Re: Performance problem when domain security policies are applied

From: Cary Shultz [A.D. MVP] (cwshultz_at_mvps.org)
Date: 09/28/04 

Date: Tue, 28 Sep 2004 12:12:24 -0400

Yep!

You are correct. It is the security settings, not all of them. Strike two
on me!

Cary

"Darren Mar-Elia" <dmanonymous@discussions.microsoft.com> wrote in message
news:%23$mR2TXpEHA.800@TK2MSFTNGP14.phx.gbl...
> Actually Cary, the every 16 hour thing only applies to security
policy--not
> all policy. This is specific to the client side extension for security
> processing.
>
> --
> Darren Mar-Elia
> MS-MVP-Windows Server--Group Policy
> Check out http://www.gpoguy.com -- The Windows Group Policy Information
Hub:
> FAQs, Whitepapers and Utilities for all things Group Policy-related
>
>
>
> "Cary Shultz [A.D. MVP]" <cwshultz@mvps.org> wrote in message
> news:ekU7WRXpEHA.2636@TK2MSFTNGP09.phx.gbl...
> > Lee,
> >
> > In addition to what Darren has suggested, I might suggest that this is
> > normal behavior. Every 16 hours Workstations and Member Servers ask the
> > Domain Controllers for the latest Group Policies. All of them!
> >
> > This is where all of the GPOs are brought down to the machine. It is
the
> > same thing as doing the secedit /refreshpolicy machine_policy/enforce.
It
> > is the /enforce that gives it the 'umph!'. It is saying, "Do not bring
> > down
> > only the new changes since the last time, bring them all down!". It is
a
> > way of making sure that the settings remain in effect. And that all of
> > the
> > workstations have the latest policies.
> >
> > Do not get this confused with the background policy processing. This is
> > what happens every 90 minutes on Workstations and Member Servers ( with
an
> > +/- offset ) and every five minutes on Domain Controllers.
> >
> > Does this help?
> >
> > Cary
> >
> > "Lee Lieu" <anonymous@discussions.microsoft.com> wrote in message
> > news:39f701c4a56f$147102c0$a301280a@phx.gbl...
> >> Hi there,
> >>
> >> I'm not sure if this is the correct group to post this
> >> question. But hopefully someone can help me.
> >>
> >> I was wondering if anyone have noticed a problem with the
> >> way windows 2000 applies the security policies when
> >> updating group policy objects on machines in a domain.
> >> What I have noticed is that every time this occurs (every
> >> 16 hours by default) the machine uses 100% CPU time for
> >> about 5 to 10 seconds (maybe even longer if machine specs
> >> are low) and the machine appears to slow down - I presume
> >> this is because the security updates are being applied.
> >>
> >> This problem can also be observed when you force a
> >> security update by typing in the command line:
> >> secedit /refreshpolicy {machine_policy |
> >> user_policy} /enforce
> >>
> >> The effect of this is that one of my processes suffers a
> >> performance hit because it has been denied CPU process
> >> time during the period of this security update.
> >>
> >> So, what I would like to know is if this update
> >> characteristic is normal on domain machines and if so, is
> >> there a way to customise and minimise what security
> >> policies are being updated so to reduce this performance
> >> problem.
> >>
> >> Thanks in advance,
> >>
> >> Lee
> >>
> >>
> >>
> >
> >
>
>

Relevant Pages

  • Re: Big networking problems
    ... The Group Policy security settings that apply to this machine could not be ... find my computer on the network, hit OK, then hit Apply. ...
    (microsoft.public.windowsxp.network_web)
  • Re: Group policy - another newbie question
    ... Domain Controller Security Policy is exactly that. ... (just the security settings) ... navigate to the Group Policy tab and edit the Default Domain ...
    (microsoft.public.win2000.group_policy)
  • RE: System Restore
    ... Security setting descriptionsComputer Configuration\Windows ... Windows XP Service Pack 2 introduces some security-enhancing changes to ... Account Policies Password Policy, Account Lockout Policy, and Kerberos Policy ... You can configure the security settings that are described in this section ...
    (microsoft.public.windowsxp.general)
  • Group Policy
    ... I have set the group policies on a windows 2000 domain. ... the group policy client side extension security has ... Security Policies are propogated with warning ...
    (microsoft.public.win2000.security)
  • Importing IE security settings with Group Policy
    ... We are trying to set up two different Group Policies within AD to ... To do this we are selecting our Group Policy and clicking edit. ... Maintenance -> Security we open the Security Zones and Content Ratings ... the security settings like we want imported to the users computer. ...
    (microsoft.public.win2000.active_directory)
Loading