programming4us
programming4us
DESKTOP

Windows Server 2008 and Windows Vista : Using Event Logging for Troubleshooting (part 1) - Group Policy Operational Log

- How To Install Windows Server 2012 On VirtualBox
- How To Bypass Torrent Connection Blocking By Your ISP
- How To Install Actual Facebook App On Kindle Fire

An important new addition in Windows Vista and Windows Server 2008 is the updated Event Viewer features and logs. One of the most significant additions is a log dedicated to Group Policy. In addition to this log, you will find features such as a centralized event-logging system, cross-log querying capabilities, scheduled task integration, and filtered views that make using Event Viewer easier and more efficient than ever before.

Note

The Userenv logs are no longer available with Windows Vista and Windows Server 2008. These logs, and all other granular logs for CSEs, are captured in Event Viewer and use a source name of Group Policy.

Compared with the myriad logs and triggers needed in earlier versions of the Windows operating system to get advanced log information related to Group Policy, the new Event Viewer features make troubleshooting Group Policy much easier. All Group Policy–related events are now stored in Event Viewer logs with the source name of GroupPolicy, so it is easy to quickly see these events and even make custom views with just Group Policy events in them. Group Policy events will appear under both System event logs and the Group Policy operational event logs. In addition to these benefits, you will also notice improvements made to descriptions of the events and their possible causes, as well as the follow-up actions suggested.

1. Group Policy Operational Log

The primary location for storage of Group Policy events is in the Group Policy operational log. As stated earlier, this is where the past Userenv text file event logging is stored. To access the Group Policy operational log, follow these steps:

  1. Start Event Viewer.

  2. Expand Applications And Services Logs.

  3. Expand Microsoft, then Windows, and finally Group Policy.

  4. Click Operational.

All of the Event Viewer views have been updated with new interfaces, options, and information. It is important that you understand how these new views and information correspond to information being displayed within the Event Viewer. Figure 1 shows the General tab, and Figure 2 shows the Details tab.

This figure shows the General tab of a standard Group Policy event in Event Viewer.
Figure 1. This figure shows the General tab of a standard Group Policy event in Event Viewer.

Each section on the General tab provides important information to help you resolve the issue:

  • Description box . Contains text that describes the logged event. Group Policy events usually contain information describing the events, possible reasons why the event occurred, and suggested follow-up actions.

  • Source . The name of the software that logs the event. Group Policy events always use the source name Group Policy.

  • Event ID . A numerical ID representing the type of event logged. Administrative events in the System event log and the Group Policy operation event log use event IDs.

  • Level . Classifies the severity of an event. Group Policy events use Error, Informational, and Warning event levels.

  • User . The name of the user account that triggered the logged event. The Group Policy service uses the name SYSTEM for recording events related to computer policy processing. User policy processing events use the name of the user who is processing policy.

  • Logged . The date and local time when the event logging system logged the event. Group Policy in Windows Vista has the opportunity to refresh more often. When troubleshooting Group Policy, make sure that the events you are viewing match the time of the reported problem.

  • Computer . The name of the computer on which the event occurred.

  • More Information . A hyperlink to the Microsoft TechNet Web site. Clicking this link provides you with information about the event, possible causes for the event, and suggestions that may resolve the issue, if the event is a warning or an error.

    This figure shows the Details tab of a standard Group Policy event in Event Viewer.
    Figure 2. This figure shows the Details tab of a standard Group Policy event in Event Viewer.

    Like the General tab, the Details tab provides important information that can help you troubleshoot Group Policy problems, including the following:

  • System\Correlation:ActivityID . The ActivityID represents one instance of Group Policy processing. The Group Policy service creates a unique ActivityID each time Group Policy refreshes. For example, consider a computer that processes Group Policy during start-up. At that time, the Group Policy service assigns that instance of processing an ActivityID. Further events logged during that instance use the same ActivityID until that instance of Group Policy processing completes (Group Policy processing completes when the process ends either successfully or with errors). Users process Group Policy during the log-on process. Again, the Group Policy service assigns a unique ActivityID to that instance of Group Policy processing and uses it until processing completes. This behavior repeats for each new instance of Group Policy processing, which includes automatic and forced Group Policy refreshes. You can view this value on all Group Policy events.

  • EventData\PolicyActivityID . This is the same value as the System\Correlation:ActivityID. The Group Policy service uses this value to identify an instance of Group Policy processing. You can view this value in policy start events (4000–4007).

  • EventData\PrincipalSamName . This value contains the name of the security principal to which the Group Policy service applies, the name of the computer during computer policy processing, and the name of the user during user policy processing. The event displays the format as domainname\computer or domainname\user. This information appears in policy start events (4000–4007), next policy application events (5315), policy end events (8000–8007), and scripts processing start and end events (4018, 5018).

  • EventData\IsDomainJoined . This value is True when the computer is a member of a domain and False when it is not. You can view this value on policy start events (4000–4007).

  • EventData\IsBackgoundProcessing . This value is True when the Group Policy service applies policy settings in the background. Otherwise, this value is False. When this value and the IsAsyncProcessing value are False, the Group Policy service applies policy settings synchronously in the foreground. You can view this value on policy start events (4000–4007).

  • EventData\IsAsyncProcessing . This value is True when the Group Policy service applies policy setting asynchronously in the foreground. Otherwise, this value is False. When this value and the IsBackgroundProcessing value are False, the Group Policy service applies policy settings synchronously in the foreground. You can view this value on policy start events (4000–4007).

  • EventData\PolicyApplicationMode . The Group Policy service records the type of Group Policy processing in the PolicyApplicationMode field. The PolicyApplicationMode field is one of three values. Those values are described in Table 1.

    Table 1. PolicyApplicationMode Values

    Value

    Explanation

    0

    Background processing: The instance of Group Policy processing occurring after the initial instance of Group Policy processing. Background processing occurs when the Group Policy service refreshes. For example, the Group Policy service periodically refreshes Group Policy every 90 minutes.

    1

    Synchronous foreground processing: Foreground processing is the instance of policy processing that occurs at computer start-up and user logon. Synchronous foreground processing is when the processing of computer Group Policy must complete before Windows displays the log-on dialog box, and user Group Policy processing, which happens during user logon, must complete before Windows displays the user’s desktop.

    2

    Asynchronous foreground processing: Asynchronous foreground processing is the instance of Group Policy processing that occurs at computer start-up and user logon. However, Windows does not wait for computer Group Policy processing to complete before displaying the log-on dialog box. Additionally, Windows does not wait for user Group Policy processing to complete before displaying the user’s desktop.

  • EventData\PolicyProcessingMode . You use the PolicyProcessingMode field to determine the presence of loopback processing and whether loopback processing is in Merge or Replace mode. The three possible values are described in Table 2.

    Table 2. PolicyProcessingMode Values

    Value

    Explanation

    0

    Normal Processing mode: Loopback is not enabled.

    1

    Loopback Merge mode: Loopback processing is enabled. The Group Policy service merges user settings within the scope of the computer with user settings within the scope of the user.

    2

    Loopback Replace mode: Loopback processing is enabled. The Group Policy service replaces user settings within the scope of the user with user settings within the scope of the computer.

  • EventData\ProcessingTimeInMilliseconds . You use the ProcessingTimeInMilliseconds field to determine the amount of time, in milliseconds, that the described event used to complete the operation.

    Note

    Remember that one millisecond is 0.1 seconds. To determine the number of elapsed seconds, divide the value in ProcessingTimeInMilliseconds by 1,000.

  • EventData\DCName . The Group Policy service records the name of a domain controller in the DCName field. The name found in this field is the domain controller that the Group Policy service uses when communicating with Active Directory.

  • EventData\ErrorCode and EventData\ErrorDescription . These two fields appear only on error events. The ErrorCode field provides a value, represented as a decimal, that the described event encountered. The ErrorDescription field provides a short description of the ErrorCode value.

Other  
  •  Windows 8 : Managing Windows Update (part 4) - Viewing update history, Rolling back updates
  •  Windows 8 : Managing Windows Update (part 3) - Managing Windows Update in Windows 8 native interface
  •  Windows 8 : Managing Windows Update (part 2) - Configuring update settings
  •  Windows 8 : Managing Windows Update (part 1) - Accessing Windows Update settings by using Control Panel
  •  Windows 8 : Working with location-based settings and connection methods
  •  Windows Server 2008 R2 : Active Directory lightweight directory services
  •  Windows Server 2008 R2 : Active Directory federation services (part 4) - Complete ADFS server configuration
  •  Windows Server 2008 R2 : Active Directory federation services (part 3) - Install Web agent for claims aware Web application, Configure ADFS certificates
  •  Windows Server 2008 R2 : Active Directory federation services (part 2) - Set up the ADFS role for the internal and external Active Directory forests
  •  Windows Server 2008 R2 : Active Directory federation services (part 1) - Planning for Active Directory Federation Services
  •  
    Youtube channel
    Top 10
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 2) - Wireframes,Legends
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Finding containers and lists in Visio (part 1) - Swimlanes
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Formatting and sizing lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Adding shapes to lists
    - Microsoft Visio 2013 : Adding Structure to Your Diagrams - Sizing containers
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 3) - The Other Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 2) - The Data Properties of a Control
    - Microsoft Access 2010 : Control Properties and Why to Use Them (part 1) - The Format Properties of a Control
    - Microsoft Access 2010 : Form Properties and Why Should You Use Them - Working with the Properties Window
    - Microsoft Visio 2013 : Using the Organization Chart Wizard with new data
    REVIEW
    - First look: Apple Watch

    - 3 Tips for Maintaining Your Cell Phone Battery (part 1)

    - 3 Tips for Maintaining Your Cell Phone Battery (part 2)
    programming4us programming4us
    programming4us
     
     
    programming4us