Group Policy and WMI Filters–Round 2

Sexy Coffee at North Denver and Rosa Parks Way in Portland, Oregon - Wikipedia user Visitor7This is more of a link dump than anything else.  I was asked what I thought of a WMI-related Group Policy change.

I don’t much care for them.

So I know that WMI Filter queries are a bad idea, but didn’t know how to measure that badness until I saw this blog post (WMI filter queries and thoughts on performance) by Martin Binder.

You can enclose your WMI Filter in a PowerShell “Measure-Command” command, and measure it that way.

Measure-Command { for ( $i=1; $i -le 1000; $i++ ) { Get-WmiObject –Query "SELECT Model FROM Win32_ComputerSystem WHERE Model LIKE 'Compaq Presario A%BB%'" } } | Select-Object TotalMilliseconds | Format-List

TotalMilliseconds : 23308.6037

As the command is looping 1000 times, you’d divide by 1000 and get the answer 23 milliseconds.

Group Policy and WMI filtering slowness
Optimizing Group Policy WMI Filters
Introduction to WMI Basics with PowerShell Part 1 (What it is and exploring it with a GUI)

So what does the Group Policy Preferences Drive Mapping log file contain?

Once you enable the logging via Group Policy, you’ll end up with a log file which contains:

  • Environment variable dump
  • Group Policy settings
  • Drive mapping lists (but not the actual path)

If you are like me, and misspell a file path, you’ll see an error like this:

2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Passed filter [FilterGroup].
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Filters passed.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Set user security context.
2016-03-31 10:44:47.981 [pid=0x45c,tid=0x53c] Adding child elements to RSOP.
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Properties handled. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.652 [pid=0x45c,tid=0x53c] Set system security context.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] EVENT : The user 'G:' preference item in the 'Map-Network-Drives {E089D01A-C249-48F5-8049-9C8FC96AA38F}' Group Policy object did not apply because it failed with error code '0x80070035 The network path was not found.'%100790273
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Error suppressed. [ hr = 0x80070035 "The network path was not found." ]
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] Completed class <Drive> - G:.
2016-03-31 10:48:21.668 [pid=0x45c,tid=0x53c] {67803C61-824B-4ABA-ABFF-65E8687B0E59}

Three things to note:

  1. Windows Explorer will accept a “\” in a network path, Group Policy Preferences won’t.
  2. GPP will wait 3+ seconds before timing out with an error.
    Multiple wrong/missing paths will slow down your user’s logon experience.
  3. The error will also write into the Event Log.

Saturday Link Roundup–Group Policy, Kerberos, BranchCache

grouppolicy_thumb.jpgGroup Policy



Configuring DNS Suffix Search List via Group Policy

DNS Suffix Search List It seemed like a good idea at the time, configure the DNS Suffix Search List centrally so everyone gets the same thing.

The wheels fell off when I went to configure the 15th domain suffix.  The DNS Suffix Search List Group Policy accepted the value, but the desktop client wasn’t reading it.

The reason I needed to add another prefix, was that an off-site internal website, http://Noddyhome, was not resolving.  It was working if the customer typed in the fully qualified domain name,

After much head scratching, it looks as if there is a 200 character limit to that policy.  ““ just wouldn’t fit.

The fix?  We used the GlobalNames Zone feature of Windows 2008.

Setting DNS Suffix Search List via GPO (Ryan Adams Blog)

Group Policy and WMI filtering slowness.

Group Policy and WMIHaving spent time investigating slow network logons, I dislike using WMI for Group Policy filtering.  It just adds a layer of slowness to logons.

WMI filtering does has it’s place, and I do still use, and occasionally recommend it for very specific reasons.  Such as when we’re piloting a new version of Microsoft Office (2010), and we need to only apply the specific Office 2010 group policies to Office 2010 pilot users.

But what I’ve done, and I suspect most people do though, is grab the first applicable WMI class and use that.  The first applicable WMI class I’ve grabbed is Win32_Product.

Which would be a silly thing to do.  In the words of Microsoft:

Win32_product Class is not query optimized. Queries such as “select * from Win32_Product where (name like ‘Sniffer%’)” require WMI to use the MSI provider to enumerate all of the installed products and then parse the full list sequentially to handle the “where” clause. This process also initiates a consistency check of packages installed, verifying and repairing the install. With an account with only user privileges, as the user account may not have access to quite a few locations, may cause delay in application launch and an event 11708 stating an installation failure.

Microsoft KB 974524 Event log message indicates that the Windows Installer reconfigured all installed applications

Far better in this case to follow Microsoft advice and use Win32reg_AddRemovePrograms.  For the sharper eyed readers, you can see that very thing in the picture above.

With thanks to SDM Software, where I first saw this issue written about.

The "Always ask before opening this type of address" issue

We’re rolling out a new version of Internet Explorer for a customer.  They were on IE6…

During the pilot, they reported this issue.

The error about is actually generated by a Windows feature called the "Attachment Manager".

"The Attachment Manager in Windows can help protect your computer from unsafe attachments that you might receive with an e-mail message and from unsafe files that you might save from the Internet."

It seems I had gotten two things wrong.

  1. failed to configure the corporate internet address as being in the "Intranet" zone.
  2. failed to configure the Attachment Manager at all.

So about that Attachment Manager.
The group policy to configure Attachment Manager can be found in System.Adm.
I created a Attachment Manager only ADM file, which you can download here.

Some reference articles:
Description of how the Attachment Manager works in Microsoft Windows
How To Configure Trusted Sites In Internet Explorer For A Group Policy
Why don’t the file timestamps on an extracted file match the ones stored in the ZIP file?

One way to compare Group Policy settings

Use GPO Compare, which works, but I wouldn’t buy it in a pink fit.

GPO Compare

GPO Compare allows you to quickly compare settings between two Group Policies.  And it works.  I like it.  You can export the differences to Excel or PDF file.  In the two policies above, I thought there were no differences.

I was wrong.  These seemingly similar policies had 150+ differences,  There goes the idea of just turning off GPO A.  I’ll now have to look though those 150 differences and see what really matters.  The price is ok, at $199 US, for what is does.  It would cost me more than $199 to write my own utility.

But the reason I wouldn’t buy it?  The need to “Request a Trial”.  It should be labelled “Request a Sales Call before we let you evaluate it.”

Bookmark and Share

Semi-regular web-link clearance (2) – November 2009

File Server Capacity Tool (FSCT) 1.0

New builds of Microsoft Windows are produced almost every day for internal development and testing. In order to detect performance regressions as soon as possible, those builds have to be evaluated and compared to their predecessors as well as previous public releases. A range of performance tests are used for these comparisons, including one called “FSCT” (which stands for File Server Capacity Tool). FSCT was developed by the Windows Server Performance team as a tool capable of simulating multiple concurrent users accessing a file server using CIFS/SMB/SMB2.

Enable HAL detection on a Windows Server 2008 R2 VHD virtual image
… And I (wrongly) thought we were over the whole HAL detection problem.

SCCM: Forcing a Task Sequence to Rerun

There are well known methods to force an advertisement to rerun – including several add-on tools available for the SMS or SCCM console.  To date, however, there are not equivalent methods to force a task sequence to rerun.  Part of this may be because task sequences are typically thought of as focused on Operating System Deployment (OSD) and rerunning these types of distributions are not as common as rerunning advertisements.

Group Policy Settings References for Windows and Windows Server

These spreadsheets list the policy settings for computer and user configurations included in the Administrative template files delivered with the Windows operating systems specified. You can configure these policy settings when you edit Group Policy objects (GPOs).

The Case of the Mysterious Black Box (SAN analysis for beginners)

I haven’t had any performance analysis challenges lately, but there is a lot of confusion as to how to measure SAN performance. To many, a SAN is a proverbial “mysterious black box” that seems to perplex all who try to measure it’s performance with any measure of certainty. This blog entry covers how I measure the performance of SANs and tries to unlock the mysteries of the black box.

William Stanek: Windows 7: Inside Track, Part 6 “Automating Migrations with USMT 4.0”

William here, continuing with my inside track discussions on Windows 7. Last time, I provided step by step options for using Windows Easy Transfer. Now let’s kick it up a notch and look at automating migrations using User State Migration Tool (USMT) Version 4.0.

How do CMW files in Office 2000-2003 work? How to maintenance MSP files work in Office 2007-2010?

Here is a quick walk through showing the keys that are used to control the CMW and custom MSP files to determine what settings will take effect and if they had been run for the current user or not. … For the purpose of this walkthrough I have created this maintenance MSP. To keep it simple I am going to apply the following two changes in this custom .msp.

Bookmark and Share