Improved Group Policy Preference Targeting by Computer Group Membership
Hello AskDS readers, it's Mike again talking about Group Policy Preference targeting items. I posted an article in June entitled Targeting Group Policy Preferences by Container, not by Group. This post highlighted the common problems many people encounter when targeting preferences items based on a computer's group membership, why the problem occurs, and some workarounds.
Today, I'd like to introduce a hotfix released by Microsoft that improves targeting preference items by computer group membership. The behavior before the hotfix potentially resulted in slow computer group policy application. The slowness was caused by the way Security Group targeting applies against a computer account. The targeting item makes multiple round trips to a domain controller to determine group memberships (including nested groups). The slowness is more significant when the computer applying the targeting item does not have a local domain controller and must use a domain controller across a WAN link.
You can download the hotfix for Windows 7 and Windows Server 2008 R2 through Microsoft Knowledgebase article 2561285. This hotfix changes how the Security Group Targeting item calculates computer group membership. During policy application, the targeting item requests a copy of the computer's authentication token. This token is mostly identical to the token created during logon, which means it contains a list security identifiers (SIDs) for every group of which the computer is a member, including nested groups. The targeting item performs the configured comparison against this list of SIDs in the token, rather than multiple LDAP calls to a domain controller. This behavior aligns the behavior of computer security group targeting with that of user security group targeting. This should improve the performance of security group targeting.
Mike "Try, Try, Try Again" Stephens
Comments
Anonymous
August 18, 2011
This is excellent news moving forward. Not to be a downer but any chance (through software assurance perhaps?) this becomes available for XP as well?Anonymous
August 19, 2011
Good news. I've seen a few complaints about this issue in the forums. Now I have a link to send them to!Anonymous
August 22, 2011
Hi Gallwapa, I would not expect an XP instance of this hotfix. First, XP's GPP client-side extensions are not part of the operating system. This increases the "behind-the-scenes" difficulty with releasing an update (it's not a hotfix in this case). Secondly, XP Service Pack 3 reached the end of mainstream support on April 14, 2009. It's now in extended support until 2014. So, it is unlikely to expect this update for XP. So the quick answer-- not impossibe, but highly improbable. More about mainstream and extended support can be found at support.microsoft.com/.../lifepolicy Mike Stephens [MSFT]