GPMC: delay in resolving certain SID's

  • Thread starter Thread starter Vadim Rapp
  • Start date Start date
V

Vadim Rapp

Hello,

Using GPMC 1.0.2, if I select "group policy objects" and begin selecting one
GP after another, some of them show up instantly, but some are taking very
noticeable delay. First there's delay to draw the right panel; in about 6-7
seconds the panel shows up, but the entries under "security filtering" still
show up as SID's; then they change to the real names, one by one, each
taking again the same 6-7 seconds.

This happens with those objects that have some non-standard security
filtering, for example assigned to a particular group or user. Those that
have standard "authenticated users" or "domain computers", all show up
instantly.

The same security groups or users however do show up instantly in Active
Directory Users and Comptuters, no delay.

I have tried GPMC on another machine, on the same user account, and there
this problem did not show up - all group policy objects were showing without
any delay.

What to look into?

thanks,
Vadim Rapp
 
Howdie!

Vadim said:
Using GPMC 1.0.2, if I select "group policy objects" and begin selecting one
GP after another, some of them show up instantly, but some are taking very
noticeable delay. First there's delay to draw the right panel; in about 6-7
seconds the panel shows up, but the entries under "security filtering" still
show up as SID's; then they change to the real names, one by one, each
taking again the same 6-7 seconds.
Click to expand...

Is that a one-domain forest? I could imagine that GPMC has trouble
resolving foreign domain's SIDs. That could happen if the DC holding the
PDC emulator role isn't a GC and therefore needs to contact a GC for SID
translation.

I'd check on that first.

Cheers,
Florian
 
Yes, this is one-domain forest.
PDC emulator is GC. We have two DC's, each is GC.

Also, for some reason AD Users and Computers does not have any problem, and
the same SID's that in GPMC take 7 seconds to resolve, are resolved
instantly. Besides, another computer (actually, virtual machine hosted on
the same my computer that has the problem) runs the same GPMC, and there
everything also resolves instantly. So it looks like there's some problem on
the client network side of my computer.

thanks,
Vadim Rapp

PDC emu
Florian Frommherz said:
Howdie!

Vadim said:
Using GPMC 1.0.2, if I select "group policy objects" and begin selecting
one GP after another, some of them show up instantly, but some are taking
very noticeable delay. First there's delay to draw the right panel; in
about 6-7 seconds the panel shows up, but the entries under "security
filtering" still show up as SID's; then they change to the real names,
one by one, each taking again the same 6-7 seconds.
Click to expand...

Is that a one-domain forest? I could imagine that GPMC has trouble
resolving foreign domain's SIDs. That could happen if the DC holding the
PDC emulator role isn't a GC and therefore needs to contact a GC for SID
translation.

I'd check on that first.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Click to expand...
 
Howdie!

Vadim said:
Also, for some reason AD Users and Computers does not have any problem, and
the same SID's that in GPMC take 7 seconds to resolve, are resolved
instantly. Besides, another computer (actually, virtual machine hosted on
the same my computer that has the problem) runs the same GPMC, and there
everything also resolves instantly. So it looks like there's some problem on
the client network side of my computer.
Click to expand...

Are there any changes in DNS configuration between the machines?

Cheers,
Florian
 
Hello,

FFM> Vadim Rapp wrote:
??>> Also, for some reason AD Users and Computers does not have any
??>> problem, and the same SID's that in GPMC take 7 seconds to resolve,
??>> are resolved instantly. Besides, another computer (actually, virtual
??>> machine hosted on the same my computer that has the problem) runs the
??>> same GPMC, and there everything also resolves instantly. So it looks
??>> like there's some problem on the client network side of my computer.

FFM> Are there any changes in DNS configuration between the machines?

None, just verified, they are the the same.

Note that the machine with the problem has this problem not on every group
policy. Only on those where are some non-standard entries under the security
filtering. Those that have "authenticated users", "domain computers", and
several others, show up instantly.

Vadim Rapp
 
Back
Top