Issue 1Assume that you have a client computer in a domain environment. The computer is running one of the following operating systems:
- Windows Vista
- Windows 7
- Windows Server 2008 R2
Note If you use network monitoring tools to troubleshoot this issue, you can see many Lightweight Directory Access Protocol (LDAP) queries that are checking the object type of group members in the domain. These LDAP queries originate from the computers that received GPP through item-level targeting.
Issue 2When you apply GPP by using item level targeting for security groups, local ports are leaked in an OPEN_WAIT state. After some time, the nonpaged pool is depleted and the computer stops responding.
Note To determine whether you are experiencing this issue, run the netstat -ano command at a command prompt to look for connections to port 389.
The netstat -ano command returns output that resembles the following:
TCP 172.22.244.52:49186 172.22.244.50:389 CLOSE_WAIT 968 TCP 172.22.244.52:49227 172.22.244.50:389 CLOSE_WAIT 968 TCP 172.22.244.52:49258 172.22.244.50:389 CLOSE_WAIT 968 TCP 172.22.244.52:49284 172.22.244.50:389 CLOSE_WAIT 968 TCP 172.22.244.52:49300 172.22.244.50:389 CLOSE_WAIT 968 TCP 172.22.244.52:49315 172.22.244.50:389 CLOSE_WAIT 968 TCP 172.22.244.52:49331 172.22.244.50:389 CLOSE_WAIT 968
If you run this command again after some time (or if you run the gpupdate /force command) you will notice that the number of open ports grows.
To temporarily work around this issue, restart the computer. This action resolves the problem temporarily as it will close the open ports.
When you apply GPP by using item level targeting for security groups, you notice the SVCHOST instance running the Group Policy Service is leaking virtual memory.
Issue 1This issue occurs because item-level targeting uses recursive group membership queries to determine which groups the computer is a member of. The expected behavior of item-level targeting is to query the groups that the computer is a member of.
Issue 2This issue occurs because the ports are not closed as expected.
Along with the leaked ports, the component also leaks memory in the LDAP library.
Hotfix informationA supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.
If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.
Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.
PrerequisitesTo apply this hotfix, you must be running one of the following operating systems:
- Windows Vista Service Pack 1 (SP1)
- Windows Server 2008
- Windows 7
- Windows 7 Service Pack 1 (SP1)
- Windows Server 2008 R2
- Windows Server 2008 R2 Service Pack 1 (SP1)