[gptalk] Re: Complete list of all available CSEs and their functionality

  • From: "Sunshine Baines" <sunshine.baines@xxxxxxxxx>
  • To: gptalk@xxxxxxxxxxxxx
  • Date: Wed, 16 Apr 2008 19:14:36 -0400

Ok here is a dumb one.  I thought CSE was a plugin for the newly
upcoming preferences.  What exactly do you mean by separating GPO by
CSE?

On Wed, Apr 16, 2008 at 4:31 PM, Darren Mar-Elia <darren@xxxxxxxxxx> wrote:
>
>
>
> Great insight into REALLY large environments Jerry. Thanks for that!
>
>
>
> Darren
>
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Cruz, Jerome L
> Sent: Wednesday, April 16, 2008 11:46 AM
>
>
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Complete list of all available CSEs and their
> functionality
>
>
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Complete list of all available CSEs and their
> functionality
>
>
>
>
>
>
> Hendrikus,
>
>
>
> I see that you are also interested in designing GPOs in light of
> performance. In small companies or for those companies whose work-force is
> not geographically dispersed, spending a lot of effort to design GPO for
> super efficient deployment is typically not necessary because all the
> updates can take place quickly and with low load on the infrastructure
> devices (DCs and networks). There is no clear delineation of what company
> size or what level of workforce dispersion starts to cause impacts to your
> systems. I can also highly recommend Darren's article on 'how to isolate
> GPOs by client extension'.
>
>
>
> Since I recently responded to a similar question on a different GPO forum,
> I'll duplicate some of that information here with some estimated numbers to
> give everyone a chance to understand the impacts of GPOs on our DCs and
> networks.
>
>
>
> ========================================================================
>
> VERY LONG WINDEDNESS WARNING
>
> ========================================================================
>
>
>
> Group Policies process in order by 'client extension'. That means they
> essentially process all registry entries from the ordered list of all GPOs
> applicable to the Computer and then process all security entries from the
> ordered list of all GPOs applicable to the Computer and so on.... It's
> typically milliseconds between the registry updates. Then the user logs on
> and the GPO processing engine performs the exact same "client extension" by
> "client extension" processing for each of the GPOs applicable to the user
> account.
>
> The 'use' of separate GPOs to implement registry entries (as an example)
> from different Administrative template sections and then placing one or the
> other of the GPOs above/below just isn't going to get you much--other than
> "generic content of GPO visibility" by naming your GPO for what it does
> (Wireless Settings GPO, User Profile Settings GPO, Printer Configuration
> settings GPO, etc.).  But, you can design GPOs to operate more efficiently
> by separating them by 'client extension'.
>
> Note: This next bit is admittedly long (yeah long-winded). Some of the other
> GPO Admins have written articles on this (Hi Darren), but my spin on it will
> have some numbers to look at...or better yet to 'look aghast' at.
>
> Core Idea: Separate GPO Settings by Client Extension for better Performance
> (create your GPOs with only one kind of setting type in each...registry,
> security, etc.)
> ----------------
> Let's say you've been editing GPOs for some time in a domain (in a large
> Enterprise). "Real world" experience leads me to guess that a good many GPO
> admins simply add additional settings to 'existing' GPOs over time because
> it's more convenient that creating new ones. Sometimes they add Security
> settings, sometimes Registry settings, etc. The point is that over time, a
> limited number of Group Policy Objects contain multiple client extensions
> linked to them. Okay, so what is the impact to your DCs of doing that kind
> of thing at the domain root level?
>
> When it comes time for a device to perform its background group policy
> refresh, the device uses several criteria to determine whether the GPOs that
> are applicable to it need to be re-processed. Examples of changes are 'new
> GPOs being targeted', 'GPT.INI version changes', and 'security group
> changes' (and please note that the same goes for the user account background
> policy refreshes).
>
> Let's focus upon "just" a Gpt.Ini file change. "One" change to a GPO updates
> the GPO's GPT.Ini "version history" file in AD and in Sysvol. Each client
> device knows what the version numbers of the GPOs that were last applied are
> (stores them in its registry). Therefore, when the background GPO refresh
> "wakes up" and checks its local versions against those in Active Directory,
> the GPO sub-systems "wake up" to re-process the GPOs on-the-fly.
>
> Here's the kicker, all that the GPO sub-system knows is that a GPO
> 'changed', it doesn't know what "part" or which "client extension" changed.
> So if the GPO had both security settings and registry settings, then both of
> those client extensions have to wake up and process the GPOs. Stated another
> way, you've just told all of your client devices to process 'both' registry
> AND security client extensions for all GPOs with those kinds of settings in
> them. BUT, you only "needed" the "registry" client extension processed. In
> short, you have asked the client, the network, and the DC to perform more
> work than is necessary. Let me give you a more realistic idea how this
> impacts your systems.
>
> As an example, say that you have a large domain with 54,253+ devices (okay,
> I'll be nice and say that only 50,000 are online…nice round number). Guess
> what? The GPOs at the root of your domain get 'hammered' all day long (or
> rather, the Gpt.Ini version history files at the root of each GPO get
> 'hammered').  Let's say you have 5 DCs in your local domain (ignore backup
> DCs in remote locations). Also assume a standard 9 hour day. How many hits
> will you have for "each" GPT.Ini file per DC per day (ignoring the device
> boot up/user logon situation...we'll just estimate the background refresh
> hits)? [And remember that GPOs perform a standard background refresh every
> 90-120 minutes, so we'll estimate right in the middle and say that each
> device initiates a background refresh every 105 minutes (both computer and
> user because these are launched separately).]
>
> The Math
> ========
> Nine hours = 60 * 9             = 540     Minutes
> 540 minutes / 105 minutes       = 5.14    Refreshes per day for each side
> 5.14 refreshes * 2              = 10.28   AD GPO hits for both Computer and
> User
>
>                                           settings for each device per day
> 10.28 hits/day * 50,000 devices = 514,000 Total hits/day
> 514,000 Hits per day / 5 DCs    = 102,800 GPT.INI read hits per DC per day
>
> That's a lot of hits already, but now lets add the 'multiple' GPOs into
> this.
>
> Let's say you have targeted 8 Computer GPOs towards clients on average and 8
> User GPOs on average. Okay, okay, let's just focus on domain root level
> impacts, let's say that you only have 4 of each type of GPO (Computer
> settings and User settings) linked to the root with the rest of your GPOs
> split up into various user and computer OUs.
>
> So... that would be a "Read my Gpt.Ini file version" load on SYSVOL for each
> DC of (102,800 hits per GPO * 8 root level GPOs) = 822,400 reads per DC per
> day.
> And remember, so far you've made no changes. "Just" reading the version
> history files in the GPOs places a load of 800,000 hits on each DC in this
> simplified scenario.
>
> Now let's say that you change a Computer registry setting in 1 GPO. Each DC
> now has to respond to additional file access requests for each GPO for the
> next two hours until all devices are up to date. Let's also say that each of
> the "domain root level" GPOs has both registry and security settings... that
> means that there is a Gpt.Ini file, a Registry.Pol file, and a GptTmpl.Inf
> file within the sysvol folder structure in 'each' GPO.
>
> Therefore, in addition to having to read 200,000 Gpt.Ini files (4 GPOs *
> 50,000 devices) you've added a load of 400,000 reads (4 GPOs * two
> additional file reads * 50,000 devices) for the next two hours for a total
> of 600,000 reads (again, that's 50,000 devices reading 3 files per GPO at
> the root of the domain * 4 Computer GPOs). [BTW: That's ~95 reads/sec in
> SYSVOL for the next two hours straight. And that is only for the root level
> GPOs, there are also the read requests for the remaining GPOs in lower level
> OUs.]
>
>
>
> Oh, did I forget to mention that there may be "On Access" AV scans going on
> as well for all three files for each read request? Not a separate read, but
> certainly a 'processor' on the DC is involved as well as possibly the AV
> scanner on the local client device. Okay, okay, assume I didn't mention
> those…  J
>
> If you had separated the GPOs at the root by client extension then the
> "load" on the DC's root level GPOs would have been only a total of 400,000
> reads. That is certainly significant enough for you to seriously consider
> redesigning the way you use GPOs. It's a scale thing to be certain. Smaller
> companies do not have to worry too much about performance issue of this kind
> (assumes these companies staffs are geographically centered near their DCs).
>
>
>
> However, if a company is smaller, but has a large number of the
> employees/devices that are dispersed (far distances away from their DCs) and
> if they log on for significant periods of time, then the background
> refreshes under this scenario can take much longer due to latency in the
> network. Again, separating the GPOs by client extension means that changing
> one type of setting can improve experience those remote systems and reduce
> total network traffic at the same time.
>
> Note: Since I work for a larger Enterprise than noted above and my access
> numbers are easily into the millions of SYSVOL read accesses per day. We
> have to be very cognizant about when/where/how we allow GPO changes to be
> made or we can run into replication issues and/or place undue processing
> requirements upon our customers, their devices, the network, and/or the DCs.
>
>
>
> TIP: GPO Admins may want to take a look at eliminating 'On Access'
> anti-virus scanning of the GPT.Ini files to reduce the 'load' on the DCs.
> Make sure that you have good GPO backup processes in place, make sure your
> security folks agree, and also make sure that other scheduled AV scans are
> left intact (both on the DC as well as on the clients accessing them), and
> test, test, test.
>
>
>
> Aren't GPOs fun! J
>
>
>
> Jerry C
>
>
>
> This posting is provided "AS IS" with no warranties and confers no rights.
>
> ------------------------------------------------------------------------------------------------
>
>
>
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Thorbjörn Sjövold
> Sent: Wednesday, April 16, 2008 8:49 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Complete list of all available CSEs and
> theirfunctionality
>
>
>
> Hendrikus,
>
>
>
> the Registry CSE is pretty much the descendant of the old NT 4 policies, it
> has GUID {35378EAC-683F-11D2-A89A-00C04FBBCFA2} (and is listed but no
> settings), it is very special and not a "true" CSE to 100%, for example when
> you register your own CSE, you can say that it should only process if the
> Registry CSE successfully executed etc. But to sum up it is the CSE that is
> responsible for anything under Administrative Templates, i.e. ADM/ADMX. Also
> a number of other extensions rely on the Registry CSE, for example the
> Software Restriction Policy as far as I recall, that in reality adds
> settings that the Registry CSE will manage but from its own GPOE snap-in.
>
>
>
>
>
> HTH,
>
> Thorbjörn Sjövold
>
> Special Operations Software
>
> www.specopssoft.com
>
> thorbjorn.sjovold a t specopssoft.com
>
>
>
> Download our free tool for remote Gpupdate with graphical reporting,
> http://www.specopssoft.com/products/specopsgpupdate/
>
>
>
>
>
>
>
>
>
>
>
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Hendrikus Terwint (SEDIRSI-Prestataire)
> Sent: den 16 april 2008 17:31
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Re: Complete list of all available CSEs and their
> functionality
>
>
>
> Thanks a lot for your quick reply, Darren, as well as Thorbjörn.
>
>
>
> I'm not quite sure though if I understand what you both mean by "Registry
> CSE". I guess you mean it's not one of the CSEs listed in my GPExtensions
> registry key? (I'm not sure whether there is one main "registry" CSE with
> some additional CSE extensions, or if the "registry CSE" is just one of
> those/ any of those extensions we can find under
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions).
>
>
>
> I'd like to optimize our GPOs, i.e. per GPO only add settings that are
> processed by a single CSE. (Goal: if the GPO version is incremented, have
> only CSE x update its list, and not CSE y)
>
>
>
> You are right Darren: the GPExtensions list is pretty straightforward, but
> they only cover a small percentage of the overall settings. If the "Registry
> CSE" does most everything, I'm wondering if my "optimization" would make
> sense….
>
>
>
> Hendrikus
>
>
>
>
>
>
> De : gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] De la
> part de Darren Mar-Elia
> Envoyé : mercredi 16 avril 2008 16:03
> À : gptalk@xxxxxxxxxxxxx
> Objet : [gptalk] Re: Complete list of all available CSEs and their
> functionality
>
>
>
> Hendrikus-
>
> Frankly the most definitive list of CSEs will be on the machine of the most
> recent version of Windows you are running, in the registry under
> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions.
>
>
>
> In terms of which settings are processed by which CSEs, this is not
> completely straightforward but, for example, most everything under
> Administrative Templates is processed by the Registry CSE and then the rest
> of the CSEs are pretty self-explanatory. But I don't think you will find a
> definitive list of which CSE processes every setting.
>
>
>
> Darren
>
>
>
>
>
>
>
>
> From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
> Behalf Of Hendrikus Terwint (SEDIRSI-Prestataire)
> Sent: Wednesday, April 16, 2008 6:39 AM
> To: gptalk@xxxxxxxxxxxxx
> Subject: [gptalk] Complete list of all available CSEs and their
> functionality
>
>
>
> Hello everybody,
>
>
>
> Is there a way to determine which GP setting is processed by which CSE ?
>
>
>
> I have found a list of default Client-Side Extensions on Technet:
>
> http://technet2.microsoft.com/windowsserver/en/library/824b4758-9430-4633-8d8f-3dad0f2bf8391033.mspx?mfr=true
>
>
>
> However, I'd like to see a complete list, just like the "Group Policy
> Settings Reference" on windows.com/downloads, with a column that says which
> CSE is responsible for processing which setting.
>
>
>
> For example: if we use the DFS.admx to change the DFS network policy. Is
> there a DFS CSE that processes this policy, or is it processed by one of the
> default CSEs? Does it require an extension at all? Maybe the CSE list on the
> link above is quite complete, and all other settings are processed by the
> Group Policy Engine itself?
>
>
>
> Is there such list around somewhere? (that links every possible GP setting
> to the GP Engine or CSE component that processes this setting)
>
>
>
> Many thanks in advance,
>
>
>
> Hendrikus TERWINT
>
> Consultant Avanade France
>
> hendrikus.terwint@xxxxxxxxxxx
>
>
>
> Prestataire pour le compte de SEDI-RSI, site de Bagnolet
>
> Tél. : 01 55 82 39 70
>
>
***********************
You can unsubscribe from gptalk by sending email to 
gptalk-request@xxxxxxxxxxxxx with 'unsubscribe' in the Subject field OR by 
logging into the freelists.org Web interface. Archives for the list are 
available at http://www.freelists.org/archives/gptalk/
************************

Other related posts: