2. Event Viewer Troubleshooting Procedure
To take full advantage of the new Event Viewer features and
capabilities, it is a best practice to follow a set procedure to ensure
that you are viewing the most relevant information for the problem that
you are having. To do this, you should follow these steps:
-
Evaluate the System event log for Group Policy events.
-
Evaluate the Group Policy operational log:
-
Determine the ActivityID of Group Policy processing.
-
Create a custom view of a Group Policy instance.
-
Divide the custom view of the log into three phases:
-
Preprocessing
-
Processing
-
Postprocessing
-
Associate all Starting events with the correct Ending event.
-
Investigate all Errors, Warnings, and Failures.
-
Isolate the event that is causing the problem, and address the problem.
-
Run GPUpdate on the computer with the Group Policy problem to
determine whether the problem persists. If so, repeat these steps to
find other issues.
Evaluate the System Event Log
The Group Policy service writes events to the System event log
indicating an administrative alert, representing the latest status of
the Group Policy service. Here you can quickly determine whether the
Group Policy service is the source of the problem. You might see any of
the following three events in the System event log for Group Policy:
-
Informational event
. Indicates that the Group Policy service is functioning properly.
-
Warning event
. Indicates that the Group Policy service is functioning properly, but other dependencies may have failed.
-
Error event
. Indicates that the Group Policy service has failed.
Evaluate the Group Policy Operational Log: Determine the ActivityID of Group Policy Processing
Every
time Group Policy background or foreground processing occurs, an
ActivityID is generated that groups all of the specific actions that
occurred during that Group Policy processing. It is important that you
determine the ActivityID of the process so that you can isolate all
events related to that process. To determine the ActivityID for an
event, follow these steps:
-
Start Event Viewer.
-
Under Event Viewer, click to expand Applications And Services Logs,
and then expand Microsoft, expand Windows, expand GroupPolicy, and
click Operational.
-
In the details pane, click the GroupPolicy warning or error event that you want to troubleshoot.
-
In the details pane, click the Details tab the lower pane for the event, and then click Friendly view.
-
On the event’s Details tab, click System to expand the System node.
-
Scroll until you find the ActivityID in the System node details.
This value (without the opening and closing braces) is the ActivityID.
Evaluate the Group Policy Operational Log: Create a Custom View of a Group Policy Instance
After the ActivityID is determined, all events related to that ID
must be isolated for easier and more efficient evaluation. To isolate
all of the events that are associated with the ActivityID that you
found, follow these steps:
-
Start Event Viewer.
-
Right-click Custom Views, and then click Create Custom View. The Create Custom View dialog box appears.
-
Click the XML tab, and then select the Edit Query Manually check
box. Event Viewer displays a dialog box, which explains that editing a
query manually prevents you from modifying the query using the Filter
tab. Click Yes.
-
Copy the Event Viewer query (provided at the end of this step) to
the clipboard. Paste the query into the Query box. Your query should
look something like the following:
<QueryList><Query Id="0”
Path="Application"><Select
Path="Microsoft-Windows-GroupPolicy/Operational">*[System/Correlation/@ActivityID=‘{INSERT
ACTIVITY ID HERE}’]</Select> </Query></QueryList>
-
Enter the ActivityID that you determined in the preceding procedure
in place of the “INSERT ACTIVITY ID HERE” text from step 4. Click OK.
Note
The leading and trailing {} characters are essential for the query to work.
-
In the Save Filter to Custom View dialog box, type a name and description meaningful to the view you created, and then click OK.
-
The name of the saved view appears under Custom Views in the console
tree. Click the name of the saved view to display its events in Event
Viewer, as shown in Figure 3.
