[gptalk] Re: GPMC

Our seriously customized IDM does all the creations based on departments. It's 
very convoluted and I have discussed the OU structure to no avail. I'm sure you 
all are fully aware of the politics involved with large organizations so I just 
update my boss and try to keep it running as smooth as possible. I have read 
that there is really no limit on OU's and how deep the OU structure can go, but 
can someone provide some possible thresholds that could cause a melt down?

Thanks

Gary

  ----- Original Message ----- 
  From: Nelson, Jamie R 
  To: gptalk@xxxxxxxxxxxxx 
  Sent: Thursday, February 21, 2008 6:18 PM
  Subject: [gptalk] Re: GPMC


  Are you using MIIS/ILM? What triggers the creation of an OU? You probably 
need to look into this and seriously consider flattening your AD structure to a 
more logical number of OUs. How is your AD currently organized?

   

   

  Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I 
N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 | 
http://www.integrisok.com

   

  From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Gary Noyes
  Sent: Thursday, February 21, 2008 3:22 PM
  To: gptalk@xxxxxxxxxxxxx
  Subject: [gptalk] Re: GPMC

   

  Actually we only have 22 GPO's, but they are linked all over the place. I 
have no answers for you as to why there are so many OUs other than it was all 
in place before I got here. We use an Identity Management system that has been 
customized and talks directly to AD for provisioning user accounts and new OUs 
so the number just keeps growing. Thats about all the detail I will get into 
because I am new here and was not involved with any of the architecture so I 
don't have the answers. I'm still in the discovery stage of all this. To manage 
it we use the built in tools, but also we have the suite of Quest tools to 
help. Some are pretty powerfull and very nice and some are not.

   

  Gary

    ----- Original Message ----- 

    From: Alan & Margaret 

    To: gptalk@xxxxxxxxxxxxx 

    Sent: Thursday, February 21, 2008 4:10 PM

    Subject: [gptalk] Re: GPMC

     

    Hi Gary,

     

    Wow. I'm impressed (I think). You seem to have an average of 1.5 objects 
per OU!

     

    It raises the question of why you would have so many OU's. and how on earth 
do you manage them all? 

     

    Darren's assessment seems to suggest that not only do you have thousands of 
OU's, you have many OU to GPO links (millions?). So how many GPO's would you 
have and how many OU to GPO links? 

     

    Alan Cuthbertson

     

     

     Policy Management Software:-

    http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml

     

    ADM Template Editor:-

    http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml

     

    Policy Log Reporter(Free)

    http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml

     

     

     

     


----------------------------------------------------------------------------

    From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Gary Noyes
    Sent: Friday, 22 February 2008 7:41 AM
    To: gptalk@xxxxxxxxxxxxx
    Subject: [gptalk] Re: GPMC

     

    Ok, just got an OU total, 53171 so that would stand to reason my delay when 
using that wonderful GPMC tool :-) 

      ----- Original Message ----- 

      From: Darren Mar-Elia 

      To: gptalk@xxxxxxxxxxxxx 

      Sent: Thursday, February 21, 2008 12:58 PM

      Subject: [gptalk] Re: GPMC

       

      This is a big flaw in GP design, as far as I'm concerned. The fact that 
gp links are stored as a single concatenated string instead of a multi-valued 
attribute was a big mistake for larger environments.  There's effectively no 
way to speed this up, because even if you were to index this attribute in AD, 
you still end up having to parse the string for each GPO GUID. Really lame.

       

      Darren

       

      From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On 
Behalf Of Gary Noyes
      Sent: Thursday, February 21, 2008 9:53 AM
      To: gptalk@xxxxxxxxxxxxx
      Subject: [gptalk] Re: GPMC

       

      I'm pretty sure it's the amount of OU's as this tool hangs no matter 
where I use it from. I will try your tool and let you know.

       

      Thanks

      Gary

        ----- Original Message ----- 

        From: Darren Mar-Elia 

        To: gptalk@xxxxxxxxxxxxx 

        Sent: Thursday, February 21, 2008 11:53 AM

        Subject: [gptalk] Re: GPMC

         

        You'd probably have to script it. In any case, for the enumeration to 
take minutes means you have a lot of  OUs and potentially lots of GPOs linked 
to each of those. Either that or something is broken. You might try a network 
trace from the machine running GPMC and see if anything stands out. Outside of 
that, you could downloading the trial version of my Backup Manager for GP 
product and see if it takes the same lengthy time to show links. If so, then 
you know its not a GPMC thing. 

         

        From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] 
On Behalf Of Gary Noyes
        Sent: Thursday, February 21, 2008 8:43 AM
        To: gptalk@xxxxxxxxxxxxx
        Subject: [gptalk] Re: GPMC

         

        Don't really have a number how can I get that?

          ----- Original Message ----- 

          From: tools@xxxxxxxxxx 

          To: gptalk@xxxxxxxxxxxxx 

          Sent: Thursday, February 21, 2008 10:53 AM

          Subject: [gptalk] Re: GPMC

           

          How many OUs are we talking about here Gary? When you try to get 
information on where a given GPO is linked, GPMC is having to search the entire 
domain, looking at every container object, and searching its gpLink attribute 
for the GUID of the GPO. Those attributes are not multi-valued, which means its 
doing a string compare across each of the GUIDs in the link list. So, yes, this 
will be an expensive process. I do this in fact in one of my products and it 
usually doesn't take very long, but your environment may be very different. 

           

          Darren

           

          From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gary Noyes
          Sent: Thursday, February 21, 2008 7:48 AM
          To: gptalk@xxxxxxxxxxxxx
          Subject: [gptalk] Re: GPMC

           

          Ok, even in AD Users and Computers when you click on the links tab it 
hangs so it looks like the GPMC is probably automatically searching for all 
links when you click on a GPO. Now the question is how do I change this 
behavior with the GPMC tool?

           

          Thanks

          Gary

            ----- Original Message ----- 

            From: Darren Mar-Elia 

            To: gptalk@xxxxxxxxxxxxx 

            Sent: Wednesday, February 20, 2008 10:48 PM

            Subject: [gptalk] Re: GPMC

             

            Gary-

            I can't think of any reason this would be the case under normal 
circumstances. What might be interesting is to see if you get the same delay 
when accessing GPO information via the GPMC scripts?

             

            Darren

             

            From: gptalk-bounce@xxxxxxxxxxxxx 
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of gwnoyes@xxxxxxxxxxx
            Sent: Wednesday, February 20, 2008 7:02 PM
            To: gptalk@xxxxxxxxxxxxx
            Subject: [gptalk] GPMC

             

            We have a large AD 2003 domain, about 75 thousand objects and lots 
& lots of OUs. When I open the GPMC and click on one the GPO's it takes about 
10 minutes for it to display the information about that GPO, it hangs at an 
hour glass. I made sure the tool is pointing to the right DC and it still sits 
at an hour glass for about 10 minutes. All servers are talking on Gig links so 
bandwidth isn't a problem.

             

            If anyone has seen this an has a fix I would greatly appreciate 
your assistance with this as it drives me crazy.

             

            Thanks in advance

            Gary


------------------------------------------------------------------------------
  This e-mail may contain identifiable health information that is subject to 
protection under state and federal law. This information is intended to be for 
the use of the individual named above. If you are not the intended recipient, 
be aware that any disclosure, copying, distribution or use of the contents of 
this information is prohibited and may be punishable by law. If you have 
received this electronic transmission in error, please notify us immediately by 
electronic mail (reply).



------------------------------------------------------------------------------
  This e-mail may contain identifiable health information that is subject to 
protection under state and federal law. This information is intended to be for 
the use of the individual named above. If you are not the intended recipient, 
be aware that any disclosure, copying, distribution or use of the contents of 
this information is prohibited and may be punishable by law. If you have 
received this electronic transmission in error, please notify us immediately by 
electronic mail (reply).

Other related posts: