[gptalk] Re: GPMC
- From: "Gary Noyes" <gwnoyes@xxxxxxxxxxx>
- To: <gptalk@xxxxxxxxxxxxx>
- Date: Fri, 22 Feb 2008 08:11:14 -0500
Our seriously customized IDM does all the creations based on departments. It's
very convoluted and I have discussed the OU structure to no avail. I'm sure you
all are fully aware of the politics involved with large organizations so I just
update my boss and try to keep it running as smooth as possible. I have read
that there is really no limit on OU's and how deep the OU structure can go, but
can someone provide some possible thresholds that could cause a melt down?
Thanks
Gary
----- Original Message -----
From: Nelson, Jamie R
To: gptalk@xxxxxxxxxxxxx
Sent: Thursday, February 21, 2008 6:18 PM
Subject: [gptalk] Re: GPMC
Are you using MIIS/ILM? What triggers the creation of an OU? You probably
need to look into this and seriously consider flattening your AD structure to a
more logical number of OUs. How is your AD currently organized?
Jamie Nelson | Systems Engineer | Systems Support, Information Technology | I
N T E G R I S Health | Phone 405.552.0903 | Fax 405.553.5687 |
http://www.integrisok.com
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Gary Noyes
Sent: Thursday, February 21, 2008 3:22 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPMC
Actually we only have 22 GPO's, but they are linked all over the place. I
have no answers for you as to why there are so many OUs other than it was all
in place before I got here. We use an Identity Management system that has been
customized and talks directly to AD for provisioning user accounts and new OUs
so the number just keeps growing. Thats about all the detail I will get into
because I am new here and was not involved with any of the architecture so I
don't have the answers. I'm still in the discovery stage of all this. To manage
it we use the built in tools, but also we have the suite of Quest tools to
help. Some are pretty powerfull and very nice and some are not.
Gary
----- Original Message -----
From: Alan & Margaret
To: gptalk@xxxxxxxxxxxxx
Sent: Thursday, February 21, 2008 4:10 PM
Subject: [gptalk] Re: GPMC
Hi Gary,
Wow. I'm impressed (I think). You seem to have an average of 1.5 objects
per OU!
It raises the question of why you would have so many OU's. and how on earth
do you manage them all?
Darren's assessment seems to suggest that not only do you have thousands of
OU's, you have many OU to GPO links (millions?). So how many GPO's would you
have and how many OU to GPO links?
Alan Cuthbertson
Policy Management Software:-
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor:-
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter(Free)
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
----------------------------------------------------------------------------
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Gary Noyes
Sent: Friday, 22 February 2008 7:41 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPMC
Ok, just got an OU total, 53171 so that would stand to reason my delay when
using that wonderful GPMC tool :-)
----- Original Message -----
From: Darren Mar-Elia
To: gptalk@xxxxxxxxxxxxx
Sent: Thursday, February 21, 2008 12:58 PM
Subject: [gptalk] Re: GPMC
This is a big flaw in GP design, as far as I'm concerned. The fact that
gp links are stored as a single concatenated string instead of a multi-valued
attribute was a big mistake for larger environments. There's effectively no
way to speed this up, because even if you were to index this attribute in AD,
you still end up having to parse the string for each GPO GUID. Really lame.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx] On
Behalf Of Gary Noyes
Sent: Thursday, February 21, 2008 9:53 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPMC
I'm pretty sure it's the amount of OU's as this tool hangs no matter
where I use it from. I will try your tool and let you know.
Thanks
Gary
----- Original Message -----
From: Darren Mar-Elia
To: gptalk@xxxxxxxxxxxxx
Sent: Thursday, February 21, 2008 11:53 AM
Subject: [gptalk] Re: GPMC
You'd probably have to script it. In any case, for the enumeration to
take minutes means you have a lot of OUs and potentially lots of GPOs linked
to each of those. Either that or something is broken. You might try a network
trace from the machine running GPMC and see if anything stands out. Outside of
that, you could downloading the trial version of my Backup Manager for GP
product and see if it takes the same lengthy time to show links. If so, then
you know its not a GPMC thing.
From: gptalk-bounce@xxxxxxxxxxxxx [mailto:gptalk-bounce@xxxxxxxxxxxxx]
On Behalf Of Gary Noyes
Sent: Thursday, February 21, 2008 8:43 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPMC
Don't really have a number how can I get that?
----- Original Message -----
From: tools@xxxxxxxxxx
To: gptalk@xxxxxxxxxxxxx
Sent: Thursday, February 21, 2008 10:53 AM
Subject: [gptalk] Re: GPMC
How many OUs are we talking about here Gary? When you try to get
information on where a given GPO is linked, GPMC is having to search the entire
domain, looking at every container object, and searching its gpLink attribute
for the GUID of the GPO. Those attributes are not multi-valued, which means its
doing a string compare across each of the GUIDs in the link list. So, yes, this
will be an expensive process. I do this in fact in one of my products and it
usually doesn't take very long, but your environment may be very different.
Darren
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of Gary Noyes
Sent: Thursday, February 21, 2008 7:48 AM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] Re: GPMC
Ok, even in AD Users and Computers when you click on the links tab it
hangs so it looks like the GPMC is probably automatically searching for all
links when you click on a GPO. Now the question is how do I change this
behavior with the GPMC tool?
Thanks
Gary
----- Original Message -----
From: Darren Mar-Elia
To: gptalk@xxxxxxxxxxxxx
Sent: Wednesday, February 20, 2008 10:48 PM
Subject: [gptalk] Re: GPMC
Gary-
I can't think of any reason this would be the case under normal
circumstances. What might be interesting is to see if you get the same delay
when accessing GPO information via the GPMC scripts?
Darren
From: gptalk-bounce@xxxxxxxxxxxxx
[mailto:gptalk-bounce@xxxxxxxxxxxxx] On Behalf Of gwnoyes@xxxxxxxxxxx
Sent: Wednesday, February 20, 2008 7:02 PM
To: gptalk@xxxxxxxxxxxxx
Subject: [gptalk] GPMC
We have a large AD 2003 domain, about 75 thousand objects and lots
& lots of OUs. When I open the GPMC and click on one the GPO's it takes about
10 minutes for it to display the information about that GPO, it hangs at an
hour glass. I made sure the tool is pointing to the right DC and it still sits
at an hour glass for about 10 minutes. All servers are talking on Gig links so
bandwidth isn't a problem.
If anyone has seen this an has a fix I would greatly appreciate
your assistance with this as it drives me crazy.
Thanks in advance
Gary
------------------------------------------------------------------------------
This e-mail may contain identifiable health information that is subject to
protection under state and federal law. This information is intended to be for
the use of the individual named above. If you are not the intended recipient,
be aware that any disclosure, copying, distribution or use of the contents of
this information is prohibited and may be punishable by law. If you have
received this electronic transmission in error, please notify us immediately by
electronic mail (reply).
------------------------------------------------------------------------------
This e-mail may contain identifiable health information that is subject to
protection under state and federal law. This information is intended to be for
the use of the individual named above. If you are not the intended recipient,
be aware that any disclosure, copying, distribution or use of the contents of
this information is prohibited and may be punishable by law. If you have
received this electronic transmission in error, please notify us immediately by
electronic mail (reply).
Other related posts:
