by Jack Chen, Senior Technical Consultant at Taos
Speaking of the performance of GPOs, is it better to have fewer, bigger GPOs or many smaller GPOs in the AD domain? There is no single right answer, but you may arrive at one after reading through the client interaction described below.
The following are the normal steps by which clients interact with GPOs.
- The client uses slow-link detection via ICMP to a DC in its own site to determine link speed, or uses the Network Location Awareness (NLA) service.
- The client reads CSE status information from its local registry to determine which GPOs were processed last.
- The client uses LDAP to search the gpLink attribute in AD on each container object, first at the OU level, then at the domain, and finally at the Active Directory site level. From the results of this search, it builds a list of GPOs that must be evaluated for processing.
- Each GPO is then searched in AD to determine whether the client has the necessary permissions to process it.
- The client then uses SMB to read the contents of the GPT and get the version number from the gpt.ini file. Note that the version numbers in the Group Policy Container (GPC) and the GPT are one factor used to determine whether a GPO has changed since the last processing cycle.
- Each CSE runs in the order registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions, and processes the GPOs that implement that CSE if the GPO has changed since the last processing cycle. Note that each CSE also logs RSOP data to Windows Management Instrumentation (WMI) during each refresh, if available.
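To make the LDAP and SMB work in steps 3 to 5 concrete, the following added example (my own script, not code from the original article) walks the same container chain a client walks, parses each gPLink, and reads both the GPC versionNumber from AD and the Version line from gpt.ini over SMB, so you can see how many reads a given machine's set of linked GPOs costs. It assumes the RSAT ActiveDirectory module, read access to SYSVOL, and that the site is resolved for the machine the script runs on; the function and variable names are mine.

```powershell
# Added example, not from the original article.
# Lists the GPOs a client would evaluate (OU chain, then domain, then site) and
# the GPC/GPT version numbers used in the change check. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

function Get-ClientGpoWorkload {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $computer = Get-ADComputer -Identity $ComputerName
    $domain   = Get-ADDomain
    $rootDse  = Get-ADRootDSE

    # Step 3: containers in the search order given in the text: OU chain, domain, site.
    $containers = New-Object System.Collections.Generic.List[object]
    $dn = ($computer.DistinguishedName -split ',', 2)[1]
    while ($dn -and $dn -ne $domain.DistinguishedName) {
        $containers.Add([pscustomobject]@{ Scope = 'OU/Container'; DN = $dn })
        $dn = ($dn -split ',', 2)[1]
    }
    $containers.Add([pscustomobject]@{ Scope = 'Domain'; DN = $domain.DistinguishedName })

    # Site lookup is local to the machine running the script (assumption noted in the lead-in).
    $siteName = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    $containers.Add([pscustomobject]@{
        Scope = 'Site'
        DN    = "CN=$siteName,CN=Sites,$($rootDse.configurationNamingContext)"
    })

    $results = foreach ($c in $containers) {
        $obj = Get-ADObject -Identity $c.DN -Properties gPLink
        if (-not $obj.gPLink) { continue }
        # gPLink is a string of [LDAP://<GPO DN>;<options>] entries;
        # options bit 0 = link disabled, bit 1 = enforced.
        foreach ($m in [regex]::Matches($obj.gPLink, '\[LDAP://([^;\]]+);(\d+)\]')) {
            $gpoDn   = $m.Groups[1].Value
            $options = [int]$m.Groups[2].Value

            # Step 5: one LDAP read of the GPC, one SMB read of gpt.ini in the GPT.
            $gpc = Get-ADObject -Identity $gpoDn -Properties displayName, versionNumber, gPCFileSysPath
            $gptVersion = $null
            $iniPath = Join-Path $gpc.gPCFileSysPath 'gpt.ini'
            if (Test-Path $iniPath) {
                $line = Get-Content $iniPath | Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
                if ($line -match '^Version=(\d+)') { $gptVersion = [int]$Matches[1] }
            }

            [pscustomobject]@{
                Scope        = $c.Scope
                Container    = $c.DN
                GPO          = $gpc.displayName
                Enforced     = [bool]($options -band 2)
                LinkDisabled = [bool]($options -band 1)
                # versionNumber packs the user version in the high 16 bits and the
                # computer version in the low 16 bits; gpt.ini carries the same packed value.
                GPCVersion   = $gpc.versionNumber
                GPTVersion   = $gptVersion
                VersionMatch = ($gptVersion -eq $gpc.versionNumber)
            }
        }
    }

    $results | Format-Table -AutoSize

    # Each link costs the client an LDAP read of the GPC plus an SMB read of gpt.ini;
    # this count is the workload the "fewer and bigger vs. many and smaller" question is about.
    $distinct = @($results | Select-Object -ExpandProperty GPO -Unique).Count
    "{0} links, {1} distinct GPOs to evaluate for {2}" -f @($results).Count, $distinct, $ComputerName
}

Get-ClientGpoWorkload
```

A row whose VersionMatch is False usually means SYSVOL (FRS/DFSR) and AD replication are out of step for that GPO, which is the condition the client's version comparison in step 5 exists to catch; a large number of rows with no settings relevant to the CSEs in step 6 is the cost you pay for many small GPOs.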