Group Policy Processing Benchmarks


For years there have been questions regarding the “cost” of applying Group Policy. With so many moving parts of Group Policy it has been questioned which settings cause significant overhead, which extensions cost the most to apply, and what happens when you start configuring the inheritance modifications to Group Policy with respect to performance. It seems easy enough to consider the cost associated with applying different aspects of Group Policy, as you can just make a setting, and then go see how long it took to apply policy after the new setting. However, until now it has been difficult, without verbose logging enabled, to track these details. Now with the new Group Policy Operational Log tracking how long it takes to apply policy settings is not that difficult.

Group Policy Operational Log

Starting with Windows Vista and Windows Server 2008, Microsoft provides a completely new world for administrators to leverage in tracking Group Policy (and other areas too) behavior. For these operating systems Microsoft has revamped the Event Viewer and added some new Windows logs that give an inside look into how processes are working on your Windows computers.

You can find the Group Policy Operational Log in Event Viewer at the following path: Applications and Services Logs\Microsoft\Windows\GroupPolicy\Operational, which can be seen in Figure 1.

Figure 1: Group Policy Operational Log in Event Viewer

The Group Policy Operational Log is very close in details to the legacy userenv.log file that you could generate for the dissection of the Group Policy behind the scenes behavior. The log is automatically enabled and tracks nearly every aspect of the Group Policy processing behavior. You will find interesting tidbits of information in the log such as:

  • How long it took to find a domain controller for Group Policy processing
  • Which groups were considered for user and computer GPOs
  • Which GPOs were in scope for both user and computer application
  • The link speed for GPO application
  • Which CSEs (client side extensions) will be considered during GPO application
  • Time to apply each individual CSE for both user and computer policies

Extensions with Group Policy

A Windows Vista/2008 GPO has over 40 CSEs. Consider that the inclusion of Group Policy Preferences added over 20 alone… the additions to Group Policy has been quite amazing over the years. Some CSEs cost more to apply than others. The cost can be attributed to many factors. Some CSEs cost more based on the “work” that they are performing on the target computer. Other CSEs cost more based on the inefficient methods that are used to apply the settings. Yet other CSEs cost more to apply for reasons that might not be fully understood, yet they do cost more than the others.

Some of the most expensive CSEs that are in a GPO include:

  • File permissions
  • Registry permissions
  • Logon/Logoff scripts

Configurations that Effect Processing Time

Group Policy has many moving parts. Sure, the configurations alone can be a bit overwhelming, but there is much more to Group Policy than just the settings. There are many ways to alter how Group Policy applies, as well as the inheritance of Group Policy. Nearly every setting that you make with regard to Group Policy can, and usually will, cause cycles to occur and therefore will cause the application time for Group Policy to increase. The following configurations could cause a negative effect on GPO processing time:

  • WMI filter
  • Enforce
  • Block Inheritance
  • Security Filtering
  • Item-level targeting

On the other hand, there are some configurations/techniques that can help with overall processing time. The following options could cause a positive effect on GPO processing time:

  • Disabling User/Computer portion of GPO
  • Keeping security filtering to “Authenticated Users”
  • Fewer GPOs rather than more GPOs

Benchmarking with Printers and ILT

With all of this considered, some benchmarking was done with configuring printers for documentation of how GPO settings react with numerous GPO settings, GPOs, and multiple ILT configurations. In order to set up the scenario, the following parameters were considered.

  • There needed to be over 700 printer settings for every user, depending on where the user was in the organization.
  • Group Policy Preferences were to be used to map the printers.
  • There were an equal number of shared printers and IP printers mapped.
  • Each printer needed to have a one or two ILT configurations.
  • One ILT configuration was based on group membership.
  • The other ILT configuration was based on IP address range.
  • The goal was to have few GPOs and all printer settings within these few GPOs. (This was in lieu of many GPOs and fewer printer settings per GPO.)
  • All GPOs configured were to be linked to a top level OU, which was designed to contain all user accounts that would need the printers mapped.
  • The printer mapping timing did not take into effect downloading and installing the print driver, as that is a variable depending on the size and complexity of the printer driver itself.

Initially, the benchmarks were determined with no GPO settings, beyond the default for AD, so that when the printer mappings were applied, there was an original time that the baseline GPOs took to apply/evaluate. After the original time was determined, the following matrix details the time it took to apply/evaluate printer mappings, each having one ILT configurations.

Number of GPOs

Number of printers per GPO

Time to apply/evaluate



20 ms



156 ms



320 ms



880 ms



1400 ms



2800 ms



2800 ms

Table 1


The moral to the story is that configuring your computers using Group Policy is necessary, but all configurations take cycles of time. Nearly every setting, configuration, tweak, or option that you set in a GPO will cost time. This does not mean you need not use Group Policy. Rather, you should use Group Policy more intelligently and configure each setting to make Group Policy more efficient. From our benchmark testing, using efficient ILT configurations and efficient GPO settings do have a cost, but for 2000 printers to be configured and only take 2.8 seconds to determine which settings should be applied is pretty quick. Of course, there are so many variables in GPO settings, GPO application control, ILT, etc. that any combination of GPO settings will end up with different results. However, for this scenario the outcome of the overall application of GPO settings was very efficient and made the company happy to know they could solve their printer needs using Group Policy.

Leave a Comment

Your email address will not be published.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top