Troubleshooting Group Policy Using Event Logs
Group Policy Event Log Improvements
Windows Vista provides a new centralized event logging system and Event Viewer. Features such as cross-log querying, scheduled task integration, and page support in filtered views make the Event Viewer the ideal tool to view the health of the computer and the health of Group Policy.
Earlier instances of Group Policy used the event source name "Userenv". Earlier versions of Windows shared this source name with other components. This made it difficult to identify events specific to Group Policy. Also, when troubleshooting, the information provided by Group Policy events added little value.
In Windows Vista, Group Policy writes all event and logging information to the Event Viewer and uses a source name of "Group Policy." This makes it easier to locate events relevant to Group Policy. Additional improvements were made by updating the details of each event. These improvements include better explanations of the event in the event description, possible causes, and suggested followup actions. You can locate Group Policy events in the System event log and the Group Policy operational event log.
How to Start the Event Viewer
System event log
You use the System event log to view events logged by Windows and Windows Services. Windows categorizes these events as error, warnings, and informational events. The Group Policy service logs administrative events in the System log. Administrative events help you determine the initial state of Group Policy processing. These events appeared in the Application log on earlier versions of Windows.
To start Event Viewer
1. Click Start.
2. Click Control Panel.
3. Click System and Maintenance.
4. Click Administrative Tools.
5. Double-click Event Viewer.
Group Policy operational log
The Group Policy operational log provides you a view of the work the Group Policy service performs before and during Group Policy processing. Earlier versions of Windows provided this same functionality by using userenv logging. However, other Windows components shared this log file, which filled it with information unrelated to Group Policy. Additionally, entries found in userenv log files were ambiguous, confusing, and usually required an advanced technical understanding of Group Policy. The Group Policy operational log replaces the userenv log file and provides more comprehensive and detailed event descriptions than its predecessor.
To view the Group Policy operational log
1. Start the Event Viewer.
2. Click the arrow next to Applications and Services Logs.
3. Click the arrow next to Microsoft, and then Windows, and then Group Policy.
4. Click Operational.
Troubleshooting Group Policy Using Event Logs
Using the Event Viewer
You can use the Event Viewer to isolate the cause of most Group Policy failures. Windows Vista provides a new user interface for the Event Viewer. You should familiarize yourself with the new Event Viewer and where you locate information related to Group Policy processing. The following section shows you the location of information you will use when troubleshooting Group Policy.
General tab
Figure 1 The General tab of a Group Policy event as seen using the Event Viewer
Description: Contains text that describes the logged event. Group Policy events usually contain information describing the events, possible reasons why the event occurred, and suggested followup actions.
Source: The name of the software that logs the event. Group Policy events always use the source of "GroupPolicy."
Event ID: A numerical ID representing the type of event logged. Administrative events in the System event log and the Group Policy operational event log use event IDs. You can find more information about specific Group Policy events and event IDs in the appendices of this document.
Level: Classifies the severity of an event. Group Policy events use Error, Informational, and Warning event levels.
User: The name of the user account that triggered the logged event. The Group Policy service uses the name SYSTEM for recording events related to computer policy processing. User policy processing events use the name of the user who is processing policy.
Logged: The date and local time when the event logging system logged the event. Group Policy in Windows Vista has the opportunity to refresh more often. When troubleshooting Group Policy, make sure the events you are viewing match the time of the reported problem.
Computer: The name of the computer on which the event occurred.
More Information: A hyperlink to the Microsoft TechNet Web site. Clicking this link provides you with information about the event, possible causes for the event, and suggestions that may resolve the issue, if the event is a warning or error.
Details tab
The Event Logging system in Windows Vista records each event using XML. This allows the Group Policy service to record additional information about each event. This information is useful for troubleshooting Group Policy; however, you cannot see the information from the General tab. Therefore, you use the Details tab to view the additional information. The Details tab provides two views to this data: XML view and Friendly view. The XML view displays the additional event data in raw XML and is difficult to read. The Friendly view displays this same data in an expandable, easy to read, hierarchical view. You will use the Friendly view when you need to view this additional data.
System and EventData nodes
The Friendly view of an event message has two nodes: System and EventData. The Group Policy service writes information in both nodes. The following section describes important fields included in the Friendly view that you use when troubleshooting Group Policy.
Figure 2 The Details tab of a Group Policy event as seen using the Event Viewer
System\Correlation:ActivityID
The ActivityID represents one instance of Group Policy processing. The Group Policy service creates a unique ActivityID each time Group Policy refreshes. For example, a computer processes Group Policy during startup. At that time, the Group Policy service assigns that instance of processing an ActivityID. Further events logged during that instance use the same ActivityID until that instance of Group Policy processing completes (Group Policy processing completes when the process ends either successfully or with errors). Users process Group Policy during the logon process. Again, the Group Policy service assigns a unique ActivityID to that instance of Group Policy processing and uses it until processing completes. This behavior repeats for each new instance of Group Policy processing, which includes automatic and forced Group Policy refreshes. You can view this value on all Group Policy events.
EventData\PolicyActivityID
This is the same value as the System\Correlation:ActivityID. The Group Policy service uses this value to identify an instance of Group Policy processing. You can view this value in policy start events (4000–4007).
EventData\PrincipalSamName
This value contains the name of the security principal to which the Group Policy service applies, the name of the computer during computer policy processing, and the name of the user during user policy processing. The event displays the format as domainname\computer or domainname\user. This information appears in policy start events (4000–4007), next policy application events (5315), policy end events (8000–8007), and scripts processing start and end events (4018, 5018).
EventData\IsDomainJoined
This value is True when the computer is a member of a domain and False when not. You can view this value on policy start events (4000–4007).
EventData\IsBackgroundProcessing
This value is True when the Group Policy service applies policy settings in the background. Otherwise, this value is False. When this value and the IsAsyncProcessing are False, then the Group Policy service applies policy settings synchronously in the foreground. You can view this value on policy start events (4000–4007).
EventData\IsAsyncProcessing
This value is True when the Group Policy service applies policy settings asynchronously in the foreground. Otherwise, this value is False. When this value and the IsBackgroundProcessing are False, then the Group Policy service applies policy settings synchronously in the foreground. You can view this value on policy start events (4000–4007).
EventData\PolicyApplicationMode
The Group Policy service records the type of Group Policy processing in the PolicyApplicationMode field. The PolicyApplicationMode field is one of three values. Those values are:
Value | Explanation |
---|---|
0 | Background processing: The instance of Group Policy processing occurring after the initial instance of Group Policy processing. Background processing occurs when the Group Policy service refreshes. For example, the Group Policy service periodically refreshes Group Policy every 90 minutes. |
1 | Synchronous Foreground processing: Foreground processing is the instance of policy processing that occurs at computer startup and user logon. Synchronous foreground processing is when the processing of computer Group Policy must complete before Windows displays the logon dialog box, and user Group Policy processing, which happens during user logon, must complete before Windows displays the user's desktop. |
2 | Asynchronous Foreground processing: Asynchronous Foreground processing is the instance of Group Policy processing that occurs at computer startup and user logon. However, Windows does not wait for computer Group Policy processing to complete before displaying the logon dialog box. Additionally, Windows does not wait for user Group Policy processing to complete before displaying the user's desktop. |
EventData\PolicyProcessingMode
You use the PolicyProcessingMode field to determine the presence of loopback processing and whether loopback processing is in Merge or Replace mode.
Value | Explanation |
---|---|
0 | Normal Processing mode: Loopback is not enabled. |
1 | Loopback Merge mode: Loopback processing is enabled. The Group Policy service merges user settings within the scope of the computer with user settings within the scope of the user. |
2 | Loopback Replace mode: Loopback processing is enabled. The Group Policy service replaces user settings within the scope of the user with user settings within the scope of the computer. |
EventData\ProcessingTimeInMilliseconds
You use the ProcessingTimeInMilliseconds field to determine the amount of time, in milliseconds, the described event used to complete the operation.
Note
1 millisecond is 1/1000 of a second. To determine the number of elapsed seconds, divide the value in ProcessingTimeInMilliseconds by 1000. For example, a ProcessingTimeInMilliseconds value of 12,747 equates to 12.74 seconds.
EventData\DCName
The Group Policy service records the name of a domain controller in the DCName field. The name found in this field is the domain controller the Group Policy service uses when communicating with Active Directory.
EventData\ErrorCode and EventData\ErrorDescription
These two fields appear only on error events. The ErrorCode field provides a value, represented as a decimal, that the described event encountered. The ErrorDescription field provides a short description of the ErrorCode value.
Where to start
The improvements made in the Group Policy service make troubleshooting more methodical than in earlier versions. If you are experiencing problems with Group Policy on Windows Vista, start troubleshooting by using these steps.
Using the System event log to troubleshoot Group Policy
· Start troubleshooting Group Policy by using the System event log. The Group Policy service writes administrative events to the System event logs. The status of the Group Policy service is indicated by:
· An informational event: The Group Policy service is functioning properly.
· A warning event: The Group Policy service is functioning properly, but other dependencies may have failed.
· An error event: The Group Policy service has failed.
Read the event description when you encounter these events. In most cases, the event description provides you with information about the event, what may cause the event, and followup suggestions.
· Click the More Information link. If you need more help with troubleshooting the problem, then click the More Information link. This link connects you to the Microsoft TechNet Troubleshooting Web site and provides information specific to the event. The link also provides basic information you can use to help diagnose and resolve the event.
· Read the Group Policy operational event log. The Group Policy service depends on other components for it to operate properly. Many times, problems with dependent components appear as Group Policy events in the System event log. These situations require you to review the sequence of policy application for the user or computer using the Group Policy operational event log. Use the set of procedures in the next section, "Troubleshooting using the Group Policy operational log."
Troubleshooting using the Group Policy operational log
Determine the instance of Group Policy processing
Before you view the Group Policy operational log, you must first determine the instance of Group Policy processing that failed.
How to determine an instance of Group Policy processing
To determine an instance of Group Policy processing
1. Start the Event Viewer.
2. Under Event Viewer (Local), click to expand Windows Logs, and then click System.
3. Double-click the Group Policy warning or error event you want to troubleshoot.
4. Click the Details tab, and then click Friendly view. Click System to expand the System node.
5. Find the ActivityID in the System node details. You use this value (without the opening and closing braces) in your query. Copy this value to Notepad, so it is available to you later. Click Close.
Create a custom view of a Group Policy instance
A computer often has more than one instance of Group Policy processing. Computers dedicated to running Terminal Services usually have more than one instance of Group Policy processing operating simultaneously. Therefore, it is important to filter the Group Policy operational event log to show only events for the instance you are troubleshooting.
Use the following procedure to create a custom view of a Group Policy instance. You do this by using an Event Viewer query. This query creates a filtered view of the Group Policy operational log for a specific instance of Group Policy processing.
To create a custom view of a Group Policy instance
1. Start the Event Viewer.
2. Right-click Custom Views, and then click Create Custom Views.
3. Click the XML tab, and then select the Edit query manually check box. The Event Viewer displays a dialog box that explains editing a query manually prevents you from modifying the query using the Filter tab. Click Yes.
4. Copy the Event Viewer query (provided at the end of this step) to the clipboard. Paste the query into the Query box.
   <QueryList><Query Id="0" Path="Application"><Select Path="Microsoft-Windows-GroupPolicy/Operational">*[System/Correlation/@ActivityID='{INSERT ACTIVITY ID HERE}']</Select></Query></QueryList>
5. Copy the ActivityID you previously saved from the To Determine an instance of Group Policy processing procedure to the clipboard. In the Query box, highlight "INSERT ACTIVITY ID HERE" and then press CTRL+V to paste the ActivityID over the text.
   Note: Be sure not to paste over the leading and trailing braces ({ }). You must include these braces for your query to work properly.
6. In the Save Filter to Custom View dialog box, type a name and description meaningful to the view you created. Click OK.
7. The name of the saved view appears under Custom Views. Click the name of the saved view to display its events in the Event Viewer.
Important
Remember, the Group Policy service assigns a unique ActivityID for each instance of policy processing. For example, the Group Policy service assigns a unique ActivityID when user policy processing occurs during user logon. When Group Policy refreshes, the Group Policy service assigns another unique ActivityID to the instance of Group Policy responsible for refreshing user policy.
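The following is an added example, not part of the original document: it fills the custom-view query with a validated ActivityID (restoring the braces if they were dropped), selects one processing instance from exported event XML, and decodes the EventData fields described earlier. The `<Events>` wrapper, the sample events, and the helper names are constructed for illustration, and the `Data` names are assumed to match the field names used on this page.

```python
import uuid
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Value tables as given on this page.
APPLICATION_MODE = {0: "Background", 1: "Synchronous foreground",
                    2: "Asynchronous foreground"}
PROCESSING_MODE = {0: "Normal", 1: "Loopback Merge", 2: "Loopback Replace"}
# The custom-view query from the procedure above, with a slot for the ActivityID.
QUERY = ('<QueryList><Query Id="0" Path="Application">'
         '<Select Path="Microsoft-Windows-GroupPolicy/Operational">'
         "*[System/Correlation/@ActivityID='%s']</Select></Query></QueryList>")

# Constructed sample export: two events of one user-logon instance and one
# event of an unrelated computer-startup instance.
SAMPLE_EXPORT = r"""<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4001</EventID>
    <Correlation ActivityID="{6A64962C-6C32-4C8A-8E89-C53FB71A7A67}"/></System>
  <EventData>
    <Data Name="PrincipalSamName">CONTOSO\user</Data>
    <Data Name="IsBackgroundProcessing">false</Data>
    <Data Name="IsAsyncProcessing">false</Data>
    <Data Name="PolicyApplicationMode">1</Data>
    <Data Name="PolicyProcessingMode">2</Data>
  </EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>8001</EventID>
    <Correlation ActivityID="{6a64962c-6c32-4c8a-8e89-c53fb71a7a67}"/></System>
  <EventData><Data Name="ProcessingTimeInMilliseconds">12747</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4000</EventID>
    <Correlation ActivityID="{89824640-B13A-4C67-B2EE-9DEB948182F9}"/></System>
  <EventData><Data Name="PolicyApplicationMode">0</Data></EventData>
</Event>
</Events>"""


def normalize_activity_id(value):
    """Return the GUID upper-cased and wrapped in braces; ValueError if invalid."""
    return "{" + str(uuid.UUID(value.strip())).upper() + "}"


def build_query(activity_id):
    """Fill the page's query; braces are restored if the caller dropped them."""
    return QUERY % normalize_activity_id(activity_id)


def instance_events(xml_text, activity_id):
    """Return (event_id, event_data) for every event of one processing instance."""
    wanted = normalize_activity_id(activity_id)
    matches = []
    for event in ET.fromstring(xml_text).findall("e:Event", NS):
        corr = event.find("e:System/e:Correlation", NS)
        if corr is None or not corr.get("ActivityID"):
            continue  # event carries no correlation data
        if normalize_activity_id(corr.get("ActivityID")) != wanted:
            continue
        event_id = int(event.findtext("e:System/e:EventID", namespaces=NS))
        data = {d.get("Name"): (d.text or "")
                for d in event.findall("e:EventData/e:Data", NS)}
        matches.append((event_id, data))
    return matches


def _decode(table, raw):
    return "not recorded" if raw is None else table.get(int(raw), "unknown")


def summarize(xml_text, activity_id):
    """Merge the EventData of one instance and decode it with the tables above."""
    ids, fields = [], {}
    for event_id, data in instance_events(xml_text, activity_id):
        ids.append(event_id)
        fields.update(data)
    background = fields.get("IsBackgroundProcessing", "").lower() == "true"
    asynchronous = fields.get("IsAsyncProcessing", "").lower() == "true"
    # Both flags False means synchronous foreground processing.
    expected = 0 if background else 2 if asynchronous else 1
    mode = fields.get("PolicyApplicationMode")
    elapsed = fields.get("ProcessingTimeInMilliseconds")
    return {
        "event_ids": ids,
        "principal": fields.get("PrincipalSamName"),
        "application_mode": _decode(APPLICATION_MODE, mode),
        "processing_mode": _decode(PROCESSING_MODE,
                                   fields.get("PolicyProcessingMode")),
        "flags_match_mode": None if mode is None else int(mode) == expected,
        "seconds": None if not elapsed else int(elapsed) / 1000,
    }


if __name__ == "__main__":
    print(build_query("6A64962C-6C32-4C8A-8E89-C53FB71A7A67"))
    print(summarize(SAMPLE_EXPORT, "6A64962C-6C32-4C8A-8E89-C53FB71A7A67"))
```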
Reading the events
The Group Policy operational log has a range of event numbers dedicated to related events. The following table summarizes the range of events and their meanings.
Event ID Range | Description |
---|---|
4000–4007 | Group Policy start events: These informational events appear in the event log when an instance of Group Policy processing begins. |
4016–4299 | Component start events: These informational events appear in the event log when a component of Group Policy processing begins the task described in the event. |
5000–5299 | Component success events: These informational events appear in the event log when a component of Group Policy processing successfully completes the task described in the event. |
5300–5999 | Informative events: These informational events appear in the event log during the entire instance of Group Policy processing and provide additional information about the current instance. |
6000–6007 | Group Policy warning events: These warning events appear in the event log when an instance of Group Policy processing completes with errors. |
6017–6299 | Component warning events: These warning events appear in the event log when a component of Group Policy processing completes the task described in the event with errors. |
6300–6999 | Informative warning events: These warning events appear in the event log to provide additional information about possible error conditions with the action described in the event. |
7000–7007 | Group Policy error events: These error events appear in the event log when the instance of Group Policy processing does not complete. |
7017–7299 | Component error events: These error events appear in the event log when a component of Group Policy processing does not complete the task described in the event. |
7300–7999 | Informative error events: These error events appear in the event log to provide additional information about the error condition with the action described in the event. |
8000–8007 | Group Policy success events: These informational events appear in the event log when the instance of Group Policy completes successfully. |
Most of the events in the Group Policy operational log appear in pairs. For each start event, there is an end event. End events can be successful, warning, or error events. Usually these events share the last two digits in their event IDs. For example, a 4017 event appears in the event log, which represents a Group Policy component beginning a specific action. If the action completes successfully, then the Group Policy service records a 5017 event. If the action completes with errors or fails, then the Group Policy service records a 6017 or 7017 event, respectively. Policy processing events use the same numbering scheme for warning and error event messages, with the 8000–8007 range used for Group Policy success events. You can use these numbering patterns to quickly identify warning and failure events in the Group Policy operational log.
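The pairing scheme can be applied mechanically to a filtered view. The following added example (not part of the original document) pairs start and end events in log lines formatted like the examples in this document, measures the elapsed time of each pair, and reports warnings, errors, and start events that never received an end event. It assumes all lines fall on the same day and matches on the last three digits, which is what pairs such as 4017/5017 and 4000/8000 share; the sample lines are constructed, including the wording of the 7017 and 7326 messages.

```python
import re
from collections import defaultdict

# "HH:MM:SS.mmm <event id> <message>", the layout of the examples on this page.
LINE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3})\s+(\d{4})\s+(.*)$")

# Outcome by leading digit of the event ID: 4xxx events start an action,
# 5xxx and 8xxx report success, 6xxx a warning, 7xxx an error.
OUTCOME = {5: "success", 6: "warning", 7: "error", 8: "success"}

# Constructed sample: one instance whose LDAP bind fails and whose policy
# start event (4000) never receives an end event.
SAMPLE_LOG = r"""
12:41:16.472 4000 Starting computer boot policy processing for CONTOSO\MSTEPVISTA$.
12:41:16.632 5320 Attempting to retrieve the account information.
12:41:16.632 4017 Making system call to get account information.
12:41:17.022 5017 The system call to get account information completed.
12:41:17.022 4326 Group Policy is trying to discover the Domain Controller information.
12:41:17.022 5320 Retrieving Domain Controller details.
12:41:19.206 4017 Making LDAP calls to connect and bind to Active Directory.
12:41:19.376 7017 The LDAP call to connect and bind to Active Directory failed.
12:41:19.376 7326 Group Policy failed to discover the Domain Controller.
"""


def parse(text):
    """Return (milliseconds since midnight, event id, message) per log line."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank or continuation line
        h, mi, s, ms = (int(x) for x in m.group(1, 2, 3, 4))
        stamp = ((h * 60 + mi) * 60 + s) * 1000 + ms
        events.append((stamp, int(m.group(5)), m.group(6)))
    return events


def analyze(text):
    """Pair start and end events and collect what needs attention."""
    open_starts = defaultdict(list)  # last three digits -> stack of open starts
    report = {"pairs": [], "standalone": [], "unfinished": [], "problems": []}
    for stamp, event_id, message in parse(text):
        family, suffix = divmod(event_id, 1000)
        if family == 4:
            open_starts[suffix].append((stamp, event_id))
            continue
        outcome = OUTCOME.get(family)
        if outcome is None:
            continue  # not a Group Policy operational event ID
        if open_starts[suffix]:
            started, start_id = open_starts[suffix].pop()
            report["pairs"].append((start_id, event_id, outcome, stamp - started))
        else:
            # Interaction events such as 5320 have no 4xxx start event.
            report["standalone"].append(event_id)
        if outcome != "success":
            report["problems"].append((event_id, message))
    for stack in open_starts.values():
        report["unfinished"].extend(event_id for _, event_id in stack)
    report["unfinished"].sort()
    return report


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for start_id, end_id, outcome, elapsed in result["pairs"]:
        print(f"{start_id} -> {end_id}  {outcome:8} {elapsed} ms")
    print("no end event:", result["unfinished"])
    print("problems:", result["problems"])
```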
Analyzing events in the Event Viewer
The best way to troubleshoot Group Policy processing is to break the process down into three phases. Within each phase of the process is a subset of processing scenarios. When processing Group Policy, the Group Policy service iterates through each scenario as it transitions to each phase. The phases of Group Policy processing are:
· Preprocessing phase: Indicates the beginning instance of Group Policy processing and gathers information required to process Group Policy.
· Processing phase: Uses the information gathered in the preprocessing phase to cycle through each Group Policy extension, which applies policy settings to the user or computer.
· Post-processing phase: Reports the end of the policy processing instance and records if the instance ended successfully, was processed with warnings, or failed.
This section provides information about each phase of Group Policy processing and the processing scenarios included in each phase.
Preprocessing phase
An instance of Group Policy processing starts with the pre-processing phase. This introductory phase is where the Group Policy service collects the required information to process Group Policy. The service collects this data using processing scenarios, which are small subsets of policy processing within a given phase of policy processing. The processing scenarios included in the preprocessing phase are:
· Retrieve account information
· Security principal discovery
· Loopback processing mode discovery
· Nonsystem GP Extension discovery
Scenario: Start policy processing
Windows Vista creates an instance of Group Policy processing during startup, user logon, periodic and manual refreshes, and changes to network interfaces. Each instance of Group Policy begins with a Group Policy processing start event. This is an informational event with an event ID ranging from 4000–4007. The following table lists the different types of Group Policy processing start events.
Event ID | Start event type |
---|---|
4000 | Computer startup |
4001 | User logon |
4002 | Computer network change |
4003 | User network change |
4004 | Computer manual refresh |
4005 | User manual refresh |
4006 | Computer periodic refresh |
4007 | User periodic refresh |
The Group Policy service records an event between 4000–4007 in the Group Policy operational log when an instance of Group Policy begins. Also included in the event is the ActivityID that identifies the instance of Group Policy processing. The following are examples of the start policy processing scenario.
12:41:16.472 4000 Starting computer boot policy processing for CONTOSO\MSTEPVISTA$.
ActivityID: {89824640-B13A-4C67-B2EE-9DEB948182F9}
14:15:55.708 4001 Starting user logon Policy processing for CONTOSO\user.
ActivityID: {6A64962C-6C32-4C8A-8E89-C53FB71A7A67}
Scenario: Retrieve account information
The Group Policy service must retrieve the location of the user or computer object in Active Directory before it can apply Group Policy. The GPO discovery scenario uses this information to determine which Group Policy objects are within scope for the given user or computer. The retrieve account information scenario includes the following events:
Event ID 5320: Informational/successful interaction event
The Group Policy service writes this event to record information about an imminent interaction with a dependent component or a successful interaction with a dependent component. It is normal for this event to appear multiple times in the operational log. One of three different events may follow when the Group Policy service uses this event to describe an imminent interaction:
Event ID | Explanation |
---|---|
5320 | Success interaction event: The interaction described in the event completed successfully. |
6320 | Warning interaction event: The interaction described in the event completed with one or more errors. |
7320 | Error interaction event: The interaction described in the event failed to complete. |
The following example shows the event 5320 used as an informational event in the retrieve account information scenario.
12:41:16.632 5320 Attempting to retrieve the account information.
Event ID 4017: Start-trace component event
The Group Policy service records this event before making a system call. Often, the Group Policy service must use another function of Windows to gather information required to process Group Policy. When a component of Windows asks another component of Windows to perform some specific work and return the information, it is referred to as a system call. The Group Policy service performs system calls throughout an instance of Group Policy processing. Therefore, it is normal for these events to appear multiple times in the operational log.
Event ID 4017, sometimes called the "trace" event, represents the beginning of a system call. Each 4017 event must have a corresponding end event. The Group Policy service records one of the following end-trace events.
Event ID | Explanation |
---|---|
5017 | Success end-trace event: The system call described in the event completed successfully. |
6017 | Warning end-trace event: The system call described in the event completed with one or more errors. |
7017 | Error end-trace event: The system call described in the event failed to complete. |
All end-trace events contain the elapsed time used by the system call. Warning and failed end-trace events contain error information in the Details tab. The following is an example of a start-trace event and successful end-trace event, both of which occur during the retrieve account information scenario.
2006-09-14 12:41:16.632 4017 Making system call to get account information.
2006-09-14 12:41:17.022 5017 The system call to get account information completed.
CN=MSTEPVISTA,CN=Computers,DC=contoso,DC=com The call completed in 390 milliseconds.
Note
Most ending events, regardless of success, warning, or error, display the amount of elapsed time, in milliseconds, from the start event. For example, end events for policy processing (event IDs 8000–8007) display how long it took the Group Policy service to process Group Policy. Trace events (events ending in 017) display elapsed time used to perform the system call. You can use these values to determine if Group Policy processing is delaying computer startup or user logon.
Scenario: Domain controller discovery
The Group Policy service reads Group Policy objects from Active Directory. Therefore, the service must discover a domain controller.
Event ID 4326: Domain controller discovery start event
This event marks the beginning of the domain controller (DC) discovery scenario and is followed by event ID 5320, which is used to record information about the Group Policy service interacting with other portions of the operating system.
12:41:17.022 4326 Group Policy is trying to discover the Domain Controller information.
12:41:17.022 5320 Retrieving Domain Controller details.
The DC discovery process continues by recording a start-trace event, which includes the name of the discovered domain controller the Group Policy service uses to retrieve domain controller information, and corresponding end-trace event.
Event ID | Explanation |
---|---|
5017 | Success end-trace event: The system call described in the event completed successfully. |
6017 | Warning end-trace event: The system call described in the event completed with one or more errors. |
7017 | Error end-trace event: The system call described in the event failed to complete. |
12:41:19.376 5017 The LDAP call to connect and bind to Active Directory completed. hq-con-srv-01.contoso.com The call completed after 171 milliseconds.
Next, the Group Policy service records the DC discovery end event.
Event ID 5308: DC discovery interaction event
The Group Policy service records the DC discovery interaction event to report the result of a specific interaction that occurred during the DC discovery scenario. Interaction events report the results of the interaction with a success, warning, or failure event. Also, each event includes additional information related to the reported result.
Event | Explanation |
---|---|
5308 | Success DC interaction event: The interaction described in the paragraph before this table has completed successfully. |
6308 | Warning DC interaction event: The interaction described in the paragraph before this table has completed with one or more errors. |
7308 | Error DC interaction event: The interaction described in the paragraph before this table did not complete. |
A successful DC interaction event contains information returned from the domain controller. This information includes the universal naming convention (UNC) path and IP address of the contacted domain controller. Warning and failure interaction events contain the return error code in the description. You can view a description of the error on the Details tab.
Note
It is common to see a start-trace event and end trace event before a DC discovery interaction event. Also, the end-trace event and the DC discovery interaction event usually start with the same number. For example, the first digit in a successful end-trace event is the number five; therefore, the first digit of the DC discovery interaction event is also a five. The following is an example of a successful DC discovery interaction event, which occurs during the Domain controller discovery scenario.
12:41:19.376 5308 Domain Controller details: Domain Controller Name: \\hq-con-srv-01.contoso.com Domain Controller IP Address : \\192.168.0.1
Event ID 5326: Domain controller discovery end event
Domain controller discovery completes when the Group Policy service records the DC discovery end event. This event reports the result of the Group Policy service's attempt to discover a domain controller. And, just like most of the other events, the DC discovery event has three statuses: success, warning, and error.
Event ID | Explanation |
---|---|
5326 | Success DC discovery end event: The process of discovering a domain controller completed successfully. |
6326 | Warning DC discovery end event: The process of discovering a domain controller completed with one or more errors. |
7326 | Error DC discovery end event: The process of discovering a domain controller did not complete. |
All of these event IDs report the elapsed time used to discover a domain controller. The following is an example of a complete DC discovery scenario.
12:41:17.022 4326 Group Policy is trying to discover the Domain Controller information.
12:41:17.022 5320 Retrieving Domain Controller details.
12:41:19.206 4017 Making LDAP calls to connect and bind to Active Directory. hq-con-srv-01.contoso.com
12:41:19.376 5017 The LDAP call to connect and bind to Active Directory completed. hq-con-srv-01.contoso.com The call completed after 171 milliseconds.
12:41:19.376 5308 Domain Controller details: Domain Controller Name : \\hq-con-srv-01.contoso.com Domain Controller IP Address : \\192.168.0.1
12:41:19.376 5326 Group Policy successfully discovered the Domain Controller in 2354 milliseconds.
Scenario: Computer role discovery
In this scenario, the Group Policy service detects the role of the computer. The computer role determines if the current computer is a standalone workstation or server; domain member computer, which supports directory services; domain controller; or domain member computer, which does not support directory services. The Group Policy service requires this information to apply Group Policy based on the computer's role.
Event ID 5309: Computer information event
The Group Policy service records this interaction event after an attempt to determine the role of the current computer.
Event ID | Explanation |
---|---|
5309 | Success computer information event: The discovery of computer information completed successfully. |
6309 | Warning computer information event: The discovery of computer information completed with one or more errors. |
7309 | Error computer information event: The discovery of computer information did not complete. |
Completed computer information events provide the role of the computer and the name of the network. The event displays the computer role as a numerical value. You can use the following table to determine the role of the computer.
Value | Explanation |
---|---|
0 | The current computer is not a member of a domain and is a standalone workstation or server. |
1 | The current computer is a member of a domain that does not support directory services. |
2 | The current computer is a member of a domain that supports directory services. |
3 | The current computer is a domain controller. |
The following is example output of the computer role discovery scenario.
12:41:19.416 5309 Computer details: Computer role : 2 Network name :
Scenario: Security principal discovery
The Group Policy service applies Group Policy to computers and users. Computers and users are two examples of security principals, which are entities recognized by the Windows security system. The Group Policy service must discover whether the current security principal is a user or a computer in order to apply the correct policy settings.
Event ID 5310: Security principal information event
The Group Policy service records this interaction event after its attempt to retrieve information about the current security principal, which is a computer or user.
Event ID | Explanation |
---|---|
5310 | Success security principal information event: Discovering information about the current security principal completed successfully. |
6310 | Warning security principal information event: Discovering information about the current security principal completed with one or more errors. |
7310 | Error security principal information event: Discovering information about the current security principal did not complete. |
The success and warning versions of the security principal information event contain information about the security principal, such as:
· Distinguished name of the account.
· Name of the domain where the account is located.
· Name of the domain controller used to determine the account information.
· Name of the domain where the domain controller resides.
The following is example output of the security principal discovery scenario.
12:41:19.416 5310 Account details: Account Name:CN=MSTEPVISTA,CN=Computers,DC=contoso,DC=com Account Domain Name : contoso.com DC Name : \\hq-con-srv-01.contoso.com DC Domain Name : contoso.com
Scenario: Loopback processing mode discovery
Group Policy loopback processing changes how the Group Policy service applies user policies. Typically, the Group Policy service reads Group Policy objects within the scope of the user object to determine user policy settings. Depending on the mode, loopback processing merges or replaces the user policy settings with user policy settings included in Group Policy objects within the scope of the computer object.
Event ID 5311: Loopback processing mode event
The Group Policy service records this interaction event after it has determined the loopback processing mode.
Event ID | Explanation |
---|---|
5311 | Success loopback processing mode event: Determining the loopback processing mode completed. |
6311 | Warning loopback processing mode event: Determining the loopback processing mode completed with one or more errors. |
7311 | Error loopback processing mode event: Determining the loopback processing mode did not complete. |
The event description includes quoted text that identifies the loopback processing mode.
· No loopback mode: Loopback processing is not enabled.
· Merge: Loopback processing is enabled. The Group Policy service merges user settings within the scope of the computer with user settings within the scope of the user.
· Replace: Loopback processing is enabled. The Group Policy service replaces user settings within the scope of the user with user settings from the scope of the computer.
The following is example output of the loopback processing mode discovery scenario.
12:41:19.486 5311 The loopback policy processing mode is "No loopback mode".
Scenario: GPO discovery
The Group Policy service discovers a list of Group Policy objects applicable to the computer or user. When the service has the list, it checks the accessibility of each Group Policy object by reading the gpt.ini file located on the system volume of the previously discovered domain controller. The Group Policy service records this activity with a series of start and end-trace events (event ID 4017). You can use the corresponding end-trace event to determine the success or failure of each attempt to read the gpt.ini file.
Event ID | Explanation |
---|---|
5017 | Success end-trace event: The system call described in the event completed successfully. |
6017 | Warning end-trace event: The system call described in the event completed with one or more errors. |
7017 | Error end-trace event: The system call described in the event failed to complete. |
The following is example output of the start-trace events and end-trace events included in the GPO discovery scenario.
12:41:19.636 4017 Making system calls to access specified file. \\contoso.com\SysVol\contoso.com\Policies\{9F1DE622-0635-4F10-8A0B-4AEAEB5C3B79}\gpt.ini
12:41:20.307 5017 The system calls to access specified file completed. \\contoso.com\SysVol\contoso.com\Policies\{9F1DE622-0635-4F10-8A0B-4AEAEB5C3B79}\gpt.ini The call completed in 671 milliseconds.
The Group Policy service continues the GPO discovery process by recording the applied GPO discovery list event.
Event ID 5312: Applied GPO list event
The Group Policy service records this event after it checks each Group Policy object's gpt.ini file. The details of the event include the names of Group Policy objects applicable to the computer or user.
Event ID | Explanation |
---|---|
5312 | Success applied GPO list event: The discovery of applicable Group Policy objects completed successfully. |
6312 | Warning applied GPO list event: The discovery of applicable Group Policy objects completed with one or more errors. |
7312 | Error applied GPO list event: The discovery of applicable Group Policy objects did not complete. |
The following is example output of an applied GPO list event.
12:41:20.958 5312 List of applicable Group Policy objects: Removable Devices Policy
Power Management Policy
Folder Redirection Policy
Default Domain Policy
The Group Policy service concludes the GPO discovery scenario by recording the filtered GPO list event.
Event ID 5313: Filtered GPO list event
The Group Policy service records this event at the conclusion of the GPO discovery scenario. The details of the event include the names of filtered Group Policy objects. The Group Policy service does not apply these GPOs to the computer or user.
Event ID | Explanation |
---|---|
5313 | Success filtered GPO list event: The discovery of filtered Group Policy objects completed successfully. |
6313 | Warning filtered GPO list event: The discovery of filtered Group Policy objects completed with one or more errors. |
7313 | Error filtered GPO list event: The discovery of filtered Group Policy objects did not complete. |
The following is example output of the entire GPO discovery scenario.
12:41:19.636 4017 Making system calls to access specified file. \\contoso.com\SysVol\contoso.com\Policies\{9F1DE622-0635-4F10-8A0B-4AEAEB5C3B79}\gpt.ini
12:41:20.307 5017 The system calls to access specified file completed. \\contoso.com\SysVol\contoso.com\Policies\{9F1DE622-0635-4F10-8A0B-4AEAEB5C3B79}\gpt.ini The call completed in 671 milliseconds.
12:41:20.307 4017 Making system calls to access specified file. \\contoso.com\SysVol\contoso.com\Policies\{1AAEB8CD-E71C-4D7F-A658-A5331ED8FEF0}\gpt.ini
12:41:20.598 5017 The system calls to access specified file completed. \\contoso.com\SysVol\contoso.com\Policies\{1AAEB8CD-E71C-4D7F-A658-A5331ED8FEF0}\gpt.ini The call completed in 290 milliseconds.
12:41:20.598 4017 Making system calls to access specified file. \\contoso.com\SysVol\contoso.com\Policies\{898264CC-84A5-4A77-95F6-402B30778048}\gpt.ini
12:41:20.648 5017 The system calls to access specified file completed. \\contoso.com\SysVol\contoso.com\Policies\{898264CC-84A5-4A77-95F6-402B30778048}\gpt.ini The call completed in 51 milliseconds.
12:41:20.648 4017 Making system calls to access specified file. \\contoso.com\SysVol\contoso.com\Policies\{CBBCB787-7FE6-45B3-89D3-38D74D658BA3}\gpt.ini
12:41:20.668 5017 The system calls to access specified file completed. \\contoso.com\SysVol\contoso.com\Policies\{CBBCB787-7FE6-45B3-89D3-38D74D658BA3}\gpt.ini The call completed in 20 milliseconds.
12:41:20.668 4017 Making system calls to access specified file. \\contoso.com\sysvol\contoso.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini
12:41:20.848 5017 The system calls to access specified file completed. \\contoso.com\sysvol\contoso.com\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini The call completed in 180 milliseconds.
12:41:20.958 5312 List of applicable Group Policy objects: Removable Devices Policy
Power Management Policy
Folder Redirection Policy
Default Domain Policy
12:41:20.958 5313 The following Group Policy objects were not applicable because they were filtered out : Local Group Policy
Not Applied (Empty)
Shell Restriction Policy
Not Applied (Empty)
Scenario: Slow link detection
Several components of Group Policy rely on a fast network connection. However, sometimes a fast network connection is not available. The Group Policy service is responsible for detecting and estimating bandwidth between the computer and the domain controller. The Group Policy service compares the result of the estimated bandwidth to the slow link threshold (configured by Group Policy). A value below the threshold results in the Group Policy service flagging the network connection as a slow link.
The Group Policy service shares this information with each Group Policy client-side extension. Client-side extensions have a default behavior when they encounter a slow link. For example, the security client-side extension processes Group Policy settings, even when the network connection is slow. However, the folder redirection client-side extension does not process its Group Policy settings over a slow network connection.
Event ID 5327: Estimated bandwidth event
The Group Policy service records this event when it successfully estimates the network bandwidth of a network interface.
Event ID | Explanation |
---|---|
5327 | Success estimated bandwidth event: Estimating the bandwidth for a network interface completed successfully. |
6327 | Warning estimated bandwidth event: Estimating the bandwidth for a network interface completed with one or more errors. |
7327 | Error estimated bandwidth event: Estimating the bandwidth for a network interface did not complete. |
The Group Policy service includes the estimated bandwidth, measured in kilobits per second (Kbps), in success and warning events.
Important
The Group Policy service uses all enabled network interfaces to determine the estimated bandwidth. It is important to remember this when troubleshooting computers with multiple network interfaces.
The following is example output of a successful estimated bandwidth event.
12:41:22.991 5327 Estimated network bandwidth on one of the connections: 1408 kbps.
After estimating the network bandwidth, the Group Policy service records a Network information event.
Event ID 5314: Network information event
The Group Policy service records this event after it estimates the network bandwidth for the computer. Success and warning network information events include:
· The connection is a fast or slow link.
· The estimated bandwidth value, measured in Kbps.
· The slow link bandwidth threshold, also measured in Kbps.
Event ID | Explanation |
---|---|
5314 | Success network information event: The Group Policy service successfully determined a slow or fast link. |
6314 | Warning network information event: The Group Policy service encountered one or more errors when determining a slow or fast link. |
7314 | Error network information event: The Group Policy service encountered an error when attempting to determine a slow or fast link. |
The following is example output of the slow link detection scenario.
12:41:22.991 5327 Estimated network bandwidth on one of the connections: 1408 kbps.
12:41:22.991 5314 A fast link was detected. The Estimated bandwidth is 1408 kbps. The slow link threshold is 500 kbps.
Scenario: Nonsystem GP extension discovery
The Group Policy service runs in a shared service host process with other components included with Windows Vista. Running in this shared service host improves the service's performance. However, third-party developers can extend Group Policy by providing additional extensions, which are processed during Group Policy processing. The Group Policy service checks for non-system extensions during the pre-processing phase of Group Policy processing. When it detects non-system extensions, the service reconfigures itself to run in a separate service host process, also known as standalone mode.
The Group Policy service reports this information in the operational log using the operational information event.
Event ID 5320: Operational information event
The Group Policy service uses this event to display success information in the operational log. This event is not specific to any given phase or scenario within Group Policy processing. It is common for the event description to change for this event.
Event ID | Explanation |
---|---|
5320 | Success operational information event: The event description provides information or describes a successful event. |
6320 | Warning operational information event: The event description provides information about a recent warning event. |
7320 | Error operational information event: The event description provides information about a recent error event. |
The following is example output of the non-system extension discovery process.
12:41:28.058 5320 Checking for Group Policy client extensions that are not part of the system.
12:41:28.058 5320 Service configuration update to standalone is not required and will be skipped.
12:41:28.058 5320 Finished checking for non-system extensions.
Processing phase
The pre-processing phase of Group Policy processing collects information needed to process Group Policy settings. The next phase is the processing phase. In this phase, the Group Policy service uses the information it collected in the pre-processing phase to apply each policy setting. The service accomplishes this by passing the previously collected information to each of the system and nonsystem client-side extensions. This phase begins by recording a client-side extension (CSE) processing start event.
Event ID 4016: CSE processing start event
The Group Policy service records this event at the beginning of the processing phase. The Group Policy service records the name of the processing extension and a list of the applicable GPOs for the processing extension. This event, as do many other Group Policy events, has a corresponding end event. Each client-side extension reports to the Group Policy service when it finishes processing. At that time, the Group Policy service records the CSE processing end event.
Event ID 5016: CSE processing end event
The Group Policy service records this event when a client-side extension successfully completes its processing. The event description includes the name of the client-side extension and the amount of elapsed time (measured in milliseconds) the extension used for processing.
Event ID | Explanation |
---|---|
5016 | Success CSE processing end event: The processing of the described Group Policy client-side extension completed successfully. |
6016 | Warning CSE processing end event: The processing of the described Group Policy client-side extension completed with one or more errors. |
7016 | Error CSE processing end event: The processing of the described Group Policy client-side extension did not complete. |
The following is example output of CSE processing start and end events.
17:53:28.725 4016 Starting Registry Extension Processing.
List of applicable Group Policy objects: (Changes were detected.)
Removable Devices Policy
Power Management Policy
Default Domain Policy
17:53:37.912 5016 Completed Registry Extension Processing in 9188 milliseconds.
17:53:38.022 4016 Starting Scripts Extension Processing.
List of applicable Group Policy objects: (Changes were detected.)
User Logon Script Policy
17:53:38.537 5016 Completed Scripts Extension Processing in 516 milliseconds.
17:53:38.553 4016 Starting Security Extension Processing.
List of applicable Group Policy objects: (Changes were detected.)
Default Domain Policy
17:53:56.912 5016 Completed Security Extension Processing in 18359 milliseconds.
17:53:56.928 4016 Starting EFS recovery Extension Processing.
List of applicable Group Policy objects: (Changes were detected.)
EFS Recovery Agent Policy
17:53:57.365 5016 Completed EFS recovery Extension Processing in 437 milliseconds.
Post-processing phase
The post-processing phase completes an instance of Group Policy processing. The Group Policy service records a single event: the end policy processing event.
Event ID 8000: End policy processing event
This event identifies a successful completion of Group Policy processing for a computer. The Group Policy service reserves event IDs between 8000 and 8007 to indicate a particular type of Group Policy processing completed successfully.
Event ID | End policy processing event |
---|---|
8000 | Successful computer end event |
8001 | Successful user end event |
8002 | Successful computer network change event |
8003 | Successful user network change event |
8004 | Successful computer manual refresh event |
8005 | Successful user manual refresh event |
8006 | Successful computer periodic refresh event |
8007 | Successful user periodic refresh event |
Each end policy processing event has a corresponding warning and error event. These events follow the same pattern described throughout the document. The corresponding warning event ID begins with a 6, with the last three digits identical to those of the start policy processing event. The corresponding error event ID begins with a 7; likewise, the remaining digits match those of the start policy processing event. For example, the Group Policy service records a start policy processing event with the event ID 4003. The service records an end policy processing event with the event ID 8003 when the instance completes successfully. If the instance completes with errors or fails altogether, the service records an end policy processing event with event ID 6003 or event ID 7003, respectively.
The following is example output of a successful end policy processing event.
12:41:30.922 8000 Completed computer boot policy processing for CONTOSO\WKST007$ in 14 seconds.
Summary of policy processing
You can break an instance of Group Policy processing into three distinct parts: pre-processing, processing, and post-processing. During pre-processing, the Group Policy service collects information it needs for processing Group Policy settings. Next, the Group Policy service uses the information gathered during pre-processing and processes Group Policy settings. The service accomplishes this by sharing the previously collected data with each system and non-system client-side extension. Client-side extensions use this information to apply their individual policy settings and then return control to the Group Policy service. The service repeats this process until each client-side extension processes its portion of Group Policy. Post-processing is the final phase. During this phase, the Group Policy service reports the success or failure of the entire instance of Group Policy processing, along with the elapsed time the instance used.
Group Policy troubleshooting quick reference
1. Start by reading Group Policy events recorded in the System event log.
· Warning events provide further information for you to follow to ensure the Group Policy service remains healthy.
· Error events provide you with information that describes the failure and probable causes.
· Use the More Information link included in the event message. This link connects you to the Microsoft TechNet Troubleshooting Web site. This Web site provides you with known causes and resolution steps for the current event. Microsoft updates this information as it receives new information.
· Use the Details tab to view error codes and descriptions.
· Use the Group Policy operational log.
2. Use the Group Policy operational log.
· Identify the activity ID of the instance of Group Policy processing you are troubleshooting.
· Create a custom view of the operational log.
· Divide the log into phases: pre-processing, processing, and post-processing.
· In order, consolidate each starting event with its corresponding ending event. Investigate all warning and error events.
· Isolate and troubleshoot the dependent component.
· Use the Group Policy update command (GPUPDATE) to refresh Group Policy. Repeat these steps to determine if the warning or error still exists.
Important
Refreshing Group Policy changes the Activity ID in your custom view. When troubleshooting, be sure to update your custom view with the most current activity ID.
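The pairing step from the quick reference, as an added example (not part of the original document and not GPLogView code): it reads events in the time, event ID, description layout of the example output on this page, pairs each start event with the end event that shares its last three digits, and lists warnings, errors, and starts that never finished. The function names are hypothetical, the sample log is constructed (three lines are reused from the page), and the input is assumed to hold a single Activity ID.

```python
import re
from collections import defaultdict

# Outcome by leading digit of the event ID, following the pattern this page describes:
# 4xxx start, 5xxx and 8xxx success, 6xxx warning, 7xxx error.
KIND = {"4": "start", "5": "success", "6": "warning", "7": "error", "8": "success"}
EVENT_LINE = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{3})\s+(\d{4})\s+(.*)$")
DAY_MS = 24 * 60 * 60 * 1000

# Constructed sample. The first 4017/5017 pair and the second 4017 line are taken
# from the page's example output; every other line is made up for this example.
SAMPLE_LOG = r"""
12:41:19.326 4000 Starting computer boot policy processing for CONTOSO\WKST007$.
12:41:19.636 4017 Making system calls to access specified file. \\contoso.com\SysVol\contoso.com\Policies\{9F1DE622-0635-4F10-8A0B-4AEAEB5C3B79}\gpt.ini
12:41:20.307 5017 The system calls to access specified file completed. \\contoso.com\SysVol\contoso.com\Policies\{9F1DE622-0635-4F10-8A0B-4AEAEB5C3B79}\gpt.ini The call completed in 671 milliseconds.
12:41:20.307 4017 Making system calls to access specified file. \\contoso.com\SysVol\contoso.com\Policies\{1AAEB8CD-E71C-4D7F-A658-A5331ED8FEF0}\gpt.ini
12:41:20.598 7017 The system calls to access specified file failed.
12:41:20.958 5312 List of applicable Group Policy objects: Removable Devices Policy
Power Management Policy
12:41:28.100 4016 Starting Registry Extension Processing.
List of applicable Group Policy objects: (Changes were detected.)
Removable Devices Policy
12:41:30.100 6016 Completed Registry Extension Processing with errors.
12:41:30.200 4016 Starting Scripts Extension Processing.
12:41:30.922 7000 Computer boot policy processing failed for CONTOSO\WKST007$.
"""


def parse_events(text):
    """Parse 'HH:MM:SS.mmm ID description' lines.

    A line that does not start with a timestamp and a four-digit ID (for example
    a GPO name under a list event) is attached to the preceding event.
    """
    events = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = EVENT_LINE.match(line)
        if match:
            h, m, s, ms, event_id, msg = match.groups()
            stamp = ((int(h) * 60 + int(m)) * 60 + int(s)) * 1000 + int(ms)
            events.append({
                "ms": stamp,
                "id": int(event_id),
                "kind": KIND.get(event_id[0], "other"),  # e.g. 1xxx System log events
                "msg": msg,
                "extra": [],
            })
        elif events:
            events[-1]["extra"].append(line)
    return events


def correlate(events):
    """Pair each start event with the next end event sharing its last three digits."""
    open_starts = defaultdict(list)  # suffix -> stack of start events still open
    pairs, standalone = [], []
    for ev in events:
        suffix = ev["id"] % 1000
        if ev["kind"] == "start":
            open_starts[suffix].append(ev)
        elif ev["kind"] in ("success", "warning", "error") and open_starts[suffix]:
            start = open_starts[suffix].pop()
            pairs.append({
                "start": start,
                "end": ev,
                "outcome": ev["kind"],
                # Modulo keeps the value positive if processing spans midnight.
                "elapsed_ms": (ev["ms"] - start["ms"]) % DAY_MS,
            })
        else:
            # Interaction events such as 5309 or 5312 have no start event.
            standalone.append(ev)
    unfinished = [ev for stack in open_starts.values() for ev in stack]
    return pairs, standalone, unfinished


def findings(events):
    """Return (outcome, event_id, description) tuples that need investigation."""
    pairs, standalone, unfinished = correlate(events)
    out = [(p["outcome"], p["end"]["id"], p["start"]["msg"])
           for p in pairs if p["outcome"] != "success"]
    out += [(ev["kind"], ev["id"], ev["msg"])
            for ev in standalone if ev["kind"] in ("warning", "error")]
    out += [("unfinished", ev["id"], ev["msg"]) for ev in unfinished]
    return out


if __name__ == "__main__":
    for outcome, event_id, description in findings(parse_events(SAMPLE_LOG)):
        print(f"{outcome:10} {event_id}  {description}")
```

A start event with no matching end event, such as the Scripts extension in the sample, shows the step that was running when processing stopped and is the component to isolate first.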
More troubleshooting information
Connectivity with domain controllers
The Group Policy service requires communication with a domain controller. The service discovers domain controllers using name resolution, namely DNS. The Group Policy service contains many warning and error event messages to help you identify connectivity issues with domain controllers. Use the Details tab of the event, and review the error code and error description the event encountered. For example, the Group Policy service reports an error event with an event ID 1030 in the System log. This event occurs when the query for Group Policy object information fails, usually because it cannot contact the domain controller. However, the error code returned in the event detail is 1355, which often indicates a problem with name resolution and not the domain controller.
Also, the majority of Group Policy events contain the name of the domain controller the service is attempting to use. Read the event description for the name of the domain controller or check the Details tab. Look for the node named DCname. This helps you determine if the problem is related to this single domain controller.
Suspected delays associated with Group Policy
Group Policy applies to the computer shortly after it is turned on and to users shortly after they log on. It is common to suspect Group Policy as the cause of delayed user logons. Group Policy operational logging improves your ability to diagnose if Group Policy processing is causing your logon delays. Consider the following information if you suspect Group Policy processing is delaying your logons.
· The Group Policy service, operating in synchronous processing mode, can cause delays with the logon process. This behavior is by design because synchronous processing does not allow the logon processes to complete until Group Policy processing is complete. Read the Details tab of start policy processing events (event IDs 4000–4007). The nodes IsBackgroundProcessing and IsAsyncProcessing can help you determine the processing mode. Also, success and warning network information events contain the application processing mode. On the Details tab for events with event IDs 5314 or 6314, read the PolicyApplicationMode node. You can use the value displayed to determine the mode of Group Policy application.
· Each end event displays the elapsed time, in milliseconds, used by the described event. Additionally, you can see this same information in the Details tab of the event message. You can use the ProcessingTimeInMilliseconds node to determine how much time expired when processing each scenario and phase of Group Policy.
· Certain policy settings take longer to apply than others. Typically, the Group Policy service applies these policy settings synchronously. For example, expect longer Group Policy processing times when deploying a software package to a computer or user. The Group Policy service waits for the software to finish installing before it transitions to the next scenario or phase of processing.
GPLogView
Often, it is easier to read text files for troubleshooting instead of using the Event Viewer. In fact, exporting event logs into text files may be the only solution when troubleshooting computers in remote locations. GPLogView is a utility you can download and use to export Group Policy event data from the system and operational log into a text, HTML, or XML file. You can download GPLogView from the Microsoft Download Center (https://go.microsoft.com/fwlink/?LinkId=75004). The following examples show the syntax of commonly used options for GPLogView.
Example 1: Export all Group Policy events
You can use GPLogView to export all Group Policy–related events from the system log and the operational log.
gplogview -o gpevents.txt
Example 2: Export Group Policy events with a specific Activity ID
GPLogView filters Group Policy–related events by Activity ID, which is useful when troubleshooting a specific instance of Group Policy processing.
gplogview -a 8A7C7CE5-F7D0-4d32-8700-57C650A53839 -o gpevents.txt
Example 3: Monitor Mode
You can use GPLogView to capture Group Policy events in real time. GPLogView writes all Group Policy related events to the command window, as they occur. Press CTRL+C to exit monitor mode, or press Q and ENTER.
gplogview -m
Figure 3 GPLogView operating in monitor mode
Example 4: Using an external event log for input
By default, GPLogView reads the event logs on the current Windows Vista computer. However, you can change the GPLogView input source to an exported event log from another Windows Vista computer. This change gives you the ability to export multiple views of Group Policy processing that happened on another computer.
Note
The saved event log must come from a computer running Windows Vista. GPLogView does not work with saved event logs from earlier releases of Microsoft Windows.
gplogview -i savedevents.evtx -o gpevents.txt
You can view these and other commands supported by GPLogView by invoking command line Help.
gplogview -?
Appendix A: Group Policy system event messages
The following table lists Group Policy event messages that appear in the System log of the Event Viewer.
Event ID | Event Type | Appears in | Explanation |
---|---|---|---|
1002 | Error | System log | Failed Allocation: The Group Policy service logs this event when an attempt to allocate memory fails. |
1006 | Error | System log | DS Bind Failure: The Group Policy service logs this event when an attempt to authenticate to Active Directory fails. |
1007 | Error | System log | Site Query Failure: The Group Policy service logs this event when, using the credentials of the user or computer, an attempt to query the Active Directory Site fails. |
1030 | Error | System log | GPO Query Failure: The Group Policy service logs this event when an attempt to query Group Policy objects fails. |
1052 | Error | System log | Computer Role Failure: The Group Policy service logs this event when an attempt to determine the role of the computer (workgroup, domain member, or domain controller) fails. |
1053 | Error | System log | User name Resolution Failure: The Group Policy service logs this event when an attempt to resolve a user name fails. |
1054 | Error | System log | DC Resolution Failure: The Group Policy service logs this event when an attempt to obtain the name of a domain controller fails. |
1055 | Error | System log | Computer Name Resolution Failure: The Group Policy service logs this event when an attempt to resolve a computer name fails. |
1058 | Error | System log | Policy Read Failure: The Group Policy service logs this event when an attempt to read the GPT.INI of a Group Policy object fails. |
1065 | Error | System log | WMI Evaluation Failure: The Group Policy service logs this event when an attempt to evaluate a WMI filter fails. |
1079 | Error | System log | GPO Search Failure: The Group Policy service logs this event when an attempt to obtain a list of Group Policy objects fails. |
1080 | Error | System log | OU Search Failure: The Group Policy service logs this event when an attempt to search the Active Directory Organizational Unit hierarchy fails. |
1085 | Warning | System log | CSE Failure Warning: The Group Policy service logs this event when a Group Policy client side extension fails. |
1088 | Error | System log | Excessive GPO Failure: The Group Policy service logs this event when the scope of Group Policy objects for a computer or user exceeds 999. |
1089 | Warning | System log | RSOP Session Failure: The Group Policy service logs this event when a Resultant Set of Policy session fails. |
1090 | Warning | System log | WMI Failure: The Group Policy service logs this event when it encounters errors with the Windows Management Instrumentation service. |
1091 | Warning | System log | RSOP CSE Failure: The Group Policy service logs this event when a Group Policy client side extension fails to record Resultant Set of Policy information. |
1095 | Warning | System log | RSOP Failure: The Group Policy service logs this event when an error occurs while recording Resultant Set of Policy information. |
1096 | Error | System log | Registry.pol Failure: The Group Policy service logs this event when an attempt to read the registry.pol fails. |
1097 | Error | System log | Computer Token Failure: The Group Policy service logs this event when an attempt to read the computer's authentication token fails. |
1101 | Error | System log | Object Not Found Failure: The Group Policy service logs this event when an attempt to locate an Active Directory object fails. |
1104 | Warning | System log | WMI Filter Not Found Warning: The Group Policy service logs this event when an attempt to locate an associated WMI filter fails. |
1109 | Warning | System log | Cross Forest GP Disabled Warning: The Group Policy service logs this event when an attempt is disabled to process Group Policy across a forest. |
1110 | Error | System log | Cross Forest Discovery Failure: The Group Policy service logs this event when an attempt fails to determine if the user and computer belong to the same forest. |
1112 | Warning | System log | CSE Synchronous Warning: The Group Policy service logs this event when a Group Policy client side extension requires synchronous policy processing to apply one or more policy settings. |
1126 | Error | System log | Time Skew Failure: The Group Policy service logs this event when the time on the local computer is not synchronized with the time on the domain controller. |
1128 | Warning | System log | CSE Disabled Warning: The Group Policy service logs this event when it disables a Group Policy client side extension to prevent unexpected termination of the Group Policy service. |
1129 | Error | System log | DC Connectivity Failure: The Group Policy service logs this event when there is an absence of authenticated connectivity from the computer to the domain controller. |
1130 | Error | System log | Script Failure: The Group Policy service logs this event when an attempt fails to run a script. |
1500 | Informational | System log | Computer Policy Processing: The Group Policy service logs this event when an instance of computer Group Policy processing completes without encountering new policy settings. |
1501 | Informational | System log | User Policy Processing: The Group Policy service logs this event when an instance of user Group Policy processing completes without encountering new policy settings. |
1502 | Informational | System log | Computer Policy Processing: The Group Policy service logs this event when an instance of computer Group Policy processing completes with new or changed policy settings. |
1503 | Informational | System log | User Policy Processing: The Group Policy service logs this event when an instance of user Group Policy processing completes with new or changed policy settings. |
Appendix B: Group Policy operational event messages
The following tables identify the collections of Group Policy event messages (ordered by start event) that appear in the Group Policy operational event log.
Client-side extension processing
Security principal information
Next policy processing information
Successful or informational interaction
Computer startup wait information
Winlogon notification information
Service Control Manager notification information
Service configuration information
Client-side failure information
Policy processing
Computer start and end events
Event ID | Event Type | Explanation |
---|---|---|
4000 | Informational | The Group Policy service logs this event when an instance of computer Group Policy processing begins. |
6000 | Warning | The Group Policy service logs this event when an instance of computer Group Policy processing completes with one or more errors. |
7000 | Error | The Group Policy service logs this event when an instance of computer Group Policy processing fails to complete. |
8000 | Success | The Group Policy service logs this event when an instance of computer Group Policy processing completes successfully. |
User logon start and end events
Event ID | Event Type | Explanation |
---|---|---|
4001 | Informational | The Group Policy service logs this event when an instance of user Group Policy processing begins. |
6001 | Warning | The Group Policy service logs this event when an instance of user Group Policy processing completes with one or more errors. |
7001 | Error | The Group Policy service logs this event when an instance of user Group Policy processing fails to complete. |
8001 | Success | The Group Policy service logs this event when an instance of user Group Policy processing completes successfully. |
Computer network change start and end events
Event ID | Event Type | Explanation |
---|---|---|
4002 | Informational | The Group Policy service logs this event when a network change triggers the start of an instance of computer Group Policy processing. |
6002 | Warning | The Group Policy service logs this event when an instance of computer Group Policy processing, triggered by a network change, completes with one or more errors. |
7002 | Error | The Group Policy service logs this event when an instance of computer Group Policy processing, triggered by a network change, fails to complete. |
8002 | Success | The Group Policy service logs this event when an instance of computer Group Policy processing, triggered by a network change, completes successfully. |
User network change start and end events
Event ID | Event Type | Explanation |
---|---|---|
4003 | Informational | The Group Policy service logs this event when a network change triggers the start of an instance of user Group Policy processing. |
6003 | Warning | The Group Policy service logs this event when an instance of user Group Policy processing, triggered by a network change, completes with one or more errors. |
7003 | Error | The Group Policy service logs this event when an instance of user Group Policy processing, triggered by a network change, fails to complete. |
8003 | Success | The Group Policy service logs this event when an instance of user Group Policy processing, triggered by a network change, completes successfully. |
Computer manual refresh start and end events
Event ID | Event Type | Explanation |
---|---|---|
4004 | Informational | The Group Policy service logs this event when a manual refresh triggers the start of an instance of computer Group Policy processing. |
6004 | Warning | The Group Policy service logs this event when an instance of computer Group Policy processing, triggered by a manual refresh, completes with one or more errors. |
7004 | Error | The Group Policy service logs this event when an instance of computer Group Policy processing, triggered by a manual refresh, fails to complete. |
8004 | Success | The Group Policy service logs this event when an instance of computer Group Policy processing, triggered by a manual refresh, completes successfully. |
User manual refresh start and end events
Event ID | Event Type | Explanation |
---|---|---|
4005 | Informational | The Group Policy service logs this event when a manual refresh triggers the start of an instance of user Group Policy processing. |
6005 | Warning | The Group Policy service logs this event when an instance of user Group Policy processing, triggered by a manual refresh, completes with one or more errors. |
7005 | Error | The Group Policy service logs this event when an instance of user Group Policy processing, triggered by a manual refresh, fails to complete. |
8005 | Success | The Group Policy service logs this event when an instance of user Group Policy processing, triggered by a manual refresh, completes successfully. |
Computer periodic refresh start and end events
Event ID | Event Type | Explanation |
---|---|---|
4006 | Informational | The Group Policy service logs this event when a periodic refresh triggers the start of an instance of computer Group Policy processing. |
6006 | Warning | The Group Policy service logs this event when an instance of computer Group Policy processing, triggered by a periodic refresh, completes with one or more errors. |
7006 | Error | The Group Policy service logs this event when an instance of computer Group Policy processing, triggered by a periodic refresh, fails to complete. |
8006 | Success | The Group Policy service logs this event when an instance of computer Group Policy processing, triggered by a periodic refresh, completes successfully. |
User periodic refresh start and end events
Event ID | Event Type | Explanation |
---|---|---|
4007 | Informational | The Group Policy service logs this event when a periodic refresh triggers the start of an instance of user Group Policy processing. |
6007 | Warning | The Group Policy service logs this event when an instance of user Group Policy processing, triggered by a periodic refresh, completes with one or more errors. |
7007 | Error | The Group Policy service logs this event when an instance of user Group Policy processing, triggered by a periodic refresh, fails to complete. |
8007 | Success | The Group Policy service logs this event when an instance of user Group Policy processing, triggered by a periodic refresh, completes successfully. |
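The policy processing event IDs listed above follow a regular scheme: the thousands digit gives the phase (4 start, 6 warning, 7 error, 8 success) and the last digit selects computer or user and the trigger. The following Python sketch is an added example, not part of the original article; it assumes the events were exported as XML under a single root element and that all events of one processing instance share the ActivityID in the Correlation element, and it runs on constructed sample events.

```python
import xml.etree.ElementTree as ET

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"
# Thousands digit of the event ID gives the phase or outcome (per the tables above).
PHASE = {4: "start", 6: "warning", 7: "error", 8: "success"}
# Last digit: even = computer, odd = user; each pair shares one trigger.
TRIGGER = ["startup or logon", "network change", "manual refresh", "periodic refresh"]


def classify(event_id):
    """Map a policy processing event ID (4000-4007, 6000-6007, 7000-7007,
    8000-8007) to (scope, trigger, phase). Return None for any other ID."""
    phase, low = PHASE.get(event_id // 1000), event_id % 1000
    if phase is None or low > 7:
        return None
    return ("computer" if low % 2 == 0 else "user"), TRIGGER[low // 2], phase


def summarize(xml_text):
    """Group policy processing events by ActivityID and record how each ended."""
    instances = {}
    for ev in ET.fromstring(xml_text).iter(EVT + "Event"):
        system = ev.find(EVT + "System")
        info = classify(int(system.findtext(EVT + "EventID")))
        corr = system.find(EVT + "Correlation")
        if info is None or corr is None:
            continue  # CSE, trace, script and other events do not bound an instance
        scope, trigger, phase = info
        inst = instances.setdefault(corr.get("ActivityID"), {
            "scope": scope, "trigger": trigger,
            "outcome": "incomplete", "error_code": None})
        if phase != "start":
            data = {d.get("Name"): d.text for d in ev.iter(EVT + "Data")}
            inst["outcome"] = phase
            inst["error_code"] = data.get("ErrorCode")
    return instances


def needs_attention(instances):
    """Activity IDs whose instance ended in a warning or error, or never ended."""
    return sorted(a for a, i in instances.items() if i["outcome"] != "success")


def _event(event_id, tag, error_code=None):
    """Build one constructed event in the layout of the XML view of an event."""
    data = "" if error_code is None else f'<Data Name="ErrorCode">{error_code}</Data>'
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f'<System><EventID>{event_id}</EventID>'
            f'<Correlation ActivityID="{{00000000-0000-0000-0000-0000000000{tag}}}" />'
            f'</System><EventData>{data}</EventData></Event>')


# Constructed sample events (activity IDs and error code are made up).
SAMPLE = "<Events>" + "".join([
    _event(4001, "a1"), _event(5016, "a1"), _event(8001, "a1", 0),  # user logon, success
    _event(4006, "b2"), _event(7006, "b2", 1355),  # periodic refresh, failed
    _event(4004, "c3"),                            # manual refresh, no end event
]) + "</Events>"

if __name__ == "__main__":
    result = summarize(SAMPLE)
    for activity in needs_attention(result):
        print(activity, result[activity])
```

An instance reported as "incomplete" has a start event but no matching 6xxx, 7xxx or 8xxx end event in the exported range, which can also mean the export window cut the instance short.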
Client-side extension processing
Event ID | Event Type | Explanation |
---|---|---|
4016 | Informational | The Group Policy service logs this event each time a Group Policy client-side extension begins processing. |
5016 | Success | The Group Policy service logs this event when a Group Policy client-side extension completes its processing successfully. |
6016 | Warning | The Group Policy service logs this event when a Group Policy client-side extension completes its processing while encountering one or more errors. |
7016 | Error | The Group Policy service logs this event when a Group Policy client-side extension fails to complete its processing. |
Trace events
Event ID | Event Type | Explanation |
---|---|---|
4017 | Informational | The Group Policy service logs this event to mark the beginning of the service making a system call. |
5017 | Success | The Group Policy service logs this event when a system call completes successfully. |
6017 | Warning | The Group Policy service logs this event when a system call completes while encountering one or more errors. |
7017 | Error | The Group Policy service logs this event when a system call fails to complete. |
Scripts processing
Event ID | Event Type | Explanation |
---|---|---|
4018 | Informational | The Group Policy service logs this event when it begins to process Group Policy scripts. |
5018 | Success | The Group Policy service logs this event when Group Policy scripts processing completes successfully. |
6018 | Warning | The Group Policy service logs this event when Group Policy scripts processing completes while encountering one or more errors. |
7018 | Error | The Group Policy service logs this event when Group Policy scripts processing fails to complete. |
Individual script processing
Event ID | Event Type | Explanation |
---|---|---|
4019 | Informational | The Group Policy service logs this event when it begins to process an individual script during the processing of Group Policy scripts. |
5019 | Success | The Group Policy service logs this event when an individual script, during Group Policy script processing, completes successfully. |
6019 | Warning | The Group Policy service logs this event when an individual script, during Group Policy script processing, completes while encountering one or more errors. |
7019 | Error | The Group Policy service logs this event when an individual script, during Group Policy script processing, fails to complete. |
Domain controller discovery
Event ID | Event Type | Explanation |
---|---|---|
4326 | Informational | The Group Policy service logs this event when it begins to discover an Active Directory domain controller. |
5326 | Success | The Group Policy service logs this event when the discovery of an Active Directory domain controller completes successfully. |
6326 | Warning | The Group Policy service logs this event when the discovery of an Active Directory domain controller completes while encountering one or more errors. |
7326 | Error | The Group Policy service logs this event when the discovery of an Active Directory domain controller fails to complete. |
Domain controller information
Event ID | Event Type | Explanation |
---|---|---|
5308 | Success | The Group Policy service logs this event when an attempt to display information about a discovered domain controller completes successfully. |
6308 | Warning | The Group Policy service logs this event when an attempt to display information about a discovered domain controller completes while encountering one or more errors. |
7308 | Error | The Group Policy service logs this event when an attempt to display information about a discovered domain controller fails to complete. |
Computer information
Event ID | Event Type | Explanation |
---|---|---|
5309 | Success | The Group Policy service logs this event when an attempt to display information about a computer completes successfully. |
6309 | Warning | The Group Policy service logs this event when an attempt to display information about a computer completes while encountering one or more errors. |
7309 | Error | The Group Policy service logs this event when an attempt to display information about a computer fails to complete. |
Security principal information
Event ID | Event Type | Explanation |
---|---|---|
5310 | Success | The Group Policy service logs this event when an attempt to display security principal information about a user completes successfully. |
6310 | Warning | The Group Policy service logs this event when an attempt to display security principal information about a user completes while encountering one or more errors. |
7310 | Error | The Group Policy service logs this event when an attempt to display security principal information about a user fails to complete. |
Loopback processing mode
Event ID | Event Type | Explanation |
---|---|---|
5311 | Success | The Group Policy service logs this event when an attempt to display information about loopback processing mode completes successfully. |
6311 | Warning | The Group Policy service logs this event when an attempt to display information about loopback processing mode completes while encountering one or more errors. |
7311 | Error | The Group Policy service logs this event when an attempt to display information about loopback processing mode fails to complete. |
Applied GPO list
Event ID | Event Type | Explanation |
---|---|---|
5312 | Success | The Group Policy service logs this event when an attempt to display a list of applied Group Policy objects completes successfully. |
6312 | Warning | The Group Policy service logs this event when an attempt to display a list of applied Group Policy objects completes while encountering one or more errors. |
7312 | Error | The Group Policy service logs this event when an attempt to display a list of applied Group Policy objects fails to complete. |
Filtered GPO list
Event ID | Event Type | Explanation |
---|---|---|
5313 | Success | The Group Policy service logs this event when an attempt to display a list of filtered Group Policy objects completes successfully. |
6313 | Warning | The Group Policy service logs this event when an attempt to display a list of filtered Group Policy objects completes while encountering one or more errors. |
7313 | Error | The Group Policy service logs this event when an attempt to display a list of filtered Group Policy objects fails to complete. |
Network information
Event ID | Event Type | Explanation |
---|---|---|
5314 | Success | The Group Policy service logs this event when an attempt to display network information completes successfully. |
6314 | Warning | The Group Policy service logs this event when an attempt to display network information completes while encountering one or more errors. |
7314 | Error | The Group Policy service logs this event when an attempt to display network information fails to complete. |
Next policy processing information
Event ID | Event Type | Explanation |
---|---|---|
5315 | Success | The Group Policy service logs this event when an attempt to display information about the next instance of Group Policy processing completes successfully. |
6315 | Warning | The Group Policy service logs this event when an attempt to display information about the next instance of Group Policy processing completes while encountering one or more errors. |
7315 | Error | The Group Policy service logs this event when an attempt to display information about the next instance of Group Policy processing fails to complete. |
Successful or informational interaction
Event ID | Event Type | Explanation |
---|---|---|
5320 | Success | The Group Policy service logs this event to display successful information about the current instance of Group Policy processing. |
6320 | Warning | The Group Policy service logs this event to display warning information about the current instance of Group Policy processing. |
7320 | Error | The Group Policy service logs this event to display failure information about the current instance of Group Policy processing. |
Event ID | Event Type | Explanation |
---|---|---|
5321 | Success | The Group Policy service logs this event to display successful information about the current instance of Group Policy processing. |
6321 | Warning | The Group Policy service logs this event to display warning information about the current instance of Group Policy processing. |
7321 | Error | The Group Policy service logs this event to display failure information about the current instance of Group Policy processing. |
Note
Event messages with event IDs 5320 and 5321 provide the same basic functionality. Event messages with event ID 5321 usually display more information in the event details.
Computer startup wait information
Event ID | Event Type | Explanation |
---|---|---|
5322 | Success | The Group Policy service logs this event to display successful information about the service waiting for the network. |
6322 | Warning | The Group Policy service logs this event to display warning information about the service waiting for the network. |
7322 | Error | The Group Policy service logs this event to display failure information about the service waiting for the network. |
Winlogon notification information
Event ID | Event Type | Explanation |
---|---|---|
5324 | Success | The Group Policy service logs this event to display successful information about a notification received from Winlogon. |
6324 | Warning | The Group Policy service logs this event to display warning information about a notification received from Winlogon. |
7324 | Error | The Group Policy service logs this event to display failure information about a notification received from Winlogon. |
Service Control Manager notification information
Event ID | Event Type | Explanation |
---|---|---|
5325 | Success | The Group Policy service logs this event to display successful information about a notification received from the Service Control Manager. |
6325 | Warning | The Group Policy service logs this event to display warning information about a notification received from the Service Control Manager. |
7325 | Error | The Group Policy service logs this event to display failure information about a notification received from the Service Control Manager. |
Network bandwidth information
Event ID | Event Type | Explanation |
---|---|---|
5327 | Success | The Group Policy service logs this event to display successful information about network bandwidth. |
6327 | Warning | The Group Policy service logs this event to display warning information about network bandwidth. |
7327 | Error | The Group Policy service logs this event to display failure information about network bandwidth. |
Service configuration information
Event ID | Event Type | Explanation |
---|---|---|
5331 | Success | The Group Policy service logs this event to display successful information about the Group Policy service's configuration. |
6331 | Warning | The Group Policy service logs this event to display warning information about the Group Policy service's configuration. |
7331 | Error | The Group Policy service logs this event to display failure information about the Group Policy service's configuration. |
Network Location Awareness service warning
Event ID | Event Type | Explanation |
---|---|---|
6323 | Warning | The Group Policy service logs this event to display warning information about the operability of the Network Location Awareness service. |
7323 | Error | The Group Policy service logs this event to display failure information about the operability of the Network Location Awareness service. |
Client-side failure information
Event ID | Event Type | Explanation |
---|---|---|
6330 | Warning | The Group Policy service logs this event to display warning information about a Group Policy client-side extension that failed in an earlier instance of Group Policy processing. |
Comments
- Anonymous
January 01, 2003
The computer name on this notice is unknown to me. How can I find out how to block this other computer from my computer.... Thanks JoeC

Log Name: Microsoft-Windows-GroupPolicy/Operational
Source: Microsoft-Windows-GroupPolicy
Date: 2/22/2008 7:11:01 AM
Event ID: 8001
Task Category: None
Level: Information
Keywords:
User: SYSTEM
Computer: WIN-RI6Z3BLOBTK
Description: Completed user logon policy processing for WIN-RI6Z3BLOBTKAdministrator in 0 seconds.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
    <EventID>8001</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>2</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2008-02-22T13:11:01.154Z" />
    <EventRecordID>22</EventRecordID>
    <Correlation ActivityID="{9B9B8490-C3A9-4708-A4AC-E5CA27C30D20}" />
    <Execution ProcessID="960" ThreadID="2396" />
    <Channel>Microsoft-Windows-GroupPolicy/Operational</Channel>
    <Computer>WIN-RI6Z3BLOBTK</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="PolicyElaspedTimeInSeconds">0</Data>
    <Data Name="ErrorCode">0</Data>
    <Data Name="PrincipalSamName">WIN-RI6Z3BLOBTKAdministrator</Data>
    <Data Name="IsMachine">false</Data>
    <Data Name="IsConnectivityFailure">false</Data>
  </EventData>
</Event>