You experience a memory leak or a long domain logon time in Windows Vista, Windows 7, Windows Server 2008 or Windows Server 2008 R2 after you deploy Group Policy preferences to the computer

Symptoms

This hotfix resolves the following issues.

Issue 1

Assume that you have a client computer in a domain environment. The computer is running one of the following operating systems:
  • Windows Vista
  • Windows 7
  • Windows Server 2008 R2
You deploy Group Policy preferences (GPP) to the client computer by using item-level targeting using security groups. In this situation, a user of the client computer experiences a long domain logon time. This issue becomes more noticeable if the domain controller is only reachable over a slow link.

Note If you use network monitoring tools to troubleshoot this issue, you can see many Lightweight Directory Access Protocol (LDAP) queries that are checking the object type of group members in the domain. These LDAP queries originate from the computers that received GPP through item-level targeting.

Issue 2

When you apply GPP by using item level targeting for security groups, local ports are leaked in an OPEN_WAIT state. After some time, the nonpaged pool is depleted and the computer stops responding.

Note To determine whether you are experiencing this issue, run the netstat -ano command at a command prompt to look for connections to port 389.

The netstat -ano command returns output that resembles the following:

TCP 172.22.244.52:49186 172.22.244.50:389 CLOSE_WAIT 968  TCP 172.22.244.52:49227 172.22.244.50:389 CLOSE_WAIT 968  TCP 172.22.244.52:49258 172.22.244.50:389 CLOSE_WAIT 968  TCP 172.22.244.52:49284 172.22.244.50:389 CLOSE_WAIT 968  TCP 172.22.244.52:49300 172.22.244.50:389 CLOSE_WAIT 968  TCP 172.22.244.52:49315 172.22.244.50:389 CLOSE_WAIT 968  TCP 172.22.244.52:49331 172.22.244.50:389 CLOSE_WAIT 968 

If you run this command again after some time (or if you run the gpupdate /force command) you will notice that the number of open ports grows.

To temporarily work around this issue, restart the computer. This action resolves the problem temporarily as it will close the open ports.

Issue 2

When you apply GPP by using item level targeting for security groups, you notice the SVCHOST instance running the Group Policy Service is leaking virtual memory.

Cause

Issue 1

This issue occurs because item-level targeting uses recursive group membership queries to determine which groups the computer is a member of. The expected behavior of item-level targeting is to query the groups that the computer is a member of.

Issue 2

This issue occurs because the ports are not closed as expected.

Issue 3

Along with the leaked ports, the component also leaks memory in the LDAP library.

Resolution

Hotfix information

A supported hotfix is available from Microsoft. However, this hotfix is intended to correct only the problem that described in this article. Apply this hotfix only to systems that are experiencing the problem described in this article. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next software update that contains this hotfix.

If the hotfix is available for download, there is a "Hotfix download available" section at the top of this Knowledge Base article. If this section does not appear, contact Microsoft Customer Service and Support to obtain the hotfix.

Note If additional issues occur or if any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. For a complete list of Microsoft Customer Service and Support telephone numbers or to create a separate service request, visit the following Microsoft website: Note The "Hotfix download available" form displays the languages for which the hotfix is available. If you do not see your language, it is because a hotfix is not available for that language.

Prerequisites

To apply this hotfix, you must be running one of the following operating systems:
  • Windows Vista Service Pack 1 (SP1)
  • Windows Server 2008
  • Windows 7
  • Windows 7 Service Pack 1 (SP1)
  • Windows Server 2008 R2
  • Windows Server 2008 R2 Service Pack 1 (SP1)
For more information about how to obtain a Windows Vista service pack, click the following article number to view the article in the Microsoft Knowledge Base:

935791 How to obtain the latest Windows Vista service pack

For more information about how to obtain a Windows 7 or Windows Server 2008 R2 service pack, click the following article number to view the article in the Microsoft Knowledge Base:

976932 Information about Service Pack 1 for Windows 7 and for Windows Server 2008 R2

Registry information

To use the hotfix in this package, you do not have to make any changes to the registry.

Restart requirement

You do not have to restart the computer after you apply this hotfix.

Hotfix replacement information

This hotfix does not replace a previously released hotfix.
File information

Status

Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

More Information

For more information about software update terminology, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

For more information about item-level targeting, visit the following Microsoft TechNet website:
Additional file information
Properties

Article ID: 2561285 - Last Review: Jan 30, 2013 - Revision: 1

Windows 7 Professional, Windows 7 Enterprise, Windows 7 Ultimate, Windows Server 2008 R2 Standard, Windows Server 2008 R2 Foundation, Windows Server 2008 R2 Enterprise, Windows Server 2008 R2 Datacenter, Windows Server 2008 R2 for Itanium-Based Systems, Windows Vista Business, Windows Vista Business 64-bit Edition, Windows Vista Enterprise, Windows Vista Enterprise 64-bit Edition, Windows Vista Ultimate, Windows Vista Ultimate 64-bit Edition

Feedback