Windows Server 2008 and Windows Vista : Using Event Logging for Troubleshooting (part 3) – Divide the Custom View of the Log into Three Phases

Divide the Custom View of the Log into Three Phases: Preprocessing

This phase begins Group Policy processing and gathers the information required to process Group Policy. The Group Policy service collects this information once and then uses it to cycle through each Group Policy client-side extension (CSE). The information can be divided into small subsets, which include the following:

  • Start policy processing
  • Retrieve account information
  • Domain controller discovery
  • Computer role discovery
  • Security principal discovery
  • Loopback processing mode discovery
  • GPO discovery
  • Slow link detection
  • Nonsystem GP extension discovery

For each subset in the preprocessing phase, specific event IDs are generated. The ability to track an event ID to a specific portion of the preprocessing phase can help significantly in identifying the root problem with Group Policy. Each subset is defined in the following sections.

Start Policy Processing

When the computer starts, a user logs on, a refresh occurs, or there is a change to a network interface, an instance of Group Policy processing is recorded in Event Viewer. This instance is tracked via the ActivityID, and one of the start events is recorded with it. The start events range from 4000 to 4007 and are described in Table 1.

Table 1. Group Policy Start Events

  Event ID   Start Event Type
  --------   -------------------------
  4000       Computer start-up
  4001       User logon
  4002       Computer network change
  4003       User network change
  4004       Computer manual refresh
  4005       User manual refresh
  4006       Computer periodic refresh
  4007       User periodic refresh

Retrieve Account Information

For processing to occur, the Group Policy service must acquire the location of the user and computer object in Active Directory. This determines the SOM for the objects. Two sets of event IDs are recorded for this portion of the preprocessing phase. They include the following:

Informational/success interaction event

  • This event records information about interaction with dependent components with one of three event IDs:
    • 5320 – Success interaction event: The interaction described in the event completed successfully.
    • 6320 – Warning interaction event: The interaction described in the event completed with one or more errors.
    • 7320 – Error interaction event: The interaction described in the event failed to complete.

Trace component event

  • During the information gathering phase, the Group Policy service calls other functions in Windows, referred to as system calls. These events are recorded in Event Viewer and report one or more event IDs:
    • 4017 – Start-trace event: The beginning of a system call described in the event.
    • 5017 – Success end-trace event: The system call described in the event completed successfully.
    • 6017 – Warning end-trace event: The system call described in the event completed with one or more errors.
    • 7017 – Error end-trace event: The system call described in the event failed to complete.

Tip

All end-trace events contain the elapsed time used by the system call. A call that takes too much time could indicate that there is a problem. The Details tab (explained earlier) indicates the status of the end-trace event and the elapsed time.
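The elapsed time mentioned in the tip can be read out of the log in bulk rather than one event at a time. The following PowerShell is an added example, not code from the original article: it pulls the end-trace events (5017, 6017, 7017) from the Group Policy Operational log and ranks the system calls by elapsed time. It assumes that the EventData field carrying the elapsed time has "Elapsed" in its name (the value the Details tab shows); the pattern is the only part you may need to adjust.

```powershell
# Added example, not code from the original article: rank Group Policy system
# calls by the elapsed time reported in their end-trace events (5017 success,
# 6017 warning, 7017 error) so that unusually slow calls stand out.
# Assumption: the EventData element carrying the elapsed time has "Elapsed"
# in its name (the value shown on the Details tab); adjust the pattern if
# your build names it differently.
$log    = 'Microsoft-Windows-GroupPolicy/Operational'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 5017, 6017, 7017 } `
                       -MaxEvents 500 -ErrorAction Stop

$report = foreach ($e in $events) {
    [xml]$x = $e.ToXml()
    # EventData/Data is a list of named values; pull the elapsed-time entry
    $elapsed = $x.Event.EventData.Data |
               Where-Object { $_.Name -like '*Elapsed*' } |
               Select-Object -First 1 -ExpandProperty '#text'
    [pscustomobject]@{
        TimeCreated = $e.TimeCreated
        Id          = $e.Id
        Level       = $e.LevelDisplayName
        ActivityId  = $e.ActivityId
        ElapsedMs   = [int]$elapsed
        Call        = ($e.Message -split "`r?`n")[0]   # first line of the description
    }
}

# Slowest ten calls first; a call that stands out here is the one to investigate
$report | Sort-Object ElapsedMs -Descending | Select-Object -First 10 | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the computer with the problem. Because the ActivityId is carried along, a slow call can be traced back to the processing instance it belongs to.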

Domain Controller Discovery

For Group Policy to process successfully, a domain controller must be discovered. During the discovery procedure, the system binds to Active Directory, discovers a domain controller to connect to, and makes a connection to the domain controller. The event IDs associated with each step in the process include the following:

Domain controller discovery start event

  • This event occurs when the computer starts to find the domain controller.
  • The following event IDs are associated with this event:
    • 5017 – Success end-trace event: The system call described in the event completed successfully.
    • 6017 – Warning end-trace event: The system call described in the event completed with one or more errors.
    • 7017 – Error end-trace event: The system call described in the event failed to complete.

DC discovery interaction event

  • This event occurs when the computer begins to communicate with the domain controller.
  • The following event IDs are associated with this event:
    • 5308 – Success DC interaction event: The interaction described in the event completed successfully.
    • 6308 – Warning DC interaction event: The interaction described in the event completed with one or more errors.
    • 7308 – Error DC interaction event: The interaction described in the event did not complete.

Domain controller discovery end event

  • This event occurs when the computer ends communications with the domain controller.
  • The following event IDs are associated with this event:
    • 5326 – Success DC discovery end event: The process of discovering a domain controller completed successfully.
    • 6326 – Warning DC discovery end event: The process of discovering a domain controller completed with one or more errors.
    • 7326 – Error DC discovery end event: The process of discovering a domain controller did not complete.

Computer Role Discovery

Group Policy is applied based on the computer role and membership in a domain. Group Policy applies differently based on the computer role. The roles that a computer can have include those listed in Table 2.

Table 2. Computer Roles and Values

  Value   Computer role
  -----   --------------------------------------------------------------------------
  0       The current computer is a stand-alone workstation or server.
  1       The current computer is a member of a domain that does not support directory services.
  2       The current computer is a member of a domain that supports directory services.
  3       The current computer is a domain controller.

The events that will be written into the log, including these computer role values, will fall under the following category and event IDs:

Computer information event

  • The following event IDs are associated with this event:
    • 5309 – Success computer information event: The discovery of computer information completed successfully.
    • 6309 – Warning computer information event: The discovery of computer information completed with one or more errors.
    • 7309 – Error computer information event: The discovery of computer information did not complete.

Security Principal Discovery

Because Group Policy applies only to computer and user objects, this portion of the process determines whether the current object focus is a user or computer so that the appropriate settings can be applied. This is written to the log with the following category and event IDs:

Security principal information event

  • The following event IDs are associated with this event:
    • 5310 – Success security principal information event: Discovering information about the current security principal completed successfully.
    • 6310 – Warning security principal information event: Discovering information about the current security principal completed with one or more errors.
    • 7310 – Error security principal information event: Discovering information about the current security principal did not complete.

Loopback Processing Mode Discovery

Because loopback processing alters the default Group Policy processing behavior, the Group Policy service must be aware of any loopback settings. The following category and event IDs are registered after the loopback processing information is gathered:

Loopback processing mode event

  • The following event IDs are associated with this event:
    • 5311 – Success loopback processing mode event: Determining the loopback processing mode completed.
    • 6311 – Warning loopback processing mode event: Determining the loopback processing mode completed with one or more errors.
    • 7311 – Error loopback processing mode event: Determining the loopback processing mode did not complete.

  • The event description will include one of the three loopback processing modes:
    • No loopback mode: Loopback processing is not enabled.
    • Merge: Loopback processing is enabled. The Group Policy service merges user settings within the scope of the computer with user settings within the scope of the user.
    • Replace: Loopback processing is enabled. The Group Policy service replaces user settings within the scope of the user with user settings from the scope of the computer.

GPO Discovery

After all of the initial information is gathered to create a list of applicable GPOs, the Group Policy service discovers the final list of GPOs that will apply to the computer or user object. After obtaining the list, the Group Policy service checks the accessibility of each GPO by reading the gpt.ini file. It uses the gpt.ini file location on the domain controller discovered in the domain discovery step. The events that could be recorded include the following:

  • 5017 – Success end-trace event: The system call described in the event completed successfully.
  • 6017 – Warning end-trace event: The system call described in the event completed with one or more errors.
  • 7017 – Error end-trace event: The system call described in the event failed to complete.

After the gpt.ini files are checked, the system performs an additional check and records the following Applied GPO list event and event IDs:

Applied GPO list event

  • This is where the Group Policy CSEs are listed based on the applicable settings in the GPO. The recorded events will include one of the following:
    • 5312 – Success applied GPO list event: The discovery of applicable Group Policy objects completed successfully.
    • 6312 – Warning applied GPO list event: The discovery of applicable Group Policy objects completed with one or more errors.
    • 7312 – Error applied GPO list event: The discovery of applicable Group Policy objects did not complete.

Finally, the system ends this portion of the phase by listing the filtered GPOs. The system processes the following Filtered GPO list event and event IDs:

Filtered GPO list event

  • The GPOs listed in these events will not be applied to the computer or user. The following event IDs are associated with this event:
    • 5313 – Success filtered GPO list event: The discovery of filtered Group Policy objects completed successfully.
    • 6313 – Warning filtered GPO list event: The discovery of filtered Group Policy objects completed with one or more errors.
    • 7313 – Error filtered GPO list event: The discovery of filtered Group Policy objects did not complete.

Slow Link Detection

Multiple components rely on the speed of the network for the application of policy settings. To make this determination, the Group Policy service performs two steps. First, it must determine the speed of the network. Second, it must determine whether the configured slow link setting in Group Policy classifies the determined speed as slow or fast. The following two events record this behavior, along with the associated event IDs:

Estimated bandwidth event

  • The results of the estimated bandwidth will be recorded in the event measured in kilobits per second (Kbps). The following event IDs are associated with this event:
    • 5327 – Success estimated bandwidth event: Estimating the bandwidth for a network interface completed successfully.
    • 6327 – Warning estimated bandwidth event: Estimating the bandwidth for a network interface completed with one or more errors.
    • 7327 – Error estimated bandwidth event: Estimating the bandwidth for a network interface did not complete.

Network information event

  • After the estimated bandwidth speed is determined, the Group Policy service determines whether the speed is slow or fast. The recorded event includes the following three pieces of information:
    • Whether the connection is a fast or slow link.
    • The estimated bandwidth value, measured in Kbps.
    • The slow link bandwidth threshold, also measured in Kbps.

This event will have the following event IDs associated with it:

  • 5314 – Success network information event: The Group Policy service successfully determined a slow or fast link.
  • 6314 – Warning network information event: The Group Policy service encountered one or more errors when determining a slow or fast link.
  • 7314 – Error network information event: The Group Policy service encountered an error when attempting to determine a slow or fast link.

Nonsystem GP Extension Discovery

Any third-party Group Policy extensions that need to process are also tracked. The Group Policy service runs in a separate service host process from nonsystem extensions (third-party extensions) for stability reasons. This information is reported under the following event and event IDs:

Operational information event

  • The following event IDs are associated with this event:
    • 5320 – Success operational information event: The event description provides information or describes a successful event.
    • 6320 – Warning operational information event: The event description provides information about a recent warning event.
    • 7320 – Error operational information event: The event description provides information about a recent error event.

Divide the Custom View of the Log into Three Phases: Processing

This phase uses the information gathered in the preprocessing phase to cycle through each Group Policy extension. It is the extension that applies policy settings to the user or computer. The Group Policy service passes all of the information gathered in the preprocessing phase to each of the system and nonsystem CSEs. You can clearly see the beginning of this phase in the Event Viewer by noting that the Group Policy service records the CSE processing start event of 4016, including a list of all GPOs that have settings for the associated CSE. Afterward, with the successful completion of the CSE processing event, the service records a final event ID of 5016. Each CSE that is processed has a beginning event and an ending event.

Divide the Custom View of the Log into Three Phases: Postprocessing

The postprocessing phase reports the end of the policy processing instance and records whether the instance ended successfully, was processed with warnings, or failed. Table 3 describes the event IDs associated with the events and the levels of success or failure of the event recorded.

Table 3. Postprocessing Event IDs

  Warning or Error Event ID   Failure Event ID   Successful Event ID   End Policy Processing Event
  -------------------------   ----------------   -------------------   ------------------------------
  6000                        7000               8000                  Computer end event
  6001                        7001               8001                  User end event
  6002                        7002               8002                  Computer network change event
  6003                        7003               8003                  User network change event
  6004                        7004               8004                  Computer manual refresh event
  6005                        7005               8005                  User manual refresh event
  6006                        7006               8006                  Computer periodic refresh event
  6007                        7007               8007                  User periodic refresh event
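With all three phases defined, one processing instance can be reconstructed from the log as a timeline. The following PowerShell is an added example, not code from the original article: it selects every event stamped with one ActivityID (the same XPath can be pasted into the XML tab of an Event Viewer custom view) and tags each event with its phase and, for the preprocessing phase, the subset it belongs to, using the event-ID ranges this section lists. The ActivityId value is a placeholder to be replaced with one copied from a start event (4000-4007) on the affected computer.

```powershell
# Added example, not code from the original article: show one Group Policy
# processing instance as a timeline and tag every event with its phase and
# the preprocessing subset it belongs to, using the event-ID ranges described
# in this section. The ActivityId is a placeholder; copy the real one from a
# start event (4000-4007) on the affected computer.
$log        = 'Microsoft-Windows-GroupPolicy/Operational'
$activityId = '{00000000-0000-0000-0000-000000000000}'   # placeholder, replace

# The same XPath can be pasted into the XML tab of an Event Viewer custom view.
$xpath  = "*[System[Correlation[@ActivityID='$activityId']]]"
$events = Get-WinEvent -LogName $log -FilterXPath $xpath -ErrorAction Stop | Sort-Object TimeCreated

# Last three digits identify the subset, the thousands digit the outcome
$subset = @{
    320 = 'interaction / operational information'
    17  = 'system call trace'
    308 = 'DC discovery interaction'
    326 = 'DC discovery end'
    309 = 'computer information'
    310 = 'security principal information'
    311 = 'loopback processing mode'
    312 = 'applied GPO list'
    313 = 'filtered GPO list'
    327 = 'estimated bandwidth'
    314 = 'network information'
}
$outcome = @{ 4 = 'start'; 5 = 'success'; 6 = 'warning'; 7 = 'error'; 8 = 'success' }

function Get-GpTag([int]$id) {
    $kind  = [int][math]::Floor($id / 1000)
    $rest  = $id % 1000
    $state = if ($outcome.ContainsKey($kind)) { $outcome[$kind] } else { '?' }
    if ($rest -le 7) {            # 4000-4007 start, 6000-8007 end events
        $phase = if ($kind -eq 4) { 'preprocessing' } else { 'postprocessing' }
        return "$phase/$state"
    }
    if ($rest -eq 16) { return "processing/$state CSE" }   # 4016 start, 5016 end
    $name = if ($subset.ContainsKey($rest)) { $subset[$rest] } else { 'other' }
    return "preprocessing/$state $name"
}

$events | ForEach-Object {
    [pscustomobject]@{
        Time = $_.TimeCreated.ToString('HH:mm:ss.fff')
        Id   = $_.Id
        Tag  = Get-GpTag $_.Id
        Text = ($_.Message -split "`r?`n")[0]
    }
} | Format-Table -AutoSize -Wrap
```

Reading the output top to bottom shows exactly where the instance stopped producing success events, which is the point at which to start the investigation described in the next sections.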

Associate All Starting Events with the Correct Ending Event

Each phase and each subset of the phases has a starting and ending event pair. This is extremely useful in troubleshooting, because it allows you to more narrowly identify where problems are occurring. If a pair of events or subevents has only success events, it is unlikely that the event pair is causing any problems with Group Policy processing.
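The start/end pairing described here, and the start events of Table 1 and end events of Table 3 it relies on, can be checked for every instance in the log at once. The following PowerShell is an added example, not code from the original article: it groups the start (4000-4007) and end (6000-6007, 7000-7007, 8000-8007) events by ActivityId, pairs each start with its end, and reports the outcome and duration of each instance. It assumes only the Group Policy Operational log name and the ID ranges given above.

```powershell
# Added example, not code from the original article: pair each Group Policy
# processing instance's start event (4000-4007) with its end event
# (8000-8007 success, 6000-6007 warning, 7000-7007 error). Every event of one
# instance carries the same ActivityId, and the last three digits of the end
# event match those of its start event (4001 user logon -> 8001 user end).
$log    = 'Microsoft-Windows-GroupPolicy/Operational'
$ids    = (4000..4007) + (6000..6007) + (7000..7007) + (8000..8007)
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = $ids } -ErrorAction Stop

$instances = $events | Group-Object ActivityId | ForEach-Object {
    $start = $_.Group | Where-Object { $_.Id -lt 5000 } | Sort-Object TimeCreated | Select-Object -First 1
    $end   = $_.Group | Where-Object { $_.Id -ge 6000 } | Sort-Object TimeCreated | Select-Object -Last 1
    if (-not $start) { return }   # end event whose start has already rolled out of the log

    $outcome = if (-not $end)            { 'no end event recorded' }
               elseif ($end.Id -ge 8000) { 'success' }
               elseif ($end.Id -ge 7000) { 'error' }
               else                      { 'warning' }

    [pscustomobject]@{
        ActivityId = $_.Name
        Started    = $start.TimeCreated
        StartId    = $start.Id
        EndId      = if ($end) { $end.Id } else { $null }
        Matched    = if ($end) { ($end.Id % 1000) -eq ($start.Id % 1000) } else { $false }
        Outcome    = $outcome
        Duration   = if ($end) { $end.TimeCreated - $start.TimeCreated } else { $null }
    }
}

# Instances that did not end in success are the ones to open first
$instances | Sort-Object Started -Descending | Format-Table -AutoSize
```

An instance with no end event recorded, or whose Matched column is false, is worth a closer look even if no error event was logged: it indicates that processing did not finish the way it started.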

Investigate All Errors, Warnings, and Failures

Focus carefully on the errors, warnings, and failures that are logged in the events. These are the events most likely to be behind problems with the application of Group Policy.

Isolate the Event Causing the Problem

After you determine the initial problem from the preceding steps, address it without concern for other errors that might be occurring. Group Policy application can often have a “trickling” effect on other areas of the processing. If too many problems are handled at one time, more problems can arise. Also, avoid spending time trying to fix a problem that may be a by-product of the original problem.

Run GPUpdate on the Computer with the Group Policy Problem

To determine whether Group Policy processing is fully functional after an error has been fixed, you can run GPUpdate to learn whether a new instance of the Group Policy processing causes any issues. If only successful events are logged and the behavior of the computer is as desired, the problem is fixed. If problems still exist, repeat the steps in this section until all errors and problems are resolved.