Tuesday, March 05, 2013

Slow Group Policy Client Side Extensions login with Windows 7

We experienced an issue when we modified a GPO to include item-level filtering on an AD group.  The issue was that Windows 7 machines with this GPO applied to where suddenly taking minutes to login.  Windows XP machines, however, logged in almost instantly.

When going through the event logs for group policy on Windows 7 we were able to identify the CSE causing this issue.  For us it was the "File processing extension".





When we looked at the group policy we saw that the item-level filtering was filtering on a group with 11,000+ objects in it.  We had two tasks in the GPO that were filtering on that group.  When I attempted to open the group utilizing ActiveRoles Server (ARS) it was taking 40-50 seconds to populate each object in the group.  I theorized that it appeared Windows 7 was iterating through each object like ARS was.  To test this I installed Wireshark on the Windows 7 and XP machines and ran "GPUPDATE /FORCE".  This triggered the CSE to execute.  The following are the traces:

XP Capture.  It queries (highlighted) the group then continues on.



Windows 7 Capture.  It queries the group then all objects within the group.



Obviously, with 11,000+ objects in the AD group Windows 7 will have a significantly slower logon if it's querying every object within the group.  Fortunately, Microsoft has put out a fix for this:

You experience a long domain logon time in Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 after you deploy Group Policy preferences to the computer

So if you are experiencing slow login times with Windows 7 it maybe worth it to try this fix.


No comments: