collins
SprouleK          Ken Sproule
ReithP            Peter Reith
SmithC            Coach Smith
RookeM            Mike Rooke

Or if I want to dump it out to a CSV file, so I can look at it in Excel:
Get-QADGroupMember  -sizelimit 0 'MyDomain\My AD Group Name' | Select-Object sAMAccountName, DisplayName | Export-CSV 'c:\temp\My AD Group Name.csv'

To dump all the user details out, you could do something like:
get-QADGroupMember  -sizelimit 0  -IncludeAllProperties -SerializeValues 'MyDomain\My AD Group Name' | Export-CSV 'c:\temp\My AD Group Name-ALL Details.csv'


  • This will ONLY get the direct members of a group.  It will not get members of an AD group that is in the AD group you are trying to list out.
  • If you are querying a different domain, you need to connect to it first, i.e. Connect-QADService -service 'MyDomain'