In this instance, we need to confirm the permissions for the users for the GPOs in the dropdown before displaying them for the user. This is due to the fact that we do not want to display GPOs for the user which they cannot link.
Things we are checking for: is the GPO registered, what are the user's role permissions for that GPO and do they have the link right.
Also, as permissions can be assigned separately for groups and users we need to check those role rights for each group the user is a member of. This is why when you remove the user from direct membership the enumeration happens faster, we are only checking permissions for one group, not one group and one user. From what I am seeing here due to the number of GPOs in the domain each permission check takes about 26-27 seconds on the SQL server due to the joins involved. This is why it takes about 27 seconds when the user is not explicitly added to the users delegation, and why the enumeration takes approximately 54 seconds when the user and group are being checked.
We have created a research story to see if we can improve the enumeration of GPOs in the OU linking dialogue without compromising security in GPOADmin.
Note at this point this is an investigation only and we are not committing to a timeline for any improvements as we must determine what is feasible. Any changes highlighted in the investigation will be considered for inclusion in a future version of GPOADmin.
The enhancement ID for the investigation and potential future improvements is VSTS000432547