An important new addition in Windows Vista and Windows Server 2008 is
the updated Event Viewer, with its new features and logs. One of the
most significant additions is a log dedicated to Group Policy. In
addition to this log, you will find features such as a centralized
event-logging system, cross-log querying capabilities, scheduled task
integration, and filtered views that make using Event Viewer easier and
more efficient than ever before.
Note
The Userenv logs are no longer available with Windows Vista and
Windows Server 2008. These logs, and all other granular logs for CSEs,
are captured in Event Viewer and use a source name of Group Policy.
Compared with the myriad logs and triggers needed in earlier
versions of the Windows operating system to get advanced log
information related to Group Policy, the new Event Viewer features make
troubleshooting Group Policy much easier. All Group Policy–related
events are now stored in Event Viewer logs with the source name of
GroupPolicy, so it is easy to quickly see these events and even make
custom views with just Group Policy events in them. Group Policy events
will appear
under both System event logs and the Group Policy operational event
logs. In addition to these benefits, you will also notice improvements
made to descriptions of the events and their possible causes, as well
as the follow-up actions suggested.
1. Group Policy Operational Log
The primary location for storage of Group Policy events is in the
Group Policy operational log. As stated earlier, this is where the past
Userenv text file event logging is stored. To access the Group Policy
operational log, follow these steps:
- Start Event Viewer.
- Expand Applications And Services Logs.
- Expand Microsoft, then Windows, and finally Group Policy.
- Click Operational.
All of the Event Viewer views have been updated with new interfaces,
options, and information. It is important that you understand how these
new views and information correspond to information being displayed
within the Event Viewer. Figure 1 shows the General tab, and Figure 2 shows the Details tab.
Each section on the General tab provides important information to help you resolve the issue:
- Description box. Contains text that describes the logged event. Group Policy events usually contain information describing the event, possible reasons why the event occurred, and suggested follow-up actions.
- Source. The name of the software that logs the event. Group Policy events always use the source name Group Policy.
- Event ID. A numerical ID representing the type of event logged. Administrative events in the System event log and the Group Policy operational event log use event IDs.
- Level. Classifies the severity of an event. Group Policy events use the Error, Informational, and Warning event levels.
- User. The name of the user account that triggered the logged event. The Group Policy service uses the name SYSTEM for recording events related to computer policy processing. User policy processing events use the name of the user who is processing policy.
- Logged. The date and local time when the event logging system logged the event. Group Policy in Windows Vista has the opportunity to refresh more often. When troubleshooting Group Policy, make sure that the events you are viewing match the time of the reported problem.
- Computer. The name of the computer on which the event occurred.
- More Information. A hyperlink to the Microsoft TechNet Web site. If the event is a warning or an error, clicking this link provides you with information about the event, possible causes for the event, and suggestions that may resolve the issue.
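The same log can be read from PowerShell instead of the Event Viewer console. The script below is an added example and is not from the book: it opens the operational log that the steps above reach by clicking, labels each event with the General-tab fields just listed, and then runs one cross-log query that pulls Group Policy warnings and errors from both the System log and the operational log, which is the query a custom view holding only Group Policy events would use. It assumes Windows Vista/Server 2008 or later, the channel name Microsoft-Windows-GroupPolicy/Operational and the provider name Microsoft-Windows-GroupPolicy (the provider Event Viewer shows as the source Group Policy), and an account allowed to read both logs.

```powershell
# Added example, not from the book: the Group Policy operational log from
# PowerShell, with the General-tab fields mapped to event record properties.
# Assumes Windows Vista/Server 2008 or later and read access to the System
# log and to Microsoft-Windows-GroupPolicy/Operational.

$LogName = 'Microsoft-Windows-GroupPolicy/Operational'

# General-tab fields expressed as calculated properties of an event record.
$GeneralTab = @(
    @{ Name = 'Logged';   Expression = { $_.TimeCreated } }        # date and local time
    @{ Name = 'Source';   Expression = { $_.ProviderName } }       # shown as "Group Policy" in the console
    @{ Name = 'EventID';  Expression = { $_.Id } }
    @{ Name = 'Level';    Expression = { $_.LevelDisplayName } }   # Error / Warning / Information
    @{ Name = 'User';     Expression = {
        # SYSTEM for computer policy processing, the user account for user policy processing.
        $sid = $_.UserId
        if ($null -eq $sid) { return '' }
        try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
    } }
    @{ Name = 'Computer'; Expression = { $_.MachineName } }
    @{ Name = 'Description'; Expression = { ($_.Message -split "`r?`n")[0] } }  # first line only
)

# Newest 20 events of the operational log, laid out with General-tab headings.
Get-WinEvent -LogName $LogName -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object -Property $GeneralTab |
    Format-Table -AutoSize -Wrap

# Cross-log query: Group Policy warnings and errors (Level 1-3) from the System
# log and from the operational log in one result set. The same <QueryList> can
# be pasted into Event Viewer (Create Custom View, XML tab) to get a custom view
# that contains only Group Policy events.
$query = @'
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">*[System[Provider[@Name='Microsoft-Windows-GroupPolicy'] and (Level=1 or Level=2 or Level=3)]]</Select>
    <Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System[(Level=1 or Level=2 or Level=3)]]</Select>
  </Query>
</QueryList>
'@

Get-WinEvent -FilterXml $query -MaxEvents 50 -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated |
    Select-Object TimeCreated, LogName, Id, LevelDisplayName, ActivityId |
    Format-Table -AutoSize
```

The ActivityId column in the second listing is the System\Correlation:ActivityID value described under the Details tab; events from both logs that share one ActivityId belong to the same instance of Group Policy processing.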
Like the General tab, the Details tab provides important information that can help you troubleshoot Group Policy problems, including the following:
- System\Correlation:ActivityID. The ActivityID represents one instance of Group Policy processing. The Group Policy service creates a unique ActivityID each time Group Policy refreshes. For example, consider a computer that processes Group Policy during start-up. At that time, the Group Policy service assigns that instance of processing an ActivityID. Further events logged during that instance use the same ActivityID until that instance of Group Policy processing completes (Group Policy processing completes when the process ends either successfully or with errors). Users process Group Policy during the log-on process. Again, the Group Policy service assigns a unique ActivityID to that instance of Group Policy processing and uses it until processing completes. This behavior repeats for each new instance of Group Policy processing, which includes automatic and forced Group Policy refreshes. You can view this value on all Group Policy events.
- EventData\PolicyActivityID. This is the same value as the System\Correlation:ActivityID. The Group Policy service uses this value to identify an instance of Group Policy processing. You can view this value in policy start events (4000–4007).
- EventData\PrincipalSamName. This value contains the name of the security principal to which the Group Policy service applies policy: the name of the computer during computer policy processing, and the name of the user during user policy processing. The event displays the value in the format domainname\computer or domainname\user. This information appears in policy start events (4000–4007), next policy application events (5315), policy end events (8000–8007), and scripts processing start and end events (4018, 5018).
- EventData\IsDomainJoined. This value is True when the computer is a member of a domain and False when it is not. You can view this value on policy start events (4000–4007).
- EventData\IsBackgroundProcessing. This value is True when the Group Policy service applies policy settings in the background. Otherwise, this value is False. When this value and the IsAsyncProcessing value are both False, the Group Policy service applies policy settings synchronously in the foreground. You can view this value on policy start events (4000–4007).
- EventData\IsAsyncProcessing. This value is True when the Group Policy service applies policy settings asynchronously in the foreground. Otherwise, this value is False. When this value and the IsBackgroundProcessing value are both False, the Group Policy service applies policy settings synchronously in the foreground. You can view this value on policy start events (4000–4007).
- EventData\PolicyApplicationMode. The Group Policy service records the type of Group Policy processing in the PolicyApplicationMode field. The PolicyApplicationMode field is one of three values, described in Table 1.

Table 1. PolicyApplicationMode Values

Value | Explanation
----- | -----------
0 | Background processing: The instance of Group Policy processing occurring after the initial instance of Group Policy processing. Background processing occurs when the Group Policy service refreshes. For example, the Group Policy service periodically refreshes Group Policy every 90 minutes.
1 | Synchronous foreground processing: Foreground processing is the instance of policy processing that occurs at computer start-up and user logon. In synchronous foreground processing, computer Group Policy processing must complete before Windows displays the log-on dialog box, and user Group Policy processing, which happens during user logon, must complete before Windows displays the user's desktop.
2 | Asynchronous foreground processing: Asynchronous foreground processing is the instance of Group Policy processing that occurs at computer start-up and user logon. However, Windows does not wait for computer Group Policy processing to complete before displaying the log-on dialog box. Additionally, Windows does not wait for user Group Policy processing to complete before displaying the user's desktop.
- EventData\PolicyProcessingMode. You use the PolicyProcessingMode field to determine the presence of loopback processing and whether loopback processing is in Merge or Replace mode. The three possible values are described in Table 2.

Table 2. PolicyProcessingMode Values

Value | Explanation
----- | -----------
0 | Normal Processing mode: Loopback is not enabled.
1 | Loopback Merge mode: Loopback processing is enabled. The Group Policy service merges user settings within the scope of the computer with user settings within the scope of the user.
2 | Loopback Replace mode: Loopback processing is enabled. The Group Policy service replaces user settings within the scope of the user with user settings within the scope of the computer.
- EventData\ProcessingTimeInMilliseconds. You use the ProcessingTimeInMilliseconds field to determine the amount of time, in milliseconds, that the described event used to complete the operation.

Note
Remember that one millisecond is 0.001 seconds. To determine the number of elapsed seconds, divide the value in ProcessingTimeInMilliseconds by 1,000.
- EventData\DCName. The Group Policy service records the name of a domain controller in the DCName field. The name found in this field is the domain controller that the Group Policy service uses when communicating with Active Directory.
- EventData\ErrorCode and EventData\ErrorDescription. These two fields appear only on error events. The ErrorCode field provides the value, represented as a decimal, that the described event encountered. The ErrorDescription field provides a short description of the ErrorCode value.
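The Details-tab fields above are most useful when read together for one instance of processing. The following PowerShell script is an added example, not from the book: it takes the most recent policy start event (4000–4007), uses its System\Correlation:ActivityID to collect every event of that instance, decodes PolicyApplicationMode and PolicyProcessingMode with Table 1 and Table 2, converts ProcessingTimeInMilliseconds to seconds, and shows ErrorCode and ErrorDescription where an error event carries them. It assumes the channel name Microsoft-Windows-GroupPolicy/Operational, read access to that log, and that at least one start event exists; the helper names Get-EventDataMap and ConvertTo-ModeName are this example's own.

```powershell
# Added example, not from the book: reconstruct one instance of Group Policy
# processing from the Details-tab fields. Assumes Windows Vista/Server 2008 or
# later, read access to Microsoft-Windows-GroupPolicy/Operational, and at least
# one policy start event (4000-4007) in the log.

$LogName = 'Microsoft-Windows-GroupPolicy/Operational'

# Decoding tables taken from Table 1 (PolicyApplicationMode) and Table 2 (PolicyProcessingMode).
$ApplicationModes = @{ 0 = 'Background'; 1 = 'Synchronous foreground'; 2 = 'Asynchronous foreground' }
$ProcessingModes  = @{ 0 = 'Normal (no loopback)'; 1 = 'Loopback Merge'; 2 = 'Loopback Replace' }

function Get-EventDataMap {
    # Returns the EventData\<Name> values of one record as a hashtable keyed by Name.
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Record)
    $map = @{}
    $xml = [xml]$Record.ToXml()
    foreach ($d in $xml.SelectNodes("//*[local-name()='EventData']/*[local-name()='Data'][@Name]")) {
        $map[$d.GetAttribute('Name')] = $d.InnerText
    }
    return $map
}

function ConvertTo-ModeName {
    # Maps a numeric mode field to its table entry; 'n/a' when the event lacks the field.
    param([hashtable]$Table, $Value)
    if ($null -eq $Value -or $Value -eq '') { return 'n/a' }
    $v = [int]$Value
    if ($Table.ContainsKey($v)) { return $Table[$v] }
    return "unknown ($v)"
}

# 1. The most recent policy start event carries the principal and mode fields.
$start = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4000..4007 } -MaxEvents 1 -ErrorAction Stop

# 2. System\Correlation:ActivityID is shared by every event of this instance.
$activityId = $start.ActivityId

# 3. Read everything logged since the start event and keep only this instance, in log order.
$instance = Get-WinEvent -FilterHashtable @{ LogName = $LogName; StartTime = $start.TimeCreated } |
    Where-Object { $_.ActivityId -eq $activityId } |
    Sort-Object RecordId

# 4. Summary of the instance from the start event, plus the DC recorded on any of its events.
$f = Get-EventDataMap $start
$dcName = $instance | ForEach-Object { (Get-EventDataMap $_)['DCName'] } | Where-Object { $_ } | Select-Object -First 1
[pscustomobject]@{
    ActivityID       = $activityId
    Started          = $start.TimeCreated
    Principal        = $f['PrincipalSamName']      # domainname\computer or domainname\user
    DomainJoined     = $f['IsDomainJoined']
    Background       = $f['IsBackgroundProcessing']
    Async            = $f['IsAsyncProcessing']
    ApplicationMode  = ConvertTo-ModeName $ApplicationModes $f['PolicyApplicationMode']
    ProcessingMode   = ConvertTo-ModeName $ProcessingModes  $f['PolicyProcessingMode']
    DomainController = $dcName
    EventCount       = @($instance).Count
} | Format-List

# 5. Timeline of the instance: per-operation time in seconds and any error fields.
$instance | ForEach-Object {
    $d = Get-EventDataMap $_
    $seconds = $null
    if ($d['ProcessingTimeInMilliseconds']) { $seconds = [int]$d['ProcessingTimeInMilliseconds'] / 1000 }
    $error = $null
    if ($d['ErrorCode']) { $error = "$($d['ErrorCode']): $($d['ErrorDescription'])" }   # error events only
    [pscustomobject]@{
        Time    = $_.TimeCreated.ToString('HH:mm:ss.fff')
        Id      = $_.Id
        Level   = $_.LevelDisplayName
        Seconds = $seconds
        Error   = $error
        Summary = ($_.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize -Wrap
```

Filtering on ActivityId in PowerShell rather than in an XPath query keeps the script independent of how the GUID is formatted inside the event XML; the StartTime filter only limits how many records are read. When the summary shows an ApplicationMode of Synchronous foreground together with a long Seconds value on a single event, that event is the operation that delayed the log-on dialog box or the desktop, which is exactly the case the ProcessingTimeInMilliseconds field is there to expose.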